
Issue 674610


Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




heap-use-after-free After Closing chrome://plugins/ tab

Reported by 41.w4r...@gmail.com, Dec 15 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0

Steps to reproduce the problem:
1. Open chrome://plugins/ in tab
2. Disable/Enable Flash plugin
3. Open another tab
4. Close tab in which chrome://plugins/ is opened

What is the expected behavior?
Should not cause heap-use-after-free

What went wrong?
==1136==ERROR: AddressSanitizer: heap-use-after-free on address 0x0920ff44 at pc 0x12c28ed9 bp 0x00d7e65c sp 0x00d7e650
READ of size 4 at 0x0920ff44 thread T0
    #0 0x12c28ed8  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x133f8ed8)
    #1 0x18452950  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x18c22950)
    #2 0x1ce35d56  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d605d56)
    #3 0x16640d2a  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x16e10d2a)
    #4 0x14e33fbb  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15603fbb)
    #5 0x14e3412d  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1560412d)
    #6 0x14c20fcd  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x153f0fcd)
    #7 0x14c1e6ea  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x153ee6ea)
    #8 0x1c87bc6c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d04bc6c)
    #9 0x18d445f0  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x195145f0)
    #10 0x1c827e88  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1cff7e88)
    #11 0x14a721b7  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x152421b7)
    #12 0x14a73a4f  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15243a4f)
    #13 0x14a71d04  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15241d04)
    #14 0xf8311d7  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x100011d7)
    #15 0x6a5ab  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x40a5ab)
    #16 0x61b27  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x401b27)
    #17 0x4cca8c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x86ca8c)
    #18 0x77513389  (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
    #19 0x77af9901  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9901)
    #20 0x77af98d4  (C:\Windows\SysWOW64\ntdll.dll+0x7dea98d4)

0x0920ff44 is located 3396 bytes inside of 17648-byte region [0x0920f200,0x092136f0)
freed by thread T0 here:
    #0 0x4b0d78  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x850d78)
    #1 0x12c15cf5  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x133e5cf5)
    #2 0x1845526c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x18c2526c)
    #3 0x193ca6c5  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19b9a6c5)
    #4 0x193cadcf  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19b9adcf)
    #5 0x193c6dc3  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19b96dc3)
    #6 0x1925eeb3  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19a2eeb3)
    #7 0x1c87bc1a  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d04bc1a)
    #8 0x18d445f0  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x195145f0)
    #9 0x1c827e88  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1cff7e88)
    #10 0x14a721b7  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x152421b7)
    #11 0x14a73a4f  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15243a4f)
    #12 0x14a71d04  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15241d04)
    #13 0xf8311d7  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x100011d7)
    #14 0x6a5ab  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x40a5ab)
    #15 0x61b27  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x401b27)
    #16 0x4cca8c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x86ca8c)
    #17 0x77513389  (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
    #18 0x77af9901  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9901)
    #19 0x77af98d4  (C:\Windows\SysWOW64\ntdll.dll+0x7dea98d4)

previously allocated by thread T0 here:
    #0 0x4b0e5c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x850e5c)
    #1 0x1fd6f4d2  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x2053f4d2)
    #2 0x1180b105  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x11fdb105)
    #3 0x18454d5d  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x18c24d5d)
    #4 0x18454b3c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x18c24b3c)
    #5 0x193c9d8b  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19b99d8b)
    #6 0x193ca75a  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19b9a75a)
    #7 0x193c5a71  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19b95a71)
    #8 0x1925eba5  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x19a2eba5)
    #9 0x1c874d1e  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d044d1e)
    #10 0x1c870df0  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d040df0)
    #11 0x1c86fe8f  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d03fe8f)
    #12 0x1c86f213  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1d03f213)
    #13 0x1c827d2a  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x1cff7d2a)
    #14 0x14a721b7  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x152421b7)
    #15 0x14a73a4f  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15243a4f)
    #16 0x14a71d04  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x15241d04)
    #17 0xf8311d7  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x100011d7)
    #18 0x6a5ab  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x40a5ab)
    #19 0x61b27  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x401b27)
    #20 0x4cca8c  (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe+0x86ca8c)
    #21 0x77513389  (C:\Windows\syswow64\kernel32.dll+0x7dd73389)
    #22 0x77af9901  (C:\Windows\SysWOW64\ntdll.dll+0x7dea9901)
    #23 0x77af98d4  (C:\Windows\SysWOW64\ntdll.dll+0x7dea98d4)

SUMMARY: AddressSanitizer: heap-use-after-free (D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome_child.dll+0x133f8ed8)
Shadow bytes around the buggy address:
  0x31241f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31241fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31241fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31241fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31241fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x31241fe0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x31241ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31242000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31242010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31242020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x31242030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1136==ABORTING

Did this work before? N/A 

Chrome version:
Chromium: 57.0.2927.0 (Developer Build) (32-bit)
Revision: 02691189bd4100f6fb137625730deb528285e3a8-refs/heads/master@{#433514}
OS: Windows
JavaScript: V8 5.7.3
Flash: 22.0.0.209
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2927.0 Safari/537.36
Command Line: chrome.exe --no-sandbox --flag-switches-begin --flag-switches-end
Executable Path: D:\win32-release_asan-win32-release-433514\asan-win32-release-433514\chrome.exe
Profile Path: C:\Users\Die-Hard\AppData\Local\Chromium\User Data\Default
Variations: 90757ebb-3f4a17df b3888d8d-afba0f91 74785582-3f4a17df 241fff6c-ca7d8d80 1e528f0f-15305a2 2a33b90e-3f4a17df cdd7eadf-f5ae51c9 ba3f87da-a6404135 775ebbd7-3f4a17df 76b48ab8-a2567007 9d315c2-ca7d8d80 5274eb09-3f4a17df 8ca44045-3f4a17df 9773d3bd-3f4a17df 93731dca-3f4a17df 2e109477-e2e291f1 1d3ad72e-3f4a17df 9e243dd-3f4a17df 64cbdfc2-3f4a17df 6b121ae7-3f4a17df 5139837c-3f4a17df 7f8176d9-3f4a17df f79cb77b-3d47f4f4 b7786474-d93a0620 23a898eb-e0e2610f 7382e39a-3f4a17df 868bda90-3f4a17df 630a1b64-3f4a17df 4ea303a6-3f4a17df ce152c12-3f4a17df 3a007b7-3f4a17df 9736de91-3f4a17df dbffab5d-f51b51 64005e71-fb487281 3326cd71-3f4a17df b2612322-8a9180b2 ca314179-ea08a3f2 c5073fab-3f4a17df 867c4c68-3f4a17df 7fc902e8-3f4a17df d747916f-d747916f 477f6800-72c07fe0 6844d8aa-669a04e0 fe05be5f-4ad60575 828a5926-d8f52f32
Compiler: clang
Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Flash	22.0.0.209

This is probably not a security issue, but I still flagged it to be on the safe side.
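When triaging a report like the one above, the first thing worth doing is to check that the sanitizer's own numbers are consistent before reading any further: that the faulting address really lies the stated number of bytes inside the freed region, that the region bounds match the stated size, that the 4-byte read does not straddle the region end, and that the shadow byte ASan marks with `[..]` is the `fd` (freed heap) byte covering the faulting address. The following Python script is an added example, not part of this report or of Chromium's tooling; it parses a trimmed, constructed excerpt of the ASan output above (build paths shortened) and performs those cross-checks. The shadow offset `0x30000000` is an assumption for the 32-bit Windows ASan runtime that produced this report (shadow address = (address >> 3) + offset); other platforms use different offsets.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the issue above,
# with the long build paths trimmed so the sample stays short.
SAMPLE_REPORT = """\
==1136==ERROR: AddressSanitizer: heap-use-after-free on address 0x0920ff44 at pc 0x12c28ed9 bp 0x00d7e65c sp 0x00d7e650
READ of size 4 at 0x0920ff44 thread T0
    #0 0x12c28ed8  (chrome_child.dll+0x133f8ed8)
0x0920ff44 is located 3396 bytes inside of 17648-byte region [0x0920f200,0x092136f0)
freed by thread T0 here:
    #0 0x4b0d78  (chrome.exe+0x850d78)
previously allocated by thread T0 here:
    #0 0x4b0e5c  (chrome.exe+0x850e5c)
SUMMARY: AddressSanitizer: heap-use-after-free (chrome_child.dll+0x133f8ed8)
Shadow bytes around the buggy address:
  0x31241fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x31241fe0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x31241ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
==1136==ABORTING
"""

# Shadow byte legend as ASan prints it (one shadow byte covers 8 application bytes).
SHADOW_LEGEND = {
    "00": "Addressable", "fa": "Heap left redzone", "fd": "Freed heap region",
    "f1": "Stack left redzone", "f2": "Stack mid redzone", "f3": "Stack right redzone",
    "f5": "Stack after return", "f8": "Stack use after scope", "f9": "Global redzone",
    "f6": "Global init order", "f7": "Poisoned by user", "fc": "Container overflow",
    "ac": "Array cookie", "bb": "Intra object redzone", "fe": "ASan internal",
    "ca": "Left alloca redzone", "cb": "Right alloca redzone",
}
for _n in range(1, 8):
    SHADOW_LEGEND["%02x" % _n] = "Partially addressable (%d bytes)" % _n

# Assumption: shadow offset of the 32-bit Windows ASan runtime used for this build.
WIN32_SHADOW_OFFSET = 0x30000000

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+ thread (?P<thread>T\d+)", re.M)
REGION_RE = re.compile(r"is located (?P<offset>\d+) bytes inside of (?P<rsize>\d+)-byte region "
                       r"\[0x(?P<start>[0-9a-fA-F]+),0x(?P<end>[0-9a-fA-F]+)\)")
SHADOW_RE = re.compile(r"^=>0x(?P<saddr>[0-9a-fA-F]+):(?P<bytes>.*)$", re.M)


def parse_asan_report(text):
    """Extract the facts a triager needs from an ASan heap-use-after-free report."""
    head, access = HEADER_RE.search(text), ACCESS_RE.search(text)
    region, shadow = REGION_RE.search(text), SHADOW_RE.search(text)
    if not (head and access and region and shadow):
        raise ValueError("not a complete ASan heap report")
    # The marked byte is printed as "fd[fd]fd" with no spaces; pad the brackets before splitting.
    cells = shadow.group("bytes").replace("[", " [").replace("]", "] ").split()
    marked = next(i for i, c in enumerate(cells) if c.startswith("["))
    return {
        "kind": head.group("kind"),
        "addr": int(head.group("addr"), 16),
        "op": access.group("op"),
        "size": int(access.group("size")),
        "thread": access.group("thread"),
        "offset": int(region.group("offset")),
        "region_size": int(region.group("rsize")),
        "start": int(region.group("start"), 16),
        "end": int(region.group("end"), 16),
        "shadow_row": int(shadow.group("saddr"), 16),
        "shadow_index": marked,
        "shadow_byte": cells[marked].strip("[]"),
    }


def shadow_meaning(byte_hex):
    """Translate a shadow byte into the legend's description."""
    return SHADOW_LEGEND.get(byte_hex.lower(), "unknown")


def check_report(r, shadow_offset=WIN32_SHADOW_OFFSET):
    """Cross-check the report's own numbers; an empty list means it is internally consistent."""
    findings = []
    if r["addr"] - r["start"] != r["offset"]:
        findings.append("stated offset does not equal address - region start")
    if r["end"] - r["start"] != r["region_size"]:
        findings.append("stated region size does not match [start,end)")
    if not (r["start"] <= r["addr"] and r["addr"] + r["size"] <= r["end"]):
        findings.append("access straddles or lies outside the region")
    if r["kind"] == "heap-use-after-free" and r["shadow_byte"] != "fd":
        findings.append("shadow byte is %s (%s), not fd" % (r["shadow_byte"], shadow_meaning(r["shadow_byte"])))
    if (r["addr"] >> 3) + shadow_offset != r["shadow_row"] + r["shadow_index"]:
        findings.append("marked shadow byte does not map to the faulting address")
    return findings


def summarize(r):
    """One-line triage summary of the access."""
    return "%s %s of %d bytes at 0x%08x on %s: %d bytes into a %d-byte region (%s)" % (
        r["kind"], r["op"], r["size"], r["addr"], r["thread"],
        r["offset"], r["region_size"], shadow_meaning(r["shadow_byte"]))


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(summarize(report))
    print("findings:", check_report(report) or "none")
```

For this report every check passes: 0x0920ff44 - 0x0920f200 is 3396, the region is 17648 bytes, the read ends well inside it, and (0x0920ff44 >> 3) + 0x30000000 = 0x31241fe8 is exactly the ninth byte of the `=>` row, which ASan bracketed as `[fd]`. A report whose numbers do not agree in this way is usually a sign of a truncated or hand-edited paste and is worth asking the reporter about before spending time on the stack.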
 
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Stability-Crash OS-Linux OS-Mac Type-Bug
Status: Untriaged (was: Unconfirmed)
Not something we'd usually consider a security issue due to the specific user interaction required on a chrome:// page, but I am able to reproduce this.

Flipping some labels around to get it out of the security queue, but thanks for the report and repro steps regardless!

Comment 2 by ajha@chromium.org, Feb 22 2017

Cc: ajha@chromium.org
Components: Internals>Plugins>Flash
Labels: Needs-Feedback
@reporter: Could you please confirm whether this is still seen on the latest stable (56.0.2924.87)? As per the above update this looks to be Chromium specific; also, please let us know how you are enabling Flash in Chromium.

Comment 3 by 41.w4r...@gmail.com, Feb 22 2017

Stable (56.0.2924.87) is not crashing anymore. Thanks.

Comment 4 by ajha@chromium.org, Feb 22 2017

Labels: -Needs-Feedback
Status: WontFix (was: Untriaged)
Thanks for the quick update. Closing the issue as per C#3.
