ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5589220029890560.

+ some people who might know about that code.

rtoy: the use of audio in the repro case might be incidental, but FYI.

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.

Adding V8 memory sheriffs and Kentaro for Oilpan.

yukishiino: Would you mind taking a look?

yukishiino: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I'm sorry for the late response.

peria@, could you take a look?  It seems hitting ToLocalChecked() when creating a new v8::Context from the snapshot.

I'm not 100% sure, but this could be fixed at some point.  Kicked clusterfuzz tasks to confirm it.

Ignore #9.  The issue has reproduced on ToT.

Re #10, correction: #3 reproduced on GNU/Linux but it's different from the original UAF report.  UAF doesn't reproduce on my GNU/Linux (Note that the original report is on Windows).

peria: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Using the HTML file in #3, https://crrev.com/496511 seems to be a trigger.
Crash reproduces after the commit, even on release build.

I'll investigate the details.

Hmm, the CL just adds a line
  EventTargetWithInlineData::TraceWrappers(visitor);
but it causes the crash.

A direct reason of the crash is a failure in creating a V8 context or a Window wrapper. The HTML tries to reload so frequently, so some race condition can be a reason.

jbroman@, could you take a look this?

Hmm. The ASAN report shows that we're accessing what the sanitizer believes to be a freed audio buffer.

Either the ScriptState was legally allocated in the address space where the audio buffer previously was (but the sanitizer is unaware of this for some reason), or we were able to allocate an audio buffer and get a ScriptState pointer into it (which would be, ahem, bad).

The context creation one seems to be failing when trying to load the extensions::SafeBuiltins extension, but the ASAN failure only occurs with --verify-heap.

The failure while loading extensions::SafeBuiltins is this:

0x7fd7e31cd809: [JS_API_OBJECT_TYPE]
 - map = 0x7fd7e4c17de1 [FastProperties]
 - prototype = 0x7fd7e31cb351
 - elements = 0x7fd7e8b82251 <FixedArray[0]> [HOLEY_SMI_ELEMENTS]
 - embedder fields: 2
 - properties = 0x7fd7e31cdc89 <PropertyArray[3]> {
    #stack: 0x7fd7e8bad401 <AccessorInfo> (const accessor descriptor)
    0x7fd7e8bad479 <Symbol: DOMException#Error>: 0x7fd7e31cd859 <Error map = 0x7fd7e4c20341> (data field 0) properties[0]
 }  
 - embedder fields = {
    0x5633c64363e0
    0x7eb0b273bb68
 }  
c"InvalidStateError: Failed to execute 'resume' on 'MediaRecorder': The MediaRecorder's state is 'inactive'."

So it looks to me like this exception was left on the isolate from some earlier failure?

AsyncCallErrorCallback in RTCPeerConnection.cpp looks quite suspicious to me. It posts a microtask to invoke the error callback, but doesn't seem to deal with the thrown exception in any way.

When V8 internally enqueues a JSFunction as a microtask, it does so via Execution in Isolate::RunMicrotasksInternal, which seems to catch the exception.

If this is so, though, it seems like invoking handleEvent on a callback interface is a trap that could lead to exceptions being incorrectly handled in a number of cases. :/

Digging further...

I think that handleEvent is killing an exception with
    v8::TryCatch tryCatch;
    tryCatch.SetVerbose(true);
    // without tryCatch.Rethrow();
so no exception should be being thrown.  I'm not quite sure though, and it could be imperfect though.

I mean, that's what should be happening, but I don't see that anywhere in the call path. Where are you seeing the verbose TryCatch?

[microtask callback]
V8RTCPeerConnectionErrorCallback::handleEvent
V8ScriptRunner::CallFunction
v8::Function::Call

None of these seems to contain a TryCatch. It's not immediately clear to me whether the callback interfaces should be generating the TryCatch, or if the caller (RTCPeerConnection) should be responsible for that.

Just confirmed locally that adding such a TryCatch fixes the crash in #3.

My reading of https://heycam.github.io/webidl/#call-a-user-objects-operation suggests that Blink should be prepared for an exception to be thrown from a callback interface (because there's nothing that says such things are caught at the WebIDL/ES level).

It's also interesting to note that we *do* have such a TryCatch inside the generated code for IDL callbacks, but not for IDL callback interfaces. This suggests that might be a reasonable place for it.

I'm slightly wary about some existing use relying on exceptions being thrown inside such a callback interface, but since we don't really provide a way for callers to handle it, I'm hoping not.

Slight correction: if the callback interface method returns a boolean, then we *do* catch it.

