multithreaded use-after-free in message_loop
Reported by jeffwalt...@gmail.com, Aug 25 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Steps to reproduce the problem:
We ran a dynamic tool for detecting multithreaded use-after-free bugs on Chromium trunk (commit a0b867b844d0e05d5b5699016468870581a12ad4); the tool reported several use-after-frees.

What is the expected behavior?

What went wrong?

------- thread #10 free call stack
  base/message_loop/incoming_task_queue.cc:144
  base/message_loop/message_loop_task_runner.cc:51
  base/task_runner.cc:63
  base/task_runner.cc:67
  base/message_loop/message_loop.cc:45
  base/message_loop/message_loop.cc:95
  base/threading/thread.cc:363
  base/threading/platform_thread_posix.cc:77

------- thread #0 use call stack
  /archive/jeff/git/chromium/src/out/tsan3/../../base/containers/vector_buffer.h:64
  base/message_loop/incoming_task_queue.cc:86
  base/message_loop/message_loop_task_runner.cc:32
  base/task_runner.cc:47
  base/threading/thread.cc:212
  base/threading/platform_thread.h:97
  gpu/command_buffer/service/gpu_tracer.cc:62
  gpu/command_buffer/service/gpu_tracer.cc:53
  base/memory/ref_counted.h:538
  gpu/command_buffer/service/gles2_cmd_decoder.cc:18077
  gpu/command_buffer/service/gles2_cmd_decoder.cc:5310
  gpu/command_buffer/service/command_buffer_service.cc:90
  buildtools/third_party/libc++/trunk/include/memory:2554
  base/tuple.h:77
  gpu/ipc/service/gpu_command_buffer_stub.cc:308
  ipc/message_router.cc:56
  gpu/ipc/service/gpu_channel.cc:1007
  base/bind_internal.h:310
  base/callback.h:92
  base/bind_internal.h:323
  base/callback.h:92
  buildtools/third_party/libc++/trunk/include/vector:644
  base/message_loop/message_loop.cc:528
  base/message_loop/message_pump_glib.cc:267

------- #0 use call stack
  base/atomic_ref_count.h:37
  base/threading/platform_thread.h:97
  gpu/command_buffer/service/gpu_tracer.cc:62
  gpu/command_buffer/service/gpu_tracer.cc:53
  base/memory/ref_counted.h:538
  gpu/command_buffer/service/gles2_cmd_decoder.cc:18077
  gpu/command_buffer/service/gles2_cmd_decoder.cc:5310
  crtstuff.c:?
  gpu/command_buffer/service/command_buffer_service.cc:90
  buildtools/third_party/libc++/trunk/include/memory:2554
  base/tuple.h:77
  gpu/ipc/service/gpu_command_buffer_stub.cc:308
  ipc/message_router.cc:56
  gpu/ipc/service/gpu_channel.cc:1007
  base/bind_internal.h:310
  base/callback.h:92
  base/bind_internal.h:323
  base/callback.h:92
  buildtools/third_party/libc++/trunk/include/vector:644
  base/message_loop/message_loop.cc:528
  base/message_loop/message_pump_glib.cc:267

------- #8 free call stack
  ipc/ipc_sync_channel.cc:370
  base/bind_internal.h:480
  base/callback_internal.cc:82
  base/callback.h:92
  buildtools/third_party/libc++/trunk/include/vector:644
  base/message_loop/message_loop.cc:528
  base/message_loop/message_pump_libevent.cc:220

------- #0 use call stack
  buildtools/third_party/libc++/trunk/include/tuple:387
  ipc/ipc_channel_proxy.cc:544
  ipc/ipc_sync_channel.cc:602
  gpu/ipc/service/gpu_channel.cc:756
  gpu/ipc/service/gpu_channel.cc:867
  gpu/ipc/service/gpu_command_buffer_stub.cc:337
  gpu/ipc/service/gpu_command_buffer_stub.cc:367
  gpu/ipc/service/gpu_command_buffer_stub.cc:?
  gpu/ipc/service/pass_through_image_transport_surface.cc:220
  buildtools/third_party/libc++/trunk/include/memory:2583
  gpu/command_buffer/service/gles2_cmd_decoder.cc:15752
  gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:4499
  gpu/command_buffer/service/gles2_cmd_decoder.cc:5310
  gpu/command_buffer/service/gles2_cmd_decoder.cc:?
  gpu/command_buffer/service/command_buffer_service.cc:90

Did this work before? N/A

Chrome version: 51.0.2704.103
Channel: n/a
OS Version: OS X 10.11.5
Flash Version: Shockwave Flash 26.0 r0

We could not confirm whether these are real vulnerabilities or how serious they are, but they are perhaps worth a look by Chromium developers.
Aug 26 2017
Unfortunately we do not have test cases. The dynamic tool is modified from Tsan2; it collects traces from the instrumented browser at runtime and analyzes the traces offline. We did a number of browser actions related to PDF and printing, and opened tabs for YouTube and Facebook.
Aug 26 2017
Thank you for providing more feedback. Adding requester "tanin@google.com" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 26 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 28 2017
Report mentions 51, not 61 - assuming that's correct, changing to Security_Impact-Stable.
Aug 28 2017
ccameron@, I wonder if you can take a look at this.
Sep 9 2017
ccameron: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 21 2017
Sorry, this doesn't have enough for me to go on.
Dec 29 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ta...@google.com, Aug 26 2017
Labels: Security_Severity-High Security_Impact-Beta Needs-Feedback