Security: Web Worker - Memory corruption in CrossThreadPersistentRegion::prepareForThreadStateTermination()
Reported by
loobeny...@gmail.com,
Nov 8 2016
Issue description

VULNERABILITY DETAILS

Steps to reproduce:
1. Run the server-side script MemCorrupt_prepareForThreadStateTermination_Repro.js in Node.js (node MemCorrupt_prepareForThreadStateTermination_Repro.js).
2. Enter http://localhost:12345 in the Chrome browser.
3. Chrome crashes in CrossThreadPersistentRegion::prepareForThreadStateTermination() by accessing arbitrary memory.

    (7b00.609c): Access violation - code c0000005 (!!! second chance !!!)
    eax=238580e0 ebx=238bd0ec ecx=00000003 edx=4bec1974 esi=23870280 edi=238bc900
    eip=1070aa87 esp=0863e928 ebp=0863e938 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+0x35:
    1070aa87 8b02            mov     eax,dword ptr [edx]  ds:002b:4bec1974=????????

VERSION

Chrome Version: Chromium 56.0.2913.0 (Developer Build) (32-bit) ( https://www.googleapis.com/download/storage/v1/b/chromium-browser-syzyasan/o/win32-release%2Fasan-win32-release-430376.zip?generation=1478569338231000&alt=media )
Operating System: Windows 10

REPRODUCTION CASE

(The following is the worker code; the full server code is in MemCorrupt_prepareForThreadStateTermination_Repro.js.)

    var workercode1 = 'var fileReader0 = new FileReader(); var xmlReq0 = new XMLHttpRequest();\n';
    workercode1 += 'xmlReq0.onreadystatechange = function (event) {\n';
    workercode1 += 'fileReader0.readAsText(new Blob(["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"], {type : "text/html"}));\n';
    workercode1 += 'close();\n';
    workercode1 += 'fileReader0.abort();\n';
    workercode1 += '}\n';
    workercode1 += 'xmlReq0.open("get", "NonExistingFile.js", true);\n';

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION

Type of crash: tab

Crash State:

Stack:

    (7b00.609c): Access violation - code c0000005 (!!! second chance !!!)
    eax=238580e0 ebx=238bd0ec ecx=00000003 edx=4bec1974 esi=23870280 edi=238bc900
    eip=1070aa87 esp=0863e928 ebp=0863e938 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+0x35:
    1070aa87 8b02            mov     eax,dword ptr [edx]  ds:002b:4bec1974=????????
    4:081> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    FAULTING_IP:
    chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+35 [c:\b\c\b\win_syzyasan_lkgr\src\third_party\webkit\source\platform\heap\persistentnode.cpp @ 161]
    1070aa87 8b02            mov     eax,dword ptr [edx]

    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 1070aa87 (chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+0x00000035)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 4bec1974
    Attempt to read from address 4bec1974

    FAULTING_THREAD:  0000609c

    DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

    PROCESS_NAME:  chrome.exe

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_PARAMETER1:  00000000

    EXCEPTION_PARAMETER2:  4bec1974

    READ_ADDRESS:  4bec1974

    FOLLOWUP_IP:
    chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+35 [c:\b\c\b\win_syzyasan_lkgr\src\third_party\webkit\source\platform\heap\persistentnode.cpp @ 161]
    1070aa87 8b02            mov     eax,dword ptr [edx]

