Issue 682219
Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 0
Type: Bug-Security

Heap-use-after-free in base::WaitableEvent::TimedWaitUntil

Reported by ClusterFuzz (Project Member), Jan 18 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5240258263515136

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x617000009cf8
Crash State:
  base::WaitableEvent::TimedWaitUntil
  base::WaitableEvent::Wait
  ChromeHistoryBackendClient::GetBookmarks
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95LM5yINjrWtAk9_CY77WEltgzcbooMv5LZYq-LcJTGEGoOEeUIpa9DUcHqejMGZn8aX27Z3nQeWtMg085n85ZzUX_Nol8FNwcUVo4hkHLVr5OhqGTo8PDNQYjIa9hb-ByyfuSft0ik631hJWY2VW_5cmkui3NYjeg-kNx-HuPp1fOF0n5eDB40liex4j8Nc6lobplGmD-Tqh9geIW-F-tNkqHUyGJxibFOB75wFwdHrD6wLIvGSw4iQVon276YHCX_ClcCGYdROyORGLGPgsy3VZ6FHjaCcpP1CL4pj8B7cUQe6ySGvBS7K90TJGf62cVmGmm0gTLf7MMsOVBMAU0LUx2ml-IbkByUa9kmjolWFYa97Vw?testcase_id=5240258263515136


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Jan 18 2017

Labels: M-55

Comment 2 by sheriffbot@chromium.org (Project Member), Jan 18 2017

Labels: Pri-0

Comment 3 by palmer@chromium.org, Jan 18 2017

Cc: gab@chromium.org
Components: Internals>Core
Owner: stanisc@chromium.org
This might affect all POSIX, not just Linux?

Comment 4 by palmer@chromium.org, Jan 18 2017

Status: Assigned (was: Untriaged)
I am traveling and won't be able to take a good look at this until Monday.
I doubt it is related to my change because on the POSIX side it was just a slight refactoring that didn't touch any core logic:
https://codereview.chromium.org/2433773005/diff/160001/base/synchronization/waitable_event_posix.cc

Cc: sky@chromium.org
sky@, is it possible for the bookmark model to be destroyed while the history backend is blocked waiting in BookmarkModel::BlockTillLoaded()?

Components: -Internals>Core UI>Browser>History UI>Browser>Bookmarks
I think the actual issue is in BookmarkModel or HistoryBackend, or ChromeHistoryBackendClient. This looks like a race condition where on the main thread the entire profile, including the bookmark model, gets destroyed and on another thread HistoryBackend runs the history::HistoryBackend::ExpireHistoryBetween task, which blocks while it is trying to get the bookmark model loaded. Basically the main thread deletes a WaitableEvent instance while the background thread is waiting on that instance.

I don't know who should own this. Any suggestions? 

Comment 8 by sky@chromium.org, Jan 19 2017

Owner: sky@chromium.org

Comment 9 by gab@chromium.org, Jan 20 2017

Components: Internals>TaskScheduler

Comment 10 by bugdroid1@chromium.org (Project Member), Jan 20 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8f3596ad8588a28907ccfca0f9c9af984e3c5681

commit 8f3596ad8588a28907ccfca0f9c9af984e3c5681
Author: gab <gab@chromium.org>
Date: Fri Jan 20 01:56:12 2017

Revert of Enable BrowserScheduler.RedirectHistoryService experiment on trunk. (patchset #7 id:140001 of https://codereview.chromium.org/2592813002/ )

Reason for revert:
Suspected culprit  http://crbug.com/680698  and  http://crbug.com/682219  per HistoryService tasks no longer being guaranteed to be flushed in ~HistoryService -- which BookmarksModel depends on.

Original issue's description:
> Enable BrowserScheduler.RedirectHistoryService experiment on trunk.
>
> BUG=661143
> Committed: https://crrev.com/4aa30591e0953da7e0c54ffdb91856e496d16b5f
> Cr-Commit-Position: refs/heads/master@{#440418}
>
> Reverted: https://crrev.com/2885403f92c9ab0a8769c2c41e859502da5a7e6f
> Cr-Commit-Position: refs/heads/master@{#440479}
> Cause of revert fixed in https://codereview.chromium.org/2611053003/.
>
> Review-Url: https://codereview.chromium.org/2592813002
> Cr-Commit-Position: refs/heads/master@{#441997}
> Committed: https://chromium.googlesource.com/chromium/src/+/344517411399fc467e5a6938e4793650729b3506

TBR=rkaplow@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=661143, 680698 , 682219 

Review-Url: https://codereview.chromium.org/2642253002
Cr-Commit-Position: refs/heads/master@{#444942}

[modify] https://crrev.com/8f3596ad8588a28907ccfca0f9c9af984e3c5681/testing/variations/fieldtrial_testing_config.json

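The race stanisc describes a few comments up (the main thread tearing down the profile and deleting a WaitableEvent that the history backend thread is still blocked on) and the flush guarantee this revert restores, played out in a self-contained C++ example added here. It is not Chromium's code: its classes are stand-ins, not the real base::WaitableEvent, HistoryBackend or BookmarkModel, and the names WaitableEvent, BackgroundThread, BookmarkModel, BlockTillLoaded, FlushForTesting, TeardownReport and RunTeardown are this example's own, modelled on the names in the report. The stand-in event counts parked waiters so its destructor can flag exactly the misuse ASan reported, and the teardown follows the safe order: wake the task, flush the backend thread, then destroy the model.

```cpp
#include <atomic>
#include <cassert>
#include <condition_variable>
#include <functional>
#include <memory>
#include <mutex>
#include <queue>
#include <thread>

// Stand-in for base::WaitableEvent (written for this example, not Chromium's class) that also
// counts parked waiters so its destructor can catch the misuse in the report.
class WaitableEvent {
 public:
  ~WaitableEvent() { assert(waiters_.load() == 0 && "destroyed while a thread is in Wait()"); }
  void Signal() {
    { std::lock_guard<std::mutex> lock(mutex_); signaled_ = true; }
    cv_.notify_all();
  }
  void Wait() {
    std::unique_lock<std::mutex> lock(mutex_);
    ++waiters_;
    cv_.wait(lock, [this] { return signaled_; });
    --waiters_;  // still touching this object after waking: it must outlive the waiter
  }
  int WaitersForTesting() const { return waiters_.load(); }

 private:
  std::mutex mutex_;
  std::condition_variable cv_;
  bool signaled_ = false;
  std::atomic<int> waiters_{0};
};

// One worker thread running posted closures in FIFO order (the history backend thread's role).
// FlushForTesting() is the "tasks finish before teardown" guarantee the revert restored.
class BackgroundThread {
 public:
  BackgroundThread() : worker_([this] { RunLoop(); }) {}
  ~BackgroundThread() { PostTask(nullptr); worker_.join(); }  // nullptr is the quit sentinel
  void PostTask(std::function<void()> task) {
    { std::lock_guard<std::mutex> lock(mutex_); if (task) ++pending_; queue_.push(std::move(task)); }
    cv_.notify_all();
  }
  void FlushForTesting() {  // blocks until every task posted before this call has finished
    std::unique_lock<std::mutex> lock(mutex_);
    cv_.wait(lock, [this] { return pending_ == 0; });
  }

 private:
  void RunLoop() {
    for (;;) {
      std::function<void()> task;
      {
        std::unique_lock<std::mutex> lock(mutex_);
        cv_.wait(lock, [this] { return !queue_.empty(); });
        task = std::move(queue_.front());
        queue_.pop();
      }
      if (!task) return;
      task();  // run unlocked so the task may block (on a WaitableEvent, say)
      { std::lock_guard<std::mutex> lock(mutex_); --pending_; }
      cv_.notify_all();
    }
  }
  std::mutex mutex_;
  std::condition_variable cv_;
  std::queue<std::function<void()>> queue_;
  int pending_ = 0;
  std::thread worker_;  // declared last so the loop starts after the other members exist
};

struct BookmarkModel {  // owner of the event the backend task blocks on
  WaitableEvent loaded;
  void BlockTillLoaded() { loaded.Wait(); }
};

struct TeardownReport {
  int waiters_at_unsafe_point;  // what ~WaitableEvent would find if the model were deleted there
  bool task_finished_before_delete;
};

// Plays out the race from the report, then the safe ordering. The main thread reaches the point
// where it would delete the model while the backend task is parked in Wait(); instead of freeing
// it there (the use-after-free ASan caught), it records the waiter count, wakes the task, flushes
// the backend, and only then destroys the model.
TeardownReport RunTeardown() {
  TeardownReport report{0, false};
  std::atomic<bool> task_finished{false};
  BackgroundThread backend;
  auto model = std::make_unique<BookmarkModel>();
  backend.PostTask([&] { model->BlockTillLoaded(); task_finished.store(true); });
  while (model->loaded.WaitersForTesting() == 0) std::this_thread::yield();  // let it park
  report.waiters_at_unsafe_point = model->loaded.WaitersForTesting();  // 1: deleting now = bug
  model->loaded.Signal();     // wake the waiter
  backend.FlushForTesting();  // it has returned from Wait() before we continue
  report.task_finished_before_delete = task_finished.load();
  model.reset();              // safe: nothing can touch the event any more
  return report;
}
```

Without the flush, `model.reset()` would run while the task is still inside Wait(), which is the READ 8 in TimedWaitUntil from the report; the example records that moment instead of performing it. A waiter counter of this kind is a cheap debug-build check to add to any event or condition object that is owned by something with a shorter lifetime than the threads blocking on it.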
Comment 11 by ClusterFuzz (Project Member), Jan 20 2017

ClusterFuzz has detected this issue as fixed in range 444912:444973.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5240258263515136

Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x617000009cf8
Crash State:
  base::WaitableEvent::TimedWaitUntil
  base::WaitableEvent::Wait
  ChromeHistoryBackendClient::GetBookmarks
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=444912:444973

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95LM5yINjrWtAk9_CY77WEltgzcbooMv5LZYq-LcJTGEGoOEeUIpa9DUcHqejMGZn8aX27Z3nQeWtMg085n85ZzUX_Nol8FNwcUVo4hkHLVr5OhqGTo8PDNQYjIa9hb-ByyfuSft0ik631hJWY2VW_5cmkui3NYjeg-kNx-HuPp1fOF0n5eDB40liex4j8Nc6lobplGmD-Tqh9geIW-F-tNkqHUyGJxibFOB75wFwdHrD6wLIvGSw4iQVon276YHCX_ClcCGYdROyORGLGPgsy3VZ6FHjaCcpP1CL4pj8B7cUQe6ySGvBS7K90TJGf62cVmGmm0gTLf7MMsOVBMAU0LUx2ml-IbkByUa9kmjolWFYa97Vw?testcase_id=5240258263515136


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ClusterFuzz (Project Member), Jan 20 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5240258263515136 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 13 by sheriffbot@chromium.org (Project Member), Jan 20 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: M-57 Release-0-M57

Comment 15 by sheriffbot@chromium.org (Project Member), Mar 17 2017

Labels: Merge-Request-58

Comment 16 by sheriffbot@chromium.org (Project Member), Mar 17 2017

Labels: -Merge-Request-58 Merge-Review-58 Hotlist-Merge-Review
This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Before we approve M58 Merge request, can you please confirm if this is well tested in Canary?
Labels: -Merge-Review-58 Merge-Rejected-57
Looks like this is already in M58, no merge needed.
Labels: -Hotlist-Merge-Review

Comment 20 by sheriffbot@chromium.org (Project Member), Apr 28 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot