
Issue 868724


Issue metadata

Status: Duplicate
Merged: issue 867370
Owner: ----
Closed: Jul 30
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security




use-after-poison in mojo::InterfaceEndpointClient::HandleValidatedMessage

Reported by cdsrc2...@gmail.com, Jul 29

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
Version 70.0.3503.0 (Developer Build) (64-bit)
OS Version: Ubuntu 18.04.1 LTS

1. Get the new version of Chrome:
   a) Build the source code
      configure the args.gn file as below:
          use_sanitizer_coverage = true
          is_asan = true
          is_debug = false
          enable_nacl = false
          treat_warnings_as_errors = false
      ninja -j16 -C out/chrome_asan content_shell

2. content_shell ./launcher.html

What is the expected behavior?

What went wrong?
==1==ERROR: AddressSanitizer: use-after-poison on address 0x7e8e56944628 at pc 0x7f455c11020f bp 0x7ffe7e6721d0 sp 0x7ffe7e6721c8
READ of size 8 at 0x7e8e56944628 thread T0 (content_shell)
    #0 0x7f455c11020e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32
    #1 0x7f455c121903 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
    #2 0x7f455c1200da in mojo::internal::MultiplexRouter::Accept(mojo::Message*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
    #3 0x7f455c105baf in mojo::Connector::ReadSingleMessage(unsigned int*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/connector.cc:457:51
    #4 0x7f455c107608 in mojo::Connector::ReadAllAvailableMessages() /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/connector.cc:486:10
    #5 0x7f455c1a3c77 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:129:12
    #6 0x7f455c1a3c77 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/system/simple_watcher.cc:273:0
    #7 0x7f455bae0310 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #8 0x7f455bae0310 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #9 0x7f455bc6ccb5 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/task/sequence_manager/thread_controller_impl.cc:166:21
    #10 0x7f455bae0310 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #11 0x7f455bae0310 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #12 0x7f455bb5ab4d in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:421:46
    #13 0x7f455bb5bfcf in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:432:5
    #14 0x7f455bb5bfcf in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:480:0
    #15 0x7f455bb6167f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #16 0x7f455bbe9270 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
    #17 0x7f4558eb7c34 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:200:23
    #18 0x7f455911e5e1 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:554:14
    #19 0x7f4559121e3c in content::ContentMainRunnerImpl::Run(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:951:10
    #20 0x7f454dbb1be1 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:472:29
    #21 0x7f455911ccde in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #22 0x733ab7 in main /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/shell/app/shell_main.cc:39:10
    #23 0x7f453678fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310:0

Address 0x7e8e56944628 is a wild pointer.
SUMMARY: AddressSanitizer: use-after-poison (/home/cowboy/chromium/src/out/chrome_asan_shared/./libbindings.so+0x2820e)
Shadow bytes around the buggy address:
==1==ABORTING
Received signal 6
    #0 0x0000006a96f1 in __interceptor_backtrace /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
    #1 0x7f455bd75cbe in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
    #2 0x7f455bd74c0d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
    #3 0x7f453a469890 in __funlockfile ??:?
    #4 0x7f453a469890 in ?? ??:0
    #5 0x7f45367ace97 in __libc_signal_restore_set /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80:0
    #6 0x7f45367ace97 in gsignal /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48:0
    #7 0x7f45367ae801 in abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:79:0
    #8 0x00000071f217 in __sanitizer::Abort() /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:157:3
    #9 0x00000071dc61 in __sanitizer::Die() /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:59:5
    #10 0x00000070a049 in __asan::ScopedInErrorReport::~ScopedInErrorReport() _asan_rtl_:7
    #11 0x000000709543 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) _asan_rtl_:1
    #12 0x00000070a3fb in __asan_report_load8 _asan_rtl_:1
    #13 0x7f455c11020f in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32
    #14 0x7f455c121904 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
    #15 0x7f455c1200db in mojo::internal::MultiplexRouter::Accept(mojo::Message*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
    #16 0x7f455c105bb0 in mojo::Connector::ReadSingleMessage(unsigned int*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/connector.cc:457:51
    #17 0x7f455c107609 in mojo::Connector::ReadAllAvailableMessages() /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/bindings/lib/connector.cc:486:10
    #18 0x7f455c1a3c78 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:129:12
    #19 0x7f455c1a3c78 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../mojo/public/cpp/system/simple_watcher.cc:273:0
    #20 0x7f455bae0311 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #21 0x7f455bae0311 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #22 0x7f455bc6ccb6 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/task/sequence_manager/thread_controller_impl.cc:166:21
    #23 0x7f455bae0311 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
    #24 0x7f455bae0311 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #25 0x7f455bb5ab4e in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:421:46
    #26 0x7f455bb5bfd0 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:432:5
    #27 0x7f455bb5bfd0 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:480:0
    #28 0x7f455bb61680 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #29 0x7f455bbe9271 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
    #30 0x7f4558eb7c35 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:200:23
    #31 0x7f455911e5e2 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:554:14
    #32 0x7f4559121e3d in content::ContentMainRunnerImpl::Run(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:951:10
    #33 0x7f454dbb1be2 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:472:29
    #34 0x7f455911ccdf in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #35 0x000000733ab8 in main /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/shell/app/shell_main.cc:39:10
    #36 0x7f453678fb97 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310:0
    #37 0x00000065c02a in _start ??:0:0
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Did this work before? N/A

Chrome version: Version 70.0.3503.0 (Developer Build) (64-bit)  Channel: dev
OS Version: Ubuntu 18.04.1 LTS
Flash Version: Shockwave Flash 30.0 r0

Attachments:
  asan_symbolised.log (12.2 KB)
  crash.html (295 bytes)
  launcher.html (306 bytes)
  normal.png (1010 bytes)
Cc: mbarbe...@chromium.org
Mergedinto: 867370
Status: Duplicate (was: Unconfirmed)
Thanks for the report. We have another bug open for this issue but were having some trouble reproducing it, so this may still be useful.
Project Member

Comment 2 by sheriffbot@chromium.org, Nov 16

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
