Issue metadata
Heap-use-after-free in base::internal::BindState<void
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4641414265438208
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7b08000a7d20
Crash State: base::internal::BindState<void
Sanitizer: thread (TSAN)
Recommended Security Severity: Critical
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=545753:545754
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4641414265438208
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Apr 3 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5e1b52dd7e828fb2e4bd69f599c0c30eec3e873c (Revert "Revert "Use DocumentThreadableLoader for sync loading from worker thread.""). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Apr 3 2018
Apr 4 2018
Fixed by a6aadcce39e544094dc0ec25d538d4636462d03e?
Apr 4 2018
@horo: the stack report looks different, so not sure this is the same.
Apr 4 2018
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 4 2018
Apr 4 2018
Apr 4 2018
Humm, I think the stack report looks similar... According to https://clusterfuzz.com/testcase?key=4641414265438208 , the UAF of this issue is happening in SharedURLLoaderFactory::InternalState.

---
WARNING: ThreadSanitizer: data race (pid=762)
  Read of size 1 at 0x7b08000b9dad by main thread:
    #0 0x55f15355b356 in base::subtle::RefCountedThreadSafeBase::AddRefImpl() const base/memory/ref_counted.h:191:5
    #1 0x55f15355b2e9 in base::subtle::RefCountedThreadSafeBase::AddRef() const base/memory/ref_counted.h:171:25
    #2 0x55f15531e139 in base::RefCountedThreadSafe<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState, base::DefaultRefCountedThreadSafeTraits<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> >::AddRef() const base/memory/ref_counted.h:381:39
    #3 0x55f15531e0fd in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState>::AddRef(safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState*) base/memory/scoped_refptr.h:274:8
    #4 0x55f15531e0c0 in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState>::scoped_refptr(safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState*) base/memory/scoped_refptr.h:176:7
    #5 0x55f15531cb51 in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base::subtle::AdoptRefIfNeeded<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState>(safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState*, base::subtle::StartRefCountFromZeroTag) base/memory/scoped_refptr.h:77:10
    #6 0x55f15531c71d in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base::MakeRefCounted<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState, scoped_refptr<net::URLRequestContextGetter>&, mojo::InterfaceRequest<network::mojom::NetworkContext> >(scoped_refptr<net::URLRequestContextGetter>&&&, mojo::InterfaceRequest<network::mojom::NetworkContext>&&) base/memory/scoped_refptr.h:92:10
    #7 0x55f15531c396 in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetNetworkContext() components/safe_browsing/browser/safe_browsing_network_context.cc:36:25
    #8 0x55f15532111c in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderFactory() components/safe_browsing/browser/safe_browsing_network_context.cc:67:7
    #9 0x55f155320c8a in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::CreateLoaderAndStart(mojo::InterfaceRequest<network::mojom::URLLoader>, int, int, unsigned int, network::ResourceRequest const&, mojo::InterfacePtr<network::mojom::URLLoaderClient>, net::MutableNetworkTrafficAnnotationTag const&) components/safe_browsing/browser/safe_browsing_network_context.cc:59:5
    #10 0x7fc927641918 in network::(anonymous namespace)::SimpleURLLoaderImpl::StartRequest(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1276:23
    #11 0x7fc92763b26c in network::(anonymous namespace)::SimpleURLLoaderImpl::Start(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1255:3
    #12 0x7fc927634da9 in network::(anonymous namespace)::SimpleURLLoaderImpl::DownloadToStringOfUnboundedSizeUntilCrashAndDie(network::mojom::URLLoaderFactory*, base::OnceCallback<void (std::__1::unique_ptr<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::default_delete<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >)>) services/network/public/cpp/simple_url_loader.cc:1058:3
    #13 0x55f15c12a1de in safe_browsing::ModelLoader::StartFetch() chrome/browser/safe_browsing/client_side_model_loader.cc:162:16
    #14 0x55f15c12dded in void base::internal::FunctorTraits<void (safe_browsing::ModelLoader::*)(), void>::Invoke<base::WeakPtr<safe_browsing::ModelLoader> >(void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader>&&) base/bind_internal.h:447:12
    #15 0x55f15c12dc66 in void base::internal::InvokeHelper<true, void>::MakeItSo<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader> >(void (safe_browsing::ModelLoader::*&&)(), base::WeakPtr<safe_browsing::ModelLoader>&&) base/bind_internal.h:550:5
    #16 0x55f15c12dbcc in void base::internal::Invoker<base::internal::BindState<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader> >, void ()>::RunImpl<void (safe_browsing::ModelLoader::*)(), std::__1::tuple<base::WeakPtr<safe_browsing::ModelLoader> >, 0ul>(void (safe_browsing::ModelLoader::*&&)(), std::__1::tuple<base::WeakPtr<safe_browsing::ModelLoader> >&&, std::__1::integer_sequence<unsigned long, 0ul>) base/bind_internal.h:604:12
    #17 0x55f15c12dacd in base::internal::Invoker<base::internal::BindState<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572:12
    #18 0x7fc939d61b32 in base::OnceCallback<void ()>::Run() && base/callback.h:95:12
    #19 0x7fc939df163d in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61:33
    #20 0x7fc939f05921 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19
    #21 0x7fc939f142e8 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #22 0x7fc939f14659 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #23 0x7fc939f15001 in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:487:10
    #24 0x7fc939f26627 in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:314:27
    #25 0x7fc939f137ab in base::MessageLoop::Run(bool) base/message_loop/message_loop.cc:342:12
    #26 0x7fc939f13823 in non-virtual thunk to base::MessageLoop::Run(bool) base/message_loop/message_loop.cc
    #27 0x7fc93a06db53 in base::RunLoop::Run() base/run_loop.cc:130:14
    #28 0x55f1569b7d83 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2110:12
    #29 0x7fc92ece1a57 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1059:29
    #30 0x7fc92ecf1119 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:161:17
    #31 0x7fc92ecd0dec in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:46:28
    #32 0x7fc9328e1c32 in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:427:14
    #33 0x7fc9328e64bc in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:706:12
    #34 0x7fc9328d5ddf in content::ContentServiceManagerMainDelegate::RunEmbedderProcess() content/app/content_service_manager_main_delegate.cc:51:32
    #35 0x7fc93a713e3e in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:453:29
    #36 0x7fc9328e023a in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #37 0x55f1534b3f06 in ChromeMain chrome/app/chrome_main.cc:101:12
    #38 0x55f1534b3ddc in main chrome/app/chrome_exe_main_aura.cc:17:10

According to https://logs.chromium.org/v/?s=chromium%2Fbb%2Fchromium.memory%2FLinux_ASan_LSan_Tests__1_%2F44439%2F%2B%2Frecipes%2Fsteps%2Fbrowser_tests%2F0%2Flogs%2FMSE_ExternalClearKey__x2f_EncryptedMediaTest.Playback_VP9Video_WebM_Subsample__x2f_0%2F0 , the cl a6aadcce39e544094dc0ec25d538d4636462d03e fixed UAF in SharedURLLoaderFactory::InternalState.

==14038==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030006a52ed at pc 0x000007ce8482 bp 0x7ffe0cacde30 sp 0x7ffe0cacde28
READ of size 1 at 0x6030006a52ed thread T0 (browser_tests)
    #0 0x7ce8481 in AddRefImpl base/memory/ref_counted.h:191:5
    #1 0x7ce8481 in base::subtle::RefCountedThreadSafeBase::AddRef() const base/memory/ref_counted.h:171
    #2 0x10ec9125 in AddRef base/memory/ref_counted.h:381:39
    #3 0x10ec9125 in AddRef base/memory/scoped_refptr.h:274
    #4 0x10ec9125 in scoped_refptr base/memory/scoped_refptr.h:176
    #5 0x10ec9125 in AdoptRefIfNeeded<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base/memory/scoped_refptr.h:77
    #6 0x10ec9125 in scoped_refptr<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState> base::MakeRefCounted<safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::InternalState, scoped_refptr<net::URLRequestContextGetter>&, mojo::InterfaceRequest<network::mojom::NetworkContext> >(scoped_refptr<net::URLRequestContextGetter>&&&, mojo::InterfaceRequest<network::mojom::NetworkContext>&&) base/memory/scoped_refptr.h:92
    #7 0x10ec826c in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetNetworkContext() components/safe_browsing/browser/safe_browsing_network_context.cc:36:25
    #8 0x10ecb112 in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderFactory() components/safe_browsing/browser/safe_browsing_network_context.cc:67:7
    #9 0x10eca9ea in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::CreateLoaderAndStart(mojo::InterfaceRequest<network::mojom::URLLoader>, int, int, unsigned int, network::ResourceRequest const&, mojo::InterfacePtr<network::mojom::URLLoaderClient>, net::MutableNetworkTrafficAnnotationTag const&) components/safe_browsing/browser/safe_browsing_network_context.cc:59:5
    #10 0x168fab55 in network::(anonymous namespace)::SimpleURLLoaderImpl::StartRequest(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1276:23
    #11 0x168f58f1 in network::(anonymous namespace)::SimpleURLLoaderImpl::Start(network::mojom::URLLoaderFactory*) services/network/public/cpp/simple_url_loader.cc:1255:3
    #12 0x168f05e5 in network::(anonymous namespace)::SimpleURLLoaderImpl::DownloadToStringOfUnboundedSizeUntilCrashAndDie(network::mojom::URLLoaderFactory*, base::OnceCallback<void (std::__1::unique_ptr<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::default_delete<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >)>) services/network/public/cpp/simple_url_loader.cc:1058:3
    #13 0x1d2db7d0 in safe_browsing::ModelLoader::StartFetch() chrome/browser/safe_browsing/client_side_model_loader.cc:162:16
    #14 0x1d2dde49 in Invoke<base::WeakPtr<safe_browsing::ModelLoader>> base/bind_internal.h:447:12
    #15 0x1d2dde49 in MakeItSo<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader>> base/bind_internal.h:550
    #16 0x1d2dde49 in RunImpl<void (safe_browsing::ModelLoader::*)(), std::__1::tuple<base::WeakPtr<safe_browsing::ModelLoader> >, 0> base/bind_internal.h:604
    #17 0x1d2dde49 in base::internal::Invoker<base::internal::BindState<void (safe_browsing::ModelLoader::*)(), base::WeakPtr<safe_browsing::ModelLoader> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:572
    #18 0x14253120 in Run base/callback.h:95:12
    #19 0x14253120 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:61
    #20 0x142ec141 in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:124:19
    #21 0x142e573b in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:391:25
    #22 0x142e62b8 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:403:5
    #23 0x142e75f3 in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:487:10
    #24 0x142f61ff in HandleDispatch base/message_loop/message_pump_glib.cc:274:21
    #25 0x142f61ff in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109
    #26 0x7f9d7b7dbe03 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x48e03)
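Both sanitizer stacks in the comment above end in AddRef on an InternalState object whose memory is already gone, reached through a freshly constructed scoped_refptr. The following is an added example, not Chromium code and not part of this thread: a toy reimplementation of the RefCountedThreadSafe / scoped_refptr shape that shows the ownership rule whose violation produces this class of report, namely that any holder which may outlive the creator (here a loader started by a factory) must keep its own reference rather than a raw pointer, and how a 1-byte "in destructor" flag of the kind AddRefImpl() reads lets a reference taken during teardown be refused rather than silently reviving memory about to be freed. All names (RefCountedThreadSafeBase, scoped_refptr, MakeRefCounted, InternalState, SharedFactory, Loader, DyingState) are hypothetical stand-ins that only mirror the shape of the real base/ helpers; the code does not reproduce the Chromium bug itself.

```cpp
// Added example, not Chromium code and not from this thread: a toy version of the
// RefCountedThreadSafe / scoped_refptr shape behind the stacks above.
#include <atomic>
#include <cstddef>
#include <utility>
// Hypothetical ref-count base; in_dtor_ stands in for the 1-byte debug flag read by AddRefImpl().
class RefCountedThreadSafeBase {
 public:
  // Refuses (returns false) once destruction began: a stale raw pointer is trying to resurrect us.
  bool AddRef() const {
    if (in_dtor_) return false;
    count_.fetch_add(1, std::memory_order_relaxed);
    return true;
  }
  // True when this call dropped the last reference.
  bool Release() const { return count_.fetch_sub(1, std::memory_order_acq_rel) == 1; }
  std::size_t count() const { return count_.load(std::memory_order_relaxed); }
 protected:
  ~RefCountedThreadSafeBase() = default;
  void MarkInDtor() const { in_dtor_ = true; }
 private:
  mutable std::atomic<std::size_t> count_{0};
  mutable bool in_dtor_ = false;
};
template <typename T>
class RefCountedThreadSafe : public RefCountedThreadSafeBase {
 public:
  void Release() const {
    if (!RefCountedThreadSafeBase::Release()) return;
    MarkInDtor();  // set before delete, so an AddRef from inside the dtor is refused
    delete static_cast<const T*>(this);
  }
};
// Owning pointer: copying AddRefs, destruction Releases.
template <typename T>
class scoped_refptr {
 public:
  scoped_refptr() = default;
  explicit scoped_refptr(T* p) : ptr_(p) { if (ptr_ && !ptr_->AddRef()) ptr_ = nullptr; }
  scoped_refptr(const scoped_refptr& o) : scoped_refptr(o.ptr_) {}
  scoped_refptr(scoped_refptr&& o) noexcept : ptr_(o.ptr_) { o.ptr_ = nullptr; }
  scoped_refptr& operator=(scoped_refptr o) { std::swap(ptr_, o.ptr_); return *this; }
  ~scoped_refptr() { if (ptr_) ptr_->Release(); }
  T* operator->() const { return ptr_; }
  explicit operator bool() const { return ptr_ != nullptr; }
 private:
  T* ptr_ = nullptr;
};
template <typename T, typename... Args>
scoped_refptr<T> MakeRefCounted(Args&&... args) {
  return scoped_refptr<T>(new T(std::forward<Args>(args)...));
}
// Stand-in for SharedURLLoaderFactory::InternalState; live instances are counted.
struct InternalState : RefCountedThreadSafe<InternalState> {
  static int live;
  InternalState() { ++live; }
  ~InternalState() { --live; }
};
int InternalState::live = 0;
// Hypothetical factory and loader: the factory hands each loader its own reference,
// so the state survives the factory while a request is still in flight.
class SharedFactory {
 public:
  scoped_refptr<InternalState> GetState() {
    if (!state_) state_ = MakeRefCounted<InternalState>();
    return state_;  // copy: AddRef on behalf of the caller
  }
 private:
  scoped_refptr<InternalState> state_;
};
struct Loader { scoped_refptr<InternalState> state; };  // held for the whole request
// True if the state outlived the factory and was freed only after the loader let go.
bool StateOutlivesFactory() {
  Loader loader;
  {
    SharedFactory factory;
    loader.state = factory.GetState();
    if (InternalState::live != 1 || loader.state->count() != 2) return false;
  }  // factory destroyed; the loader still owns a reference
  if (InternalState::live != 1 || loader.state->count() != 1) return false;
  loader.state = scoped_refptr<InternalState>();  // last Release -> delete
  return InternalState::live == 0;
}
// The failure mode the sanitizers flag: a stale raw pointer takes a fresh reference
// while the object is being torn down. With the flag the AddRef is refused.
struct DyingState : RefCountedThreadSafe<DyingState> {
  static bool refused;
  ~DyingState() {
    scoped_refptr<DyingState> late(this);  // what a dangling pointer would do
    refused = !late;                       // AddRef saw in_dtor_ and declined
  }
};
bool DyingState::refused = false;
bool ResurrectionIsRefused() {
  DyingState::refused = false;
  { scoped_refptr<DyingState> only = MakeRefCounted<DyingState>(); }
  return DyingState::refused;
}
int main() { return StateOutlivesFactory() && ResurrectionIsRefused() ? 0 : 1; }
```

The point of the two checks is that the refusal in AddRef only helps while the object still exists (the teardown window); once the memory has actually been returned to the allocator, as in the reports above, nothing inside the object can protect you and only the sanitizers will tell you. The ownership discipline in StateOutlivesFactory is the real fix; the flag is a debug aid for catching the moment the discipline is broken.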
Apr 4 2018
Apr 4 2018
Ah sorry, I didn't know I had to click "show more" to see more stacks. Once I did that, yes, you're right, it's the same.
Apr 5 2018
Apr 11 2018
ClusterFuzz testcase 4641414265438208 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Apr 18 2018
ClusterFuzz has detected this issue as fixed in range 551087:551089.
Detailed report: https://clusterfuzz.com/testcase?key=4641414265438208
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7b08000a7d20
Crash State: base::internal::BindState<void
Sanitizer: thread (TSAN)
Recommended Security Severity: Critical
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=546537:546540
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=551087:551089
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4641414265438208
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 18 2018
ClusterFuzz testcase 4641414265438208 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 30 2018
Jul 12
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 3 2018
Labels: Test-Predator-Auto-Components