Security: heap-use-after-free in blink::PaintLayerScrollableArea::MaximumScrollOffsetInt
Reported by cloudfuz...@gmail.com, Sep 5 2017
Issue description
VULNERABILITY DETAILS
The following testcase crashes the latest ASAN build of content_shell when loaded from an HTTP server.
ASAN output:
=================================================================
==10659==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000016940 at pc 0x5609bd4d409b bp 0x7fff70f67db0 sp 0x7fff70f67da8
READ of size 8 at 0x60f000016940 thread T0 (chrome)
#0 0x5609bd4d409a in GetLayoutBox third_party/WebKit/Source/core/paint/PaintLayer.h:233:12
#1 0x5609bd4d409a in Box third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp:722
#2 0x5609bd4d409a in blink::PaintLayerScrollableArea::MaximumScrollOffsetInt() const third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp:538
#3 0x5609bc63ca11 in blink::ScrollableArea::MaximumScrollOffset() const third_party/WebKit/Source/platform/scroll/ScrollableArea.h:238:25
#4 0x5609c1d2058e in ClampScrollOffset third_party/WebKit/Source/platform/scroll/ScrollableArea.cpp:620:33
#5 0x5609c1d2058e in blink::ScrollableArea::SetScrollOffset(blink::FloatSize const&, blink::ScrollType, blink::ScrollBehavior) third_party/WebKit/Source/platform/scroll/ScrollableArea.cpp:183
#6 0x5609c1d6bd43 in AnimationFinished third_party/WebKit/Source/platform/scroll/ProgrammaticScrollAnimator.cpp:197:18
#7 0x5609c1d6bd43 in blink::ProgrammaticScrollAnimator::TickAnimation(double) third_party/WebKit/Source/platform/scroll/ProgrammaticScrollAnimator.cpp:90
#8 0x5609c1d24d37 in blink::ScrollableArea::ServiceScrollAnimations(double) third_party/WebKit/Source/platform/scroll/ScrollableArea.cpp:526:35
#9 0x5609bc68e8e0 in blink::RootFrameViewport::ServiceScrollAnimations(double) third_party/WebKit/Source/core/frame/RootFrameViewport.cpp:461:20
#10 0x5609bd342560 in blink::PageAnimator::ServiceScriptedAnimations(double) third_party/WebKit/Source/core/page/PageAnimator.cpp:56:26
#11 0x5609c284e9d2 in blink::WebViewImpl::BeginFrame(double) third_party/WebKit/Source/core/exported/WebViewImpl.cpp:1839:3
#12 0x5609be2dda1c in BeginMainFrame content/renderer/gpu/render_widget_compositor.cc:1203:14
#13 0x5609be2dda1c in non-virtual thunk to content::RenderWidgetCompositor::BeginMainFrame(viz::BeginFrameArgs const&) content/renderer/gpu/render_widget_compositor.cc
#14 0x5609b683d902 in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) cc/trees/proxy_main.cc:185:21
#15 0x5609b68aa012 in Invoke<base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > base/bind_internal.h:194:12
#16 0x5609b68aa012 in MakeItSo<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > base/bind_internal.h:297
#17 0x5609b68aa012 in void base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunImpl<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, 0ul, 1ul>(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) base/bind_internal.h:349
#18 0x5609b3c7f030 in Run base/callback.h:64:12
#19 0x5609b3c7f030 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:65
#20 0x5609b2b24cdd in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:515:19
#21 0x5609b2b1e9ad in blink::scheduler::TaskQueueManager::DoWork(bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:312:13
#22 0x5609b3c7f030 in Run base/callback.h:64:12
#23 0x5609b3c7f030 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:65
#24 0x5609b3cf19b2 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:406:25
#25 0x5609b3cf3718 in DeferOrRunPendingTask base/message_loop/message_loop.cc:417:5
#26 0x5609b3cf3718 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:524
#27 0x5609b3cf8d0f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
#28 0x5609b3d7c929 in base::RunLoop::Run() base/run_loop.cc:123:14
#29 0x5609bdfa136e in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:220:23
#30 0x5609b2fb3990 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:354:14
#31 0x5609b2fb77fa in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:709:12
#32 0x5609b2fda08a in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:469:29
#33 0x5609b2fb3044 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#34 0x5609ad18a497 in ChromeMain chrome/app/chrome_main.cc:122:12
#35 0x7f2b72cdb82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
0x60f000016940 is located 16 bytes inside of 168-byte region [0x60f000016930,0x60f0000169d8)
freed by thread T0 (chrome) here:
#0 0x5609ad15e512 in __interceptor_free (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3215512)
#1 0x5609bccda688 in DestroyLayer third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:488:23
#2 0x5609bccda688 in blink::LayoutBoxModelObject::WillBeDestroyed() third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:224
#3 0x5609bcc6c4ea in blink::LayoutBox::WillBeDestroyed() third_party/WebKit/Source/core/layout/LayoutBox.cpp:136:25
#4 0x5609bce8f1a2 in blink::LayoutObject::Destroy() third_party/WebKit/Source/core/layout/LayoutObject.cpp:2820:3
#5 0x5609bce8ef99 in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers() third_party/WebKit/Source/core/layout/LayoutObject.cpp
#6 0x5609c262965c in blink::Node::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Node.cpp:1042:24
#7 0x5609c247858b in blink::ContainerNode::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:937:9
#8 0x5609c2577329 in blink::Element::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Element.cpp:1904:18
#9 0x5609c247851d in blink::ContainerNode::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:934:12
#10 0x5609c2577329 in blink::Element::DetachLayoutTree(blink::Node::AttachContext const&) third_party/WebKit/Source/core/dom/Element.cpp:1904:18
#11 0x5609c2476c3b in blink::ContainerNode::RemoveBetween(blink::Node*, blink::Node*, blink::Node&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:699:15
#12 0x5609c2477792 in blink::ContainerNode::RemoveChildren(blink::SubtreeModificationAction) third_party/WebKit/Source/core/dom/ContainerNode.cpp:776:9
#13 0x5609c24dba69 in blink::Document::ImplicitOpen(blink::ParserSynchronizationPolicy) third_party/WebKit/Source/core/dom/Document.cpp:2982:3
#14 0x5609c24c1be2 in blink::Document::open() third_party/WebKit/Source/core/dom/Document.cpp:2947:3
#15 0x5609c24db919 in blink::Document::open(blink::Document*, blink::ExceptionState&) third_party/WebKit/Source/core/dom/Document.cpp:2914:3
#16 0x5609c24e1913 in blink::Document::write(blink::SegmentedString const&, blink::Document*, blink::ExceptionState&) third_party/WebKit/Source/core/dom/Document.cpp:3523:5
#17 0x5609c24e206d in blink::Document::write(WTF::String const&, blink::Document*, blink::ExceptionState&) third_party/WebKit/Source/core/dom/Document.cpp:3536:3
#18 0x5609c24e35a4 in blink::Document::write(blink::LocalDOMWindow*, WTF::Vector<WTF::String, 0ul, WTF::PartitionAllocator> const&, blink::ExceptionState&) third_party/WebKit/Source/core/dom/Document.cpp:3555:3
#19 0x5609c142c810 in writeMethod out/Release/gen/blink/bindings/core/v8/V8Document.cpp:3666:9
#20 0x5609c142c810 in blink::V8Document::writeMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/core/v8/V8Document.cpp:6460
#21 0x5609b0ceff50 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:25:3
#22 0x5609b0efb1ed in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:112:36
#23 0x5609b0ef8830 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:142:5
#24 0x7f2b3a88449c (<unknown module>)
#25 0x7f2b3a98af1f (<unknown module>)
#26 0x7f2b3a9896b8 (<unknown module>)
#27 0x7f2b3a884100 (<unknown module>)
#28 0x5609b17bc643 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) v8/src/execution.cc:145:13
#29 0x5609b17bbe72 in CallInternal v8/src/execution.cc:181:10
#30 0x5609b17bbe72 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:191
#31 0x5609b0d5af43 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5387:7
#32 0x5609c129986f in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:672:17
previously allocated by thread T0 (chrome) here:
#0 0x5609ad15e853 in __interceptor_malloc (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3215853)
#1 0x5609bd44669e in PartitionAlloc base/allocator/partition_allocator/partition_alloc.h:704:18
#2 0x5609bd44669e in blink::PaintLayer::operator new(unsigned long) third_party/WebKit/Source/core/paint/PaintLayer.cpp:1263
#3 0x5609bccdd9b9 in make_unique<blink::PaintLayer, blink::LayoutBoxModelObject &> buildtools/third_party/libc++/trunk/include/memory:3065:28
#4 0x5609bccdd9b9 in MakeUnique<blink::PaintLayer, blink::LayoutBoxModelObject &> third_party/WebKit/Source/platform/wtf/PtrUtil.h:40
#5 0x5609bccdd9b9 in blink::LayoutBoxModelObject::CreateLayerAfterStyleChange() third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:480
#6 0x5609bccdb9c4 in blink::LayoutBoxModelObject::StyleDidChange(blink::StyleDifference, blink::ComputedStyle const*) third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:307:7
#7 0x5609bcc6e411 in blink::LayoutBox::StyleDidChange(blink::StyleDifference, blink::ComputedStyle const*) third_party/WebKit/Source/core/layout/LayoutBox.cpp:230:25
#8 0x5609bcba8003 in blink::LayoutBlock::StyleDidChange(blink::StyleDifference, blink::ComputedStyle const*) third_party/WebKit/Source/core/layout/LayoutBlock.cpp:217:14
#9 0x5609bcc0a9b6 in blink::LayoutBlockFlow::StyleDidChange(blink::StyleDifference, blink::ComputedStyle const*) third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:2885:16
#10 0x5609bce76b7f in blink::LayoutObject::SetStyle(WTF::RefPtr<blink::ComputedStyle>) third_party/WebKit/Source/core/layout/LayoutObject.cpp:1603:3
#11 0x5609c25e4136 in blink::LayoutTreeBuilderForElement::CreateLayoutObject() third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:132:22
#12 0x5609c2573ed9 in CreateLayoutObjectIfNeeded third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:91:7
#13 0x5609c2573ed9 in blink::Element::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/Element.cpp:1818
#14 0x5609c24782b4 in blink::ContainerNode::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/ContainerNode.cpp:920:14
#15 0x5609c2574b2f in blink::Element::AttachLayoutTree(blink::Node::AttachContext&) third_party/WebKit/Source/core/dom/Element.cpp:1852:18
#16 0x5609c257e63f in blink::Element::RebuildLayoutTree(blink::WhitespaceAttacher&) third_party/WebKit/Source/core/dom/Element.cpp:2164:5
#17 0x5609c24d1842 in blink::Document::UpdateStyle() third_party/WebKit/Source/core/dom/Document.cpp:2245:25
#18 0x5609c24c3de8 in blink::Document::UpdateStyleAndLayoutTree() third_party/WebKit/Source/core/dom/Document.cpp:2166:3
#19 0x5609c277ce83 in GetCommand third_party/WebKit/Source/core/editing/commands/DocumentExecCommand.cpp:50:13
#20 0x5609c277ce83 in blink::Document::execCommand(WTF::String const&, bool, WTF::String const&, blink::ExceptionState&) third_party/WebKit/Source/core/editing/commands/DocumentExecCommand.cpp:87
#21 0x5609c142eb6c in execCommandMethod out/Release/gen/blink/bindings/core/v8/V8Document.cpp:3730:23
#22 0x5609c142eb6c in blink::V8Document::execCommandMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/core/v8/V8Document.cpp:6480
#23 0x5609b0ceff50 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:25:3
#24 0x5609b0efb1ed in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:112:36
#25 0x5609b0ef8830 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:142:5
#26 0x7f2b3a88449c (<unknown module>)
#27 0x7f2b3a98af1f (<unknown module>)
#28 0x7f2b3a98475e (<unknown module>)
#29 0x7f2b3a9896b8 (<unknown module>)
#30 0x7f2b3a884100 (<unknown module>)
#31 0x5609b17bc643 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling) v8/src/execution.cc:145:13
#32 0x5609b17bbe72 in CallInternal v8/src/execution.cc:181:10
#33 0x5609b17bbe72 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:191
#34 0x5609b0d5af43 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5387:7
#35 0x5609c129986f in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:672:17
#36 0x5609c137f664 in blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/WebKit/Source/bindings/core/v8/V8EventListener.cpp:115:8
SUMMARY: AddressSanitizer: heap-use-after-free third_party/WebKit/Source/core/paint/PaintLayer.h:233:12 in GetLayoutBox
==10659==ABORTING
VERSION
Chrome Version: Linux
Operating System: asan-linux-release-499408
REPRODUCTION CASE
Load the attached crash.html from an HTTP server with crash.xml in the same directory
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
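Triage helper, added here as an example and not part of the original report or of Chromium: it splits an ASAN heap-use-after-free report like the one above into its access, free and allocation stacks and returns the first frame of each that lies under a component source prefix (assumed `third_party/WebKit/` for Blink), which are the three places a reviewer reads first. SAMPLE_REPORT is a constructed excerpt of the report above with the frames truncated.

```python
import re

# Constructed excerpt of the ASAN report on this page (each stack cut to its
# first frames; the addresses and paths are the report's own).
SAMPLE_REPORT = """\
==10659==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000016940 at pc 0x5609bd4d409b bp 0x7fff70f67db0 sp 0x7fff70f67da8
READ of size 8 at 0x60f000016940 thread T0 (chrome)
    #0 0x5609bd4d409a in GetLayoutBox third_party/WebKit/Source/core/paint/PaintLayer.h:233:12
    #1 0x5609bd4d409a in blink::PaintLayerScrollableArea::MaximumScrollOffsetInt() const third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp:538
0x60f000016940 is located 16 bytes inside of 168-byte region [0x60f000016930,0x60f0000169d8)
freed by thread T0 (chrome) here:
    #0 0x5609ad15e512 in __interceptor_free (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3215512)
    #1 0x5609bccda688 in DestroyLayer third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:488:23
previously allocated by thread T0 (chrome) here:
    #0 0x5609ad15e853 in __interceptor_malloc (/home/nils/fuzzer3/asan-linux-release-499408/chrome+0x3215853)
    #1 0x5609bd44669e in PartitionAlloc base/allocator/partition_allocator/partition_alloc.h:704:18
    #2 0x5609bd44669e in blink::PaintLayer::operator new(unsigned long) third_party/WebKit/Source/core/paint/PaintLayer.cpp:1263
SUMMARY: AddressSanitizer: heap-use-after-free third_party/WebKit/Source/core/paint/PaintLayer.h:233:12 in GetLayoutBox
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.*?)\s+(\S+)$")  # "in <function> <location>"

def parse_asan_report(text):
    """Split an ASAN use-after-free report into access/free/alloc stacks of (function, location) pairs."""
    info = {"stacks": {"access": [], "free": [], "alloc": []}}
    current = None  # which stack the frames that follow belong to
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            info["kind"], info["address"] = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            info["access"] = (m.group(1), int(m.group(2)), m.group(3))
            current = "access"
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by"):
            current = "free"
        elif line.startswith("previously allocated by"):
            current = "alloc"
        elif current and (m := FRAME_RE.match(line)):
            info["stacks"][current].append((m.group(1), m.group(2)))
    return info

def owner_frame(frames, prefix="third_party/WebKit/"):
    """First frame whose source path starts with `prefix`; ASAN interceptor frames (location in
    parentheses) and allocator frames under base/ never match, so triage lands on the component's code."""
    return next(((func, loc) for func, loc in frames if loc.startswith(prefix)), None)

def lifecycle(info, prefix="third_party/WebKit/"):
    """(allocated_in, freed_in, used_in): the three places to read to see why the object outlived its free."""
    stacks = info["stacks"]
    return tuple(owner_frame(stacks[k], prefix) for k in ("alloc", "free", "access"))
```

On the full report above the same three picks are PaintLayer::operator new, DestroyLayer and GetLayoutBox; the outer frames of the full stacks then show the free happening under document.write() via Document::open() and the use under ProgrammaticScrollAnimator::TickAnimation().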
Dec 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Sep 5 2017
Status: Duplicate (was: Unconfirmed)