Heap-use-after-free in Decrement on already dead ChromeBlobStorageContext created by StoragePartitionImpl::Create
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6677180852207616

Fuzzer: bcrane-css-mutator
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6080000290a0
Crash State:
  Decrement
  ReleaseImpl
  Release

Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6677180852207616

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Aug 3
hanxi@, could you please take a look?
Aug 16
Friendly security sheriff ping, any updates here?
Aug 16
+gab@: is it something that you are aware of?
Aug 16
Here are the stacks, so it looks like the ChromeBlobStorageContext object has one too many refs released early (the ref being freed in ~MessageLoop() is just because it's deleting a task which still has a ref to it, but somehow that hits a ref count which had already been made 0); I suspect this is because of an explicit extra Release() somewhere in the shutdown sequence. @kinuko, who introduced ChromeBlobStorageContext @ storage_partition_impl.cc:649 from what I can tell (a while back, but I have no better guess).

#0 0x97eaba2 in fetch_sub buildtools/third_party/libc++/trunk/include/atomic:1026:17
#1 0x97eaba2 in Decrement base/atomic_ref_count.h:37
#2 0x97eaba2 in ReleaseImpl base/memory/ref_counted.h:205
#3 0x97eaba2 in Release base/memory/ref_counted.h:170
#4 0x97eaba2 in Release base/memory/ref_counted.h:385
#5 0x97eaba2 in Release base/memory/scoped_refptr.h:284
#6 0x97eaba2 in ~scoped_refptr base/memory/scoped_refptr.h:208
#7 0x97eaba2 in ~__tuple_leaf buildtools/third_party/libc++/trunk/include/tuple:170
#8 0x97eaba2 in ~tuple buildtools/third_party/libc++/trunk/include/tuple:469
#9 0x97eaba2 in ~BindState base/bind_internal.h:799
#10 0x97eaba2 in base::internal::BindState<void (content::URLLoaderFactoryGetter::*)(), scoped_refptr<content::URLLoaderFactoryGetter> >::Destroy(base::internal::BindStateBase const*) base/bind_internal.h:802
#11 0xaab9ee3 in base::internal::IncomingTaskQueue::TriageQueue::Clear() base/message_loop/incoming_task_queue.cc:147:3
#12 0xaab4498 in DeletePendingTasks base/message_loop/message_loop.cc:445:40
#13 0xaab4498 in base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:172
#14 0xaab551c in base::MessageLoopForUI::~MessageLoopForUI() base/message_loop/message_loop.h:351:19
#15 0x83f0876 in operator() buildtools/third_party/libc++/trunk/include/memory:2321:5
#16 0x83f0876 in reset buildtools/third_party/libc++/trunk/include/memory:2634
#17 0x83f0876 in content::ContentMainRunnerImpl::Shutdown() content/app/content_main_runner_impl.cc:968
#18 0xf9adf22 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:492:15
#19 0x5c1eece in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#20 0x351f3c7 in main content/shell/app/shell_main.cc:39:10
#21 0x7f20de00e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

0x6080000290a0 is located 0 bytes inside of 88-byte region [0x6080000290a0,0x6080000290f8)
freed by thread T3 (Chrome_IOThread) here:
#0 0x351cf22 in operator delete(void*) third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:167:3
#1 0xaab7f9c in Run base/callback.h:99:12
#2 0xaab7f9c in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
#3 0xaab2314 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:421:46
#4 0xaab376f in DeferOrRunPendingTask base/message_loop/message_loop.cc:432:5
#5 0xaab376f in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:480
#6 0xacda6f1 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:210:31
#7 0xab2a21b in base::RunLoop::Run() base/run_loop.cc:102:14
#8 0x87cdb49 in content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) content/browser/browser_process_sub_thread.cc:178:11
#9 0xabfa00e in base::Thread::ThreadMain() base/threading/thread.cc:337:3
#10 0xacd053a in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
#11 0x7f20e3f726b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T0 (content_shell) here:
#0 0x351c2e2 in operator new(unsigned long) third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:106:3
#1 0x9798db7 in content::StoragePartitionImpl::Create(content::BrowserContext*, bool, base::FilePath const&) content/browser/storage_partition_impl.cc:649:43
#2 0x97abf5f in content::StoragePartitionImplMap::Get(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool, bool) content/browser/storage_partition_impl_map.cc:398:7
#3 0x8792cd5 in content::(anonymous namespace)::GetStoragePartitionFromConfig(content::BrowserContext*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool, bool) content/browser/browser_context.cc:158:25
#4 0x8792904 in content::BrowserContext::GetStoragePartition(content::BrowserContext*, content::SiteInstance*, bool) content/browser/browser_context.cc:321:10
#5 0x93d1db5 in MaybeTakeSpareRenderProcessHost content/browser/renderer_host/render_process_host_impl.cc:601:9
#6 0x93d1db5 in content::RenderProcessHostImpl::GetProcessHostForSiteInstance(content::BrowserContext*, content::SiteInstanceImpl*) content/browser/renderer_host/render_process_host_impl.cc:3757
#7 0x9760ca2 in content::SiteInstanceImpl::GetProcess() content/browser/site_instance_impl.cc:136:16
#8 0x982ef5e in content::WebContentsImpl::Init(content::WebContents::CreateParams const&) content/browser/web_contents/web_contents_impl.cc:1920:38
#9 0x98007f9 in content::WebContentsImpl::CreateWithOpener(content::WebContents::CreateParams const&, content::RenderFrameHostImpl*) content/browser/web_contents/web_contents_impl.cc:736:17
#10 0x980008a in content::WebContents::Create(content::WebContents::CreateParams const&) content/browser/web_contents/web_contents_impl.cc:291:10
#11 0xa9904c6 in content::Shell::CreateNewWindow(content::BrowserContext*, GURL const&, scoped_refptr<content::SiteInstance> const&, gfx::Size const&) content/shell/browser/shell.cc:231:7
#12 0xa89c312 in content::BlinkTestController::PrepareForLayoutTest(GURL const&, base::FilePath const&, bool, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) content/shell/browser/layout_test/blink_test_controller.cc:387:20
#13 0xa89768a in RunOneTest content/shell/browser/layout_test/layout_test_browser_main.cc:50:31
#14 0xa89768a in RunTests content/shell/browser/layout_test/layout_test_browser_main.cc:96
#15 0xa89768a in LayoutTestBrowserMain(content::MainFunctionParams const&, std::__1::unique_ptr<content::BrowserMainRunner, std::__1::default_delete<content::BrowserMainRunner> > const&) content/shell/browser/layout_test/layout_test_browser_main.cc:166
#16 0xa8957cf in content::ShellMainDelegate::RunProcess(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&) content/shell/app/shell_main_delegate.cc:351:16
#17 0x83f0184 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:586:29
#18 0x83f0184 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:947
#19 0xf9ad2ce in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#20 0x5c1eece in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#21 0x351f3c7 in main content/shell/app/shell_main.cc:39:10
#22 0x7f20de00e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Thread T3 (Chrome_IOThread) created by T0 (content_shell) here:
#0 0x34d863d in __interceptor_pthread_create third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0xaccf8af in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13
#2 0xabf90d1 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:112:15
#3 0x87cd457 in content::BrowserProcessSubThread::CreateIOThread() content/browser/browser_process_sub_thread.cc:91:19
#4 0x83efea8 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:927:29
#5 0xf9ad2ce in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#6 0x5c1eece in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#7 0x351f3c7 in main content/shell/app/shell_main.cc:39:10
#8 0x7f20de00e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
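The over-release pattern described in the comment above, as an added model that is not Chromium code and not a confirmed root cause (the issue was later closed because the testcase stopped reproducing). It stands in a toy ref-counted object for ChromeBlobStorageContext, a toy `Ref` for scoped_refptr, and two task lists for the IO and UI message loops. Instead of `delete this`, a count reaching zero marks the object dead, so the second Release() that the real build hit as a 4-byte write into freed memory is counted rather than being undefined behaviour. `Stats`, `QuarantinedRefCounted`, `Ref`, `RunShutdown` and the `explicit_release` flag are our names; `true` injects the hypothesised extra Release() and `false` is the corrected sequence in which only `Ref` handles touch the count.

```cpp
#include <atomic>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

namespace uaf_model {  // assumption: all names here are ours, not Chromium's

// What a scenario reports back.
struct Stats {
  int deletions = 0;        // refcount hit 0; the real object would be freed here
  int dead_decrements = 0;  // Release() on an already-freed object: the UAF write
};

// Toy stand-in for base::RefCountedThreadSafe. Marks itself dead instead of
// `delete this` so a stray Release() afterwards can be observed safely.
class QuarantinedRefCounted {
 public:
  explicit QuarantinedRefCounted(Stats* stats) : stats_(stats) {}
  void AddRef() const { ref_count_.fetch_add(1, std::memory_order_relaxed); }
  void Release() const {
    if (dead_) {  // the real build: Decrement on freed memory, caught by ASan
      ++stats_->dead_decrements;
      return;
    }
    if (ref_count_.fetch_sub(1, std::memory_order_acq_rel) == 1) {
      dead_ = true;  // real code: delete this
      ++stats_->deletions;
    }
  }

 private:
  Stats* stats_;
  mutable std::atomic<int> ref_count_{0};
  mutable bool dead_ = false;
};

// Toy scoped_refptr: the only thing that should ever call AddRef/Release.
template <typename T>
class Ref {
 public:
  Ref() = default;
  explicit Ref(T* p) : ptr_(p) { if (ptr_) ptr_->AddRef(); }
  Ref(const Ref& o) : ptr_(o.ptr_) { if (ptr_) ptr_->AddRef(); }
  Ref(Ref&& o) noexcept : ptr_(o.ptr_) { o.ptr_ = nullptr; }
  Ref& operator=(Ref o) { std::swap(ptr_, o.ptr_); return *this; }
  ~Ref() { if (ptr_) ptr_->Release(); }
  void swap(Ref& o) { std::swap(ptr_, o.ptr_); }
  void reset() { Ref().swap(*this); }
  T* get() const { return ptr_; }

 private:
  T* ptr_ = nullptr;
};

using Task = std::function<void()>;

// Shutdown as the stacks sketch it: the partition owns one ref, a task bound on
// the IO thread and a task bound on the UI thread each hold one more.
Stats RunShutdown(bool explicit_release) {
  Stats stats;
  auto* ctx = new QuarantinedRefCounted(&stats);
  Ref<QuarantinedRefCounted> owner(ctx);   // StoragePartitionImpl::Create: count 1

  std::vector<Task> io_thread, ui_thread;  // two message loops
  io_thread.push_back([r = Ref<QuarantinedRefCounted>(ctx)] { (void)r.get(); });  // 2
  ui_thread.push_back([r = Ref<QuarantinedRefCounted>(ctx)] { (void)r.get(); });  // 3

  if (explicit_release) ctx->Release();    // the hypothesised bug: an unowned decrement
  owner.reset();                           // partition drops its own ref

  for (Task& t : io_thread) t();           // IO thread runs its task...
  io_thread.clear();                       // ...and its bound ref goes away ("freed by T3")

  ui_thread.clear();                       // ~MessageLoop -> DeletePendingTasks -> ~BindState
  delete ctx;                              // quarantine released once no handle remains
  return stats;
}

}  // namespace uaf_model

int main() {
  uaf_model::Stats bug = uaf_model::RunShutdown(true);
  uaf_model::Stats ok = uaf_model::RunShutdown(false);
  std::printf("with extra Release(): deletions=%d dead_decrements=%d\n",
              bug.deletions, bug.dead_decrements);
  std::printf("corrected:            deletions=%d dead_decrements=%d\n",
              ok.deletions, ok.dead_decrements);
  return 0;
}
```

With the extra Release() the count reaches zero while the IO-thread task's ref is dropped (the "freed by thread T3 ... Run" stack) and the UI loop's pending-task cleanup then decrements a dead object (frames #11 to #13 of the first stack); without it the UI loop's cleanup is the legitimate last release. ASan's own quarantine is what let the real build attribute the freeing and the allocating stacks in the report.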
Aug 17
kinuko: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 24
ClusterFuzz testcase 6677180852207616 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 1
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Aug 3: Labels: Test-Predator-Auto-Components