AddressSanitizer: heap-use-after-free in YuvResourceFormat or get sig11 0x08 software_compositor
Reported by
cdsrc2...@gmail.com,
May 22 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Steps to reproduce the problem:
Version 68.0.3437.0 (Developer Build) (64-bit)
ubuntu version: 16.04
AddressSanitizer: heap-use-after-free in YuvResourceFormat or get sig11 0x08 software_compositor
1. Get new version chrome:
a) Build source code
config args.gn file as below:
use_sanitizer_coverage = true
is_asan = true
is_debug = false
enable_nacl = false
treat_warnings_as_errors = false
ninja -j16 -C out/chrome_asan chrome
2. ./chrome crash.html
What is the expected behavior?
What went wrong?
get sig11 0x08, occasionally get UAF. Because of some race issue, 0x08 is relatively stable,
but UAF is repro about 10 times in my local pc.
Did this work before? N/A
Chrome version: Version 68.0.3437.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu 16.04
Flash Version: Shockwave Flash 29.0 r0
May 23 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 23 2018
This is a video-in-surfaces use of VideoResourceProvider; it looks like after it is destroyed.
#0 0x55fe6619ca91 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x55fe6e259ace in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x55fe6e2589e5 in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7faeece2c390 in __funlockfile ??:?
#4 0x7faeece2c390 in ?? ??:0
#5 0x55fe7c058413 in software_compositor /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.h:133:45
#6 0x55fe7c058413 in cc::VideoResourceUpdater::CreateForSoftwarePlanes(scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:773:0
#7 0x55fe7c054d91 in cc::VideoResourceUpdater::CreateExternalResourcesFromVideoFrame(scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:549:12
#8 0x55fe7c053edc in cc::VideoResourceUpdater::ObtainFrameResources(scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/resources/video_resource_updater.cc:372:7
#9 0x55fe7c052c03 in blink::VideoFrameResourceProvider::AppendQuads(viz::RenderPass*, scoped_refptr<media::VideoFrame>, media::VideoRotation) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/graphics/video_frame_resource_provider.cc:86:22
#10 0x55fe7c04cb69 in blink::VideoFrameSubmitter::SubmitFrame(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:202:23
#11 0x55fe7c051708 in Invoke<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:447:12
#12 0x55fe7c051708 in MakeItSo<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:567:0
#13 0x55fe7c051708 in RunImpl<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), std::__1::tuple<base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, 0, 1, 2> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:621:0
#14 0x55fe7c051708 in base::internal::Invoker<base::internal::BindState<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:589:0
#15 0x55fe6e022ec9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#16 0x55fe6e022ec9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#17 0x55fe6e08c071 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
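An added example, not Chromium's code, modelling the lifetime pattern the trace above points at: a posted frame-submission task is bound with a weak handle to the submitter (as base::WeakPtr<VideoFrameSubmitter> is in frames #11-#14), but then reaches a resource provider whose lifetime nothing in the task checks. The guarded variant locks the provider handle inside the task and drops the frame if the provider is already gone. ResourceProvider, FrameSubmitter, TaskQueue and RunGuarded are hypothetical stand-ins for the Chromium classes.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>
// Hypothetical stand-in for cc::VideoResourceUpdater, the object the trace
// reports as used after free.
struct ResourceProvider { int frames_seen = 0; };
// Minimal single-threaded queue standing in for base::MessageLoop.
struct TaskQueue {
  std::vector<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
  void RunAll() { auto pending = std::move(tasks); tasks.clear(); for (auto& t : pending) t(); }
};
// Hypothetical stand-in for blink::VideoFrameSubmitter. Its own lifetime is
// guarded by a weak handle, as base::WeakPtr<VideoFrameSubmitter> is in the
// trace; what matters is whether the provider it reaches is guarded too.
struct FrameSubmitter : std::enable_shared_from_this<FrameSubmitter> {
  ResourceProvider* raw_provider = nullptr;       // unguarded: the bug pattern
  std::weak_ptr<ResourceProvider> weak_provider;  // guarded: the fix pattern
  int submitted = 0, skipped = 0;
  // Bug pattern: the task proves the submitter is alive, then dereferences a raw
  // provider pointer that may already be freed (ASan reports heap-use-after-free).
  void PostSubmitUnguarded(TaskQueue& q) {
    std::weak_ptr<FrameSubmitter> self = shared_from_this();
    q.Post([self] {
      if (auto s = self.lock()) { s->raw_provider->frames_seen++; s->submitted++; }
    });
  }
  // Fix pattern: lock the provider handle inside the task and drop the frame
  // if the provider was destroyed while the task sat in the queue.
  void PostSubmitGuarded(TaskQueue& q) {
    std::weak_ptr<FrameSubmitter> self = shared_from_this();
    q.Post([self] {
      auto s = self.lock();
      if (!s) return;
      if (auto p = s->weak_provider.lock()) { p->frames_seen++; s->submitted++; }
      else s->skipped++;
    });
  }
};
// Post one guarded submit, optionally destroy the provider before the queue
// drains, and report {submitted, skipped}.
std::pair<int, int> RunGuarded(bool destroy_provider_first) {
  TaskQueue q;
  auto provider = std::make_shared<ResourceProvider>();
  auto submitter = std::make_shared<FrameSubmitter>();
  submitter->weak_provider = provider;
  submitter->PostSubmitGuarded(q);
  if (destroy_provider_first) provider.reset();  // provider dies before the task runs
  q.RunAll();
  return {submitter->submitted, submitter->skipped};
}
```

The unguarded path is shown for contrast only; running it after the provider is freed is exactly the heap-use-after-free an ASan build flags.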
May 23 2018
=> lethalantidote. I suspect this is the same case that will be fixed by: https://chromium-review.googlesource.com/c/chromium/src/+/1069843
Aug 30
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, May 23 2018
Components: Internals>Services>Viz
Labels: Security_Severity-Medium Security_Impact-Head
Owner: danakj@chromium.org
Status: Assigned (was: Unconfirmed)