Issue 873529

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 16
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome
Pri: 0
Type: Bug-Security


Heap-use-after-free in base::MessageLoop::DeletePendingTasks

Project Member Reported by ClusterFuzz, Aug 12

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5265605691965440

Fuzzer: attekett_webaudio_fuzzer
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6140004f6308
Crash State:
  base::MessageLoop::DeletePendingTasks
  base::MessageLoop::~MessageLoop
  base::MessageLoopForUI::~MessageLoopForUI
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5265605691965440

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 
Project Member

Comment 1 by ClusterFuzz, Aug 12

Labels: OS-Linux
Project Member

Comment 2 by ClusterFuzz, Aug 12

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 13

Labels: Pri-0
Components: Internals>Sandbox
Hmm, this is a flaky one, not always reproducible in each run.

Stacktraces are hard to interpret. It seems the error happens on the following line:
[24059:24059:0811/052008.709399:ERROR:sandbox_linux.cc(379)] InitializeSandbox() called with multiple threads in process gpu-process.


Labels: Security_Impact-Head
Labels: M-70
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 15

Labels: ReleaseBlock-Beta
This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Services>CloudPrint
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)
Looks like this is caused by a call from CloudPrint. thestig, can you take a look (and reassign if appropriate)?
Is this really a P0? I have some ideas for simplifying PrivetTrafficDetector to make its lifetime saner, e.g. not being a:

base::RefCountedThreadSafe<PrivetTrafficDetector, content::BrowserThread::DeleteOnIOThread>

Maybe that will help...
Cc: rmcelrath@chromium.org
+rmcelrath FYI.
Project Member

Comment 12 by bugdroid1@chromium.org, Aug 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/10f13475d328718cba6149d14f377fbf92ae4c68

commit 10f13475d328718cba6149d14f377fbf92ae4c68
Author: Lei Zhang <thestig@chromium.org>
Date: Thu Aug 16 21:10:08 2018

Make PrivetTrafficDetector live on the UI thread.

Split all IO thread code into a separate helper class. Now there is no
refcounting, so ownership is clearer. Now only the helper class has a
WeakPtrFactory, so WeakPtrs are only used on the IO thread.

BUG=873529

Change-Id: I326aa6f69839c193507df4c63250aa1560bbd0ef
Reviewed-on: https://chromium-review.googlesource.com/1177444
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Robbie McElrath <rmcelrath@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583813}
[modify] https://crrev.com/10f13475d328718cba6149d14f377fbf92ae4c68/chrome/browser/printing/cloud_print/privet_notifications.cc
[modify] https://crrev.com/10f13475d328718cba6149d14f377fbf92ae4c68/chrome/browser/printing/cloud_print/privet_notifications.h
[modify] https://crrev.com/10f13475d328718cba6149d14f377fbf92ae4c68/chrome/browser/printing/cloud_print/privet_traffic_detector.cc
[modify] https://crrev.com/10f13475d328718cba6149d14f377fbf92ae4c68/chrome/browser/printing/cloud_print/privet_traffic_detector.h
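An added illustration of the ownership pattern the commit message describes, not Chromium code and not the commit's actual implementation: a single-threaded TaskQueue stands in for the IO MessageLoop, and IoHelper is the only object that hands out weak handles, so a task still queued when its owner destroys the helper runs as a no-op instead of writing through freed memory. The names TaskQueue, IoHelper and BindOnPacket are assumptions made for this example.

```cpp
#include <deque>
#include <functional>
#include <memory>

// Stand-in for the IO thread's MessageLoop: a FIFO of pending closures.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { pending_.push_back(task); }
  // Drain the queue in order, as the loop would before teardown.
  void RunAll() {
    while (!pending_.empty()) { pending_.front()(); pending_.pop_front(); }
  }
 private:
  std::deque<std::function<void()>> pending_;
};

// IO-side helper and the only thing that hands out weak handles: the token
// dies with it, so a task still queued afterwards sees "expired" and is a no-op.
class IoHelper {
 public:
  explicit IoHelper(int* packets_seen)
      : packets_seen_(packets_seen), token_(std::make_shared<int>(0)) {}
  // Bind a callback to this helper through the weak token (no refcounting).
  std::function<void()> BindOnPacket() {
    std::weak_ptr<int> weak = token_;
    return [weak, this] { if (!weak.expired()) OnPacket(); };
  }
 private:
  void OnPacket() { ++*packets_seen_; }
  int* packets_seen_;
  std::shared_ptr<int> token_;  // plays the role of a WeakPtrFactory
};

// Helper alive while the loop drains: both bound tasks deliver a packet.
int PacketsWhenHelperAlive() {
  int seen = 0;
  TaskQueue io_loop;
  IoHelper helper(&seen);
  for (int i = 0; i < 2; ++i) io_loop.Post(helper.BindOnPacket());
  io_loop.RunAll();
  return seen;  // 2
}

// Owner destroys the helper first: the pending task runs as a no-op.
int PacketsWhenHelperDestroyedFirst() {
  int seen = 0;
  TaskQueue io_loop;
  { IoHelper helper(&seen); io_loop.Post(helper.BindOnPacket()); }
  io_loop.RunAll();
  return seen;  // 0
}
```

Without the weak token, the second scenario is exactly the shape of the reported crash: a closure bound to an already-deleted object is executed or torn down by the loop and writes through a dangling pointer.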

Status: Fixed (was: Assigned)
Given CF marked the bug as unreproducible, it is hard to say if my CL actually fixed this issue. I'd like to think it does.
Project Member

Comment 14 by sheriffbot@chromium.org, Aug 17

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -reward-topanel reward-0
(found by many, including internal, fuzzers)
Labels: -ReleaseBlock-Beta
Project Member

Comment 17 by sheriffbot@chromium.org, Nov 23

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot