Heap-use-after-free in views::Slider::SetValueInternal
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5334762047406080
Fuzzer: attekett_webaudio_fuzzer
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6110063e1348
Crash State:
  views::Slider::SetValueInternal
  ash::UnifiedSliderView::SetSliderValue
  chromeos::CrasAudioHandler::OutputNodeVolumeChanged
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5334762047406080
Additional requirements: Requires Gestures
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Jul 24
Below is the ASAN report for convenience. Looking at the code suggests that the AudioObserver::OutputNodeVolumeChanged() callback fires and leads to a call to UnifiedVolumeSliderController::SliderValueChanged() when the controller object has already been deleted via UnifiedSliderBubbleController::CloseBubble().
Likely not useful for remote attacks, as the attacker would probably have to be able to change the system audio volume to trigger this code path, so downgrading to medium severity.
Assigning to tetsui@, whose name is all over the relevant code :)
==5298==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110063e1348 at pc 0x55e84e73c467 bp 0x7ffd59122ec0 sp 0x7ffd59122eb8
READ of size 8 at 0x6110063e1348 thread T0 (chrome)
SCARINESS: 51 (8-byte-read-heap-use-after-free)
#0 0x55e84e73c466 in views::Slider::SetValueInternal(float, views::SliderChangeReason) ui/views/controls/slider.cc:139:16
#1 0x55e847dd4d14 in ash::UnifiedSliderView::SetSliderValue(float, bool) ash/system/unified/unified_slider_view.cc:112:12
#2 0x55e841821425 in chromeos::CrasAudioHandler::OutputNodeVolumeChanged(unsigned long, int) chromeos/audio/cras_audio_handler.cc:754:14
#3 0x55e841ad21f7 in chromeos::FakeCrasAudioClient::NotifyOutputNodeVolumeChangedForTesting(unsigned long, int) chromeos/dbus/fake_cras_audio_client.cc:247:14
#4 0x55e84181d95c in SetOutputNodeVolume chromeos/audio/cras_audio_handler.cc:936:25
#5 0x55e84181d95c in SetOutputNodeVolumePercent chromeos/audio/cras_audio_handler.cc:954
#6 0x55e84181d95c in SetOutputVolumePercent chromeos/audio/cras_audio_handler.cc:518
#7 0x55e84181d95c in chromeos::CrasAudioHandler::AdjustOutputVolumeToAudibleLevel() chromeos/audio/cras_audio_handler.cc:556
#8 0x55e84890aba4 in VolumeController::VolumeUp() chrome/browser/ui/ash/volume_controller.cc:85:20
#9 0x55e83a459e82 in ash::mojom::VolumeControllerStubDispatch::Accept(ash::mojom::VolumeController*, mojo::Message*) gen/ash/public/interfaces/volume.mojom.cc:222:13
#10 0x55e840a2243e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32
#11 0x55e840a34481 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
#12 0x55e840a32591 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
#13 0x55e840a1c078 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:457:51
#14 0x55e840a1dd8f in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:486:10
#15 0x55e840a04967 in Run base/callback.h:129:12
#16 0x55e840a04967 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
#17 0x55e83f48f09f in Run base/callback.h:99:12
#18 0x55e83f48f09f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#19 0x55e83f26f384 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:421:46
#20 0x55e83f2707af in DeferOrRunPendingTask base/message_loop/message_loop.cc:432:5
#21 0x55e83f2707af in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:476
#22 0x55e83f483691 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:210:31
#23 0x55e83f2ee9db in base::RunLoop::Run() base/run_loop.cc:102:14
#24 0x55e83e601c0c in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2092:15
#25 0x55e837fdef88 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1034:29
#26 0x55e837fe8071 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
#27 0x55e837fd1c28 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
#28 0x55e83e5c785f in RunBrowserProcessMain content/app/content_main_runner_impl.cc:596:10
#29 0x55e83e5c785f in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:947
#30 0x55e83e5e1069 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#31 0x55e83e5c1181 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#32 0x55e834d79fad in ChromeMain chrome/app/chrome_main.cc:101:12
#33 0x7f7de8e6482f in libc.so.6
0x6110063e1348 is located 8 bytes inside of 32-byte region [0x6110063e1340,0x6110063e1360)
freed by thread T0 (chrome) here:
#0 0x55e834d77a62 in operator delete(void*) _asan_rtl_:3
#1 0x55e847dd1c18 in operator() buildtools/third_party/libc++/trunk/include/memory:2321:5
#2 0x55e847dd1c18 in reset buildtools/third_party/libc++/trunk/include/memory:2634
#3 0x55e847dd1c18 in ash::UnifiedSliderBubbleController::CloseBubble() ash/system/unified/unified_slider_bubble_controller.cc:53
#4 0x55e83f3b5936 in Run base/callback.h:129:12
#5 0x55e83f3b5936 in base::internal::TimerBase::RunScheduledTask() base/timer/timer.cc:262
#6 0x55e83f48f09f in Run base/callback.h:99:12
#7 0x55e83f48f09f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#8 0x55e83f26f384 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:421:46
#9 0x55e83f270e25 in DeferOrRunPendingTask base/message_loop/message_loop.cc:432:5
#10 0x55e83f270e25 in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:517
#11 0x55e83f483395 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:220:27
#12 0x55e83f2ee9db in base::RunLoop::Run() base/run_loop.cc:102:14
#13 0x55e83e601c0c in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2092:15
#14 0x55e837fdef88 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1034:29
#15 0x55e837fe8071 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
#16 0x55e837fd1c28 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
#17 0x55e83e5c785f in RunBrowserProcessMain content/app/content_main_runner_impl.cc:596:10
#18 0x55e83e5c785f in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:947
#19 0x55e83e5e1069 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#20 0x55e83e5c1181 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#21 0x55e834d79fad in ChromeMain chrome/app/chrome_main.cc:101:12
#22 0x7f7de8e6482f in libc.so.6
previously allocated by thread T0 (chrome) here:
#0 0x55e834d76e22 in operator new(unsigned long) _asan_rtl_:3
#1 0x55e847dd34dc in make_unique<ash::UnifiedVolumeSliderController, nullptr_t> buildtools/third_party/libc++/trunk/include/memory:3114:28
#2 0x55e847dd34dc in ash::UnifiedSliderBubbleController::CreateSliderController() ash/system/unified/unified_slider_bubble_controller.cc:175
#3 0x55e847dd24d4 in ash::UnifiedSliderBubbleController::ShowBubble(ash::UnifiedSliderBubbleController::SliderType) ash/system/unified/unified_slider_bubble_controller.cc:133:3
#4 0x55e841821425 in chromeos::CrasAudioHandler::OutputNodeVolumeChanged(unsigned long, int) chromeos/audio/cras_audio_handler.cc:754:14
#5 0x55e841ad21f7 in chromeos::FakeCrasAudioClient::NotifyOutputNodeVolumeChangedForTesting(unsigned long, int) chromeos/dbus/fake_cras_audio_client.cc:247:14
#6 0x55e84181b6b5 in chromeos::CrasAudioHandler::SetOutputVolumePercent(int) chromeos/audio/cras_audio_handler.cc:518:7
#7 0x55e83a459f45 in ash::mojom::VolumeControllerStubDispatch::Accept(ash::mojom::VolumeController*, mojo::Message*) gen/ash/public/interfaces/volume.mojom.cc:193:13
#8 0x55e840a2243e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32
#9 0x55e840a34481 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
#10 0x55e840a32591 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
#11 0x55e840a1c078 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:457:51
#12 0x55e840a1dd8f in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:486:10
#13 0x55e840a04967 in Run base/callback.h:129:12
#14 0x55e840a04967 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
#15 0x55e83f48f09f in Run base/callback.h:99:12
#16 0x55e83f48f09f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#17 0x55e83f26f384 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:421:46
#18 0x55e83f2707af in DeferOrRunPendingTask base/message_loop/message_loop.cc:432:5
#19 0x55e83f2707af in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:476
#20 0x55e83f483691 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:210:31
#21 0x55e83f2ee9db in base::RunLoop::Run() base/run_loop.cc:102:14
#22 0x55e83e601c0c in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2092:15
#23 0x55e837fdef88 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1034:29
#24 0x55e837fe8071 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
#25 0x55e837fd1c28 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
#26 0x55e83e5c785f in RunBrowserProcessMain content/app/content_main_runner_impl.cc:596:10
#27 0x55e83e5c785f in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:947
#28 0x55e83e5e1069 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#29 0x55e83e5c1181 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#30 0x55e834d79fad in ChromeMain chrome/app/chrome_main.cc:101:12
#31 0x7f7de8e6482f in libc.so.6
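The comment above describes a classic observer-lifetime use-after-free: the owner frees the controller from a timer-driven CloseBubble(), but a slider view still holds a raw pointer to it, and the next audio-observer callback routes a volume update through that dangling pointer. The reduced model below is an added illustration, not Chromium's code and not the change linked in this bug; the class names (VolumeSliderController, BubbleController, UnsafeSliderView, SafeSliderView) are stand-ins chosen for this example. It keeps the unsafe shape next to one general mitigation, holding the listener weakly and checking liveness on every callback, and replays the event ordering from the report so a late volume event is dropped and counted rather than dereferenced.

```cpp
#include <memory>
#include <utility>

// Constructed model of the lifetime hazard in the report. Names are stand-ins
// for the Chromium classes in the stack trace, not the real API.

class SliderListener {
 public:
  virtual ~SliderListener() = default;
  virtual void SliderValueChanged(float value) = 0;
};

// Stands in for UnifiedVolumeSliderController: the object ASAN saw freed.
class VolumeSliderController : public SliderListener {
 public:
  void SliderValueChanged(float value) override {
    last_value_ = value;
    ++calls_;
  }
  float last_value() const { return last_value_; }
  int calls() const { return calls_; }

 private:
  float last_value_ = 0.0f;
  int calls_ = 0;
};

// Unsafe shape: SetValue() forwards through a raw pointer that nothing clears
// when the listener dies. Calling it after the owner released the listener is
// the 8-byte read the sanitizer flagged. Kept here for contrast; never invoked
// on a freed listener in this example.
class UnsafeSliderView {
 public:
  explicit UnsafeSliderView(SliderListener* listener) : listener_(listener) {}
  void SetValue(float value) { listener_->SliderValueChanged(value); }

 private:
  SliderListener* listener_;  // dangles once the owner resets its unique_ptr
};

// Mitigation: hold the listener weakly and re-check liveness per callback, so
// an event that arrives after the close timer fired is dropped, not dereferenced.
class SafeSliderView {
 public:
  explicit SafeSliderView(std::weak_ptr<SliderListener> listener)
      : listener_(std::move(listener)) {}

  // Returns true if the update reached a live listener, false if dropped.
  bool SetValue(float value) {
    if (auto live = listener_.lock()) {
      live->SliderValueChanged(value);
      return true;
    }
    ++dropped_;
    return false;
  }
  int dropped() const { return dropped_; }

 private:
  std::weak_ptr<SliderListener> listener_;
  int dropped_ = 0;
};

// Stands in for UnifiedSliderBubbleController: owns the listener, releases it
// from CloseBubble(); the view may outlive that release.
class BubbleController {
 public:
  void ShowBubble() {
    controller_ = std::make_shared<VolumeSliderController>();
    view_ = std::make_unique<SafeSliderView>(controller_);
  }
  void CloseBubble() { controller_.reset(); }  // fade-out timer fired
  // Entry point on the audio-observer path for each output volume change.
  bool OnOutputNodeVolumeChanged(float value) {
    return view_ && view_->SetValue(value);
  }
  const SafeSliderView* view() const { return view_.get(); }
  const VolumeSliderController* controller() const { return controller_.get(); }

 private:
  std::shared_ptr<VolumeSliderController> controller_;
  std::unique_ptr<SafeSliderView> view_;
};

struct ReplayResult {
  float last_delivered;  // value the controller saw while it was alive
  int dropped;           // events that arrived after the controller was freed
};

// Replays the ordering from the report: bubble shown, volume event delivered,
// close timer fires, another volume event arrives.
ReplayResult ReplayLateVolumeEvent() {
  BubbleController bubble;
  bubble.ShowBubble();
  bubble.OnOutputNodeVolumeChanged(0.5f);  // delivered: controller alive
  float delivered = bubble.controller()->last_value();
  bubble.CloseBubble();                    // controller freed, view lingers
  bubble.OnOutputNodeVolumeChanged(0.7f);  // dropped instead of use-after-free
  return {delivered, bubble.view()->dropped()};
}
```

The dropped-event counter is the check a practitioner wants: if it ever becomes non-zero in a test that shows, closes and then nudges the volume, the late-callback ordering is reachable and the raw-pointer variant would have been a use-after-free. In a codebase with its own weak-reference facility (Chromium has base::WeakPtr), that facility replaces std::weak_ptr here; the liveness check per callback is the part that matters.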
Jul 24
M-70 feature
Jul 25
Jul 27
yamaguchi@: Could you take a look? Thank you.
Aug 2
https://crrev.com/c/1159924
Aug 2
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c17b12c192944187e1b2d218d7ba279c76474d5e
commit c17b12c192944187e1b2d218d7ba279c76474d5e
Author: Tetsui Ohkubo <tetsui@chromium.org>
Date: Thu Aug 02 06:08:54 2018
Unified: Fix asan failure for slider bubble.
UnifiedSliderBubbleController was not handling events properly when the previous bubble was closing, e.g. the volume key was pressed while the brightness slider was fading out.
TEST=manual
BUG=866301
Change-Id: I93087c01b38cbd7d5f64f8c99c9e0c539113f8d8
Reviewed-on: https://chromium-review.googlesource.com/1159924
Reviewed-by: Yoshiki Iguchi <yoshiki@chromium.org>
Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580088}
[modify] https://crrev.com/c17b12c192944187e1b2d218d7ba279c76474d5e/ash/system/unified/unified_slider_bubble_controller.cc
Aug 2
Aug 2
Aug 13
(hit by internal fuzzers)
Nov 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jul 22