Issue metadata
Sign in to add a comment
|
Heap-use-after-free in blink::PaintLayerScrollableArea::Box |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4805056263356416 Fuzzer: inferno_twister Job Type: windows_asan_content_shell Platform Id: windows Crash Type: Heap-use-after-free READ 4 Crash Address: 0x1bb0f92c Crash State: blink::PaintLayerScrollableArea::Box blink::PaintLayerScrollableArea::MaximumScrollOffsetInt blink::ScrollableArea::MaximumScrollOffset Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=497410:497433 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4805056263356416 Additional requirements: Requires Gestures Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 27 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 27 2017
,
Aug 28 2017
skobes@, I wonder if you are the right person to fix this. Thank you.
,
Sep 2 2017
This is caused by a scroller being removed during a sequenced scroll animation from Element.scrollIntoView. I've attached a better test case. The clusterfuzz test case regressed with r497433, but the bug existed before that. The stack trace looks like this: #4 0x7fc38ebeedfc blink::LayoutObject::LayoutObjectBitfields::IsBox() #5 0x7fc38ebeeda9 blink::LayoutObject::IsBox() #6 0x7fc38fae7bc0 blink::PaintLayer::GetLayoutBox() #7 0x7fc38fef2f8c blink::PaintLayerScrollableArea::Box() #8 0x7fc38fef4425 blink::PaintLayerScrollableArea::MaximumScrollOffsetInt() #9 0x7fc38ec7404c blink::ScrollableArea::MaximumScrollOffset() #10 0x7fc38d72da5f blink::ScrollableArea::ClampScrollOffset() #11 0x7fc38d72d852 blink::ScrollableArea::SetScrollOffset() #12 0x7fc38d73a8a4 blink::SmoothScrollSequencer::RunQueuedAnimations() #13 0x7fc38d726bc0 blink::ProgrammaticScrollAnimator::AnimationFinished() #14 0x7fc38d726b06 blink::ProgrammaticScrollAnimator::TickAnimation() #15 0x7fc38d72f1f5 blink::ScrollableArea::ServiceScrollAnimations() #16 0x7fc38fe1ac9a blink::PageAnimator::ServiceScriptedAnimations() #17 0x7fc38fe20ead blink::PageWidgetDelegate::Animate() #18 0x7fc38f3bb78d blink::WebViewImpl::BeginFrame() #19 0x7fc38f4f625b blink::WebViewFrameWidget::BeginFrame() #20 0x7fc39a8d92f6 content::RenderWidget::BeginMainFrame() #21 0x7fc39a6f46e5 content::RenderWidgetCompositor::BeginMainFrame() #22 0x7fc3970e4523 cc::LayerTreeHost::BeginMainFrame() #23 0x7fc3971d4669 cc::ProxyMain::BeginMainFrame() Sandra, could you take a look?
,
Sep 5 2017
,
Sep 5 2017
Issue 762108 has been merged into this issue.
,
Sep 6 2017
,
Sep 8 2017
bokan@, could you take a look at this patch and take over if it is emergent? I will be on vacation for a month starting next week. Thanks! I took a quick look at the bug, seems we need to figure out in ScrollableArea whether its LayoutBox is still alive. But as we are doing this, we need to access the freed memory first. I'm wondering where is the correct place to check this.
,
Sep 8 2017
Ok, I'll have a look.
,
Sep 11 2017
I'm on a flight to Tokyo today but am still tracking this, will take a look tomorrow.