    BUGCHECK_STR:  INVALID_POINTER_READ

    NTGLOBALFLAG:  400

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  chrome.exe

    ANALYSIS_VERSION: 10.0.10240.9 x86fre

    LAST_CONTROL_TRANSFER:  from 1070d546 to 1070aa87

    STACK_TEXT:
    0863e938 1070d546 00000003 075283f8 07463f80 chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+0x35
    0863e948 10707746 074ba1c8 23870280 07463f80 chrome_child!blink::ThreadState::runTerminationGC+0x39
    0863e968 1070bfaa 23870280 07533bc8 114facb5 chrome_child!blink::ThreadHeap::detach+0x21
    0863e974 114facb5 074ba1c8 07533bc8 0863ec50 chrome_child!blink::ThreadState::detachCurrentThread+0x10
    0863e994 114fc969 073f8610 00000000 0863ea04 chrome_child!blink::WorkerBackingThread::shutdown+0x3f
    0863e9a4 1083c028 0753fb38 00000000 1775339b chrome_child!blink::WorkerThread::performShutdownOnWorkerThread+0x2e
    0863ea04 10fa2dc5 123e7c40 12a183d3 0863ed58 chrome_child!base::debug::TaskAnnotator::RunTask+0x118
    0863ed4c 10fa23f1 07539d98 04e6ef00 123e9c50 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x3f6
    0863eebc 10fa19c5 00000000 00000000 00000000 chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x176
    0863eed0 10fa1a0b 10fa227b 00000000 07539b90 chrome_child!base::internal::FunctorTraits<void (__thiscall blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),void>::Invoke<base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>+0x22
    0863eeec 10fa1a27 07539b78 07539b90 07539b88 chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo<void (__thiscall blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &>+0x25
    0863ef04 10fa306c 07539b78 07539b80 07539b68 chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void __cdecl(void)>::RunImpl<void (__thiscall blink::scheduler::TaskQueueManager::*const &)(base::TimeTicks,bool),std::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool> const &,0,1,2>+0x17
    0863ef18 1083c028 07539b68 00000000 1775339b chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall blink::scheduler::TaskQueueManager::*)(base::TimeTicks,bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,base::TimeTicks,bool>,void __cdecl(void)>::Run+0x16
    0863ef78 1080c1ad 121f1f44 12a183d3 04e6ef00 chrome_child!base::debug::TaskAnnotator::RunTask+0x118
    0863fbdc 1080b6d6 0863fd04 07526dd0 04e6ef00 chrome_child!base::MessageLoop::RunTask+0x4cd
    0863fd4c 1083daed 00000000 04e6ef00 00000000 chrome_child!base::MessageLoop::DoWork+0x276
    0863fd80 1080bcce 04e6ef00 0863fe90 07402eb8 chrome_child!base::MessagePumpDefault::Run+0x13d
    0863fe48 108174e5 075254c9 17753397 00000000 chrome_child!base::MessageLoop::RunHandler+0x5e
    0863fe6c 108166c3 00000000 0863fec8 10816a6c chrome_child!base::RunLoop::Run+0x65
    0863fe78 10816a6c 0863fe90 740d1b90 07528218 chrome_child!base::Thread::Run+0x13
    0863fec8 107f0892 107f0810 107f0810 07528218 chrome_child!base::Thread::ThreadMain+0x12c
    0863fee4 740d38f4 000003a4 740d38d0 994b758e chrome_child!base::`anonymous namespace'::ThreadFunc+0x82
    0863fef8 77205de3 07528218 9a76b114 00000000 KERNEL32!BaseThreadInitThunk+0x24
    0863ff40 77205dae ffffffff 7722b7be 00000000 ntdll!__RtlUserThreadStart+0x2f
    0863ff50 00000000 107f0810 07528218 00000000 ntdll!_RtlUserThreadStart+0x1b

    FAULTING_SOURCE_LINE:  c:\b\c\b\win_syzyasan_lkgr\src\third_party\webkit\source\platform\heap\persistentnode.cpp

    FAULTING_SOURCE_FILE:  c:\b\c\b\win_syzyasan_lkgr\src\third_party\webkit\source\platform\heap\persistentnode.cpp

    FAULTING_SOURCE_LINE_NUMBER:  161

    FAULTING_SOURCE_CODE:
    No source found for 'c:\b\c\b\win_syzyasan_lkgr\src\third_party\webkit\source\platform\heap\persistentnode.cpp'

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+35

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: chrome_child

    IMAGE_NAME:  chrome_child.dll

    DEBUG_FLR_IMAGE_TIMESTAMP:  58212a1d

    STACK_COMMAND:  ~81s ; kb

    BUCKET_ID:  INVALID_POINTER_READ_chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+35

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_chrome_child!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination+35

    FAILURE_PROBLEM_CLASS:  INVALID_POINTER_READ

    FAILURE_EXCEPTION_CODE:  c0000005

    FAILURE_IMAGE_NAME:  chrome_child.dll

    FAILURE_FUNCTION_NAME:  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination

    FAILURE_SYMBOL_NAME:  chrome_child.dll!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination

