Security: Desktop web payments crash when processing address fields
Reported by chromium...@gmail.com, Nov 25 2017
Issue description
VERSION
Chrome Version: 64.0.3278.0
Operating System: Mac
REPRODUCTION CASE
This crash occurs when I fill address fields on "desktop web payments" then I click on done. Looks like it can take several tries to repro. I've seen similar reports like this before (e.g. issue 721988). Crash/b471e56399768c66
,
Nov 26 2017
WinDbg output:
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000016`395fd490 00007ffd`e0271653 chrome_7ffddddc0000!payments::ShippingAddressEditorViewController::ValidateModelAndSave+0x1cb [C:\b\c\b\win64_clang\src\chrome\browser\ui\views\payments\shipping_address_editor_view_controller.cc @ 144]
00000016`395fd8b0 00007ffd`e02621a1 chrome_7ffddddc0000!payments::EditorViewController::ButtonPressed+0x1d [C:\b\c\b\win64_clang\src\chrome\browser\ui\views\payments\editor_view_controller.cc @ 167]
00000016`395fd8e0 00007ffd`de203ced chrome_7ffddddc0000!payments::PaymentRequestSheetController::PerformPrimaryButtonAction+0x5f [C:\b\c\b\win64_clang\src\chrome\browser\ui\views\payments\payment_request_sheet_controller.cc @ 398]
00000016`395fd9f0 00007ffd`de203b91 chrome_7ffddddc0000!ui::AcceleratorManager::Process+0x69 [C:\b\c\b\win64_clang\src\ui\base\accelerators\accelerator_manager.cc @ 100]
00000016`395fda50 00007ffd`de2039fb chrome_7ffddddc0000!views::FocusManager::OnKeyEvent+0x17d [C:\b\c\b\win64_clang\src\ui\views\focus\focus_manager.cc @ 87]
00000016`395fdae0 00007ffd`de0b92ef chrome_7ffddddc0000!views::FocusManagerEventHandler::OnKeyEvent+0x35 [C:\b\c\b\win64_clang\src\ui\views\widget\focus_manager_event_handler.cc @ 25]
00000016`395fdb20 00007ffd`de0b922e chrome_7ffddddc0000!ui::EventDispatcher::DispatchEvent+0x3b [C:\b\c\b\win64_clang\src\ui\events\event_dispatcher.cc @ 192]
00000016`395fdb70 00007ffd`de0b900e chrome_7ffddddc0000!ui::EventDispatcher::DispatchEventToEventHandlers+0xa0 [C:\b\c\b\win64_clang\src\ui\events\event_dispatcher.cc @ 170]
00000016`395fdbd0 00007ffd`de0b8f38 chrome_7ffddddc0000!ui::EventDispatcher::ProcessEvent+0x66 [C:\b\c\b\win64_clang\src\ui\events\event_dispatcher.cc @ 127]
00000016`395fdc20 00007ffd`de0b825b chrome_7ffddddc0000!ui::EventDispatcherDelegate::DispatchEventToTarget+0x56 [C:\b\c\b\win64_clang\src\ui\events\event_dispatcher.cc @ 86]
00000016`395fdcb0 00007ffd`de0b735c chrome_7ffddddc0000!ui::EventDispatcherDelegate::DispatchEvent+0xe3 [C:\b\c\b\win64_clang\src\ui\events\event_dispatcher.cc @ 58]
00000016`395fdd20 00007ffd`de20384a chrome_7ffddddc0000!ui::EventProcessor::OnEventFromSource+0x160 [C:\b\c\b\win64_clang\src\ui\events\event_processor.cc @ 57]
00000016`395fddc0 00007ffd`de203803 chrome_7ffddddc0000!aura::WindowTreeHost::DispatchKeyEventPostIME+0x2c [C:\b\c\b\win64_clang\src\ui\aura\window_tree_host.cc @ 219]
00000016`395fde00 00007ffd`dfed0d06 chrome_7ffddddc0000!ui::InputMethodBase::DispatchKeyEventPostIME+0x31 [C:\b\c\b\win64_clang\src\ui\base\ime\input_method_base.cc @ 136]
00000016`395fde50 00007ffd`dfed0bd7 chrome_7ffddddc0000!ui::InputMethodWin::ProcessUnhandledKeyEvent+0x28 [C:\b\c\b\win64_clang\src\ui\base\ime\input_method_win.cc @ 212]
00000016`395fded0 00007ffd`de20373b chrome_7ffddddc0000!ui::InputMethodWin::DispatchKeyEvent+0x429 [C:\b\c\b\win64_clang\src\ui\base\ime\input_method_win.cc @ 196]
00000016`395fe060 00007ffd`de0b8462 chrome_7ffddddc0000!aura::WindowEventDispatcher::PreDispatchKeyEvent+0x6d [C:\b\c\b\win64_clang\src\ui\aura\window_event_dispatcher.cc @ 1031]
00000016`395fe0c0 00007ffd`de0b81c9 chrome_7ffddddc0000!aura::WindowEventDispatcher::PreDispatchEvent+0x1f0 [C:\b\c\b\win64_clang\src\ui\aura\window_event_dispatcher.cc @ 570]
00000016`395fe120 00007ffd`de0b735c chrome_7ffddddc0000!ui::EventDispatcherDelegate::DispatchEvent+0x51 [C:\b\c\b\win64_clang\src\ui\events\event_dispatcher.cc @ 54]
00000016`395fe190 00007ffd`de0b70b3 chrome_7ffddddc0000!ui::EventProcessor::OnEventFromSource+0x160 [C:\b\c\b\win64_clang\src\ui\events\event_processor.cc @ 57]
00000016`395fe230 00007ffd`de20362b chrome_7ffddddc0000!ui::EventSource::SendEventToSink+0xdb [C:\b\c\b\win64_clang\src\ui\events\event_source.cc @ 52]
00000016`395fe2c0 00007ffd`de202d30 chrome_7ffddddc0000!views::DesktopWindowTreeHostWin::HandleKeyEvent+0x27 [C:\b\c\b\win64_clang\src\ui\views\widget\desktop_aura\desktop_window_tree_host_win.cc @ 853]
00000016`395fe300 00007ffd`ddfa98fd chrome_7ffddddc0000!views::HWNDMessageHandler::OnKeyEvent+0x78 [C:\b\c\b\win64_clang\src\ui\views\win\hwnd_message_handler.cc @ 1648]
00000016`395fe470 00007ffd`ddfaa43e chrome_7ffddddc0000!views::HWNDMessageHandler::_ProcessWindowMessage+0x535 [C:\b\c\b\win64_clang\src\ui\views\win\hwnd_message_handler.h @ 392]
00000016`395fe500 00007ffd`dde2cb71 chrome_7ffddddc0000!views::HWNDMessageHandler::OnWndProc+0xa6 [C:\b\c\b\win64_clang\src\ui\views\win\hwnd_message_handler.cc @ 941]
00000016`395fe5a0 00007ffd`fe581169 chrome_7ffddddc0000!base::win::WrappedWindowProc<&gfx::WindowImpl::WndProc>+0xf [C:\b\c\b\win64_clang\src\base\win\wrapped_window_proc.h @ 79]
00000016`395fe5d0 00007ffd`fe580c97 USER32!DispatchMessageW+0x689
00000016`395fe6c0 00007ffd`de0b39d7 USER32!DispatchMessageW+0x1b7
00000016`395fe740 00007ffd`dde92b0f chrome_7ffddddc0000!base::MessagePumpForUI::ProcessMessageHelper+0xd7 [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 363]
00000016`395fe870 00007ffd`ddde8995 chrome_7ffddddc0000!base::MessagePumpForUI::DoRunLoop+0x7f [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 198]
00000016`395fe920 00007ffd`ddddb904 chrome_7ffddddc0000!base::MessagePumpWin::Run+0x65 [C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 58]
00000016`395fe980 00007ffd`de0a943a chrome_7ffddddc0000!base::RunLoop::Run+0x34 [C:\b\c\b\win64_clang\src\base\run_loop.cc @ 114]
00000016`395fe9b0 00007ffd`de0a9231 chrome_7ffddddc0000!ChromeBrowserMainParts::MainMessageLoopRun+0x9c [C:\b\c\b\win64_clang\src\chrome\browser\chrome_browser_main.cc @ 1944]
00000016`395feaa0 00007ffd`de0a91df chrome_7ffddddc0000!content::BrowserMainLoop::RunMainMessageLoopParts+0x45 [C:\b\c\b\win64_clang\src\content\browser\browser_main_loop.cc @ 1203]
00000016`395feb60 00007ffd`dddd5a6b chrome_7ffddddc0000!content::BrowserMainRunnerImpl::Run+0x11 [C:\b\c\b\win64_clang\src\content\browser\browser_main_runner.cc @ 140]
00000016`395feb90 00007ffd`dddd58b3 chrome_7ffddddc0000!content::BrowserMain+0xc3 [C:\b\c\b\win64_clang\src\content\browser\browser_main.cc @ 46]
00000016`395fec70 00007ffd`dddd363a chrome_7ffddddc0000!content::RunNamedProcessTypeMain+0x117 [C:\b\c\b\win64_clang\src\content\app\content_main_runner.cc @ 427]
00000016`395fedd0 00007ffd`dddc4e90 chrome_7ffddddc0000!content::ContentMainRunnerImpl::Run+0x11e [C:\b\c\b\win64_clang\src\content\app\content_main_runner.cc @ 705]
00000016`395fee70 00007ffd`dddc4a26 chrome_7ffddddc0000!service_manager::Main+0x39a [C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 456]
00000016`395ff1b0 00007ffd`dddc2321 chrome_7ffddddc0000!content::ContentMain+0x3e [C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19]
00000016`395ff240 00007ff6`233434aa chrome_7ffddddc0000!ChromeMain+0x12e [C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 128]
00000016`395ff310 00007ff6`2334169d chrome!MainDllLoader::Launch+0x26a [C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 199]
00000016`395ff400 00007ff6`2341bc53 chrome!wWinMain+0x69d [C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 230]
00000016`395ff7e0 00007ffd`ff4c8102 chrome!__scrt_common_main_seh+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]
00000016`395ff820 00007ffd`ff5bc264 KERNEL32!BaseThreadInitThunk+0x22
00000016`395ff850 00000000`00000000 ntdll!RtlUserThreadStart+0x34
,
Nov 26 2017
anthonyvd@, could you help repro and triage this issue? Thanks!
,
Nov 27 2017
,
Nov 27 2017
Seems the crash type is EXC_BAD_ACCESS, so it is more of a stability bug rather than a security one. Changing bug type to BUG.
,
Nov 27 2017
But on Windows it seems like a heap-use-after-free.
,
Nov 27 2017
=================================================================
==4940==ERROR: AddressSanitizer: heap-use-after-free on address 0x2229ab80 at pc 0x6905f5d4 bp 0x0018cbe4 sp 0x0018cbd8
READ of size 4 at 0x2229ab80 thread T0
#0 0x6905f5d3 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ef5d3)
#1 0x6905f892 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ef892)
#2 0x6905f915 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ef915)
#3 0x61d01a2a (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d91a2a)
#4 0x61d03b09 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d93b09)
#5 0x61ce0145 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d70145)
#6 0x61cf84ec (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d884ec)
#7 0x61cf8442 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d88442)
#8 0x61cdece6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d6ece6)
#9 0x61ce08dd (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d708dd)
#10 0x6902a985 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ba985)
#11 0x68ec6c39 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f56c39)
#12 0x68eca1b5 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f5a1b5)
#13 0x68ec9f59 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f59f59)
#14 0x68eb7569 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f47569)
#15 0x5f7c3fda (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x10853fda)
#16 0x68eb8d35 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f48d35)
#17 0x63fd89c7 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x150689c7)
#18 0x63fbd34e (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1504d34e)
#19 0x63fbc2d7 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1504c2d7)
#20 0x63fce6e4 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1505e6e4)
#21 0x63fcf94f (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1505f94f)
#22 0x63fcf5a6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1505f5a6)
#23 0x6671f0d1 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x177af0d1)
#24 0x67520d58 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x185b0d58)
#25 0x66b548ee (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x17be48ee)
#26 0x64000909 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15090909)
#27 0x64001523 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15091523)
#28 0x62399dfc (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x13429dfc)
#29 0x62324ef2 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x133b4ef2)
#30 0x6217467a (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1320467a)
#31 0x621757f6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x132057f6)
#32 0x62175c92 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x13205c92)
#33 0x6232cb53 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x133bcb53)
#34 0x6232ba55 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x133bba55)
#35 0x62173943 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x13203943)
#36 0x621410a0 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x131d10a0)
#37 0x61f1d64e (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12fad64e)
#38 0x5ffd4d32 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x11064d32)
#39 0x5ffe4691 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x11074691)
#40 0x5ffc897b (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1105897b)
#41 0x61c5469f (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12ce469f)
#42 0x61c55af3 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12ce5af3)
#43 0x61cbfbd4 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d4fbd4)
#44 0x61c543d2 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12ce43d2)
#45 0x5ef71341 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x10001341)
#46 0x13c7ef6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.exe+0x407ef6)
#47 0x13c1a54 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.exe+0x401a54)
#48 0x1741239 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.exe+0x781239)
#49 0x777138f3 (C:\Windows\SYSTEM32\KERNEL32.DLL+0x6b8138f3)
#50 0x77a15662 (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e5662)
#51 0x77a1562d (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e562d)
0x2229ab80 is located 0 bytes inside of 552-byte region [0x2229ab80,0x2229ada8)
freed by thread T0 here:
#0 0x172ddc8 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.exe+0x76ddc8)
#1 0x66cb456c (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x17d4456c)
#2 0x61cdefdb (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d6efdb)
#3 0x61ce08dd (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d708dd)
#4 0x6902a985 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ba985)
#5 0x68ec6c39 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f56c39)
#6 0x68eca1b5 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f5a1b5)
#7 0x68ec9f59 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f59f59)
#8 0x68eb7569 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f47569)
#9 0x5f7c3fda (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x10853fda)
#10 0x68eb8d35 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f48d35)
#11 0x63fd89c7 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x150689c7)
#12 0x63fbd34e (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1504d34e)
#13 0x63fbc2d7 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1504c2d7)
#14 0x63fce6e4 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1505e6e4)
#15 0x63fcf94f (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1505f94f)
#16 0x63fcf5a6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1505f5a6)
#17 0x6671f0d1 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x177af0d1)
#18 0x67520d58 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x185b0d58)
#19 0x66b548ee (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x17be48ee)
#20 0x64000909 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15090909)
#21 0x64001523 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15091523)
#22 0x62399dfc (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x13429dfc)
#23 0x62324ef2 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x133b4ef2)
#24 0x6217467a (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1320467a)
#25 0x621757f6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x132057f6)
#26 0x62175c92 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x13205c92)
#27 0x6232cb53 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x133bcb53)
#28 0x6232ba55 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x133bba55)
previously allocated by thread T0 here:
#0 0x172deac (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.exe+0x76deac)
#1 0x69736b29 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a7c6b29)
#2 0x69026249 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0b6249)
#3 0x69024bce (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0b4bce)
#4 0x6901ec89 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0aec89)
#5 0x6901d3cf (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ad3cf)
#6 0x6902a9c7 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ba9c7)
#7 0x68ec6c39 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f56c39)
#8 0x68ec5d20 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x19f55d20)
#9 0x6739b21a (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1842b21a)
#10 0x6904ac4d (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0dac4d)
#11 0x69063e3a (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0f3e3a)
#12 0x6902a840 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ba840)
#13 0x6902c38b (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0bc38b)
#14 0x62492248 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x13522248)
#15 0x61d05e03 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12d95e03)
#16 0x61d30f3a (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x12dc0f3a)
#17 0x63f856c6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x150156c6)
#18 0x63f87de8 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15017de8)
#19 0x63f877e8 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x150177e8)
#20 0x63f8700c (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1501700c)
#21 0x63f86b9e (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15016b9e)
#22 0x63f86862 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15016862)
#23 0x63f9acb3 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1502acb3)
#24 0x64b30df6 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15bc0df6)
#25 0x67eede33 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x18f7de33)
#26 0x67ef3e54 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x18f83e54)
#27 0x67ef306c (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x18f8306c)
#28 0x64b3bb20 (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x15bcbb20)
SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\admin\Desktop\asan-win32-release-519187\chrome.dll+0x1a0ef5d3)
Shadow bytes around the buggy address:
0x34453520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34453530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34453540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34453550: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x34453560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x34453570:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34453580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x34453590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x344535a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x344535b0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x344535c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4940==ABORTING
,
Nov 27 2017
Adding back security label then.
,
Nov 29 2017
,
Nov 29 2017
,
Nov 29 2017
Anthony: Who would be the best person to look into this?
,
Nov 29 2017
Tommy was going to since I was trying to ship our PwG integration but I'll see if I can since it looks like he couldn't get to it.
,
Nov 29 2017
I can't repro this at all on Linux @ ToT and the stack traces in #2 and #4 seem to be crashing in wildly different bits of code. Any way to get more reliable repro steps? Any one else able to repro this?
,
Nov 29 2017
Does this have to be in asan compile flags? If so, these instructions should help with repro: https://www.chromium.org/developers/testing/addresssanitizer
,
Nov 30 2017
Ah, got it! The key is to not modify the address before clicking "Done". I'll look into it.
,
Nov 30 2017
,
Dec 1 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c692ab0941d7cd6278f4537e859fbf42ca1e0601

commit c692ab0941d7cd6278f4537e859fbf42ca1e0601
Author: Anthony Vallee-Dubois <anthonyvd@chromium.org>
Date: Fri Dec 01 16:16:21 2017

[Web Payments] Don't update views while waiting for updateWith

The way the current code is set up, selecting a shipping address will kick off a view update under the spinner screen while waiting for the merchant to call update with. Not only is this wasteful (the view will update again on updateWith, as the spinner is hidden) but it's also a source of use-after-free crashes when updateWith is called in the middle of the view update because the two updates race to updating and deleting some view objects.

BUG= 788514
Change-Id: I86f48907632d679e7702b3bbf9e09d893b1b8c7a
Reviewed-on: https://chromium-review.googlesource.com/801835
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Tommy Martino <tmartino@chromium.org>
Commit-Queue: anthonyvd <anthonyvd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520951}

[modify] https://crrev.com/c692ab0941d7cd6278f4537e859fbf42ca1e0601/components/payments/content/payment_request_state.cc
[modify] https://crrev.com/c692ab0941d7cd6278f4537e859fbf42ca1e0601/components/payments/content/payment_request_state_unittest.cc
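The race the commit message describes, as an added illustration that is not Chromium's code: a view update is modelled as two steps (capture the child views, then lay them out and rebuild), so a second update can run between them and destroy the views the first one captured. The classes, the two-step split and the "skip the update while an updateWith is outstanding" guard are this example's simplifications, not the real payment_request_state.cc; a registry of live ids stands in for the allocator so a stale use is counted rather than dereferenced.

```cpp
#include <cstdint>
#include <set>
#include <vector>

// Stand-in for the allocator: "using" an id that has already been destroyed is
// counted as a stale use instead of dereferencing freed memory (ASan's job).
struct ViewRegistry {
  std::set<uint64_t> live;
  uint64_t next_id = 1;
  int stale_uses = 0;
  uint64_t Create() { uint64_t id = next_id++; live.insert(id); return id; }
  void Destroy(uint64_t id) { live.erase(id); }
  void Use(uint64_t id) { if (!live.count(id)) ++stale_uses; }
};

// A sheet whose update is split into two steps, so that a second update can
// interleave between them (hypothetical model of the race in the commit message).
class ShippingSheet {
 public:
  explicit ShippingSheet(ViewRegistry* reg) : reg_(reg) { Rebuild(); }
  // Step 1: capture the child views this update is going to lay out.
  std::vector<uint64_t> BeginUpdate() const { return children_; }
  // Step 2: lay out the captured views, then replace them with fresh ones.
  void FinishUpdate(const std::vector<uint64_t>& captured) {
    for (uint64_t id : captured) reg_->Use(id);  // stale if already destroyed
    Rebuild();
  }
 private:
  void Rebuild() {
    for (uint64_t id : children_) reg_->Destroy(id);
    children_ = {reg_->Create(), reg_->Create()};
  }
  ViewRegistry* reg_;
  std::vector<uint64_t> children_;
};

// Simplified model of the state object. With |skip_while_waiting| false it acts
// like the pre-fix code: selecting an address starts a view update under the spinner.
class PaymentRequestState {
 public:
  PaymentRequestState(ShippingSheet* sheet, bool skip_while_waiting)
      : sheet_(sheet), skip_while_waiting_(skip_while_waiting) {}
  void SetSelectedShippingAddress() {
    waiting_for_update_with_ = true;                // spinner shown, merchant asked
    if (skip_while_waiting_ && waiting_for_update_with_) return;  // the fix
    in_flight_ = sheet_->BeginUpdate();             // pre-fix: update starts anyway
    has_in_flight_ = true;
  }
  void OnUpdateWith() {
    waiting_for_update_with_ = false;               // spinner hidden
    sheet_->FinishUpdate(sheet_->BeginUpdate());    // the legitimate update
    if (has_in_flight_) {                           // interrupted update resumes...
      sheet_->FinishUpdate(in_flight_);             // ...on views the line above freed
      has_in_flight_ = false;
    }
  }
 private:
  ShippingSheet* sheet_;
  bool skip_while_waiting_;
  bool waiting_for_update_with_ = false;
  std::vector<uint64_t> in_flight_;
  bool has_in_flight_ = false;
};

// Runs select-address then updateWith and returns how many stale view uses the
// registry observed: 2 for the pre-fix ordering, 0 with the guard in place.
int StaleUsesForScenario(bool skip_while_waiting) {
  ViewRegistry reg;
  ShippingSheet sheet(&reg);
  PaymentRequestState state(&sheet, skip_while_waiting);
  state.SetSelectedShippingAddress();
  state.OnUpdateWith();
  return reg.stale_uses;
}
```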
,
Dec 1 2017
r520951 should fix this issue. I'll request a merge to 64 if it turns out we missed the branch with it.
,
Dec 1 2017
,
Dec 2 2017
,
Dec 4 2017
,
Dec 4 2017
,
Dec 5 2017
,
Dec 6 2017
Your change meets the bar and is auto-approved for M64. Please go ahead and merge the CL to branch 3282 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 8 2017
The VRP panel took a look at this, and deem it to be unexploitable, I'm afraid. Moving back to type bug.
,
Dec 11 2017
@anthonyvd, could you please take a look at issue 793440?
,
Dec 11 2017
I don't have permission to see that one (probably because it's considered a security issue). Someone would have to CC me on it.
,
Dec 11 2017
No permissions for me either.
,
Dec 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/08edf0360fad06aa4e35fa3bc0795d5c3a87d28d

commit 08edf0360fad06aa4e35fa3bc0795d5c3a87d28d
Author: Anthony Vallee-Dubois <anthonyvd@chromium.org>
Date: Tue Dec 12 16:03:27 2017

[Web Payments] Don't update views while waiting for updateWith

The way the current code is set up, selecting a shipping address will kick off a view update under the spinner screen while waiting for the merchant to call update with. Not only is this wasteful (the view will update again on updateWith, as the spinner is hidden) but it's also a source of use-after-free crashes when updateWith is called in the middle of the view update because the two updates race to updating and deleting some view objects.

BUG= 788514
Change-Id: I86f48907632d679e7702b3bbf9e09d893b1b8c7a
Reviewed-on: https://chromium-review.googlesource.com/801835
Reviewed-by: Rouslan Solomakhin <rouslan@chromium.org>
Reviewed-by: Tommy Martino <tmartino@chromium.org>
Commit-Queue: anthonyvd <anthonyvd@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#520951}
(cherry picked from commit c692ab0941d7cd6278f4537e859fbf42ca1e0601)
Reviewed-on: https://chromium-review.googlesource.com/820071
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#172}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}

[modify] https://crrev.com/08edf0360fad06aa4e35fa3bc0795d5c3a87d28d/components/payments/content/payment_request_state.cc
[modify] https://crrev.com/08edf0360fad06aa4e35fa3bc0795d5c3a87d28d/components/payments/content/payment_request_state_unittest.cc
,
Dec 12 2017
@anthonyvd, Cc'd to issue 793440
Comment 1 by chromium...@gmail.com, Nov 26 2017 (attachment: WinDbg output, 11.8 KB)