Issue 646350

Issue metadata

Status: Verified
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security

Heap-use-after-free in ash::WmWindowAura::StackChildAbove

Project Member Reported by ClusterFuzz, Sep 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5327848770633728

Fuzzer: noel-image-flip
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000306de0
Crash State:
  ash::WmWindowAura::StackChildAbove
  ash::WindowSelectorItem::RoundedContainerView::AnimationEnded
  gfx::LinearAnimation::Step
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=417948:418041

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97LhNllXUIpT4Eb85lZqqKHaBUphSeIFGuofxHreYOGjiucbYI9Vbt5P8XlWUcXZoFN-MtrW9QWg0dwz0-9Tl3t2oy_cph3TCu70EuWg7y5CZa6-6Y0mZZxwFMols06ol-jgFybRZcbJWMksbn5YzAUJ3KD5g?testcase_id=5327848770633728

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: thestig@chromium.org sadrul@chromium.org
Components: UI>Aura
Labels: Pri-1
Owner: shuchen@chromium.org
Status: Assigned (was: Untriaged)
Hello Shu, Sadrul, Lei,

I've added you all to this use-after-free security ticket, as you've handled similar Aura bugs this year.

Could one of you please take ownership of this (currently high severity) ticket? Or pass ownership to someone who can get a fix in soon?

Thank you very much!


Comment 2 by sadrul@chromium.org, Sep 13 2016

Cc: varkha@chromium.org shuchen@chromium.org
Owner: est...@chromium.org
--> estade@, /cc+ varkha@

Looks like RoundedContainerView::|item_window_| has been destroyed, but RoundedContainerView didn't get the memo. A quick workaround would be to install a WmWindowObserver from RoundedContainerView for |item_window_| to track its destruction. Not sure if that is the right fix though.

Comment 3 by est...@chromium.org, Sep 14 2016

Cc: -varkha@chromium.org est...@chromium.org
Owner: varkha@chromium.org
overview is varkha

Comment 4 by varkha@chromium.org, Sep 14 2016

Components: -UI>Aura UI>Shell>OverviewMode
Labels: -OS-Linux M-55 OS-Chrome
Status: Started (was: Assigned)
I think a simpler fix would be to simply reset item_window_ in the RoundedContainerView here - https://cs.chromium.org/chromium/src/ash/common/wm/overview/window_selector_item.cc?sq=package:chromium&type=cs&rcl=1473794312&l=600 since we already observe the window being destroyed and the RoundedContainerView lifetime is either not shorter than the WindowSelectorItem or the WindowSelectorItem is aware that the RoundedContainerView has been reset (so it is safe to notify it in case it is still around).
Cc: -thestig@chromium.org
All these class names don't sound that familiar to me -> ducking out of this one.

Comment 6 by sheriffbot@chromium.org, Sep 14 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by varkha@chromium.org, Sep 15 2016

Labels: Proj-MaterialDesign-CrOS
Draft fix at https://codereview.chromium.org/2337383003/.

Comment 8 by bugdroid1@chromium.org, Sep 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/81e77929734c8d7d02e9c8dfb2673667b055accb

commit 81e77929734c8d7d02e9c8dfb2673667b055accb
Author: varkha <varkha@chromium.org>
Date: Thu Sep 15 04:27:27 2016

[ash-md] Corrects a crash when a window is closed after leaving overview

Exiting overview mode may leave overview header widget still animating.
It is important not to attempt any window manipulation such as
re-stacking when the animation completes because the affected windows
may be gone by then.

BUG=646350
TEST=WindowSelectorTest.SafeToDestroyWindowDuringAnimation

Review-Url: https://codereview.chromium.org/2337383003
Cr-Commit-Position: refs/heads/master@{#418780}

[modify] https://crrev.com/81e77929734c8d7d02e9c8dfb2673667b055accb/ash/common/wm/overview/window_selector_item.cc
[modify] https://crrev.com/81e77929734c8d7d02e9c8dfb2673667b055accb/ash/common/wm/overview/window_selector_item.h
[modify] https://crrev.com/81e77929734c8d7d02e9c8dfb2673667b055accb/ash/wm/overview/window_selector_unittest.cc
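The lifetime pattern behind this report and the fix the thread converges on (Comment 2, Comment 4 and the commit message), as an added C++ model that is not Chromium's code: a container holds a raw pointer to a window and re-stacks it when an animation completes, but the window can be destroyed first. The `Window`, `WindowObserver` and `RoundedContainer` types here are hypothetical stand-ins for the ash classes; the container resets `item_window_` when notified of the window's destruction and checks it before touching the window.

```cpp
// Added model (not Chromium code) of the dangling-pointer bug and its fix:
// observe the window's destruction, reset item_window_, check before use.
#include <algorithm>
#include <memory>
#include <vector>

struct Window;
struct WindowObserver {  // hypothetical, modelled on the WmWindowObserver idea
  virtual ~WindowObserver() = default;
  virtual void OnWindowDestroying(Window* w) = 0;
};

struct Window {
  int stack_position = 0;
  std::vector<WindowObserver*> observers;
  ~Window() { for (auto* o : observers) o->OnWindowDestroying(this); }
  void StackChildAbove() { ++stack_position; }  // stand-in for re-stacking
};

class RoundedContainer : public WindowObserver {
 public:
  explicit RoundedContainer(Window* w) : item_window_(w) { w->observers.push_back(this); }
  ~RoundedContainer() override {  // unregister so the window never notifies a dead observer
    if (!item_window_) return;
    auto& obs = item_window_->observers;
    obs.erase(std::remove(obs.begin(), obs.end(), this), obs.end());
  }
  void OnWindowDestroying(Window* w) override {
    if (w == item_window_) item_window_ = nullptr;  // the "reset item_window_" fix
  }
  bool AnimationEnded() {  // may run after overview mode has already been left
    if (!item_window_) return false;  // window already gone: skip re-stacking
    item_window_->StackChildAbove();
    return true;
  }
 private:
  Window* item_window_;
};

// Scenario from the report: the window is closed while the animation is still running.
bool WindowDestroyedBeforeAnimationEnd() {
  auto window = std::make_unique<Window>();
  RoundedContainer container(window.get());
  window.reset();                     // destroys the window mid-animation
  return container.AnimationEnded();  // false: freed memory is never touched
}
bool AnimationEndsWhileWindowAlive() {
  Window window;
  RoundedContainer container(&window);
  return container.AnimationEnded() && window.stack_position == 1;
}
```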

Comment 9 by varkha@chromium.org, Sep 15 2016

Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org, Sep 15 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 by ClusterFuzz, Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 418766:418789.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5327848770633728

Fuzzer: noel-image-flip
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000306de0
Crash State:
  ash::WmWindowAura::StackChildAbove
  ash::WindowSelectorItem::RoundedContainerView::AnimationEnded
  gfx::LinearAnimation::Step
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=417948:418041
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=418766:418789

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94HuaSlPVrHjxvaL73GA7FQmUaHHntd3IygAgbdcx4HA_0YFeiXu3ZncoTj7mK1baeP9XsZibfH_ayDgncBjYFU9u3ylvJ5T_sRYhTVNXl6q0bhblk7YLfggbZAayIW5u13_UoI2LXz7-UueFfKcCNRB8fZyA?testcase_id=5327848770633728


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -ReleaseBlock-Beta

Comment 13 by sheriffbot@chromium.org, Dec 22 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Verified (was: Fixed)