,
Sep 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f623f1662f53a1974712358656ee2afd23b786b7 commit f623f1662f53a1974712358656ee2afd23b786b7 Author: David Bokan <bokan@chromium.org> Date: Thu Sep 14 01:23:32 2017 Fix use-after-free in smooth sequenced scrolling. When a scroll into view is done smoothly, all the scrolls are queued up in the SmoothScrollSequencer. However, if a scroller is removed, the sequencer may end up touching it in ways that cause a use-after-free. While the ScrollableArea isn't GC'd yet, the PaintLayer isn't on the GC heap and so it's already deleted. This CL fixes the issue by iterating the sequencer's ScrollableAreas and aborting the entire sequence if one of them is removed. This is done when the ScrollableArea is disposed, which happens during PaintLayer destruction. Bug: 759354 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2 Change-Id: I412cea1657da19a28b7bef9300877c650281a065 Reviewed-on: https://chromium-review.googlesource.com/664329 Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: David Bokan <bokan@chromium.org> Cr-Commit-Position: refs/heads/master@{#501829} [modify] https://crrev.com/f623f1662f53a1974712358656ee2afd23b786b7/third_party/WebKit/Source/core/page/scrolling/SmoothScrollTest.cpp [modify] https://crrev.com/f623f1662f53a1974712358656ee2afd23b786b7/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp [modify] https://crrev.com/f623f1662f53a1974712358656ee2afd23b786b7/third_party/WebKit/Source/platform/scroll/SmoothScrollSequencer.cpp [modify] https://crrev.com/f623f1662f53a1974712358656ee2afd23b786b7/third_party/WebKit/Source/platform/scroll/SmoothScrollSequencer.h
,
Sep 14 2017
ClusterFuzz has detected this issue as fixed in range 501804:501840. Detailed report: https://clusterfuzz.com/testcase?key=4805056263356416 Fuzzer: inferno_twister Job Type: windows_asan_content_shell Platform Id: windows Crash Type: Heap-use-after-free READ 4 Crash Address: 0x1bb0f92c Crash State: blink::PaintLayerScrollableArea::Box blink::PaintLayerScrollableArea::MaximumScrollOffsetInt blink::ScrollableArea::MaximumScrollOffset Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=497410:497433 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=501804:501840 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4805056263356416 Additional requirements: Requires Gestures See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 14 2017
This should be merged back to 62.
,
Sep 14 2017
ClusterFuzz testcase 4805056263356416 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 14 2017
,
Sep 15 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 15 2017
Approving merge to M62. Branch:3202
,
Sep 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4f53fa14ad054a787b7d7c71c00968d70086a1a4 commit 4f53fa14ad054a787b7d7c71c00968d70086a1a4 Author: David Bokan <bokan@chromium.org> Date: Sun Sep 17 05:22:14 2017 Fix use-after-free in smooth sequenced scrolling. When a scroll into view is done smoothly, all the scrolls are queued up in the SmoothScrollSequencer. However, if a scroller is removed, the sequencer may end up touching it in ways that cause a use-after-free. While the ScrollableArea isn't GC'd yet, the PaintLayer isn't on the GC heap and so it's already deleted. This CL fixes the issue by iterating the sequencer's ScrollableAreas and aborting the entire sequence if one of them is removed. This is done when the ScrollableArea is disposed, which happens during PaintLayer destruction. TBR=bokan@chromium.org (cherry picked from commit f623f1662f53a1974712358656ee2afd23b786b7) Bug: 759354 Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2 Change-Id: I412cea1657da19a28b7bef9300877c650281a065 Reviewed-on: https://chromium-review.googlesource.com/664329 Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Steve Kobes <skobes@chromium.org> Commit-Queue: David Bokan <bokan@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#501829} Reviewed-on: https://chromium-review.googlesource.com/670224 Reviewed-by: David Bokan <bokan@chromium.org> Cr-Commit-Position: refs/branch-heads/3202@{#276} Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098} [modify] https://crrev.com/4f53fa14ad054a787b7d7c71c00968d70086a1a4/third_party/WebKit/Source/core/page/scrolling/SmoothScrollTest.cpp [modify] https://crrev.com/4f53fa14ad054a787b7d7c71c00968d70086a1a4/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp [modify] https://crrev.com/4f53fa14ad054a787b7d7c71c00968d70086a1a4/third_party/WebKit/Source/platform/scroll/SmoothScrollSequencer.cpp [modify] https://crrev.com/4f53fa14ad054a787b7d7c71c00968d70086a1a4/third_party/WebKit/Source/platform/scroll/SmoothScrollSequencer.h
,
Oct 5 2017
,
Dec 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Aug 27 2017