Issue 831033

Issue metadata

Status: WontFix
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security

Security: Heap-use-after-free crash during shutdown if PageInfo bubble is open.

Reported by chromium...@gmail.com, Apr 10 2018

Issue description

VERSION
Chrome Version: 67.0.3391.0 (Developer Build) Chromium ASAN (64-bit)
Operating System: Windows 7

REPRODUCTION CASE
1. Launch Chromium ASan build
2. Load google.com
3. Click on lock icon and close the browser

==3596==ERROR: AddressSanitizer: heap-use-after-free on address 0x012340e99620 at pc 0x07fedad2708e bp 0x0000002dbd50 sp 0x0000002dbd98
READ of size 8 at 0x012340e99620 thread T0

0x012340e99620 is located 32 bytes inside of 256-byte region [0x012340e99600,0x012340e99700)
freed by thread T0 here:

previously allocated by thread T14 here:

Thread T14 created by T0 here:

SUMMARY: AddressSanitizer: heap-use-after-free (C:\Users\admin\Desktop\asan-win32-release_x64-549078\chrome.dll+0x18647708d)

==3596==ABORTING

Attachment: screen.mov (7.2 MB)

Labels: Needs-Feedback
I tried this one both on Windows and Linux, on a 67.0.3395 ASan build, and can't get it to repro. Reporter: is there any other prerequisite to get the crash?

Cc: carlosil@chromium.org
No. I'm still able to repro this on 67.0.3396.0 ASan build.

Project Member

Comment 4 by sheriffbot@chromium.org, Apr 12 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I added a video of me trying to repro; is there anything I'm doing differently? This is on an ASan build on Windows.
Attachment: out-1.ogv (1.4 MB)

No, weird!
Attachment: Recording #1.mp4 (1.5 MB)

Components: UI>Browser>Bubbles>PageInfo
Labels: Team-Security-UX Security_Severity-Low Security_Impact-Head OS-Windows Pri-2
Status: Available (was: Unconfirmed)
Summary: Security: Heap-use-after-free crash during shutdown if PageInfo bubble is open. (was: Security: Heap-use-after-free crash during shutdown)

Owner: carlosil@chromium.org
Status: (was: Available)
khalil - did you download one of our official ASAN builds or is this a custom build?

carlosil - please take another crack at reproducing this, and close as wontfix otherwise. It may be something strange on the reporter's machine. We'll get crash reports if it is a common problem in the field.

Tried again on 68.0.3418 and still couldn't repro. I'll wait to see if khalil has any other information, and wontfix if I can't reproduce after that.

Labels: Needs-Feedback
No more repro on chromium-browser-asan/win32-release_x64 (asan-win32-release_x64-555612.zip) on Windows.

Status: WontFix
Thanks for the update. If it no longer reproduces for you either, then I'll close this one.
Project Member

Comment 13 by sheriffbot@chromium.org, Aug 9

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot