heap-use-after-free in memory_instrumentation::CoordinatorImpl::OnQueuedRequestTimedOut
Reported by rkuk...@yandex-team.ru, Jun 26 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 YaBrowser/18.4.1.871 Yowser/2.5 Safari/537.36
Steps to reproduce the problem:
The problem occurs occasionally on our Windows ASAN bots in tests:
browser_tests.DefaultIsolation/TaskManagerOOPIFBrowserTest.NavigateToSiteWithSubframeToOriginalSite/0
browser_tests.DefaultIsolation/TaskManagerOOPIFBrowserTest.OrderingOfDependentRows/0
browser_tests.MemoryTracingBrowserTest.TestBackgroundMemoryInfra
browser_tests.PrerenderBrowserTest.FirstContentfulPaintTimingTimeout
browser_tests.PrintPreviewBrowserTest.TaskManagerNewPrintPreview
browser_tests.SitePerProcess/TaskManagerOOPIFBrowserTest.OrderingOfDependentRows/0
browser_tests.SitePerProcess/TaskManagerOOPIFBrowserTest.SubframeHistoryNavigation/0
browser_tests.TaskManagerBrowserTest.HistoryNavigationInNewTab
browser_tests.TaskManagerBrowserTest.NavigateAwayFromHungRenderer
browser_tests.TaskManagerBrowserTest.NoticeHostedAppTabChanges
browser_tests.TaskManagerBrowserTest.ReloadExtension
browser_tests.TaskManagerViewTest.SelectionConsistency
What is the expected behavior?
What went wrong?
==7032==ERROR: AddressSanitizer: heap-use-after-free on address 0x106f90976390 at pc 0x7ff65bd1fc3c bp 0x10c9a086c320 sp 0x10c9a086c368
READ of size 4 at 0x106f90976390 thread T3
==7032==*** WARNING: Failed to initialize DbgHelp! ***
==7032==*** Most likely this means that the app is already ***
==7032==*** using DbgHelp, possibly with incompatible flags. ***
==7032==*** Due to technical reasons, symbolization might crash ***
==7032==*** or produce wrong results. ***
#0 0x7ff65bd1fc3b in base::Lock::CheckUnheldAndMark /src/base/synchronization/lock.cc:32
#1 0x7ff65bd82f12 in base::ThreadCheckerImpl::CalledOnValidThread /src/base/threading/thread_checker_impl.cc:19
#2 0x7ff6575d2849 in memory_instrumentation::CoordinatorImpl::OnQueuedRequestTimedOut /src/services/resource_coordinator/memory_instrumentation/coordinator_impl.cc:309
#3 0x7ff65be84f15 in base::debug::TaskAnnotator::RunTask /src/base/debug/task_annotator.cc:101
#4 0x7ff65bf0275a in base::internal::IncomingTaskQueue::RunTask /src/base/message_loop/incoming_task_queue.cc:124
#5 0x7ff65bcc60af in base::MessageLoop::RunTask /src/base/message_loop/message_loop.cc:330
#6 0x7ff65bcc6e11 in base::MessageLoop::DeferOrRunPendingTask /src/base/message_loop/message_loop.cc:340
#7 0x7ff65bcc8138 in base::MessageLoop::DoDelayedWork /src/base/message_loop/message_loop.cc:424
#8 0x7ff65bdf471e in base::MessagePumpForIO::DoRunLoop /src/base/message_loop/message_pump_win.cc:487
#9 0x7ff65bdf0c18 in base::MessagePumpWin::Run /src/base/message_loop/message_pump_win.cc:56
#10 0x7ff65bcc4c4b in base::MessageLoop::Run /src/base/message_loop/message_loop.cc:272
#11 0x7ff65bbc7113 in base::RunLoop::Run /src/base/run_loop.cc:131
#12 0x7ff65bd31183 in base::Thread::Run /src/base/threading/thread.cc:255
#13 0x7ff655cb89ee in content::BrowserProcessSubThread::IOThreadRun /src/content/browser/browser_process_sub_thread.cc:159
#14 0x7ff655cb868e in content::BrowserProcessSubThread::Run /src/content/browser/browser_process_sub_thread.cc:109
#15 0x7ff65bd31a8d in base::Thread::ThreadMain /src/base/threading/thread.cc:337
#16 0x7ff65bc37781 in base::`anonymous namespace'::ThreadFunc /src/base/threading/platform_thread_win.cc:92
#17 0x7ff65bb01178 in __asan::AsanThread::ThreadStart /src/third_party/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:259
#18 0x7ff89e6313d1 in BaseThreadInitThunk+0x21 /src/(C:/Windows/system32/KERNEL32.DLL+0x1800013d1)
#19 0x7ff89f1c54f3 in RtlUserThreadStart+0x33 /src/(C:/Windows/SYSTEM32/ntdll.dll+0x1800154f3)
0x106f90976390 is located 336 bytes inside of 368-byte region [0x106f90976240,0x106f909763b0)
freed by thread T3 here:
#0 0x7ff65bb09950 in free /src/third_party/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:44
#1 0x7ff6575d6302 in memory_instrumentation::CoordinatorImpl::`vector deleting destructor'+0x22 /src/out/Default/browser_tests.exe+0x1482f6302)
#2 0x7ff65765bcac in resource_coordinator::ResourceCoordinatorService::~ResourceCoordinatorService /src/services/resource_coordinator/resource_coordinator_service.cc:29
#3 0x7ff65765d87f in resource_coordinator::ResourceCoordinatorService::~ResourceCoordinatorService /src/services/resource_coordinator/resource_coordinator_service.cc:29
#4 0x7ff65d171187 in service_manager::ServiceContext::~ServiceContext /src/services/service_manager/public/cpp/service_context.cc:91
#5 0x7ff65d17256f in service_manager::ServiceContext::~ServiceContext /src/services/service_manager/public/cpp/service_context.cc:91
#6 0x7ff65ee8220e in std::_Tree<std::_Tmap_traits<gfx::Image::RepresentationType,std::unique_ptr<gfx::internal::ImageRep,std::default_delete<gfx::internal::ImageRep> >,std::less<gfx::Image::RepresentationType>,std::allocator<std::pair<const gfx::Image::RepresentationType,std::unique_ptr<gfx::internal::ImageRep,std::default_delete<gfx::internal::ImageRep> > > >,0> >::_Erase /src/users/teamcity/.depot_tools/win_toolchain/vs_files/85f72bbe740097cc8984b34f107e53b3c9a3f184/vc/tools/msvc/14.11.25503/include/xtree:1997
#7 0x7ff6619af822 in service_manager::EmbeddedInstanceManager::QuitOnServiceSequence /src/services/service_manager/embedder/embedded_instance_manager.cc:108
#8 0x7ff6619af368 in service_manager::EmbeddedInstanceManager::ShutDown /src/services/service_manager/embedder/embedded_instance_manager.cc:57
#9 0x7ff6619a8b6c in service_manager::EmbeddedServiceRunner::~EmbeddedServiceRunner /src/services/service_manager/embedder/embedded_service_runner.cc:23
#10 0x7ff653e1c428 in std::unique_ptr<service_manager::EmbeddedServiceRunner,std::default_delete<service_manager::EmbeddedServiceRunner> >::~unique_ptr /src/users/teamcity/.depot_tools/win_toolchain/vs_files/85f72bbe740097cc8984b34f107e53b3c9a3f184/vc/tools/msvc/14.11.25503/include/memory:2203
#11 0x7ff653e1c383 in std::_Tree<std::_Tmap_traits<std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::unique_ptr<service_manager::EmbeddedServiceRunner,std::default_delete<service_manager::EmbeddedServiceRunner> >,std::less<std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::allocator<std::pair<const std::basic_string<char,std::char_traits<char>,std::allocator<char> >,std::unique_ptr<service_manager::EmbeddedServiceRunner,std::default_delete<service_manager::EmbeddedServiceRunner> > > >,0> >::_Erase /src/users/teamcity/.depot_tools/win_toolchain/vs_files/85f72bbe740097cc8984b34f107e53b3c9a3f184/vc/tools/msvc/14.11.25503/include/xtree:1997
#12 0x7ff653e23895 in content::ServiceManagerConnectionImpl::IOThreadContext::ShutDownOnIOThread /src/content/common/service_manager/service_manager_connection_impl.cc:227
#13 0x7ff65be84f15 in base::debug::TaskAnnotator::RunTask /src/base/debug/task_annotator.cc:101
#14 0x7ff65bf0275a in base::internal::IncomingTaskQueue::RunTask /src/base/message_loop/incoming_task_queue.cc:124
#15 0x7ff65bcc60af in base::MessageLoop::RunTask /src/base/message_loop/message_loop.cc:330
#16 0x7ff65bcc6e11 in base::MessageLoop::DeferOrRunPendingTask /src/base/message_loop/message_loop.cc:340
#17 0x7ff65bcc7682 in base::MessageLoop::DoWork /src/base/message_loop/message_loop.cc:384
#18 0x7ff65bdf4824 in base::MessagePumpForIO::DoRunLoop /src/base/message_loop/message_pump_win.cc:478
#19 0x7ff65bdf0c18 in base::MessagePumpWin::Run /src/base/message_loop/message_pump_win.cc:56
#20 0x7ff65bcc4c4b in base::MessageLoop::Run /src/base/message_loop/message_loop.cc:272
#21 0x7ff65bbc7113 in base::RunLoop::Run /src/base/run_loop.cc:131
#22 0x7ff65bd31183 in base::Thread::Run /src/base/threading/thread.cc:255
#23 0x7ff655cb89ee in content::BrowserProcessSubThread::IOThreadRun /src/content/browser/browser_process_sub_thread.cc:159
#24 0x7ff655cb868e in content::BrowserProcessSubThread::Run /src/content/browser/browser_process_sub_thread.cc:109
#25 0x7ff65bd31a8d in base::Thread::ThreadMain /src/base/threading/thread.cc:337
#26 0x7ff65bc37781 in base::`anonymous namespace'::ThreadFunc /src/base/threading/platform_thread_win.cc:92
#27 0x7ff65bb01178 in __asan::AsanThread::ThreadStart /src/third_party/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:259
#28 0x7ff89e6313d1 in BaseThreadInitThunk+0x21 /src/(C:/Windows/system32/KERNEL32.DLL+0x1800013d1)
#29 0x7ff89f1c54f3 in RtlUserThreadStart+0x33 /src/(C:/Windows/SYSTEM32/ntdll.dll+0x1800154f3)
previously allocated by thread T3 here:
#0 0x7ff65bb09a30 in malloc /src/third_party/llvm/projects/compiler-rt/lib/asan/asan_malloc_win.cc:60
#1 0x7ff67107e53e in operator new /src/heap/new_scalar.cpp:19
#2 0x7ff65765c62b in resource_coordinator::ResourceCoordinatorService::OnStart /src/services/resource_coordinator/resource_coordinator_service.cc:65
#3 0x7ff65d171b4f in service_manager::ServiceContext::OnStart /src/services/service_manager/public/cpp/service_context.cc:130
#4 0x7ff65f2db459 in service_manager::mojom::ServiceStubDispatch::AcceptWithResponder /src/gen/services/service_manager/public/mojom/service.mojom.cc:483
#5 0x7ff65d177de8 in service_manager::mojom::ServiceStub<mojo::RawPtrImplRefTraits<service_manager::mojom::Service> >::AcceptWithResponder /src/gen/services/service_manager/public/mojom/service.mojom.h:174
#6 0x7ff65e935e90 in mojo::InterfaceEndpointClient::HandleValidatedMessage /src/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:394
#7 0x7ff65e9533ac in mojo::FilterChain::Accept /src/mojo/public/cpp/bindings/lib/filter_chain.cc:40
#8 0x7ff65e939e86 in mojo::InterfaceEndpointClient::HandleIncomingMessage /src/mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:306
#9 0x7ff65e918e82 in mojo::internal::MultiplexRouter::ProcessIncomingMessage /src/mojo/public/cpp/bindings/lib/multiplex_router.cc:865
#10 0x7ff65e917b54 in mojo::internal::MultiplexRouter::Accept /src/mojo/public/cpp/bindings/lib/multiplex_router.cc:589
#11 0x7ff65e9533ac in mojo::FilterChain::Accept /src/mojo/public/cpp/bindings/lib/filter_chain.cc:40
#12 0x7ff65e92f318 in mojo::Connector::ReadSingleMessage /src/mojo/public/cpp/bindings/lib/connector.cc:443
#13 0x7ff65e931478 in mojo::Connector::ReadAllAvailableMessages /src/mojo/public/cpp/bindings/lib/connector.cc:472
#14 0x7ff65e930dbc in mojo::Connector::OnHandleReadyInternal /src/mojo/public/cpp/bindings/lib/connector.cc:373
#15 0x7ff65c52a4f6 in mojo::SimpleWatcher::OnHandleReady /src/mojo/public/cpp/system/simple_watcher.cc:274
#16 0x7ff65be84f15 in base::debug::TaskAnnotator::RunTask /src/base/debug/task_annotator.cc:101
#17 0x7ff65bf0275a in base::internal::IncomingTaskQueue::RunTask /src/base/message_loop/incoming_task_queue.cc:124
#18 0x7ff65bcc60af in base::MessageLoop::RunTask /src/base/message_loop/message_loop.cc:330
#19 0x7ff65bcc6e11 in base::MessageLoop::DeferOrRunPendingTask /src/base/message_loop/message_loop.cc:340
#20 0x7ff65bcc7682 in base::MessageLoop::DoWork /src/base/message_loop/message_loop.cc:384
#21 0x7ff65bdf4824 in base::MessagePumpForIO::DoRunLoop /src/base/message_loop/message_pump_win.cc:478
#22 0x7ff65bdf0c18 in base::MessagePumpWin::Run /src/base/message_loop/message_pump_win.cc:56
#23 0x7ff65bcc4c4b in base::MessageLoop::Run /src/base/message_loop/message_loop.cc:272
#24 0x7ff65bbc7113 in base::RunLoop::Run /src/base/run_loop.cc:131
#25 0x7ff65bd31183 in base::Thread::Run /src/base/threading/thread.cc:255
#26 0x7ff655cb89ee in content::BrowserProcessSubThread::IOThreadRun /src/content/browser/browser_process_sub_thread.cc:159
#27 0x7ff655cb868e in content::BrowserProcessSubThread::Run /src/content/browser/browser_process_sub_thread.cc:109
#28 0x7ff65bd31a8d in base::Thread::ThreadMain /src/base/threading/thread.cc:337
#29 0x7ff65bc37781 in base::`anonymous namespace'::ThreadFunc /src/base/threading/platform_thread_win.cc:92
Thread T3 created by T0 here:
#0 0x7ff65bb000a0 in __asan_wrap_CreateThread /src/third_party/llvm/projects/compiler-rt/lib/asan/asan_win.cc:146
#1 0x7ff65bc36030 in base::`anonymous namespace'::CreateThreadInternal /src/base/threading/platform_thread_win.cc:131
#2 0x7ff65bc35de2 in base::PlatformThread::CreateWithPriority /src/base/threading/platform_thread_win.cc:215
#3 0x7ff65bd2fa48 in base::Thread::StartWithOptions /src/base/threading/thread.cc:112
#4 0x7ff655c8c503 in content::BrowserMainLoop::InitializeIOThread /src/content/browser/browser_main_loop.cc:1516
#5 0x7ff655c8a497 in content::BrowserMainLoop::PostMainMessageLoopStart /src/content/browser/browser_main_loop.cc:662
#6 0x7ff655c9bc07 in content::BrowserMainRunnerImpl::Initialize /src/content/browser/browser_main_runner.cc:128
#7 0x7ff655c86684 in content::BrowserMain /src/content/browser/browser_main.cc:44
#8 0x7ff65b99eca7 in content::RunNamedProcessTypeMain /src/content/app/content_main_runner.cc:662
#9 0x7ff65b9a02d4 in content::ContentMainRunnerImpl::Run /src/content/app/content_main_runner.cc:969
#10 0x7ff6619ab8c5 in service_manager::Main /src/services/service_manager/embedder/main.cc:452
#11 0x7ff65b99e966 in content::ContentMain /src/content/app/content_main.cc:19
#12 0x7ff65c3890e5 in content::BrowserTestBase::SetUp /src/content/public/test/browser_test_base.cc:321
#13 0x7ff65c031986 in InProcessBrowserTest::SetUp /src/chrome/test/base/in_process_browser_test.cc:264
#14 0x7ff652f01026 in testing::Test::Run /src/googletest
#15 0x7ff652f02be6 in testing::TestInfo::Run /src/googletest
#16 0x7ff652f03d27 in testing::TestCase::Run /src/googletest
#17 0x7ff652f1be69 in testing::internal::UnitTestImpl::RunAllTests /src/googletest
#18 0x7ff652f1b3a5 in testing::UnitTest::Run /src/googletest
#19 0x7ff65c0a8677 in base::TestSuite::Run /src/base/test/test_suite.cc:275
#20 0x7ff66d401b99 in ChromeTestSuiteRunner::RunTestSuite /src/chrome/test/base/chrome_test_launcher.cc:65
#21 0x7ff65c3b88c5 in content::LaunchTests /src/content/public/test/test_launcher.cc:630
#22 0x7ff66d402a33 in LaunchChromeTests /src/chrome/test/base/chrome_test_launcher.cc:170
#23 0x7ff66d3ffd61 in main /src/chrome/test/base/browser_tests_main.cc:36
#24 0x7ff67107ee28 in __scrt_common_main_seh /src/startup/exe_common.inl:283
#25 0x7ff89e6313d1 in BaseThreadInitThunk+0x21 /src/(C:/Windows/system32/KERNEL32.DLL+0x1800013d1)
#26 0x7ff89f1c54f3 in RtlUserThreadStart+0x33 /src/(C:/Windows/SYSTEM32/ntdll.dll+0x1800154f3)
SUMMARY: AddressSanitizer: heap-use-after-free /../../base/synchronization/lock.cc:32 in base::Lock::CheckUnheldAndMark
Shadow bytes around the buggy address:
==7032==ABORTING
Did this work before? N/A
Chrome version: dev 3df24d27fb05805b8e15b8515bfbf12a9bd8c29c Channel: n/a
OS Version: Windows Server 2012 R2
Flash Version: No
Jun 29 2018
Keeping at high severity (not critical) since unsure if this can be hit outside tests. Please try to triage this use-after-free soon and assess impact.
Jun 29 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fa76a9f7ef6a028f83f97c181b150ecfd2b13be1

commit fa76a9f7ef6a028f83f97c181b150ecfd2b13be1
Author: Roman Kuksin <rkuksin@yandex-team.ru>
Date: Fri Jun 29 17:45:54 2018

Fix heap-use-after-free by using weak factory instead of Unretained

Bug: 856578
Change-Id: Ifb2a1b7e6c22e1af36e12eedba72427f51d925b9
Reviewed-on: https://chromium-review.googlesource.com/1114617
Reviewed-by: Hector Dearman <hjd@chromium.org>
Commit-Queue: Hector Dearman <hjd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571528}

[modify] https://crrev.com/fa76a9f7ef6a028f83f97c181b150ecfd2b13be1/services/resource_coordinator/memory_instrumentation/coordinator_impl.cc
[modify] https://crrev.com/fa76a9f7ef6a028f83f97c181b150ecfd2b13be1/services/resource_coordinator/memory_instrumentation/coordinator_impl.h
Jul 2
#3 seems to have fixed that (thanks rkuksin@!). WRT severity, I think this is unlikely to be hit for real in production. AFAICT the memory_instrumentation::CoordinatorImpl is long-lived (as long as the process) and this could be hit only during browser shutdown.
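The pattern behind the fix in the linked commit, as an added illustration rather than Chromium's own code: a timeout task posted with a raw `this` (the `base::Unretained` case) outlives its owner during shutdown, while a task bound through a weak pointer sees the owner as gone and does nothing. `TaskQueue`, `WeakPtrFactory` and `Coordinator` below are simplified stand-ins for the MessageLoop, `base::WeakPtrFactory` and `CoordinatorImpl`, not the real classes.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Stand-in for the IO-thread MessageLoop: delayed tasks queue up and run later.
using TaskQueue = std::vector<std::function<void()>>;

// Stand-in for base::WeakPtrFactory: WeakPtrs read as null once the factory (and so its owner) is gone.
template <class T>
class WeakPtrFactory {
 public:
  struct WeakPtr {
    T* ptr;
    std::weak_ptr<bool> alive;
    T* get() const { auto a = alive.lock(); return (a && *a) ? ptr : nullptr; }
  };
  explicit WeakPtrFactory(T* owner) : owner_(owner), alive_(std::make_shared<bool>(true)) {}
  ~WeakPtrFactory() { *alive_ = false; }  // invalidates every outstanding WeakPtr
  WeakPtr GetWeakPtr() const { return WeakPtr{owner_, alive_}; }
 private:
  T* owner_;
  std::shared_ptr<bool> alive_;
};

// Hypothetical coordinator mirroring the report: a request arms a timeout task
// that must not touch the coordinator after the coordinator has been destroyed.
class Coordinator {
 public:
  Coordinator(TaskQueue* queue, int* handled)
      : queue_(queue), handled_(handled), weak_factory_(this) {}
  void StartRequest() {
    // Before the fix, base::Unretained(this) left a raw pointer in the queue:
    //   queue_->push_back([this] { OnQueuedRequestTimedOut(); });
    // After the fix, bind through a WeakPtr and bail out if the owner is gone.
    auto weak = weak_factory_.GetWeakPtr();
    queue_->push_back([weak] {
      if (Coordinator* self = weak.get()) self->OnQueuedRequestTimedOut();
    });
  }
 private:
  void OnQueuedRequestTimedOut() { ++*handled_; }
  TaskQueue* queue_;
  int* handled_;
  WeakPtrFactory<Coordinator> weak_factory_;  // last member: torn down first
};

// Runs every queued task; `destroy_first` models the shutdown race in the report.
int TimeoutsHandled(bool destroy_first) {
  TaskQueue queue; int handled = 0;
  auto coordinator = std::make_unique<Coordinator>(&queue, &handled);
  coordinator->StartRequest();
  if (destroy_first) coordinator.reset();  // ~ResourceCoordinatorService in the trace
  for (auto& task : queue) task();         // the delayed timeout now fires
  return handled;                          // 1 while alive, 0 after shutdown
}
```

Under ASan the commented-out `[this]` capture reproduces the freed-region read reported above; the weak-bound version runs the same task and simply finds no live owner.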
Jul 23
Hi rkuksin@ - I'm afraid the VRP panel declined to reward for this, but said they would take another look if you could show how this could be used in an exploit.
Oct 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dtapu...@chromium.org, Jun 28 2018: Labels: -Type-Bug Type-Bug-Security