New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 635602 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface

Project Member Reported by ClusterFuzz, Aug 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4660090269597696

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6080000990f0
Crash State:
  content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface
  base::internal::Invoker<base::internal::BindState<void
  shell::internal::GenericCallbackBinder::BindInterface
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=410031:410228

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95EmCuYspdzCrgrCX9iJCEDvwXU8jfBjkMm3tpK8ZoyKZLgNAuMhmpz4B8lPMFQXdK-I-s7CRu3qkeXs1C577YDATyJ6YTsBmtb5DrZemLqvTZDmab9epPkH6Q24N2SD6BPPYXSVotQOORmbHU72RcKeK35Hw?testcase_id=4660090269597696


Additional requirements: Requires HTTP

Issue manually filed by: mbarbella

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: darin@chromium.org
Status: Assigned (was: Untriaged)
darin: Would you mind taking a look or reassigning this if you don't have time? Seems related to https://crrev.com/2b78d9ee821f4d5c8c31a05028360610f5d0069f

Comment 2 by darin@chromium.org, Aug 8 2016

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/815c4cbb961e3c077f96b084cd00737f82035da3

commit 815c4cbb961e3c077f96b084cd00737f82035da3
Author: darin <darin@chromium.org>
Date: Mon Aug 08 21:05:31 2016

Revert "Port WebSockets to Mojo IPC"

This reverts commit 2b78d9ee821f4d5c8c31a05028360610f5d0069f due to memory corruption issues.

TBR=jam@chromium.org,tsepez@chromium.org
BUG=635397, 635602 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_site_isolation

Review-Url: https://codereview.chromium.org/2225133002
Cr-Commit-Position: refs/heads/master@{#410456}

[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/bad_message.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/bad_message.h
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/render_process_host_impl.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_blob_sender.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_blob_sender.h
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_blob_sender_unittest.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_dispatcher_host.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_dispatcher_host.h
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_dispatcher_host_unittest.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_host.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/browser/renderer_host/websocket_host.h
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/browser/websockets/websocket_impl.cc
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/browser/websockets/websocket_impl.h
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/browser/websockets/websocket_manager.cc
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/browser/websockets/websocket_manager.h
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/browser/websockets/websocket_manager_unittest.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/OWNERS
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/blink_platform_impl.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/blink_platform_impl.h
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/child_thread_impl.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/child_thread_impl.h
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/websocket_bridge.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/websocket_bridge.h
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/websocket_dispatcher.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/websocket_dispatcher.h
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/websocket_message_filter.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/child/websocket_message_filter.h
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/common/BUILD.gn
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/common/content_message_generator.h
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/common/websocket.cc
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/common/websocket.h
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/common/websocket.mojom
[add] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/common/websocket_messages.h
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/content_browser.gypi
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/content_child.gypi
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/content_common.gypi
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/content_common_mojo_bindings.gyp
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/content_renderer.gypi
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/content_tests.gypi
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/OWNERS
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/render_frame_impl.h
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/render_thread_impl.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/render_thread_impl_browsertest.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/renderer_blink_platform_impl.cc
[modify] https://crrev.com/815c4cbb961e3c077f96b084cd00737f82035da3/content/renderer/renderer_blink_platform_impl.h
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/renderer/websockethandle_impl.cc
[delete] https://crrev.com/fb357a6207caa3bb81bae702ada464ec39881d39/content/renderer/websockethandle_impl.h

Comment 4 by aarya@google.com, Aug 9 2016

Cc: jam@chromium.org
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 9 2016

Labels: M-54
Project Member

Comment 6 by sheriffbot@chromium.org, Aug 9 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 9 2016

Labels: Pri-1
Components: Blink>Network>WebSockets
Project Member

Comment 9 by ClusterFuzz, Aug 15 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4950007533010944

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6080000a81f0
Crash State:
  content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface
  base::internal::Invoker<base::internal::BindState<void
  shell::internal::GenericCallbackBinder::BindInterface
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=411529:411875

Minimized Testcase (0.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97P8bdWONP1BtlsvqJv3GiPCj48KpL7SQVolzdVy7T5RtHvusC8nQzLtJRs0nCkUOJJNHPTXu6smiLHivgi26Cc0Yj4xY3yyssGBPuCxz8DCzgp2_obGzsxNOnbQnNsXzUx_kw4qlRkXbKKEd99r0I1LFSThg?testcase_id=4950007533010944

Issue manually filed by: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 10 by ClusterFuzz, Aug 17 2016

ClusterFuzz has detected this issue as fixed in range 412308:412370.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4950007533010944

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6080000a81f0
Crash State:
  content::RenderProcessHostImpl::ConnectionFilterImpl::GetInterface
  base::internal::Invoker<base::internal::BindState<void
  shell::internal::GenericCallbackBinder::BindInterface
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=411529:411875
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=412308:412370

Minimized Testcase (0.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97P8bdWONP1BtlsvqJv3GiPCj48KpL7SQVolzdVy7T5RtHvusC8nQzLtJRs0nCkUOJJNHPTXu6smiLHivgi26Cc0Yj4xY3yyssGBPuCxz8DCzgp2_obGzsxNOnbQnNsXzUx_kw4qlRkXbKKEd99r0I1LFSThg?testcase_id=4950007533010944

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 23 2016

ben: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
Since the changeset is reverted, closing this. If you are planning to reland this, please land with the fix for the security vulnerability.
Project Member

Comment 13 by sheriffbot@chromium.org, Aug 25 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 14 by sheriffbot@chromium.org, Dec 1 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment