Heap-use-after-free in base::internal::Invoker<base::internal::BindState<void |
||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5560853278752768 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_asan_chrome_v8 Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61800008cdb8 Crash State: base::internal::Invoker<base::internal::BindState<void void IPC::ChannelProxy::BindAssociatedInterfaceRequest<content::mojom::RouteProv base::internal::Invoker<base::internal::BindState<void Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: 42372:42387 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95IbQpvpOo0QAGXvKZW8T3hqr-x6LQmIC3p-eHcvMgFptfF6A30ZN6kRAwVo7wCMQKXHZV8mBD5QHz7GBLGd1qeduKwlZUdj0dQtJg6rLmT036OfUIZZAyS6Q9MGy7HNTPclIysB0GcP3OnCetYGNpDPXXx2D_8Qkem68Fv42AG_m3TZp__hBOmZPe0_Lw63ZV7ZqPlG-be1JD6NyK_DRFNEGbT1Zmivswr3KqklnSoFYu3X5uI_MNDp8ti9Psxm24yHLvyUjFDZpnqBI4uyLz4gett4-klmxHPrDApRoX5GehGF0SqCGGFATRxNOeDDJTjnROrW8dkCaCuEfIgPvf74HiqLFtASvT0uHBeHpZ7niTxUgU?testcase_id=5560853278752768 Additional requirements: Requires Gestures Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jan 23 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 23 2017
,
Jan 24 2017
,
Jan 24 2017
I think it's because the callback is bound with Unretained: https://chromium.googlesource.com/chromium/src/+blame/master/content/browser/renderer_host/render_process_host_impl.cc#1196
,
Jan 24 2017
Err, no, that wouldn't do it. The callback can only be invoked as long as |channel_| is alive, and |channel_|'s lifetime is of course bounded by |this|'s lifetime.
,
Jan 24 2017
I'm not so sure about that. From what I can tell, when we get a request, we look it up in the list we registered it in. Since we supplied a |factory| callback, we invoke it: https://cs.chromium.org/chromium/src/ipc/ipc_channel_mojo.cc?rcl=1485202678&l=355 For things that use ChannelProxy, this is bound in: https://cs.chromium.org/chromium/src/ipc/ipc_channel_proxy.cc?rcl=1485202678&l=394 |listener_task_runner_| is the UI thread, since that's where RenderProcessHostImpl lives. And the trampoline we bind it to just forwards things back to the UI thread: https://cs.chromium.org/chromium/src/ipc/ipc_channel_proxy.cc?rcl=1485202678&l=36 My understanding is the IPC channel itself is shutdown on the IO thread, which means there is a race here. The RenderProcessHostImpl being destroyed will destroy the ChannelProxy, which releases the Channel on the IO thread. If we get a request between RenderProcessHostImpl destruction and Channel destruction, then I think this can invoke the callback we originally registered.
,
Jan 24 2017
I see, you're right. I thought I had undone that mess already :{ Well, the solution is pretty straightforward, so I'll upload a fix tomorrow. Thanks!
,
Jan 24 2017
URGENT - PLEASE REVIEW ASAP Greetings from the release team! This bug is marked as an M-57 beta blocker, which means it needs to be fixed on trunk by THIS FRIDAY, Jan 27 in order to be merged back to the M57 branch on time. Please prioritize fixing this issue. Unsure if this bug should block the beta release, or know it should block but you won't be able to fix it in time? CC me to this bug and we can discuss. If you're absolutely sure this should not block beta, the bug can be punted to stable (by changing ReleaseBlock-Beta to ReleaseBlock-Stable), or if the bug should not block the release at all simply remove the release block tag. Thanks, Alex
,
Jan 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/70bbb59493f1111361e3b1bedd04a14fedb334f4 commit 70bbb59493f1111361e3b1bedd04a14fedb334f4 Author: rockot <rockot@chromium.org> Date: Wed Jan 25 00:56:51 2017 Remove associated interface registration from ChannelProxy ChannelProxy already delegates incoming associated interface requests to its Listener if they weren't handled by the Channel. We use this instead of having ChannelProxy register UI-thread-posting binders on the Channel itself. It's simpler and safer this way. BUG= 683773 R=jam@chromium.org Review-Url: https://codereview.chromium.org/2653973002 Cr-Commit-Position: refs/heads/master@{#445886} [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/browser/renderer_host/render_process_host_impl.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/browser/renderer_host/render_process_host_impl.h [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/child/child_thread_impl.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/child/child_thread_impl.h [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/common/associated_interface_registry_impl.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/common/associated_interface_registry_impl.h [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/gpu/gpu_child_thread.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/content/renderer/render_thread_impl.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/ipc/ipc_channel_mojo_unittest.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/ipc/ipc_channel_proxy.cc [modify] https://crrev.com/70bbb59493f1111361e3b1bedd04a14fedb334f4/ipc/ipc_channel_proxy.h