    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_chrome_child.dll!blink::CrossThreadPersistentRegion::prepareForThreadStateTermination

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_chrome_child.dll!blink::crossthreadpersistentregion::prepareforthreadstatetermination

    FAILURE_ID_HASH:  {611e1e56-45c0-35be-cfd5-3180d92bd7b2}

    Followup: MachineOwner
    ---------
Nov 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5766565447598080

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7ed3f36e1a18
Crash State:
  blink::PersistentBase<blink::DummyGCBase,
  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
  blink::ThreadState::runTerminationGC

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424153:424757

Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97EKkL8kfLL_iK6bSNh6MVaVrHjtAKgON7Dr_21P3QaUd3qQUGReo_8sbYUFGa09iluR0BO2ZlDEsFkhvJXS_RyWm5Nv7iXdtjT92RLQN4YPJpu7KBVZZlZfN0hU9E_UxDAEvQmH8963YRGJ7ikNZGrWkK1cg?testcase_id=5766565447598080

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Nov 9 2016

Nov 10 2016
Hey keishi, I see you have modified PersistentNode.cpp recently - would you happen to be more familiar with what's going on here (or know someone who would be)? Thanks!
Nov 10 2016

Nov 10 2016

Nov 10 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 12 2016
ClusterFuzz has detected this issue as fixed in range 431617:431655.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5766565447598080

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7ed3f36e1a18
Crash State:
  blink::PersistentBase<blink::DummyGCBase,
  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
  blink::ThreadState::runTerminationGC

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424153:424757
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=431617:431655

Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97EKkL8kfLL_iK6bSNh6MVaVrHjtAKgON7Dr_21P3QaUd3qQUGReo_8sbYUFGa09iluR0BO2ZlDEsFkhvJXS_RyWm5Nv7iXdtjT92RLQN4YPJpu7KBVZZlZfN0hU9E_UxDAEvQmH8963YRGJ7ikNZGrWkK1cg?testcase_id=5766565447598080

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 12 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 12 2016

Nov 14 2016
Hi keishi, any idea what might have fixed this?
Nov 14 2016
Judging by the stack that shows CrossThreadPersistentRegion::prepareForThreadStateTermination in a WorkerThread, this was probably fixed with r429842 https://codereview.chromium.org/2471023004 .
Nov 14 2016
Regarding c#12, keishi@'s fix was in 56.0.2910.0 and the reporter's version was 56.0.2913.0, so this could be fixed by other changes or still exist in ToT.
Nov 14 2016
I'll check whether this is actually fixed. (Currently, there're some crash issues around worker thread shutdown and we, blink-worker team, are actively working on them. This stacktrace looks very similar to some of them.)
Nov 28 2016
nhiroki: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 1 2016
ClusterFuzz has detected this issue as fixed in range 431617:431655.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5766565447598080

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7ed3f36e1a18
Crash State:
  blink::PersistentBase<blink::DummyGCBase,
  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
  blink::ThreadState::runTerminationGC

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424153:424757
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=431617:431655

Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97EKkL8kfLL_iK6bSNh6MVaVrHjtAKgON7Dr_21P3QaUd3qQUGReo_8sbYUFGa09iluR0BO2ZlDEsFkhvJXS_RyWm5Nv7iXdtjT92RLQN4YPJpu7KBVZZlZfN0hU9E_UxDAEvQmH8963YRGJ7ikNZGrWkK1cg?testcase_id=5766565447598080

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 2 2016

Dec 7 2016
Is this fixed? Please close the bug if that's the case.
Dec 8 2016
Moving to ReleaseBlock-Stable so this still gets tracked in the milestone.
Dec 9 2016
Sorry for my delayed action. I'll take a closer look today (JST) and update this issue.
Dec 9 2016
Let me mark this as fixed because the fuzzer believes this was fixed and also I cannot reproduce this; I haven't identified a change that fixed this yet, though.
Dec 13 2016

Dec 13 2016

Dec 14 2016
Is there any reason to label it as "reward-NA"? The bug was confirmed by clusterfuzz and there is no duplicate.
Dec 14 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Dec 19 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 20 2016
According to comment 21: "I haven't identified a change that fixed this yet though." So there is nothing to merge.
Mar 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Nov 8 2016