use-after-poison blink::AdjustAndMarkTrait<blink::EventTarget,0>::mark<blink::InlinedGlobalMarkingVisitor>
Reported by 0in.em...@gmail.com, Sep 5 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.8 Safari/537.36

Steps to reproduce the problem:
1. Open attached file under ASAN build with flag --js-flags="--expose-gc"

What is the expected behavior?

What went wrong?
crash

Did this work before? N/A

Chrome version: 55.0.2845.0 Channel: dev
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 22.0 r0
Sep 6 2016
Sep 8 2016
I can't reproduce this either locally or on CF. I'm trying 55.0.2854.0. Can you confirm which revisions this affects?
Sep 8 2016
Sep 8 2016
finally able to get a repro with 55.0.2846.0 rev 14eb4b39
could be v8 or blink, not sure from stack.
#0 0x194ebf04 in blink::AdjustAndMarkTrait<blink::EventTarget,0>::mark<blink::InlinedGlobalMarkingVisitor> C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\platform\heap\TraceTraits.h:76
#1 0x196bb706 in blink::Event::traceImpl<blink::InlinedGlobalMarkingVisitor> C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\core\events\Event.cpp:368
#2 0x196bb5b5 in blink::Event::trace C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\core\events\Event.cpp:367
#3 0x18b1200e in blink::TraceTrait<blink::Event>::trace C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\platform\heap\TraceTraits.h:206
#4 0x14499a4d in blink::ThreadHeap::popAndInvokeTraceCallback C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\platform\heap\Heap.cpp:366
#5 0x1449d43b in blink::ThreadHeap::processMarkingStack C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\platform\heap\Heap.cpp:636
#6 0x1449ae3b in blink::ThreadHeap::collectGarbage C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\platform\heap\Heap.cpp:553
#7 0x18c67600 in blink::V8GCController::gcEpilogue C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\bindings\core\v8\V8GCController.cpp:370
#8 0x127897c7 in v8::internal::Heap::PerformGarbageCollection C:\b\c\b\Win_ASan_Release\src\v8\src\heap\heap.cc:1379
#9 0x127858e5 in v8::internal::Heap::CollectGarbage C:\b\c\b\Win_ASan_Release\src\v8\src\heap\heap.cc:1005
#10 0x1278223a in v8::internal::Heap::CollectAllGarbage C:\b\c\b\Win_ASan_Release\src\v8\src\heap\heap.cc:860
#11 0x11873f0b in v8::Isolate::RequestGarbageCollectionForTesting C:\b\c\b\Win_ASan_Release\src\v8\src\api.cc:7524
#12 0x12675b0f in v8::internal::GCExtension::GC C:\b\c\b\Win_ASan_Release\src\v8\src\extensions\gc-extension.cc:20
#13 0x1179ad23 in v8::internal::FunctionCallbackArguments::Call C:\b\c\b\Win_ASan_Release\src\v8\src\api-arguments.cc:21
#14 0x119f3256 in v8::internal::`anonymous namespace'::HandleApiCallHelper<0> C:\b\c\b\Win_ASan_Release\src\v8\src\builtins\builtins-api.cc:106
#15 0x119ef6af in v8::internal::Builtin_Impl_HandleApiCall C:\b\c\b\Win_ASan_Release\src\v8\src\builtins\builtins-api.cc:135
#16 0x119eeb7d in v8::internal::Builtin_HandleApiCall C:\b\c\b\Win_ASan_Release\src\v8\src\builtins\builtins-api.cc:123
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: use-after-poison C:\b\c\b\Win_ASan_Release\src\third_party\WebKit\Source\platform\heap\TraceTraits.h:76 in blink::AdjustAndMarkTrait<blink::EventTarget,0>::mark<blink::InlinedGlobalMarkingVisitor>
Shadow bytes around the buggy address:
0x3195df50: 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00
0x3195df60: 00 00 04 00 00 00 00 00 00 00 00 04 f7 f7 f7 f7
0x3195df70: f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
0x3195df80: 00 00 00 00 00 04 00 00 00 00 00 00 00 00 04 f7
0x3195df90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x3195dfa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
0x3195dfb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x3195dfc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x3195dfd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x3195dfe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x3195dff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
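Added as a reading aid for the ASan report above (example code written for this page, not from the bug thread or from Chromium): it parses the shadow-byte rows, finds the bracketed faulting shadow byte, maps it through the legend, and measures the contiguous run of identically marked granules, which is what separates a "Poisoned by user" (f7) report from a "Freed heap region" (fd) one. The dump excerpt is copied from the report; the function names are my own.

```python
import re

# Excerpt of the shadow-byte dump quoted in the ASan report above; the "=>" row
# carries the faulting shadow byte in [brackets]. Helper code added for this
# write-up, not part of the bug thread.
SHADOW_DUMP = """\
0x3195df80: 00 00 00 00 00 04 00 00 00 00 00 00 00 00 04 f7
0x3195df90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x3195dfa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
0x3195dfb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
"""
# Subset of ASan's legend; one shadow byte describes 8 application bytes.
LEGEND = {0x00: "Addressable", 0xf7: "Poisoned by user", 0xfa: "Heap left redzone",
          0xfd: "Freed heap region", 0xf8: "Stack use after scope", 0xfe: "ASan internal"}
SHADOW_GRANULARITY = 8
ROW_RE = re.compile(r"^(=>)?\s*0x([0-9a-f]+):\s*(.*)$")
BYTE_RE = re.compile(r"(\[)?([0-9a-f]{2})\]?")

def parse_shadow(dump):
    """Map each shadow address to its byte; return (faulting_addr, mapping)."""
    shadow, fault = {}, None
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(2), 16)
        for i, (bracket, byte) in enumerate(BYTE_RE.findall(m.group(3))):
            shadow[base + i] = int(byte, 16)
            if bracket:
                fault = base + i
    return fault, shadow

def classify(byte):
    """Translate a shadow byte through the legend (01..07 = partial granule)."""
    return "Partially addressable" if 1 <= byte <= 7 else LEGEND.get(byte, "unknown")

def same_value_run(fault, shadow):
    """Extend left/right from the fault while the shadow value is unchanged;
    run length times granularity bounds the size of the poisoned region."""
    value, lo, hi = shadow[fault], fault, fault
    while shadow.get(lo - 1) == value:
        lo -= 1
    while shadow.get(hi + 1) == value:
        hi += 1
    return lo, hi, (hi - lo + 1) * SHADOW_GRANULARITY

def triage(dump):
    """Summarise why ASan flagged the bracketed byte as use-after-poison."""
    fault, shadow = parse_shadow(dump)
    if fault is None:
        raise ValueError("no [bracketed] faulting shadow byte in dump")
    lo, hi, size = same_value_run(fault, shadow)
    return {"shadow_addr": fault, "kind": classify(shadow[fault]),
            "run_lo": lo, "run_hi": hi, "run_app_bytes": size}
```

The run measured here is bounded by the excerpt, so on the full dump the upper end extends further than the 392 application bytes this excerpt yields.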
Sep 8 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4613644983992320
Sep 9 2016
manually bisected this to find the "unregression", it seems to have been fixed around:
You are probably looking for a change made after 411257 (known bad), but no later than 411277 (first known good).
CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/5ad16b4..95e0356?pretty=fuller
this contains a V8 roll: https://chromium.googlesource.com/v8/v8/+log/188b5e4e..b3c3a656?pretty=fuller
Sep 9 2016
Sep 9 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 9 2016
Sep 9 2016
re: #9 this doesn't repro in latest ToT so the revision range in #7 needs an examination to work out what if anything needs to be merged into 53 if it's considered important enough. And yes I know I'm talking to a robot here.
Sep 12 2016
I don't know who to assign to in v8 so assigning to jochen to decide.
Sep 16 2016
looks like oilpan to me
Sep 16 2016
Sep 19 2016
keishi: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 28 2016
Hello. In fact, it's not reproducing on file 2441.html, but I found another way to trigger the issue on the latest build.
Sep 29 2016
This bug is reported as M55 Beta blocker. Please try to resolve this before M55 branch on Oct 6th, 2016 so it has enough baking time in Dev.
Oct 4 2016
keishi: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 4 2016
A friendly reminder that M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
Oct 5 2016
Not V8. Is this still relevant though if it does not reproduce on ToT?
Oct 6 2016
Don't know what you mean by ToT, but check #c16, it's still reproducing on asan-win32-release-423439.zip
Oct 7 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5717805301497856
Oct 7 2016
**** Bulk edit - please ignore if not applicable **** This bug is reported as M55 Beta blocker and we're getting closer to M55 Beta promotion. Please plan to have fix ready and merged to M55 branch (2883) by 5:00 PM PT, Monday(10/10) so it has enough baking time in Dev before Beta promotion. Thank you.
Oct 11 2016
ToT stands for Top of Tree (used to refer to latest code in a CVS tree). As per c#22 it still looks reproducible.
Oct 13 2016
Oct 13 2016
The mention of 423439 in #21 suggests this still reproduces in M55. keishi@ - have you tried and failed to reproduce?
Oct 19 2016
Oct 20 2016
Yes, I am failing to reproduce, but I am still trying.
Oct 21 2016
Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Nov 1 2016
Hi 0in - we're still having problems reproducing using the sample in comment 16. Could you provide the version number, build type, and operating systems details you're using to reproduce?
Nov 2 2016
Hi. The above repro doesn't work, but I have a few repro variants; they're not cleaned of junk (today I don't have time). I've tested it on https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-429267.zip and it works. This bug is really wild; it still exists in different variants. OS: Microsoft Windows 7 Enterprise 64 6.1.7601 Service Pack 1 Kompilacja 7601
Nov 3 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5833091823435776
Nov 3 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6185687616585728
Nov 3 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4775564490833920
Nov 3 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833091823435776
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x0af21e18
Crash State:
blink::AdjustAndMarkTrait<blink::EventTarget,0>::mark<blink::InlinedGlobalMarkin
blink::Event::traceImpl<blink::InlinedGlobalMarkingVisitor>
blink::Event::trace
Recommended Security Severity: High
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94v3jMm1QdjMaS6UaUGNBF0ZyzKNAHJ2NjLyWkCt53hUZvtNsn1K4kgm2cHq7uhWwNkRapAFjunGGTWGnZrtVcadWsxNSSjn0OWCpHDcDlQqPZNIew3nKsoz2epctD2N1R7GjmRmAvEeUHwXVBEeOXY7sDlhZpuoHjFHbtdiYGAHVcKkyQ?testcase_id=5833091823435776
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 3 2016
Hi keishi@ - looks like one of the clusterfuzz runs was able to reproduce. Does this help you any?
Nov 4 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833091823435776
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x0af21e18
Crash State:
blink::AdjustAndMarkTrait<blink::EventTarget,0>::mark<blink::InlinedGlobalMarkin
blink::Event::traceImpl<blink::InlinedGlobalMarkingVisitor>
blink::Event::trace
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=429335:429430
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94v3jMm1QdjMaS6UaUGNBF0ZyzKNAHJ2NjLyWkCt53hUZvtNsn1K4kgm2cHq7uhWwNkRapAFjunGGTWGnZrtVcadWsxNSSjn0OWCpHDcDlQqPZNIew3nKsoz2epctD2N1R7GjmRmAvEeUHwXVBEeOXY7sDlhZpuoHjFHbtdiYGAHVcKkyQ?testcase_id=5833091823435776
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 4 2016
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 7 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also due to Thanksgiving holidays in US, please make sure all fixes are ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16.
Nov 8 2016
I have tried all the reported html files and binaries but I just cannot reproduce this issue locally (Win7 Enterprise SP1 64bit). Clusterfuzz can reproduce the issue but it is flaky so the regression/minimize tools aren't working. Without a local reproduction or minimization, the stack trace does not have enough information to identify the cause. Marking as WontFix until I get further information.
Nov 11 2016
Hi 0in - any suggestions in getting a more reliable reproduction?
Nov 11 2016
I also cannot reproduce the crash on builds without ASAN. I've tested the POC on 3 different desktops with an asan build last week and it works, so I have no idea what's the clue.
Nov 14 2016
Hi 0in, thanks for checking. Could you provide more details about your reproduction environment? The file you provided in comment #33 is named 29399.html, but references 29400.html and blast.jpg - perhaps we're missing some files?
Nov 14 2016
Nov 14 2016
It's not about blast.jpg or 29400.html, not even about HTTP; in the attachment you can find a screenshot with the systeminfo command, and the current 29399.html. It still crashes on the newest ASAN.
Nov 18 2016
Just given this another try and managed to repro with the details in #47. Note that one needs both --no-sandbox and --js-flags="--expose-gc". Mind taking another look keishi@?
Nov 18 2016
Nov 21 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch latest by November 25th, 5:00 PM PST in order to make it into the desktop Stable final build cut. Thank you!
Nov 22 2016
Per the comment in #33, it looks like the crash happens without any worker. It would mean that the per-thread heap is not related, right?
Nov 22 2016
No. I don't think it's per thread heap related so I'll start with a bisect today.
Nov 22 2016
This seems to be the regression range. In this range, r416984 looks suspicious so I am building to confirm.
https://chromium.googlesource.com/chromium/src/+log/caa9926b73d5c11bc5952e64862c065c127b5e30..9773f67d88c0f99b27cc5d2d386870322f692892?pretty=fuller
308051 good
399015 good
403412 good
404191 good
411340 good
411901 good
414352 good
414808 good
414882 bad
414936 bad
414942 bad
414962 bad
415006 bad
415023 bad
415049 bad
415582 good
415740 good
416526 good
416613 good caa9926b73d5c11bc5952e64862c065c127b5e30
417040 bad 9773f67d88c0f99b27cc5d2d386870322f692892
423736 bad
429061 bad
429430 bad
Nov 24 2016
I can't reproduce the crash on my local builds so I haven't been able to bisect it further. These are the args I am using. Is there something I can change to make it closer to the prebuilt binaries?
enable_nacl = false
is_debug = false
is_asan = false
is_clang = true
target_cpu = "x86"
Also is there some way to use asan_symbolize.py on prebuilt binaries?
Nov 25 2016
hi keishi@ - if you download the build from the clusterfuzz page you can see the args.gn that it used. Try:
is_asan = true
is_clang = true
is_component_build = false
is_debug = false
proprietary_codecs = true
target_cpu = "x86"
use_goma = true
v8_enable_verify_heap = true
Nov 28 2016
Thanks. I tried those settings but I still failed to reproduce. I tried a few more prebuilt binaries and it looks like the test is flaky based on build (but reliably reproduces on problematic builds).
308051 good
399015 good
403412 good
404191 good
411340 good
411901 good
414352 good
414808 good
414882 bad
414936 bad
414942 bad
414962 bad
415006 bad
415023 bad
415049 bad
415582 good
415740 good
416526 good
416613 good
417040 bad
417414 good
417794 bad
417856 bad
423736 bad
429061 bad
429267 bad
429319 bad
429385 bad
429430 bad
429521 bad
Nov 28 2016
Thanks keishi. Moving to M56 to continue the investigation there.
Dec 28 2016
ClusterFuzz testcase 5833091823435776 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 30 2017
Apr 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot