Issue 870419 link

Starred by 1 user

Issue metadata

Status: Duplicate
Owner:
Closed: Aug 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




Heap-use-after-free in ChromeViewsDelegate::NotifyAccessibilityEvent

Reported by ClusterFuzz (Project Member), Aug 2

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5418517936209920

Fuzzer: mbarbella_webgl
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x619000df5418
Crash State:
  ChromeViewsDelegate::NotifyAccessibilityEvent
  views::View::NotifyAccessibilityEvent
  message_center::MessagePopupCollection::OnNotificationUpdated
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=554393:554396

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5418517936209920

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Aug 2

Components: UI>Notifications UI>Shell
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Owner: ellyjo...@chromium.org
Elly, any idea who we can route this to? I'm not sure if its Chrome OS specific or generic views code.
Comment 3 by sheriffbot@chromium.org (Project Member), Aug 3

Labels: M-68 Target-68
Comment 4 by sheriffbot@chromium.org (Project Member), Aug 3

Labels: Pri-1
Comment 5 by sheriffbot@chromium.org (Project Member), Aug 3

Status: Assigned (was: Untriaged)
Cc: ellyjo...@chromium.org
Owner: dewittj@chromium.org
The crash stack is via some cros-specific code. The UAF stack:

#0 0x556e2de50ad5 in ChromeViewsDelegate::NotifyAccessibilityEvent(views::View*, ax::mojom::Event) chrome/browser/ui/views/chrome_views_delegate.cc:132:33
#1 0x556e2a36fc65 in views::View::NotifyAccessibilityEvent(ax::mojom::Event, bool) ui/views/view.cc:1466:35
#2 0x556e345012cb in message_center::MessagePopupCollection::OnNotificationUpdated(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ui/message_center/views/message_popup_collection.cc:153:19
#3 0x556e344e342e in message_center::MessageCenterImpl::AddNotification(std::__1::unique_ptr<message_center::Notification, std::__1::default_delete<message_center::Notification> >) ui/message_center/message_center_impl.cc:0:16
#4 0x556e2cabb582 in ShowDeprecatedAcceleratorNotification ash/accelerators/accelerator_controller.cc:177:41
#5 0x556e2cabb582 in ash::AcceleratorController::MaybeDeprecatedAcceleratorPressed(ash::AcceleratorAction, ui::Accelerator const&) const ash/accelerators/accelerator_controller.cc:1813
#6 0x556e2caba611 in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1155:7
#7 0x556e32d17252 in ui::AcceleratorManager::Process(ui::Accelerator const&) ui/base/accelerators/accelerator_manager.cc:101:18
#8 0x556e2e77eb09 in views::UnhandledKeyboardEventHandler::HandleKeyboardEvent(content::NativeWebKeyboardEvent const&, views::FocusManager*) ui/views/controls/webview/unhandled_keyboard_event_handler.cc:48:24
#9 0x556e1de96017 in content::RenderWidgetHostImpl::OnKeyboardEventAck(content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> const&, content::InputEventAckSource, content::InputEventAckState) content/browser/renderer_host/render_widget_host_impl.cc:2545:16
#10 0x556e1dc625b8 in content::InputRouterImpl::KeyboardEventHandled(content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> const&, content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&) content/browser/renderer_host/input/input_router_impl.cc:502:25
#11 0x556e1dc6c003 in Invoke<void (content::InputRouterImpl::*)(const content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> &, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &), base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent>, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &> base/bind_internal.h:516:12
#12 0x556e1dc6c003 in MakeItSo<void (content::InputRouterImpl::*)(const content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> &, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &), base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent>, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &> base/bind_internal.h:636
#13 0x556e1dc6c003 in RunImpl<void (content::InputRouterImpl::*)(const content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> &, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &), std::__1::tuple<base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> >, 0, 1> base/bind_internal.h:689
#14 0x556e1dc6c003 in base::internal::Invoker<base::internal::BindState<void (content::InputRouterImpl::*)(content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> const&, content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&), base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> >, void (content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&)>::RunOnce(base::internal::BindStateBase*, content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&) base/bind_internal.h:658
#15 0x556e1b29f2d3 in Run base/callback.h:99:12
#16 0x556e1b29f2d3 in content::mojom::WidgetInputHandler_DispatchEvent_ForwardToCallback::Accept(mojo::Message*) gen/content/common/input/input_handler.mojom.cc:2000
#17 0x556e25dfa7ee in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:23
#18 0x556e25e0c411 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
#19 0x556e25e0a521 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
#20 0x556e25df3f68 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:457:51
#21 0x556e25df5c7f in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:486:10
#22 0x556e25ddc7d7 in Run base/callback.h:129:12
#23 0x556e25ddc7d7 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
#24 0x556e247e9a8f in Run base/callback.h:99:12
#25 0x556e247e9a8f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#26 0x556e245c1724 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:431:46
#27 0x556e245c2bac in DeferOrRunPendingTask base/message_loop/message_loop.cc:442:5
#28 0x556e245c2bac in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:514
#29 0x556e247de091 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:210:31
#30 0x556e246455eb in base::RunLoop::Run() base/run_loop.cc:102:14
#31 0x556e2391addc in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2092:15
#32 0x556e1d1f0a98 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1034:29
#33 0x556e1d1fa261 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
#34 0x556e1d1e3778 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
#35 0x556e2379957f in RunBrowserProcessMain content/app/content_main_runner_impl.cc:569:10
#36 0x556e2379957f in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:920
#37 0x556e238fa27e in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#38 0x556e237931c1 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#39 0x556e19faa2bd in ChromeMain chrome/app/chrome_main.cc:101:12
#40 0x7fd3fa4a282f in libc.so.6

And the free stack:

#0 0x556e19fa7db2 in operator delete(void*) _asan_rtl_:3
#1 0x556e2a3a1587 in views::Widget::OnNativeWidgetDestroyed() ui/views/widget/widget.cc:1096:21
#2 0x556e2a3d78c4 in OnWindowDestroyed ui/views/widget/native_widget_aura.cc:883:14
#3 0x556e2a3d78c4 in non-virtual thunk to views::NativeWidgetAura::OnWindowDestroyed(aura::Window*) ui/views/widget/native_widget_aura.cc:0
#4 0x556e293d46fc in aura::Window::~Window() ui/aura/window.cc:130:16
#5 0x556e293d600c in aura::Window::~Window() ui/aura/window.cc:82:19
#6 0x556e2a39a4a8 in views::Widget::CloseNow() ui/views/widget/widget.cc:602:19
#7 0x556e344ff2f1 in ClosePopupsOutsideWorkArea ui/message_center/views/message_popup_collection.cc:488:17
#8 0x556e344ff2f1 in message_center::MessagePopupCollection::TransitionToAnimation() ui/message_center/views/message_popup_collection.cc:260
#9 0x556e344fd914 in message_center::MessagePopupCollection::Update() ui/message_center/views/message_popup_collection.cc:56:5
#10 0x556e34506d2a in message_center::MessagePopupView::UpdateContents(message_center::Notification const&) ui/message_center/views/message_popup_view.cc:69:22
#11 0x556e345012cb in message_center::MessagePopupCollection::OnNotificationUpdated(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ui/message_center/views/message_popup_collection.cc:153:19
#12 0x556e344e342e in message_center::MessageCenterImpl::AddNotification(std::__1::unique_ptr<message_center::Notification, std::__1::default_delete<message_center::Notification> >) ui/message_center/message_center_impl.cc:0:16
#13 0x556e2cabb582 in ShowDeprecatedAcceleratorNotification ash/accelerators/accelerator_controller.cc:177:41
#14 0x556e2cabb582 in ash::AcceleratorController::MaybeDeprecatedAcceleratorPressed(ash::AcceleratorAction, ui::Accelerator const&) const ash/accelerators/accelerator_controller.cc:1813
#15 0x556e2caba611 in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1155:7
#16 0x556e32d17252 in ui::AcceleratorManager::Process(ui::Accelerator const&) ui/base/accelerators/accelerator_manager.cc:101:18
#17 0x556e2e77eb09 in views::UnhandledKeyboardEventHandler::HandleKeyboardEvent(content::NativeWebKeyboardEvent const&, views::FocusManager*) ui/views/controls/webview/unhandled_keyboard_event_handler.cc:48:24
#18 0x556e1de96017 in content::RenderWidgetHostImpl::OnKeyboardEventAck(content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> const&, content::InputEventAckSource, content::InputEventAckState) content/browser/renderer_host/render_widget_host_impl.cc:2545:16
#19 0x556e1dc625b8 in content::InputRouterImpl::KeyboardEventHandled(content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> const&, content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&) content/browser/renderer_host/input/input_router_impl.cc:502:25
#20 0x556e1dc6c003 in Invoke<void (content::InputRouterImpl::*)(const content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> &, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &), base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent>, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &> base/bind_internal.h:516:12
#21 0x556e1dc6c003 in MakeItSo<void (content::InputRouterImpl::*)(const content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> &, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &), base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent>, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &> base/bind_internal.h:636
#22 0x556e1dc6c003 in RunImpl<void (content::InputRouterImpl::*)(const content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> &, content::InputEventAckSource, const ui::LatencyInfo &, content::InputEventAckState, const base::Optional<ui::DidOverscrollParams> &, const base::Optional<cc::TouchAction> &), std::__1::tuple<base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> >, 0, 1> base/bind_internal.h:689
#23 0x556e1dc6c003 in base::internal::Invoker<base::internal::BindState<void (content::InputRouterImpl::*)(content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> const&, content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&), base::WeakPtr<content::InputRouterImpl>, content::EventWithLatencyInfo<content::NativeWebKeyboardEvent> >, void (content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&)>::RunOnce(base::internal::BindStateBase*, content::InputEventAckSource, ui::LatencyInfo const&, content::InputEventAckState, base::Optional<ui::DidOverscrollParams> const&, base::Optional<cc::TouchAction> const&) base/bind_internal.h:658
#24 0x556e1b29f2d3 in Run base/callback.h:99:12
#25 0x556e1b29f2d3 in content::mojom::WidgetInputHandler_DispatchEvent_ForwardToCallback::Accept(mojo::Message*) gen/content/common/input/input_handler.mojom.cc:2000
#26 0x556e25dfa7ee in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:418:23
#27 0x556e25e0c411 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:869:42
#28 0x556e25e0a521 in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:590:38
#29 0x556e25df3f68 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:457:51
#30 0x556e25df5c7f in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:486:10
#31 0x556e25ddc7d7 in Run base/callback.h:129:12
#32 0x556e25ddc7d7 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:273
#33 0x556e247e9a8f in Run base/callback.h:99:12
#34 0x556e247e9a8f in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#35 0x556e245c1724 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:431:46
#36 0x556e245c2bac in DeferOrRunPendingTask base/message_loop/message_loop.cc:442:5
#37 0x556e245c2bac in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:514
#38 0x556e247de091 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:210:31
#39 0x556e246455eb in base::RunLoop::Run() base/run_loop.cc:102:14

So, a Widget (I guess the notification) is being deallocated while someone else is still holding a reference to it. My guess is that this crash happens when the user expands a notification that is outside the "work area" using the keyboard - then MessagePopupCollection::ClosePopupsOutsideWorkArea() will free the popup? Not sure.

Anyway, to dewittj@ for //ui/message_center
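The two stacks in comment 5 share a prefix up to MessagePopupCollection::OnNotificationUpdated: that function looks up the popup's View, calls MessagePopupView::UpdateContents, and then calls NotifyAccessibilityEvent on the View it already holds. UpdateContents re-enters the collection (Update → TransitionToAnimation → ClosePopupsOutsideWorkArea → Widget::CloseNow), which can destroy that very popup, so the trailing call reads a freed View. The following is an added example, not Chromium code, that models this re-entrant-deletion pattern in a few dozen lines and shows the usual hardening: re-resolve the object from its owning container after any call that can re-enter and destroy it. All names (Popup, PopupCollection, kWorkAreaHeight) are hypothetical, and a live-object registry stands in for ASan so the dangling access is reported deterministically instead of being undefined behaviour.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>

namespace {
// Registry of live Popup addresses. This plays the role of ASan's allocator
// metadata: the model checks membership rather than dereferencing a stale
// pointer, so the vulnerable path produces a report instead of UB.
std::set<const void*>& LivePopups() {
  static std::set<const void*> live;
  return live;
}
}  // namespace

// Hypothetical stand-in for a notification popup's Widget/View pair.
struct Popup {
  std::string id;
  int y;  // vertical position; popups pushed below the work area get closed
  Popup(std::string i, int y_) : id(std::move(i)), y(y_) { LivePopups().insert(this); }
  ~Popup() { LivePopups().erase(this); }
};

class PopupCollection {
 public:
  static constexpr int kWorkAreaHeight = 600;  // hypothetical work-area bottom

  void Add(const std::string& id, int y) {
    popups_[id] = std::make_unique<Popup>(id, y);
  }

  // Stand-in for MessagePopupView::UpdateContents -> MessagePopupCollection::Update:
  // growing one popup re-lays-out the collection and closes anything now outside
  // the work area, so the popup being updated can be destroyed underneath the caller.
  void UpdateContents(Popup* p, int grow_by) {
    p->y += grow_by;
    ClosePopupsOutsideWorkArea();
  }

  // Vulnerable shape (as in the stack above): raw pointer held across the
  // re-entrant call, then used.
  std::string OnNotificationUpdatedUnsafe(const std::string& id, int grow_by) {
    Popup* view = Find(id);
    if (!view) return "not-found";
    UpdateContents(view, grow_by);
    return NotifyAccessibilityEvent(view);  // `view` may point at a freed object
  }

  // Hardened shape: after anything that can re-enter, look the popup up again
  // by its notification id and bail out if it no longer exists.
  std::string OnNotificationUpdatedSafe(const std::string& id, int grow_by) {
    Popup* view = Find(id);
    if (!view) return "not-found";
    UpdateContents(view, grow_by);
    view = Find(id);  // may have been closed during UpdateContents
    if (!view) return "closed-during-update";
    return NotifyAccessibilityEvent(view);
  }

  std::size_t size() const { return popups_.size(); }

 private:
  Popup* Find(const std::string& id) {
    auto it = popups_.find(id);
    return it == popups_.end() ? nullptr : it->second.get();
  }

  // Stand-in for ClosePopupsOutsideWorkArea -> Widget::CloseNow, which deletes
  // the Widget synchronously.
  void ClosePopupsOutsideWorkArea() {
    for (auto it = popups_.begin(); it != popups_.end();) {
      if (it->second->y > kWorkAreaHeight) it = popups_.erase(it);
      else ++it;
    }
  }

  // Stand-in for views::View::NotifyAccessibilityEvent. Only the address is
  // compared against the registry; the pointee is touched only if it is live.
  std::string NotifyAccessibilityEvent(const Popup* view) {
    if (!LivePopups().count(view)) return "heap-use-after-free";
    return "ok:" + view->id;
  }

  std::map<std::string, std::unique_ptr<Popup>> popups_;
};
```

Running both variants on a popup that starts at y=500 and grows by 200 (past kWorkAreaHeight) shows the difference: the unsafe path returns "heap-use-after-free" after the popup has been erased, while the safe path returns "closed-during-update"; a popup that stays inside the work area gets "ok:<id>" from both.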
Owner: yoshiki@chromium.org
Over to yoshiki@ for diagnosis in ChromeOS
Comment 8 by sheriffbot@chromium.org (Project Member), Aug 17

yoshiki: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: yoshiki@chromium.org
Owner: tetsui@chromium.org
Tetsui-san, could you take a look? It may be related to your recent change in message_center::MessagePopupCollection::OnNotificationUpdated().
Mergedinto: 874777
Status: Duplicate (was: Assigned)
Comment 11 by sheriffbot@chromium.org (Project Member), Nov 29

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot