
Issue 716474

Issue metadata

Status: Fixed
Closed: May 2017
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security


Security: Use-after-poison in blink::FrameView::AdjustMediaTypeForPrinting

Reported by, Apr 28 2017

Issue description

Chrome Version: 60.0.3083.0 Canary
Operating System: Windows 7

1. Open the testcase

==4160==ERROR: AddressSanitizer: use-after-poison on address 0x5e17b834 at pc 0x1685c04b bp 0x003ea8bc sp 0x003ea8b0
READ of size 4 at 0x5e17b834 thread T0

Address 0x5e17b834 is a wild pointer.
SUMMARY: AddressSanitizer: use-after-poison (C:\Users\admin\Desktop\asan-win32-release-467954\chrome
Shadow bytes around the buggy address:
  0x3bc2f6b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f6c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f6d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f6e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f6f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x3bc2f700: f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f710: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f720: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f730: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f740: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x3bc2f750: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Note: This is a security regression bug seen after the fix from issue 707549.
Project Member

Comment 2 by ClusterFuzz, Apr 28 2017

ClusterFuzz is analyzing your testcase. Developers can follow the progress at

Comment 3 by, Apr 28 2017

Components: Blink>Internals>Frames
Labels: Security_Severity-Medium Security_Impact-Stable M-58 OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-1
Status: Assigned (was: Unconfirmed)
japhet, could you please take a look or re-assign to someone more appropriate? Thanks!
Actually, this is print preview's fault, I suspect this is from Lei Zhang's recent changes per issue 707549.
Components: -Blink>Internals>Frames UI>Browser>PrintPreview
Labels: -M-58 M-59
Well, before the bug 707549 fix, the test case here would just trigger that bug instead.
hmm... sorry for the assumption :-)
I might have seen this crash once in my own testing for bug 707549, but I could not reproduce it. It took several reloads to repro, but that's still good.
So this crash is happening in Blink and I don't really understand Oilpan. +haraken to help take a look.
I believe Oilpan poisons objects that aren't marked as live, so this may be a UaF.

What line is the use-after-poison happening on?
This is what I have locally:

ERROR: AddressSanitizer: use-after-poison on address 0x7e8706957a48 at pc 0x558af4d54c42 bp 0x7ffe7be47950 sp 0x7ffe7be47948
READ of size 8 at 0x7e8706957a48 thread T0 (chrome)
    #0 0x558af4d54c41 in operator blink::DOMWindow * third_party/WebKit/Source/platform/heap/Member.h:80:32
    #1 0x558af4d54c41 in DomWindow third_party/WebKit/Source/core/frame/LocalFrame.cpp:535
    #2 0x558af4d54c41 in blink::LocalFrame::GetDocument() const third_party/WebKit/Source/core/frame/LocalFrame.cpp:548
    #3 0x558af4d57734 in blink::LocalFrame::SetPrinting(bool, blink::FloatSize const&, blink::FloatSize const&, float) third_party/WebKit/Source/core/frame/LocalFrame.cpp:594:7
    #4 0x558af5503e20 in blink::PrintContext::EndPrintMode() third_party/WebKit/Source/core/page/PrintContext.cpp:197:11
    #5 0x558af550256f in blink::PrintContext::~PrintContext() third_party/WebKit/Source/core/page/PrintContext.cpp:57:5
    #6 0x558aed379c0e in Finalize third_party/WebKit/Source/platform/heap/HeapPage.cpp:103:5
    #7 0x558aed379c0e in blink::NormalPage::Sweep() third_party/WebKit/Source/platform/heap/HeapPage.cpp:1340
    #8 0x558aed372780 in SweepUnsweptPage third_party/WebKit/Source/platform/heap/HeapPage.cpp:284:11
    #9 0x558aed372780 in blink::BaseArena::LazySweepWithDeadline(double) third_party/WebKit/Source/platform/heap/HeapPage.cpp:313
    #10 0x558aed388e75 in blink::ThreadState::PerformIdleLazySweep(double) third_party/WebKit/Source/platform/heap/ThreadState.cpp:636:22
    #11 0x558af48e1d3f in Run base/callback.h:80:12
    #12 0x558af48e1d3f in operator() third_party/WebKit/Source/platform/wtf/Functional.h:221
    #13 0x558af48e1d3f in blink::(anonymous namespace)::IdleTaskRunner::Run(double) third_party/WebKit/Source/platform/WebScheduler.cpp:26
Oh, that seems pretty dangerous--a GCed object (PrintContext) cannot touch another GCed object (DOMWindow) during finalization, as the finalization order is not guaranteed. So like DOMWindow was already swept, and then PrintContext() tries to touch it in the destructor.
(Also: the usual solution to this is to perform some sort of explicit cleanup, like FrameView::dispose(), or potentially a pre-finalizer. Usually explicit cleanup is preferred)
As far as I can see from the call sites of PrintContext, it seems easy to explicitly call PrintContext::dispose(). We can call EndPrintMode in PrintContext::dispose().
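As an added illustration of the finalization-order hazard described in the comments above (not Blink's code and not the fix that landed), the toy model below uses the stand-in names Window, Frame, PrintContext and ScopedPrintMode; it counts the read that ASan would report when cleanup runs in the finalizer, versus zero when the same cleanup runs through an explicit scoped call while everything is still live.

```cpp
#include <vector>
// Toy model of the hazard above (constructed for this note, not Blink/Oilpan code): a finalizer
// that touches another GC-managed object may run after that object was already swept.
struct GcObject {
  bool swept = false;          // models the "poisoned by user" state after sweeping
  virtual void Finalize() {}   // destructor-like hook; order across objects is arbitrary
  virtual ~GcObject() = default;
};
struct Window : GcObject { bool printing = false; };
struct Frame : GcObject {
  Window* window = nullptr;
  // Returns false instead of reading a swept Window (ASan would flag use-after-poison).
  bool SetPrinting(bool on) {
    if (window->swept) return false;
    window->printing = on; return true;
  }
};
struct PrintContext : GcObject {
  Frame* frame = nullptr;
  int* poison_hits = nullptr;  // counts reads of swept objects, for the test
  bool in_print_mode = false;
  void BeginPrintMode() { frame->SetPrinting(true); in_print_mode = true; }
  void EndPrintMode() {
    if (in_print_mode && !frame->SetPrinting(false)) ++*poison_hits;
    in_print_mode = false;
  }
  // Buggy pattern: cleanup deferred to finalization, when `window` may already be gone.
  void Finalize() override { EndPrintMode(); }
};
// Models the fix: end print mode explicitly while every object is still live.
struct ScopedPrintMode {
  PrintContext& ctx;
  explicit ScopedPrintMode(PrintContext& c) : ctx(c) { ctx.BeginPrintMode(); }
  ~ScopedPrintMode() { ctx.EndPrintMode(); }
};
// Finalize and poison objects in the given order (a real GC guarantees no order).
void Sweep(const std::vector<GcObject*>& order) {
  for (GcObject* o : order) { o->Finalize(); o->swept = true; }
}
// Number of use-after-poison reads in the worst-case order (Window swept first).
int RunScenario(bool use_scoped_print_mode) {
  int hits = 0;
  Window w; Frame f; PrintContext pc;
  f.window = &w; pc.frame = &f; pc.poison_hits = &hits;
  if (use_scoped_print_mode) { ScopedPrintMode scope(pc); /* pages printed here */ }
  else pc.BeginPrintMode();  // nobody ends print mode; Finalize() must do it
  Sweep({&w, &f, &pc});
  return hits;  // 1 with finalizer cleanup, 0 with ScopedPrintMode
}
```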

thestig, any update here?

If possible we'd like to get this fixed as part of the security fixit (see email to chromium-dev) this week. Thanks!
Just waiting for the code review to finish.
Status: Fixed (was: Assigned)
Project Member

Comment 20 by, May 3 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-59
Project Member

Comment 22 by, May 5 2017

Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit - Your friendly Sheriffbot
Project Member

Comment 23 by, May 5 2017

Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:

commit 85199fb739f0c8b8e491cd6f1ac538efb4134ad0
Author: Lei Zhang <>
Date: Fri May 05 23:54:38 2017

M59: Clear the PrintContext in WebLocalFrameImpl::Close().

Also explicitly call PrintContext::EndPrintMode(), rather than calling
it in the destructor. Add a ScopedPrintMode helper class to do that

BUG=716474

Cr-Commit-Position: refs/heads/master@{#468882}
(cherry picked from commit 85b7d7b31f25da2481ab2fa569c7b37a42abdeb6)

Review-Url: .
Cr-Commit-Position: refs/branch-heads/3071@{#429}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}


Labels: reward-topanel
Labels: -Hotlist-Merge-Approved

Comment 26 by, May 10 2017

Labels: -Security_Severity-Medium Security_Severity-High
Labels: -reward-topanel reward-unpaid reward-2000
Congratulations! The panel decided to award $2,000 for this bug!  Though if you could provide symbolicated stack traces it would be greatly appreciated.
Labels: -reward-unpaid reward-inprocess
Labels: Release-0-M59
Labels: CVE-2017-5073
Project Member

Comment 32 by, Aug 9 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: CVE_description-submitted