,
Jan 25 2017
,
Jan 25 2017
,
Jan 25 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 25 2017
,
Jan 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4 commit fa8f94e282f6577b9b7b93e6a42a283f7f2015e4 Author: Ken Rockot <rockot@chromium.org> Date: Wed Jan 25 15:59:23 2017 Remove associated interface registration from ChannelProxy ChannelProxy already delegates incoming associated interface requests to its Listener if they weren't handled by the Channel. We use this instead of having ChannelProxy register UI-thread-posting binders on the Channel itself. It's simpler and safer this way. BUG= 683773 R=jam@chromium.org Review-Url: https://codereview.chromium.org/2653973002 Cr-Commit-Position: refs/heads/master@{#445886} (cherry picked from commit 70bbb59493f1111361e3b1bedd04a14fedb334f4) Review-Url: https://codereview.chromium.org/2653943003 . Cr-Commit-Position: refs/branch-heads/2987@{#86} Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943} [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/browser/renderer_host/render_process_host_impl.cc [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/browser/renderer_host/render_process_host_impl.h [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/child/child_thread_impl.cc [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/child/child_thread_impl.h [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/common/associated_interface_registry_impl.cc [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/common/associated_interface_registry_impl.h [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/content/renderer/render_thread_impl.cc [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/ipc/ipc_channel_mojo_unittest.cc [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/ipc/ipc_channel_proxy.cc [modify] https://crrev.com/fa8f94e282f6577b9b7b93e6a42a283f7f2015e4/ipc/ipc_channel_proxy.h
,
Jan 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3594a5c4754dfd0d80df18d05bf5b6c94193d781 commit 3594a5c4754dfd0d80df18d05bf5b6c94193d781 Author: Ken Rockot <rockot@chromium.org> Date: Wed Jan 25 18:34:07 2017 Remove associated interface registration from ChannelProxy ChannelProxy already delegates incoming associated interface requests to its Listener if they weren't handled by the Channel. We use this instead of having ChannelProxy register UI-thread-posting binders on the Channel itself. It's simpler and safer this way. This is a reland of the previous merge, now with 100% fewer compile failures! BUG= 683773 R=jam@chromium.org Review-Url: https://codereview.chromium.org/2653973002 Cr-Commit-Position: refs/heads/master@{#445886} (cherry picked from commit 70bbb59493f1111361e3b1bedd04a14fedb334f4) Review-Url: https://codereview.chromium.org/2651053004 . Cr-Commit-Position: refs/branch-heads/2987@{#92} Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943} [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/browser/renderer_host/render_process_host_impl.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/browser/renderer_host/render_process_host_impl.h [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/child/child_thread_impl.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/child/child_thread_impl.h [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/common/associated_interface_registry_impl.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/common/associated_interface_registry_impl.h [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/gpu/gpu_child_thread.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/content/renderer/render_thread_impl.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/ipc/ipc_channel_mojo_unittest.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/ipc/ipc_channel_proxy.cc [modify] https://crrev.com/3594a5c4754dfd0d80df18d05bf5b6c94193d781/ipc/ipc_channel_proxy.h
,
Jan 26 2017
ClusterFuzz has detected this issue as fixed in range 42638:42644. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5560853278752768 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_asan_chrome_v8 Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61800008cdb8 Crash State: base::internal::Invoker<base::internal::BindState<void void IPC::ChannelProxy::BindAssociatedInterfaceRequest<content::mojom::RouteProv base::internal::Invoker<base::internal::BindState<void Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: V8: 42372:42387 Fixed: V8: 42638:42644 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95IbQpvpOo0QAGXvKZW8T3hqr-x6LQmIC3p-eHcvMgFptfF6A30ZN6kRAwVo7wCMQKXHZV8mBD5QHz7GBLGd1qeduKwlZUdj0dQtJg6rLmT036OfUIZZAyS6Q9MGy7HNTPclIysB0GcP3OnCetYGNpDPXXx2D_8Qkem68Fv42AG_m3TZp__hBOmZPe0_Lw63ZV7ZqPlG-be1JD6NyK_DRFNEGbT1Zmivswr3KqklnSoFYu3X5uI_MNDp8ti9Psxm24yHLvyUjFDZpnqBI4uyLz4gett4-klmxHPrDApRoX5GehGF0SqCGGFATRxNOeDDJTjnROrW8dkCaCuEfIgPvf74HiqLFtASvT0uHBeHpZ7niTxUgU?testcase_id=5560853278752768 Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 27 2017
,
May 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jan 23 2017