Issue 666616 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Heap-use-after-free in printing::PrintWebViewHelper::RequestPrintPreview

Reported by ClusterFuzz (Project Member), Nov 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5765158006947840

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x61100001b419
Crash State:
  printing::PrintWebViewHelper::RequestPrintPreview
  printing::PrintWebViewHelper::ScriptedPrint
  content::RenderFrameImpl::ScriptedPrint
  
Recommended Security Severity: High

Regressed: V8: r41058:41075

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94YSihmr-pDnJ7JED_5Jl0NVFZRVB8sNhUDh1hiJlWC-TPqVhLKwnT5gZg_vlxeEEOFwmNbp5HA5vwajMKc7FriPuoPVqek3u8z3DZ-qs9vdhJ7LQs8fwpmLgTiRbd0sXaaje_0UPAY1EQgKo3pKFIOKK_Gfg?testcase_id=5765158006947840
<script>
try {
  __f_73();
} catch(e) { print(); }
</script>


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Nov 18 2016

Labels: M-56
Comment 2 by sheriffbot@chromium.org (Project Member), Nov 18 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 3 by sheriffbot@chromium.org (Project Member), Nov 18 2016

Labels: Pri-1
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)
thestig@, since you are listed in the printing OWNERS file, can you take a look at this or send it to someone who can? Thanks.
Components: UI>Browser>PrintPreview
This may be bug 666714?

Comment 7 by creis@chromium.org, Nov 22 2016

Cc: creis@chromium.org lfg@chromium.org

Comment 8 by lfg@chromium.org, Nov 22 2016

This is very easy to repro:

1) Call 'window.print()' from anywhere.
2) Type any cross-origin domain in the omnibox.
3) PrintWebViewHelper::RequestPrintPreview writes PrintWebViewHelper::is_scripted_preview_delayed_ after it is freed.

I'm guessing this wasn't a problem before because RenderViews have a much longer life time than RenderFrames. Now PrintWebViewHelper (which is really PrintWebFrameHelper) gets deleted much easier because RenderFrames go away quicker/earlier.

Without removing the nested message loop, can we move it out of PrintWebViewHelper and into either a static function or some other class like RenderThread? In addition, we need some RenderFrame lifetime tracking. Combined, when the nested message loop ends, we can check if the calling RenderFrame is still alive, and only reset |is_scripted_preview_delayed_| if that's the case.
And indeed very easy to repro. Needs more testing.
Status: Started (was: Assigned)
It turns out PrintWebViewHelper has a WeakPtr factory, and now we have: https://codereview.chromium.org/2522313003
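To make the mechanism described in the comments above concrete, here is an added example (my own illustration, not Chromium's code and not the diff at the codereview link): a PrintWebViewHelper stand-in that spins a nested message loop, a task posted during that loop that tears the frame and its helper down (the cross-origin navigation from the repro in comment 8), and the before/after versions of RequestPrintPreview. PrintHelper, NestedMessageLoop, HelperSlab and the WeakPtrFactory template are all assumptions of this example. HelperSlab poisons freed storage with 0xFD the way a debug heap or ASan's quarantine does, so the stale store is observable without a sanitizer; the vulnerable path deliberately performs that use-after-free.

```cpp
// Added example, not Chromium's code: the nested-loop lifetime bug behind this
// report and the WeakPtr check that fixed it. PrintHelper, NestedMessageLoop,
// HelperSlab and WeakPtrFactory are assumed stand-ins, not the real classes.
#include <algorithm>
#include <cstring>
#include <functional>
#include <memory>
#include <new>
#include <vector>
// Mimics base::WeakPtrFactory: all WeakPtrs share one slot holding the object
// pointer; the factory's destructor nulls it, so older WeakPtrs then test false.
template <typename T>
class WeakPtrFactory {
 public:
  class WeakPtr {
   public:
    explicit WeakPtr(std::shared_ptr<T*> slot) : slot_(std::move(slot)) {}
    explicit operator bool() const { return *slot_ != nullptr; }
   private: std::shared_ptr<T*> slot_;
  };
  explicit WeakPtrFactory(T* obj) : slot_(std::make_shared<T*>(obj)) {}
  ~WeakPtrFactory() { *slot_ = nullptr; }  // invalidates every outstanding WeakPtr
  WeakPtr GetWeakPtr() const { return WeakPtr(slot_); }
 private: std::shared_ptr<T*> slot_;
};

// Stand-in for the renderer's nested message loop: RequestPrintPreview spins it
// while waiting on the browser, and any task posted meanwhile (comment 8's
// cross-origin navigation, which tears down the RenderFrame and its helper)
// runs before the loop returns to its caller.
struct NestedMessageLoop {
  std::vector<std::function<void()>> tasks;
  void PostTask(std::function<void()> t) { tasks.push_back(std::move(t)); }
  void Run() {
    while (!tasks.empty()) {
      std::function<void()> t = std::move(tasks.front()); tasks.erase(tasks.begin());
      t();
    }
  }
};

enum class PreviewResult { kCompleted, kHelperDestroyedDuringLoop };
class PrintHelper {  // stand-in for printing::PrintWebViewHelper
 public:
  PrintHelper() : weak_factory_(this) {}
  // Before the fix: the store after Run() is the "heap-use-after-free WRITE 1"
  // of the report whenever the loop destroyed |this|.
  void RequestPrintPreviewVulnerable(NestedMessageLoop& loop) {
    is_scripted_preview_delayed_ = true;
    loop.Run();
    is_scripted_preview_delayed_ = false;  // dangling write if |this| is gone
  }
  // After the fix: take a WeakPtr first; touch members only if it still holds.
  PreviewResult RequestPrintPreviewFixed(NestedMessageLoop& loop) {
    WeakPtrFactory<PrintHelper>::WeakPtr weak_this = weak_factory_.GetWeakPtr();
    is_scripted_preview_delayed_ = true;
    loop.Run();
    if (!weak_this) return PreviewResult::kHelperDestroyedDuringLoop;
    is_scripted_preview_delayed_ = false;
    return PreviewResult::kCompleted;
  }
  bool is_scripted_preview_delayed() const { return is_scripted_preview_delayed_; }
 private:
  bool is_scripted_preview_delayed_ = false;
  WeakPtrFactory<PrintHelper> weak_factory_;  // last member, as in Chromium
};

// Free() runs the destructor and poisons the storage with 0xFD, as a debug heap
// or ASan's quarantine would, so a later dangling write shows as a changed byte.
struct HelperSlab {
  alignas(PrintHelper) unsigned char bytes[sizeof(PrintHelper)];
  PrintHelper* Alloc() { return new (bytes) PrintHelper(); }
  void Free(PrintHelper* h) { h->~PrintHelper(); std::memset(bytes, 0xFD, sizeof(bytes)); }
  bool FreedMemoryWasWritten() const {  // only meaningful after Free()
    return !std::all_of(bytes, bytes + sizeof(bytes), [](unsigned char b) { return b == 0xFD; });
  }
};

// Comment 8's repro: window.print() starts the scripted preview, and a navigation
// issued while the nested loop runs frees the helper before the loop returns.
bool VulnerableWritesFreedMemory() {
  HelperSlab slab;
  PrintHelper* helper = slab.Alloc();
  NestedMessageLoop loop;
  loop.PostTask([&] { slab.Free(helper); });  // the cross-origin navigation
  helper->RequestPrintPreviewVulnerable(loop);  // deliberate use-after-free
  return slab.FreedMemoryWasWritten();  // true: the stale store landed
}
struct Outcome { PreviewResult result; bool freed_memory_written; bool flag_still_set; };
// Same scenario on the fixed path; navigate_during_loop=false is the normal case.
Outcome RunFixed(bool navigate_during_loop) {
  HelperSlab slab;
  PrintHelper* helper = slab.Alloc();
  NestedMessageLoop loop;
  if (navigate_during_loop) loop.PostTask([&] { slab.Free(helper); });
  PreviewResult r = helper->RequestPrintPreviewFixed(loop);
  bool flag_set = false;
  if (!navigate_during_loop) { flag_set = helper->is_scripted_preview_delayed(); slab.Free(helper); }
  return {r, slab.FreedMemoryWasWritten(), flag_set};
}
```

With a navigation posted during the loop, RunFixed(true) returns kHelperDestroyedDuringLoop and the freed storage is untouched, while VulnerableWritesFreedMemory() returns true because the post-loop store landed in poisoned memory; RunFixed(false) shows the fixed path still clears the flag when nothing destroyed the helper. The factory is the last member on purpose: it is destroyed first, which is what turns every outstanding WeakPtr false before the rest of the object goes away.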
Comment 13 by ClusterFuzz (Project Member), Nov 29 2016

ClusterFuzz has detected this issue as fixed in range 41323:41324.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5765158006947840

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x61100001b419
Crash State:
  printing::PrintWebViewHelper::RequestPrintPreview
  printing::PrintWebViewHelper::ScriptedPrint
  content::RenderFrameImpl::ScriptedPrint
  
Recommended Security Severity: High

Regressed: V8: r41058:41075
Fixed: V8: r41323:41324

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94YSihmr-pDnJ7JED_5Jl0NVFZRVB8sNhUDh1hiJlWC-TPqVhLKwnT5gZg_vlxeEEOFwmNbp5HA5vwajMKc7FriPuoPVqek3u8z3DZ-qs9vdhJ7LQs8fwpmLgTiRbd0sXaaje_0UPAY1EQgKo3pKFIOKK_Gfg?testcase_id=5765158006947840
<script>
try {
  __f_73();
} catch(e) { print(); }
</script>


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 14 by ClusterFuzz (Project Member), Nov 29 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 15 by sheriffbot@chromium.org (Project Member), Nov 29 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-56
Status: Started (was: Verified)
This needs a M56 merge.

Comment 17 by dimu@chromium.org, Nov 30 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Comment 18 by bugdroid1@chromium.org (Project Member), Nov 30 2016

Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/26f89f0ea0aef159e490d099b30d258da2816ed8

commit 26f89f0ea0aef159e490d099b30d258da2816ed8
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Nov 30 11:21:03 2016

M56: Check for PrintWebViewHelper validity when running nested message loops.

BUG=666616

Review-Url: https://codereview.chromium.org/2522313003
Cr-Commit-Position: refs/heads/master@{#434734}
(cherry picked from commit d5c9ff3d4eb3de0945a0537288a4bee31c2ee4cf)

Review URL: https://codereview.chromium.org/2532323004 .

Cr-Commit-Position: refs/branch-heads/2924@{#185}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/26f89f0ea0aef159e490d099b30d258da2816ed8/components/printing/renderer/print_web_view_helper.cc
[modify] https://crrev.com/26f89f0ea0aef159e490d099b30d258da2816ed8/components/printing/renderer/print_web_view_helper.h

Status: Fixed (was: Started)
Labels: -ReleaseBlock-Beta -Hotlist-Merge-Approved
Comment 21 by sheriffbot@chromium.org (Project Member), Mar 8 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
