Heap-use-after-free in ash::WmWindowAura::StackChildAbove
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5327848770633728

Fuzzer: noel-image-flip
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000306de0
Crash State:
  ash::WmWindowAura::StackChildAbove
  ash::WindowSelectorItem::RoundedContainerView::AnimationEnded
  gfx::LinearAnimation::Step

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=417948:418041

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97LhNllXUIpT4Eb85lZqqKHaBUphSeIFGuofxHreYOGjiucbYI9Vbt5P8XlWUcXZoFN-MtrW9QWg0dwz0-9Tl3t2oy_cph3TCu70EuWg7y5CZa6-6Y0mZZxwFMols06ol-jgFybRZcbJWMksbn5YzAUJ3KD5g?testcase_id=5327848770633728

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 13 2016
--> estade@, /cc+ varkha@ Looks like RoundedContainerView::|item_window_| has been destroyed, but RoundedContainerView didn't get the memo. A quick workaround would be to install a WmWindowObserver from RoundedContainerView for |item_window_| to track its destruction. Not sure if that is the right fix though.
Sep 14 2016
overview is varkha
Sep 14 2016
I think a simpler fix would be to simply reset item_window_ in the RoundedContainerView here - https://cs.chromium.org/chromium/src/ash/common/wm/overview/window_selector_item.cc?sq=package:chromium&type=cs&rcl=1473794312&l=600 since we already observe the window being destroyed and the RoundedContainerView lifetime is either not shorter than the WindowSelectorItem or the WindowSelectorItem is aware that the RoundedContainerView has been reset (so it is safe to notify it in case it is still around).
Sep 14 2016
All these class names don't sound that familiar to me -> ducking out of this one.
Sep 14 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/81e77929734c8d7d02e9c8dfb2673667b055accb

commit 81e77929734c8d7d02e9c8dfb2673667b055accb
Author: varkha <varkha@chromium.org>
Date: Thu Sep 15 04:27:27 2016

[ash-md] Corrects a crash when a window is closed after leaving overview

Exiting overview mode may leave overview header widget still animating. It is important not to attempt any window manipulation such as re-stacking when the animation completes because the affected windows may be gone by then.

BUG=646350
TEST=WindowSelectorTest.SafeToDestroyWindowDuringAnimation

Review-Url: https://codereview.chromium.org/2337383003
Cr-Commit-Position: refs/heads/master@{#418780}

[modify] https://crrev.com/81e77929734c8d7d02e9c8dfb2673667b055accb/ash/common/wm/overview/window_selector_item.cc
[modify] https://crrev.com/81e77929734c8d7d02e9c8dfb2673667b055accb/ash/common/wm/overview/window_selector_item.h
[modify] https://crrev.com/81e77929734c8d7d02e9c8dfb2673667b055accb/ash/wm/overview/window_selector_unittest.cc
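The lifetime problem the commit message describes, as an added example that is not Chromium's code and not the landed change: a minimal C++ model in which an animation delegate keeps a raw pointer to a window that can be destroyed before AnimationEnded fires. The names Window, WindowObserver, HeaderView, Outcome, RunScenario and RunHappyPath are assumptions standing in for ash::WmWindow, ash::WmWindowObserver, RoundedContainerView and the fuzzer's event sequence. The fix modelled is the observer-based one suggested in comments #1 and #3 (clear the pointer in OnWindowDestroying), and a live-window registry stands in for ASan so that the dangling path is reported as a value rather than dereferenced.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Constructed model of the report's lifetime bug; not Chromium code.
// Window/WindowObserver/HeaderView stand in for WmWindow/WmWindowObserver/
// RoundedContainerView (assumed names).
class Window;

class WindowObserver {
 public:
  virtual ~WindowObserver() = default;
  virtual void OnWindowDestroying(Window* window) = 0;
};

// Registry of live windows: lets the model recognise a dangling pointer by
// value instead of dereferencing freed memory the way the real bug did.
static std::set<const Window*>& LiveWindows() {
  static std::set<const Window*> live;
  return live;
}

class Window {
 public:
  explicit Window(Window* parent) : parent_(parent) {
    LiveWindows().insert(this);
    if (parent_) parent_->children_.push_back(this);
  }
  ~Window() {
    // Observers are told first, as WmWindowObserver::OnWindowDestroying is.
    for (WindowObserver* o : std::vector<WindowObserver*>(observers_))
      o->OnWindowDestroying(this);
    if (parent_) {
      auto& c = parent_->children_;
      c.erase(std::find(c.begin(), c.end(), this));
    }
    LiveWindows().erase(this);
  }
  void AddObserver(WindowObserver* o) { observers_.push_back(o); }
  void RemoveObserver(WindowObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  Window* parent() const { return parent_; }
  const std::vector<Window*>& children() const { return children_; }
  // Stand-in for WmWindow::StackChildAbove; children_.back() is topmost.
  void StackChildAbove(Window* child, Window* target) {
    children_.erase(std::find(children_.begin(), children_.end(), child));
    auto it = std::find(children_.begin(), children_.end(), target);
    children_.insert(it == children_.end() ? it : it + 1, child);
  }

 private:
  Window* parent_;
  std::vector<Window*> children_;
  std::vector<WindowObserver*> observers_;
};

enum class Outcome { kRestacked, kSkippedWindowGone, kDanglingAccess };

// Models RoundedContainerView: owns the header widget's window and keeps a
// raw pointer to the item's window for the re-stack done in AnimationEnded.
class HeaderView : public WindowObserver {
 public:
  HeaderView(Window* item_window, bool observe_destruction)
      : item_window_(item_window),
        widget_window_(item_window->parent()),
        observe_(observe_destruction) {
    if (observe_) item_window_->AddObserver(this);
  }
  ~HeaderView() override {
    if (observe_ && item_window_) item_window_->RemoveObserver(this);
  }
  Window* widget() { return &widget_window_; }

  // AnimationDelegate-style callback reached from LinearAnimation::Step.
  Outcome AnimationEnded() {
    if (!item_window_) return Outcome::kSkippedWindowGone;  // fixed path
    if (!LiveWindows().count(item_window_))
      return Outcome::kDanglingAccess;  // the UAF read ASan reported
    item_window_->parent()->StackChildAbove(&widget_window_, item_window_);
    return Outcome::kRestacked;
  }

  // Observer fix from comments #1/#3: drop the pointer when the window dies.
  void OnWindowDestroying(Window* window) override {
    if (window == item_window_) item_window_ = nullptr;
  }

 private:
  Window* item_window_;
  Window widget_window_;
  bool observe_;
};

// Report's sequence: the item's window is closed while the header animation
// is still running, then the animation completes.
Outcome RunScenario(bool with_fix) {
  Window desktop(nullptr);
  auto item = std::make_unique<Window>(&desktop);
  HeaderView header(item.get(), with_fix);
  item.reset();  // destroyed mid-animation
  return header.AnimationEnded();
}

// Control case: window still alive, so the widget must be re-stacked to sit
// directly above the item window: [item, other, widget] -> [item, widget, other].
bool RunHappyPath() {
  Window desktop(nullptr);
  Window item(&desktop);
  Window other(&desktop);
  HeaderView header(&item, true);
  Outcome o = header.AnimationEnded();
  const auto& c = desktop.children();
  return o == Outcome::kRestacked && c.size() == 3 &&
         c[1] == header.widget() && c[2] == &other;
}

int main() {
  std::printf("unfixed dangling: %d  fixed skipped: %d  happy: %d\n",
              RunScenario(false) == Outcome::kDanglingAccess,
              RunScenario(true) == Outcome::kSkippedWindowGone, RunHappyPath());
  return 0;
}
```

Build with -std=c++14 or later. Removing the LiveWindows() guard in AnimationEnded and building with -fsanitize=address turns the unfixed scenario into a real heap-use-after-free read in AnimationEnded, which is the shape of the fuzzer's finding: the delegate outlives the window it intends to re-stack against.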
Sep 15 2016
ClusterFuzz has detected this issue as fixed in range 418766:418789.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5327848770633728

Fuzzer: noel-image-flip
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000306de0
Crash State:
  ash::WmWindowAura::StackChildAbove
  ash::WindowSelectorItem::RoundedContainerView::AnimationEnded
  gfx::LinearAnimation::Step

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=417948:418041
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=418766:418789

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94HuaSlPVrHjxvaL73GA7FQmUaHHntd3IygAgbdcx4HA_0YFeiXu3ZncoTj7mK1baeP9XsZibfH_ayDgncBjYFU9u3ylvJ5T_sRYhTVNXl6q0bhblk7YLfggbZAayIW5u13_UoI2LXz7-UueFfKcCNRB8fZyA?testcase_id=5327848770633728

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by penny...@chromium.org, Sep 13 2016
Components: UI>Aura
Labels: Pri-1
Owner: shuchen@chromium.org
Status: Assigned (was: Untriaged)