
Issue 800349

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Use after free of StoragePartitionImpl via RequestStorageQuota mojo IPC

Reported by chrisha@chromium.org, Jan 9 2018

Issue description

Chrome Version: 65.0.3306.1
OS: Windows

This is seen on recent ASAN releases. For an example crash, refer to go/crash/764cd5f6a4a3d248

Assigning to creis@ for quick triage.

Stack traces included here for convenience:

0x59e40e13	(chrome.dll -quota_dispatcher_host.cc:77 )	content::QuotaDispatcherHost::RequestStorageQuota(__int64,url::Origin const &,storage::StorageType,unsigned __int64,base::OnceCallback<void >)
0x598b4828	(chrome.dll -quota_dispatcher_host.mojom.cc:518 )	content::mojom::QuotaDispatcherHostStubDispatch::AcceptWithResponder(content::mojom::QuotaDispatcherHost *,mojo::Message *,std::unique_ptr<mojo::MessageReceiverWithStatus,std::default_delete<mojo::MessageReceiverWithStatus> >)
0x59e4059a	(chrome.dll -quota_dispatcher_host.mojom.h:167 )	content::mojom::QuotaDispatcherHostStub<mojo::RawPtrImplRefTraits<content::mojom::QuotaDispatcherHost> >::AcceptWithResponder(mojo::Message *,std::unique_ptr<mojo::MessageReceiverWithStatus,std::default_delete<mojo::MessageReceiverWithStatus> >)
0x5a4c4af0	(chrome.dll -interface_endpoint_client.cc:394 )	mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message *)
0x5a4c7f19	(chrome.dll -filter_chain.cc:40 )	mojo::FilterChain::Accept(mojo::Message *)
0x5a4c48e5	(chrome.dll -interface_endpoint_client.cc:306 )	mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message *)
0x5a4bee83	(chrome.dll -multiplex_router.cc:879 )	mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper *,mojo::internal::MultiplexRouter::ClientCallBehavior,base::SequencedTaskRunner *)
0x5a4bcdf5	(chrome.dll -multiplex_router.cc:604 )	mojo::internal::MultiplexRouter::Accept(mojo::Message *)
0x5a4c7f19	(chrome.dll -filter_chain.cc:40 )	mojo::FilterChain::Accept(mojo::Message *)
0x5a4ba4c9	(chrome.dll -connector.cc:444 )	mojo::Connector::ReadSingleMessage(unsigned int *)
0x5a4ba13a	(chrome.dll -connector.cc:474 )	mojo::Connector::ReadAllAvailableMessages()
0x5a4b9d05	(chrome.dll -connector.cc:375 )	mojo::Connector::OnHandleReadyInternal(unsigned int)
0x5b378d61	(chrome.dll -bind_internal.h:350 )	base::internal::Invoker<base::internal::BindState<void ( BookmarksMessageHandler::*)(base::ListValue const *),base::internal::UnretainedWrapper<BookmarksMessageHandler> >,void >::Run(base::internal::BindStateBase *,base::ListValue const *)
0x5ae1ca02	(chrome.dll -history_service.cc:79 )	history::`anonymous namespace'::RunWithFaviconResult
0x5b13e8e5	(chrome.dll -bind_internal.h:350 )	base::internal::Invoker<base::internal::BindState<void (*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::RepeatingCallback<void > const &),std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,void >::Run(base::internal::BindStateBase *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::RepeatingCallback<void > const &)
0x5a4d0c12	(chrome.dll -simple_watcher.cc:276 )	mojo::SimpleWatcher::OnHandleReady(int,unsigned int,mojo::HandleSignalsState const &)
0x5a4d0aab	(chrome.dll -simple_watcher.cc:107 )	mojo::SimpleWatcher::Context::Notify(unsigned int,MojoHandleSignalsState,unsigned int)
0x5a4d06ed	(chrome.dll -simple_watcher.cc:57 )	mojo::SimpleWatcher::Context::CallNotify(unsigned int,unsigned int,MojoHandleSignalsState,unsigned int)
0x5ac85cae	(chrome.dll -watcher_dispatcher.cc:84 )	mojo::edk::WatcherDispatcher::InvokeWatchCallback(unsigned int,unsigned int,mojo::HandleSignalsState const &,unsigned int)
0x5ac9318a	(chrome.dll -watch.cc:78 )	mojo::edk::Watch::InvokeCallback(unsigned int,mojo::HandleSignalsState const &,unsigned int)
0x5ac83114	(chrome.dll -request_context.cc:66 )	mojo::edk::RequestContext::~RequestContext()
0x5ac90ee8	(chrome.dll -node_channel.cc:757 )	mojo::edk::NodeChannel::OnChannelMessage(void const *,unsigned int,std::vector<mojo::edk::ScopedPlatformHandle,std::allocator<mojo::edk::ScopedPlatformHandle> >)
0x5ac8f3ed	(chrome.dll -channel.cc:725 )	mojo::edk::Channel::OnReadComplete(unsigned int,unsigned int *)
0x5ac9493e	(chrome.dll -channel_win.cc:233 )	mojo::edk::`anonymous namespace'::ChannelWin::OnIOCompleted
0x58fde154	(chrome.dll -message_pump_win.cc:531 )	base::MessagePumpForIO::WaitForIOCompletion(unsigned long,base::MessagePumpForIO::IOHandler *)
0x58fddd08	(chrome.dll -message_pump_win.cc:479 )	base::MessagePumpForIO::DoRunLoop()
0x58fdca80	(chrome.dll -message_pump_win.cc:56 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x58f29e02	(chrome.dll -run_loop.cc:130 )	base::RunLoop::Run()
0x58f55bff	(chrome.dll -thread.cc:255 )	base::Thread::Run(base::RunLoop *)
0x59be8f85	(chrome.dll -browser_thread_impl.cc:248 )	content::BrowserThreadImpl::IOThreadRun(base::RunLoop *)
0x59be9d25	(chrome.dll -browser_thread_impl.cc:283 )	content::BrowserThreadImpl::Run(base::RunLoop *)
0x58f5638f	(chrome.dll -thread.cc:338 )	base::Thread::ThreadMain()
0x58f3dfcd	(chrome.dll -platform_thread_win.cc:89 )	base::`anonymous namespace'::ThreadFunc
0x74be8463	(KERNEL32.dll + 0x00018463 )	BaseThreadInitThunk
0x77642d67	(ntdll.dll + 0x00062d67 )	__RtlUserThreadStart
0x77642d37	(ntdll.dll + 0x00062d37 )	_RtlUserThreadStart
ASAN Free Stack Trace (TID: 14352)
0x6adfb83b	(syzyasan_rtl.dll -block_heap_manager.cc:315 )	agent::asan::heap_managers::BlockHeapManager::Free(unsigned int,void *)
0x6adf424d	(syzyasan_rtl.dll -rtl_impl.cc:124 )	asan_HeapFree
0x58fcc3bb	(chrome.dll -allocator_shim_default_dispatch_to_winheap.cc:55 )	`anonymous namespace'::DefaultWinHeapFreeImpl
0x58ef7932	(chrome.dll -allocator_shim_override_ucrt_symbols_win.h:55 )	free
0x5af3037c	(chrome.dll + 0x0212037c )	storage::QuotaManager::`scalar deleting destructor'(unsigned int)
0x58fc80b0	(chrome.dll -activity_tracker.cc:1740 )	base::debug::GlobalActivityTracker::OnTLSDestroy(void *)
0x58f36a4c	(chrome.dll -bind_internal.h:336 )	base::internal::Invoker<base::internal::BindState<void (*)(void const *),void const *>,void >::RunOnce(base::internal::BindStateBase *)
0x59000686	(chrome.dll -task_annotator.cc:55 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x58f4c595	(chrome.dll -message_loop.cc:392 )	base::MessageLoop::RunTask(base::PendingTask *)
0x58f4c906	(chrome.dll -message_loop.cc:403 )	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x58f4ce1b	(chrome.dll -message_loop.cc:447 )	base::MessageLoop::DoWork()
0x58fdde89	(chrome.dll -message_pump_win.cc:475 )	base::MessagePumpForIO::DoRunLoop()
0x58fdca81	(chrome.dll -message_pump_win.cc:58 )	base::MessagePumpWin::Run(base::MessagePump::Delegate *)
0x58f29e03	(chrome.dll -run_loop.cc:133 )	base::RunLoop::Run()
0x58f55c00	(chrome.dll -thread.cc:256 )	base::Thread::Run(base::RunLoop *)
0x59be8f86	(chrome.dll -browser_thread_impl.cc:249 )	content::BrowserThreadImpl::IOThreadRun(base::RunLoop *)
0x59be9d26	(chrome.dll -browser_thread_impl.cc:283 )	content::BrowserThreadImpl::Run(base::RunLoop *)
0x58f56390	(chrome.dll -thread.cc:338 )	base::Thread::ThreadMain()
0x58f3dfce	(chrome.dll -platform_thread_win.cc:91 )	base::`anonymous namespace'::ThreadFunc
0x74be8464	(KERNEL32.dll + 0x00018464 )	BaseThreadInitThunk
0x77642d68	(ntdll.dll + 0x00062d68 )	__RtlUserThreadStart
0x77642d38	(ntdll.dll + 0x00062d38 )	_RtlUserThreadStart
ASAN Allocation Stack Trace (TID: 9852)
0x6adfb579	(syzyasan_rtl.dll -block_heap_manager.cc:211 )	agent::asan::heap_managers::BlockHeapManager::Allocate(unsigned int,unsigned int)
0x6adf41a3	(syzyasan_rtl.dll -rtl_impl.cc:103 )	asan_HeapAlloc
0x58fcc2ea	(chrome.dll -allocator_shim_default_dispatch_to_winheap.cc:18 )	`anonymous namespace'::DefaultWinHeapMallocImpl
0x58ef78ea	(chrome.dll -allocator_shim_override_ucrt_symbols_win.h:51 )	malloc
0x5b82c3e9	(chrome.dll -new_scalar.cpp:19 )	operator new(unsigned int)
0x59f876a1	(chrome.dll -storage_partition_impl.cc:514 )	content::StoragePartitionImpl::Create(content::BrowserContext *,bool,base::FilePath const &)
0x59f8bd24	(chrome.dll -storage_partition_impl_map.cc:398 )	content::StoragePartitionImplMap::Get(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,bool,bool)
0x59bda40d	(chrome.dll -browser_context.cc:133 )	content::`anonymous namespace'::GetStoragePartitionFromConfig
0x59bda398	(chrome.dll -browser_context.cc:292 )	content::BrowserContext::GetStoragePartitionForSite(content::BrowserContext *,GURL const &,bool)
0x59eba272	(chrome.dll -render_process_host_impl.cc:901 )	content::`anonymous namespace'::ShouldFindReusableProcessHostForSite
0x59eb55f6	(chrome.dll -render_process_host_impl.cc:3557 )	content::RenderProcessHostImpl::GetProcessHostForSiteInstance(content::BrowserContext *,content::SiteInstanceImpl *)
0x59f79588	(chrome.dll -site_instance_impl.cc:128 )	content::SiteInstanceImpl::GetProcess()
0x59fb1f6d	(chrome.dll -web_contents_impl.cc:1753 )	content::WebContentsImpl::Init(content::WebContents::CreateParams const &)
0x59facb72	(chrome.dll -web_contents_impl.cc:735 )	content::WebContentsImpl::CreateWithOpener(content::WebContents::CreateParams const &,content::RenderFrameHostImpl *)
0x59fab70e	(chrome.dll -web_contents_impl.cc:308 )	content::WebContents::Create(content::WebContents::CreateParams const &)
0x5a123867	(chrome.dll -extension_host.cc:72 )	extensions::ExtensionHost::ExtensionHost(extensions::Extension const *,content::SiteInstance *,GURL const &,extensions::ViewType)
0x5a164976	(chrome.dll -process_manager.cc:355 )	extensions::ProcessManager::CreateBackgroundHost(extensions::Extension const *,GURL const &)
0x5a15ff1a	(chrome.dll -lazy_background_task_queue.cc:122 )	extensions::LazyBackgroundTaskQueue::AddPendingTask(content::BrowserContext *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::OnceCallback<void >)
0x5a15ffef	(chrome.dll -lazy_background_task_queue.cc:92 )	extensions::LazyBackgroundTaskQueue::AddPendingTaskToDispatchEvent(extensions::LazyContextId *,base::OnceCallback<void >)
0x5a119d60	(chrome.dll -lazy_event_dispatcher.cc:125 )	extensions::LazyEventDispatcher::QueueEventDispatch(extensions::LazyContextId *,extensions::Extension const *,base::DictionaryValue const *)
0x5a11996b	(chrome.dll -lazy_event_dispatcher.cc:75 )	extensions::LazyEventDispatcher::DispatchToLazyContext(extensions::LazyContextId *,base::DictionaryValue const *)
0x5a11990b	(chrome.dll -lazy_event_dispatcher.cc:35 )	extensions::LazyEventDispatcher::DispatchToEventPage(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::DictionaryValue const *)
0x5a116aee	(chrome.dll -event_router.cc:528 )	extensions::EventRouter::DispatchEventImpl(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,linked_ptr<extensions::Event> const &)
0x5a116c82	(chrome.dll -event_router.cc:493 )	extensions::EventRouter::DispatchEventToExtension(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,std::unique_ptr<extensions::Event,std::default_delete<extensions::Event> >)
0x5a22f497	(chrome.dll -runtime_api.cc:145 )	extensions::`anonymous namespace'::DispatchOnStartupEventImpl
0x5a22f27d	(chrome.dll -runtime_api.cc:431 )	extensions::RuntimeEventRouter::DispatchOnStartupEvent(content::BrowserContext *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)
0x5a22f78c	(chrome.dll -runtime_api.cc:259 )	extensions::RuntimeAPI::OnBackgroundHostStartup(extensions::Extension const *)
0x5a164b20	(chrome.dll -process_manager.cc:657 )	extensions::ProcessManager::CreateStartupBackgroundHosts()
0x5a16556d	(chrome.dll -process_manager.cc:381 )	extensions::ProcessManager::MaybeCreateStartupBackgroundHosts()
0x5a165791	(chrome.dll -process_manager.cc:610 )	extensions::ProcessManager::Observe(int,content::NotificationSource const &,content::NotificationDetails const &)
0x59e10c91	(chrome.dll -notification_service_impl.cc:128 )	content::NotificationServiceImpl::Notify(int,content::NotificationSource const &,content::NotificationDetails const &)
0x5b03794d	(chrome.dll -extension_service.cc:1261 )	ExtensionService::SetReadyAndNotifyListeners()
0x5b034725	(chrome.dll -extension_service.cc:443 )	ExtensionService::Init()
0x5b0ca735	(chrome.dll -extension_system_impl.cc:277 )	extensions::ExtensionSystemImpl::Shared::Init(bool)
0x5b0ca8e8	(chrome.dll -extension_system_impl.cc:379 )	extensions::ExtensionSystemImpl::InitForRegularProfile(bool)
0x5b58a608	(chrome.dll -profile_manager.cc:1244 )	ProfileManager::DoFinalInitForServices(Profile *,bool)
0x5b58a4ff	(chrome.dll -profile_manager.cc:1210 )	ProfileManager::DoFinalInit(Profile *,bool)
0x5b588dc2	(chrome.dll -profile_manager.cc:1380 )	ProfileManager::AddProfile(Profile *)
0x5b589e1f	(chrome.dll -profile_manager.cc:1396 )	ProfileManager::CreateAndInitializeProfile(base::FilePath const &)
0x5b58ba25	(chrome.dll -profile_manager.cc:505 )	ProfileManager::GetProfile(base::FilePath const &)
0x5b3496e1	(chrome.dll -startup_browser_creator.cc:976 )	GetStartupProfile(base::FilePath const &,base::CommandLine const &)
0x5a4395d5	(chrome.dll -chrome_browser_main.cc:450 )	`anonymous namespace'::CreatePrimaryProfile
0x5a43c1ae	(chrome.dll -chrome_browser_main.cc:1595 )	ChromeBrowserMainParts::PreMainMessageLoopRunImpl()
0x5a43b915	(chrome.dll -chrome_browser_main.cc:1218 )	ChromeBrowserMainParts::PreMainMessageLoopRun()
0x59be02aa	(chrome.dll -browser_main_loop.cc:1178 )	content::BrowserMainLoop::PreMainMessageLoopRun()
0x59f82f02	(chrome.dll -startup_task_runner.cc:45 )	content::StartupTaskRunner::RunAllTasksNow()
0x59be1991	(chrome.dll -browser_main_runner.cc:120 )	content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const &)
0x59bdb94f	(chrome.dll -browser_main.cc:42 )	content::BrowserMain(content::MainFunctionParams const &)
0x5a362c37	(chrome.dll -content_main_runner.cc:427 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x5a362b2a	(chrome.dll -content_main_runner.cc:710 )	content::ContentMainRunnerImpl::Run()
0x5a3826af	(chrome.dll -main.cc:456 )	service_manager::Main(service_manager::MainParams const &)
0x5a362233	(chrome.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x5970043f	(chrome.dll -chrome_main.cc:128 )	ChromeMain
0x00dee8ce	(chrome.exe -main_dll_loader_win.cc:201 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00dedaa2	(chrome.exe -chrome_exe_main_win.cc:231 )	wWinMain
0x00e15f28	(chrome.exe -exe_common.inl:283 )	__scrt_common_main_seh
0x74be8464	(KERNEL32.dll + 0x00018464 )	BaseThreadInitThunk
0x77642d68	(ntdll.dll + 0x00062d68 )	__RtlUserThreadStart
0x77642d38	(ntdll.dll + 0x00062d38 )	_RtlUserThreadStart
 

Comment 1 by nasko@chromium.org, Jan 10 2018

Cc: creis@chromium.org
Owner: sashab@chromium.org
Reassigning to sashab@ (based on quota_dispatcher_host.cc history), as there doesn't seem to be anything specific to Site Isolation in the stacks above. It looks like a request to QuotaDispatcherHost is being made after the StoragePartition is torn down.
Sorry for the initial misroute. A quick look showed that other bugs involving StoragePartition were marked as being SiteIsolation related.

Comment 3 by bugdroid1@chromium.org, Feb 2 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e2db7866bc3634b8515c44df45986cd82932f99e

commit e2db7866bc3634b8515c44df45986cd82932f99e
Author: Sasha Morrissey <sashab@chromium.org>
Date: Fri Feb 02 01:20:26 2018

Changed QuotaManager to be refcounted in QuotaDispatcherHost

Bug:  800349 
Change-Id: I4555b66e001907803ec47597cdc2111cc62807bd
Reviewed-on: https://chromium-review.googlesource.com/895230
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Sasha Morrissey <sashab@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533892}
[modify] https://crrev.com/e2db7866bc3634b8515c44df45986cd82932f99e/content/browser/quota_dispatcher_host.h

Status: Fixed (was: Untriaged)
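Added illustration (not Chromium code and not part of the commit above): a minimal C++ model of the sequence comment 1 describes, a RequestStorageQuota message dispatched after the StoragePartition that owned the QuotaManager was torn down, next to the shape of the fix, a host that holds its own reference to the manager. The names StoragePartition, QuotaManager, Channel, UnownedQuotaDispatcherHost, RefcountedQuotaDispatcherHost and TearDownWithPendingRequest are simplified stand-ins chosen for this example; std::shared_ptr stands in for Chromium's scoped_refptr, and std::weak_ptr stands in for the pre-fix unowned pointer so that the expired object is reported instead of dereferenced.

```cpp
// Added example, not Chromium source: models a mojo request handler that
// runs after the partition owning its target was destroyed, and the fix of
// holding a reference in the handler. All types here are simplified stand-ins.
#include <cstdint>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Stand-in for storage::QuotaManager (hypothetical). The counter lets a
// caller check whether any manager is still alive at a given point.
struct QuotaManager {
    static int live_count;
    QuotaManager() { ++live_count; }
    ~QuotaManager() { --live_count; }
    // Grant whatever is asked for; quota logic is irrelevant to the lifetime bug.
    uint64_t RequestQuota(uint64_t requested_bytes) { return requested_bytes; }
};
int QuotaManager::live_count = 0;

// Stand-in for content::StoragePartitionImpl: it owns the manager, so tearing
// the partition down frees the manager unless someone else holds a reference.
struct StoragePartition {
    std::shared_ptr<QuotaManager> quota_manager = std::make_shared<QuotaManager>();
};

// A queued IPC message: it waits in the channel until the IO thread drains it,
// which can happen after the objects it targets were destroyed.
using PendingMessage = std::function<std::string()>;
struct Channel {
    std::vector<PendingMessage> queue;
    std::vector<std::string> Drain() {
        std::vector<std::string> results;
        for (auto& message : queue) results.push_back(message());
        queue.clear();
        return results;
    }
};

// Pre-fix shape: the host does not own the manager. A raw pointer would simply
// dangle; std::weak_ptr is used so that expiry is reported rather than freed
// memory being touched (which is what ASAN flagged in the real crash).
struct UnownedQuotaDispatcherHost {
    std::weak_ptr<QuotaManager> manager;
    explicit UnownedQuotaDispatcherHost(const StoragePartition& partition)
        : manager(partition.quota_manager) {}
    std::string RequestStorageQuota(uint64_t requested_bytes) {
        std::shared_ptr<QuotaManager> live = manager.lock();
        if (!live) return "use-after-free: QuotaManager already destroyed";
        return "granted " + std::to_string(live->RequestQuota(requested_bytes));
    }
};

// Post-fix shape: the host holds a reference (scoped_refptr in Chromium,
// std::shared_ptr here), so the manager cannot be freed while a request can
// still be dispatched to the host.
struct RefcountedQuotaDispatcherHost {
    std::shared_ptr<QuotaManager> manager;
    explicit RefcountedQuotaDispatcherHost(const StoragePartition& partition)
        : manager(partition.quota_manager) {}
    std::string RequestStorageQuota(uint64_t requested_bytes) {
        return "granted " + std::to_string(manager->RequestQuota(requested_bytes));
    }
};

// The sequence from the report: a request is queued, the partition is torn
// down, and only then does the IO thread run the handler.
template <typename Host>
std::string TearDownWithPendingRequest() {
    Channel channel;
    auto partition = std::make_unique<StoragePartition>();
    auto host = std::make_shared<Host>(*partition);  // host outlives the partition
    channel.queue.push_back([host] { return host->RequestStorageQuota(1024); });
    partition.reset();                               // partition deleted (ASAN free stack)
    std::vector<std::string> results = channel.Drain();  // handler runs (crash stack)
    return results.front();
}

std::string RunUnownedHost() { return TearDownWithPendingRequest<UnownedQuotaDispatcherHost>(); }
std::string RunRefcountedHost() { return TearDownWithPendingRequest<RefcountedQuotaDispatcherHost>(); }

// True when no QuotaManager is alive: the reference held by the fixed host
// delays destruction until the host is gone but does not leak the manager.
bool NoManagersLeaked() { return QuotaManager::live_count == 0; }

int main() {
    std::cout << "unowned host:    " << RunUnownedHost() << "\n";
    std::cout << "refcounted host: " << RunRefcountedHost() << "\n";
    std::cout << "managers leaked: " << (NoManagersLeaked() ? "no" : "yes") << "\n";
    return 0;
}
```

RunUnownedHost() reports the expired manager where the original code would have read freed memory, RunRefcountedHost() completes the request normally, and NoManagersLeaked() holds after each run, which is the check that the host's reference is released once the host itself goes away rather than keeping the manager alive indefinitely.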

Comment 5 by bugdroid1@chromium.org, Feb 15 2018

Labels: merge-merged-3325
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27998bc1acad09af8d91295ec6116ccbbe7e2148

commit 27998bc1acad09af8d91295ec6116ccbbe7e2148
Author: Sasha Morrissey <sashab@chromium.org>
Date: Thu Feb 15 06:48:00 2018

Changed QuotaManager to be refcounted in QuotaDispatcherHost

Bug:  800349 
Change-Id: I4555b66e001907803ec47597cdc2111cc62807bd
Reviewed-on: https://chromium-review.googlesource.com/895230
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Sasha Morrissey <sashab@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#533892}(cherry picked from commit e2db7866bc3634b8515c44df45986cd82932f99e)
Reviewed-on: https://chromium-review.googlesource.com/920962
Reviewed-by: Sasha Morrissey <sashab@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#474}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[modify] https://crrev.com/27998bc1acad09af8d91295ec6116ccbbe7e2148/content/browser/quota_dispatcher_host.h
