Issue 793871


Issue metadata

Status: Duplicate
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security
Team-Accessibility




chrome_child!blink::AXARIAGrid::AddRow memory corruption

Reported by j00sean....@gmail.com, Dec 11 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Steps to reproduce the problem:
+ Page heap turned on for chrome:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>gflags.exe /i chrome.exe
Current Registry Settings for chrome.exe executable are: 02109870
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking
    htg - Enable heap tagging
    ust - Create user mode stack trace database
    htd - Enable heap tagging by DLL
    scb - Enable system critical breaks
    hpa - Enable page heap

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>echo %CHROME_ALLOCATOR%
winheap

+ Launch chrome with switches --no-sandbox and --force-renderer-accessibility:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>windbg.exe -g -G -o "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-sandbox --force-renderer-accessibility http://127.0.0.1:8000/1.html

(38bc.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chrome_child!blink::AXARIAGrid::AddRow+0x8 [inlined in chrome_child!blink::AXARIAGrid::ComputeRows+0x36]:
00007ffc`46b864aa ff9088000000    call    qword ptr [rax+88h] ds:00007ffc`00000088=????????????????
4:038> k
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- chrome_child!blink::AXARIAGrid::AddRow+0x8 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 49] 
01 000000b3`3d3fdbb0 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x36 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 62] 
02 000000b3`3d3fdbf0 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61] 
03 000000b3`3d3fdc30 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61] 
04 000000b3`3d3fdc70 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61] 
05 000000b3`3d3fdcb0 00007ffc`46b862b5 chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61] 
06 000000b3`3d3fdcf0 00007ffc`46b7a618 chrome_child!blink::AXARIAGrid::AddChildren+0x3d [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 113] 
07 (Inline Function) --------`-------- chrome_child!blink::AXObject::UpdateChildrenIfNecessary+0x12 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axobject.cpp @ 1750] 
08 000000b3`3d3fdd30 00007ffc`46b6e6ea chrome_child!blink::AXLayoutObject::UpdateChildrenIfNecessary+0x34 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axlayoutobject.cpp @ 1665] 
09 (Inline Function) --------`-------- chrome_child!blink::AXObject::Children+0xc [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axobject.cpp @ 1682] 
0a 000000b3`3d3fdd60 00007ffc`460b7adc chrome_child!blink::AXTableRow::Cells+0x12 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axtablerow.h @ 57] 
0b 000000b3`3d3fdd90 00007ffc`461c6afb chrome_child!blink::WebAXObject::ChildCount+0x28 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\exported\webaxobject.cpp @ 208] 
0c 000000b3`3d3fddc0 00007ffc`4618c9fc chrome_child!content::BlinkAXTreeSource::GetChildren+0xbf [c:\b\c\b\win64_pgo\src\content\renderer\accessibility\blink_ax_tree_source.cc @ 379] 
0d 000000b3`3d3fde30 00007ffc`4618ca3c chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::WalkAllDescendants+0x58 [c:\b\c\b\win64_pgo\src\ui\accessibility\ax_tree_serializer.h @ 546] 
0e 000000b3`3d3fde80 00007ffc`4618c2fc chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::WalkAllDescendants+0x98 [c:\b\c\b\win64_pgo\src\ui\accessibility\ax_tree_serializer.h @ 546] 
0f 000000b3`3d3fded0 00007ffc`4618b6fb chrome_child!ui::AXTreeSerializer<blink::WebAXObject,content::AXContentNodeData,content::AXContentTreeData>::SerializeChanges+0x204 [c:\b\c\b\win64_pgo\src\ui\accessibility\ax_tree_serializer.h @ 382] 
10 000000b3`3d3fe040 00007ffc`443413c2 chrome_child!content::RenderAccessibilityImpl::SendPendingAccessibilityEvents+0x237 [c:\b\c\b\win64_pgo\src\content\renderer\accessibility\render_accessibility_impl.cc @ 420] 
11 (Inline Function) --------`-------- chrome_child!base::internal::FunctorTraits<void (__cdecl cc::ResourcePool::*)(void),void>::Invoke+0x1f [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 194] 
12 (Inline Function) --------`-------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x2e [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 297] 
13 (Inline Function) --------`-------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl cc::ResourcePool::*)(void),base::WeakPtr<cc::ResourcePool> >,void __cdecl(void)>::RunImpl+0x32 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 349] 
14 000000b3`3d3fe4b0 00007ffc`443ceb8e chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl cc::ResourcePool::*)(void) __ptr64,base::WeakPtr<cc::ResourcePool> >,void __cdecl(void)>::RunOnce+0x3e [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 322] 
15 (Inline Function) --------`-------- chrome_child!base::OnceCallback<void __cdecl(void)>::Run+0x22 [c:\b\c\b\win64_pgo\src\base\callback.h @ 64] 
16 000000b3`3d3fe4f0 00007ffc`44360106 chrome_child!base::debug::TaskAnnotator::RunTask+0xda [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 57] 
17 000000b3`3d3fe5e0 00007ffc`443ce2a6 chrome_child!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1b2 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 534] 
18 000000b3`3d3fe8a0 00007ffc`44358a3b chrome_child!blink::scheduler::TaskQueueManager::DoWork+0x18e [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\scheduler\base\task_queue_manager.cc @ 322] 
19 (Inline Function) --------`-------- chrome_child!base::internal::FunctorTraits<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool),void>::Invoke+0x27 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 194] 
1a (Inline Function) --------`-------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x40 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 297] 
1b (Inline Function) --------`-------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool),base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::RunImpl+0x44 [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 349] 
1c 000000b3`3d3fea20 00007ffc`443ceb8e chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::Run+0x4b [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 334] 
1d (Inline Function) --------`-------- chrome_child!base::OnceCallback<void __cdecl(void)>::Run+0x22 [c:\b\c\b\win64_pgo\src\base\callback.h @ 64] 
1e 000000b3`3d3fea60 00007ffc`4435edd1 chrome_child!base::debug::TaskAnnotator::RunTask+0xda [c:\b\c\b\win64_pgo\src\base\debug\task_annotator.cc @ 57] 
1f (Inline Function) --------`-------- chrome_child!base::internal::IncomingTaskQueue::RunTask+0x1a [c:\b\c\b\win64_pgo\src\base\message_loop\incoming_task_queue.cc @ 130] 
20 000000b3`3d3feb50 00007ffc`443cf052 chrome_child!base::MessageLoop::RunTask+0xb9 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 395] 
21 (Inline Function) --------`-------- chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x12 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 406] 
22 000000b3`3d3fec70 00007ffc`443ce035 chrome_child!base::MessageLoop::DoWork+0x1aa [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 450] 
23 000000b3`3d3fedc0 00007ffc`444df55c chrome_child!base::MessagePumpDefault::Run+0x31 [c:\b\c\b\win64_pgo\src\base\message_loop\message_pump_default.cc @ 37] 
24 000000b3`3d3fee50 00007ffc`444df4fc chrome_child!base::MessageLoop::Run+0x28 [c:\b\c\b\win64_pgo\src\base\message_loop\message_loop.cc @ 347] 
25 000000b3`3d3fee80 00007ffc`447f15a6 chrome_child!base::RunLoop::Run+0x68 [c:\b\c\b\win64_pgo\src\base\run_loop.cc @ 120] 
26 000000b3`3d3feef0 00007ffc`446cf612 chrome_child!content::RendererMain+0x1ee [c:\b\c\b\win64_pgo\src\content\renderer\renderer_main.cc @ 220] 
27 000000b3`3d3ff090 00007ffc`445a3b7c chrome_child!content::RunNamedProcessTypeMain+0xb6 [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 448] 
28 000000b3`3d3ff1e0 00007ffc`446d018f chrome_child!content::ContentMainRunnerImpl::Run+0xbc [c:\b\c\b\win64_pgo\src\content\app\content_main_runner.cc @ 710] 
29 000000b3`3d3ff270 00007ffc`44385b87 chrome_child!service_manager::Main+0x1e7 [c:\b\c\b\win64_pgo\src\services\service_manager\embedder\main.cc @ 458] 
2a 000000b3`3d3ff400 00007ffc`44385b2a chrome_child!content::ContentMain+0x27 [c:\b\c\b\win64_pgo\src\content\app\content_main.cc @ 19] 
2b 000000b3`3d3ff470 00007ff7`6e027164 chrome_child!ChromeMain+0x17e [c:\b\c\b\win64_pgo\src\chrome\app\chrome_main.cc @ 125] 
2c 000000b3`3d3ff520 00007ff7`6e02256e chrome!MainDllLoader::Launch+0x3c4 [c:\b\c\b\win64_pgo\src\chrome\app\main_dll_loader_win.cc @ 201] 
2d 000000b3`3d3ff650 00007ff7`6e0f73e3 chrome!wWinMain+0x336 [c:\b\c\b\win64_pgo\src\chrome\app\chrome_exe_main_win.cc @ 231] 
2e (Inline Function) --------`-------- chrome!invoke_main+0x21 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 118] 
2f 000000b3`3d3ff840 00007ffc`75121fe4 chrome!__scrt_common_main_seh+0x117 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283] 
30 000000b3`3d3ff880 00007ffc`7658ef91 KERNEL32!BaseThreadInitThunk+0x14
31 000000b3`3d3ff8b0 00000000`00000000 ntdll!RtlUserThreadStart+0x21

+ Testcase (1.html):

<html>
<head><style>#divparent {-webkit-user-modify: read-only }</style></head>
<body>
<div id="divparent"><div role="grid"><div><canvas><div><div role="row"></div></canvas>
</body>
</html>

+ Tested on:

OS => Microsoft Windows [Version 10.0.16299.98]
Chrome => Version 63.0.3239.84 (Official Build) (64-bit)

OS => Microsoft Windows [Version 6.1.7601]
Chrome => Version 63.0.3239.84 (Official Build) (32-bit)

+ Note this bug didn't reproduce in the canary channel.
+ This bug was found thanks to Domato: https://github.com/google/domato

What is the expected behavior?
testcase works fine

What went wrong?
tab crash

Did this work before? N/A 

Chrome version: 63.0.3239.84  Channel: stable
OS Version: 10.0
Flash Version:
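Added example, not part of this report and not Chromium or ClusterFuzz tooling: a small Python triage helper for WinDbg `k` dumps like the one above. It parses each frame line into a structured record (inlined frames have no stack slot and are marked as such), collapses the run of repeated ComputeRows frames so deep recursion does not swamp the signature, and derives a three-frame crash-state key from the top non-framework frames, which is the kind of bucketing one needs when a fuzzer such as Domato produces many similar crashes. The embedded sample is a subset of the frames from this report; the choice of what counts as a framework frame (base::, KERNEL32, ntdll) is an assumption made here, not the rule any real triage system uses.

```python
"""Triage helper for WinDbg `k` stack dumps (added example, not Chromium code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One WinDbg `k` frame line, in either of its two shapes:
#   "01 000000b3`3d3fdbb0 00007ffc`46b8657b mod!ns::Func+0x36 [c:\dir\file.cpp @ 62]"
#   "00 (Inline Function) --------`-------- mod!ns::Func+0x8 [c:\dir\file.cpp @ 49]"
# The symbol is matched lazily because template arguments may contain spaces.
FRAME_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{2})\s+"
    r"(?:\(Inline Function\)\s+--------`--------"
    r"|(?P<sp>[0-9a-f`]+)\s+(?P<ret>[0-9a-f`]+))\s+"
    r"(?P<symbol>.+?)(?:\+0x(?P<off>[0-9a-f]+))?"
    r"(?:\s+\[(?P<file>[^@\]]+?)\s+@\s+(?P<line>\d+)\])?\s*$"
)


@dataclass
class Frame:
    index: int
    symbol: str            # "module!qualified::name", template args included
    offset: Optional[int]  # bytes past the symbol start, None if absent
    file: Optional[str]
    line: Optional[int]
    inlined: bool          # reconstructed from inline info, owns no stack slot


def parse_stack(text: str) -> List[Frame]:
    """Return the frames in WinDbg `k` output, skipping the prompt and header lines."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(
            index=int(m["idx"], 16),
            symbol=m["symbol"],
            offset=int(m["off"], 16) if m["off"] else None,
            file=m["file"],
            line=int(m["line"]) if m["line"] else None,
            inlined=m["sp"] is None,
        ))
    return frames


def first_real_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame with a stack slot; inlined frames above it share its return address."""
    return next((f for f in frames if not f.inlined), None)


def collapse_recursion(frames: List[Frame]) -> List[Tuple[Frame, int]]:
    """Merge runs of consecutive frames with the same symbol into (frame, repeat count)."""
    runs: List[Tuple[Frame, int]] = []
    for f in frames:
        if runs and runs[-1][0].symbol == f.symbol:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((f, 1))
    return runs


def short_name(symbol: str) -> str:
    """Drop the module prefix ("chrome_child!")."""
    return symbol.partition("!")[2] or symbol


def is_framework(symbol: str) -> bool:
    """Frames that say nothing about the bug: task plumbing, OS thread start (assumed filter)."""
    module, _, name = symbol.partition("!")
    return module.lower() in ("kernel32", "ntdll") or name.startswith("base::")


def crash_state(frames: List[Frame], depth: int = 3) -> List[str]:
    """Top `depth` distinct non-framework symbols with recursion collapsed: a bucketing key."""
    state: List[str] = []
    for f, _ in collapse_recursion(frames):
        if is_framework(f.symbol):
            continue
        state.append(short_name(f.symbol))
        if len(state) == depth:
            break
    return state


# Sample input: a subset of the `k` output from this report (frames 00-03, 06, 07, 14, 30, 31).
SAMPLE = r"""4:038> k
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- chrome_child!blink::AXARIAGrid::AddRow+0x8 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 49]
01 000000b3`3d3fdbb0 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x36 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 62]
02 000000b3`3d3fdbf0 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61]
03 000000b3`3d3fdc30 00007ffc`46b8657b chrome_child!blink::AXARIAGrid::ComputeRows+0x107 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 61]
06 000000b3`3d3fdcf0 00007ffc`46b7a618 chrome_child!blink::AXARIAGrid::AddChildren+0x3d [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axariagrid.cpp @ 113]
07 (Inline Function) --------`-------- chrome_child!blink::AXObject::UpdateChildrenIfNecessary+0x12 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\accessibility\axobject.cpp @ 1750]
14 000000b3`3d3fe4b0 00007ffc`443ceb8e chrome_child!base::internal::Invoker<base::internal::BindState<void (__cdecl cc::ResourcePool::*)(void) __ptr64,base::WeakPtr<cc::ResourcePool> >,void __cdecl(void)>::RunOnce+0x3e [c:\b\c\b\win64_pgo\src\base\bind_internal.h @ 322]
30 000000b3`3d3ff880 00007ffc`7658ef91 KERNEL32!BaseThreadInitThunk+0x14
31 000000b3`3d3ff8b0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
"""

if __name__ == "__main__":
    frames = parse_stack(SAMPLE)
    top = first_real_frame(frames)
    print("crash state:", " / ".join(crash_state(frames)))
    print("first real frame:", short_name(top.symbol), f"{top.file} @ {top.line}")
    for f, n in collapse_recursion(frames):
        print(f"{f.index:02x} {short_name(f.symbol)}" + (f"  x{n}" if n > 1 else ""))
```

Run it as a script to see the collapsed stack; to triage a batch, feed each saved `k` dump to `parse_stack` and group by `crash_state`. Note that the faulting frame here is inlined, so the first frame that actually owns a stack slot is ComputeRows at axariagrid.cpp line 62, which is the location a debugger breakpoint would need.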
 
Components: Blink>Accessibility
Labels: Security_Severity-Medium M-63 Security_Impact-Stable
Owner: aleventhal@chromium.org
Status: Assigned (was: Unconfirmed)
PTAL?

Unfortunately, upload of the Test Case to ClusterFuzz is broken at the moment.
Project Member

Comment 2 by sheriffbot@chromium.org, Dec 13 2017

Labels: -Pri-2 Pri-1
@elawrence, I think the CL that should have fixed this was already cherry-picked.
For reference: https://chromium-review.googlesource.com/c/chromium/src/+/747982#message-4ba87989a8a6977e1981a575ba32f0c93d09f446
Labels: Merge-Request-M63
Status: Fixed (was: Assigned)
Mergedinto: 778966
Status: Duplicate (was: Fixed)
This was originally fixed on trunk (in the dupe), and I did the merge to M63 incorrectly until just now. 
Could someone give me access into the issue 778966?
Still waiting for access to the first report.
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 24 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