Friendly ping from the security sheriff; any updates on this bug?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d492b2554f1154552ff5893b84afd7164d8bccd7

commit d492b2554f1154552ff5893b84afd7164d8bccd7
Author: Jeremy Roman <jbroman@chromium.org>
Date: Wed Nov 08 12:13:07 2017

Catch exceptions thrown by author script inside callback interfaces.

Failing to do so can cause them to be spuriously thrown later on in the V8
runtime, leading to confusing spooky-action-at-a-distance problems.

This fixes the issue in comment 3 of the linked bug.

Bug:  767359 
Change-Id: I79982316f9631d10f9b76f452103b78bd1e7ef67
Reviewed-on: https://chromium-review.googlesource.com/751294
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#514805}
[add] https://crrev.com/d492b2554f1154552ff5893b84afd7164d8bccd7/third_party/WebKit/LayoutTests/fast/peerconnection/RTCPeerConnection-error-callback-exception.html
[modify] https://crrev.com/d492b2554f1154552ff5893b84afd7164d8bccd7/third_party/WebKit/Source/bindings/templates/callback_interface.cpp.tmpl
[modify] https://crrev.com/d492b2554f1154552ff5893b84afd7164d8bccd7/third_party/WebKit/Source/bindings/tests/results/core/V8TestCallbackInterface.cpp

Thanks jbroman! Do you think the CL in #26 solves the problem, or just a symptom? If it's a true fix, please mark this bug as Fixed so the rest of our process can proceed (I'm hoping we have a chance to make the 60-day guarantee for High severity bugs). Thank you!

jbroman@ is ooo this week.

peria@, could you confirm if the issue is fixed or not if you still have a repro environment.  I think that the fix is a true fix.

+cc: peria@  (somehow dropped from cc: list)

peria@, could you confirm if the issue is fixed or not if you still have a repro environment?

I couldn't reproduce the UAF, but jbroman@'s change in #26 seems to fix the crash with the HTML file.

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

+awhalley@ (Security TPM)

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

Merged to M63 as refs/branch-heads/3239@{#485}:

https://chromium.googlesource.com/chromium/src/+/33aeed18843e4fa3b1697cbdaba1573d08885908

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33aeed18843e4fa3b1697cbdaba1573d08885908

commit 33aeed18843e4fa3b1697cbdaba1573d08885908
Author: Jeremy Roman <jbroman@chromium.org>
Date: Tue Nov 14 19:06:29 2017

Catch exceptions thrown by author script inside callback interfaces.

Failing to do so can cause them to be spuriously thrown later on in the V8
runtime, leading to confusing spooky-action-at-a-distance problems.

This fixes the issue in comment 3 of the linked bug.

Bug:  767359 
Change-Id: I79982316f9631d10f9b76f452103b78bd1e7ef67
Reviewed-on: https://chromium-review.googlesource.com/751294
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#514805}

(cherry picked from commit d492b2554f1154552ff5893b84afd7164d8bccd7)

Change-Id: I65fca0892837e9918d70050afb778552ae6e2949
Reviewed-on: https://chromium-review.googlesource.com/769387
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#485}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[add] https://crrev.com/33aeed18843e4fa3b1697cbdaba1573d08885908/third_party/WebKit/LayoutTests/fast/peerconnection/RTCPeerConnection-error-callback-exception.html
[modify] https://crrev.com/33aeed18843e4fa3b1697cbdaba1573d08885908/third_party/WebKit/Source/bindings/templates/callback_interface.cpp.tmpl
[modify] https://crrev.com/33aeed18843e4fa3b1697cbdaba1573d08885908/third_party/WebKit/Source/bindings/tests/results/core/V8TestCallbackInterface.cpp

The CL should have fixed the issue ClusterFuzz was showing with incorrect exception handling (though the result in that case seems to have been a clean crash), but we haven't been able to reproduce the Windows ASAN UAF, either on Win ASan Release builds from about that time or more recent ones, so we haven't been able to take action on that.

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5263441970593792.

ClusterFuzz testcase 5589220029890560 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Detailed report: https://clusterfuzz.com/testcase?key=5263441970593792

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=500820:500829

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5263441970593792

See https://github.com/google/clusterfuzz-tools for more information.

ClusterFuzz has detected this issue as fixed in range 514498:517698.

Detailed report: https://clusterfuzz.com/testcase?key=5263441970593792

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=500820:500829
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=514498:517698

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5263441970593792

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 514498:517698.

Detailed report: https://clusterfuzz.com/testcase?key=5589220029890560

Job Type: linux_asan_chrome_mp
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=514498:517698

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5589220029890560

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5589220029890560 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Hi loobenyang@ - the VRP panel took a look at this and declined to reward, as we've not been able to reproduce the UAF security issue. If you've able to provide steps that allow us to reproduce and fix the issue, we're happy to reconsider it for reward.  Cheers!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot