Issue 874460

Issue metadata

Status: Verified
Owner:
Closed: Aug 20
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security



Heap-use-after-free in message_center::MessagePopupView::UpdateContents

Reported by ClusterFuzz (Project Member), Aug 15

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4744367789834240

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61600049be80
Crash State:
  message_center::MessagePopupView::UpdateContents
  message_center::MessagePopupCollection::OnNotificationUpdated
  message_center::MessageCenterImpl::MarkSinglePopupAsShown
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=581473:581474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4744367789834240

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
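The Crash State above is the three-frame signature ClusterFuzz uses to group duplicate reports; it is taken from the top of the faulting stack once sanitizer-runtime and generic plumbing frames are set aside. The following C++ is an added example, not ClusterFuzz's own code: it pulls the crash type and a three-frame state out of an ASan report the way a triage script would. The ignore list is a deliberately small heuristic (the real one is much longer), and the embedded report is a constructed, abridged copy of the one quoted in comment 7.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

struct Frame {
  std::string function;  // symbol with its parameter list stripped
  std::string location;  // "file:line:col" from the end of the frame line
};

// Parses one ASan frame line, e.g. "#0 0x563c... in ns::View::Update(Arg const&) ui/v.cc:77:5",
// and rejects any line without the "#N 0x<pc> in <symbol> <location>" shape.
bool ParseFrame(const std::string& line, Frame* out) {
  const std::size_t hash = line.find('#');
  if (hash == std::string::npos) return false;
  const std::size_t in_pos = line.find(" in ", hash);
  if (in_pos == std::string::npos) return false;
  if (line.substr(hash, in_pos - hash).find(" 0x") == std::string::npos) return false;
  const std::string rest = line.substr(in_pos + 4);
  // The location is the last token; the symbol may contain spaces inside its parameter list.
  const std::size_t last_space = rest.rfind(' ');
  if (last_space == std::string::npos) return false;  // e.g. "in libc.so.6"
  out->location = rest.substr(last_space + 1);
  out->function = rest.substr(0, last_space);
  const std::size_t paren = out->function.find('(');
  if (paren != std::string::npos) out->function.erase(paren);
  return true;
}

// Frames of the stack that follows the first line containing |marker|
// ("ERROR: AddressSanitizer", "freed by thread", "previously allocated by").
std::vector<Frame> StackAfter(const std::string& report, const std::string& marker) {
  std::vector<Frame> frames;
  std::istringstream in(report);
  std::string line;
  bool found = false;
  while (std::getline(in, line)) {
    if (!found) {
      found = line.find(marker) != std::string::npos;
      continue;
    }
    Frame f;
    if (ParseFrame(line, &f)) frames.push_back(f);
    else if (!frames.empty()) break;  // first non-frame line ends the stack
  }
  return frames;
}

// Sanitizer-runtime and generic task-plumbing frames do not identify a bug, so they
// are skipped. Small heuristic on purpose; ClusterFuzz's real rules are far longer.
bool IsNoiseFrame(const Frame& f) {
  return f.location.rfind("_asan_rtl_", 0) == 0 || f.location.rfind("base/", 0) == 0 ||
         f.function.rfind("__asan", 0) == 0 || f.function.rfind("operator new", 0) == 0 ||
         f.function.rfind("operator delete", 0) == 0;
}

// The de-duplication signature: up to |depth| distinct non-noise symbols from
// the top of the stack, the same shape as the "Crash State" field above.
std::vector<std::string> CrashState(const std::vector<Frame>& frames, std::size_t depth = 3) {
  std::vector<std::string> state;
  for (const Frame& f : frames) {
    if (state.size() == depth) break;
    if (IsNoiseFrame(f)) continue;
    if (!state.empty() && state.back() == f.function) continue;  // inlined duplicate
    state.push_back(f.function);
  }
  return state;
}

// The "Crash Type" field: bug class plus access kind and size,
// e.g. "heap-use-after-free READ 8". Empty if the header is missing.
std::string CrashType(const std::string& report) {
  const std::string kTag = "ERROR: AddressSanitizer: ";
  const std::size_t tag = report.find(kTag);
  if (tag == std::string::npos) return "";
  const std::size_t begin = tag + kTag.size();
  const std::string type = report.substr(begin, report.find(" on address ", begin) - begin);
  for (const char* op : {"READ", "WRITE"}) {
    const std::string key = std::string(op) + " of size ";
    const std::size_t k = report.find(key);
    if (k == std::string::npos) continue;
    const std::size_t n = k + key.size();
    return type + " " + op + " " + report.substr(n, report.find(' ', n) - n);
  }
  return type;
}

// Constructed test input: an abridged copy of the report quoted in comment 7.
const char* const kSampleReport =
    "==14991==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000b98100 at pc 0x563ccab36718\n"
    "READ of size 8 at 0x619000b98100 thread T0 (chrome)\n"
    "    #0 0x563ccab36717 in message_center::MessagePopupView::UpdateContents(message_center::Notification const&) ui/message_center/views/message_popup_view.cc:77:5\n"
    "    #1 0x563ccab3082b in message_center::MessagePopupCollection::OnNotificationUpdated(std::__1::basic_string<char> const&) ui/message_center/views/message_popup_collection.cc:165:19\n"
    "    #2 0x563ccab1a876 in message_center::MessageCenterImpl::MarkSinglePopupAsShown(std::__1::basic_string<char> const&, bool) ui/message_center/message_center_impl.cc:415:16\n"
    "0x619000b98100 is located 512 bytes inside of 552-byte region [0x619000b97f00,0x619000b98128)\n"
    "freed by thread T0 (chrome) here:\n"
    "    #0 0x563caffc5e12 in operator delete(void*) _asan_rtl_:3\n"
    "    #1 0x563cc0e377c7 in views::Widget::OnNativeWidgetDestroyed() ui/views/widget/widget.cc:1094:21\n";
```

The same StackAfter/CrashState pair applied to the "freed by thread" section yields the signature of the free site, which is exactly the comparison comment 7 makes between the read at line 77 and the free reached from line 73.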
 
Comment 1 by ClusterFuzz (Project Member), Aug 15

Components: UI>Notifications
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Aug 15

Labels: Test-Predator-Auto-Owner
Owner: dtseng@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/feb758c3648069733c99f2d48a88982879acfcc0 (Only alert accessibility when a notification's text changes).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Owner: ----
Status: Unconfirmed (was: Assigned)
I can't reproduce this locally using the cluster fuzz script.

Output:


New crash type: 
New crash state:
  

Original crash type: 
Original crash state:
  
There's no crash logging in either case?

Comment 4 by sheriffbot@chromium.org (Project Member), Aug 16

Labels: Target-70 M-70
Comment 5 by sheriffbot@chromium.org (Project Member), Aug 16

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by sheriffbot@chromium.org (Project Member), Aug 16

Labels: Pri-1
Owner: dtseng@chromium.org
Status: Assigned (was: Unconfirmed)
Pretty sure the MessagePopupView object referred to by |this| has been deleted, and the |message_view_| member access is thus failing. The code is as follows:

    69	void MessagePopupView::UpdateContents(const Notification& notification) {
    70	  ui::AXNodeData old_data;
    71	  message_view_->GetAccessibleNodeData(&old_data);
    72	  message_view_->UpdateWithNotification(notification);
    73	  popup_collection_->NotifyPopupResized();
    74	  if (notification.rich_notification_data()
    75	          .should_make_spoken_feedback_for_popup_updates) {
    76	    ui::AXNodeData new_data;
    77	    message_view_->GetAccessibleNodeData(&new_data);
    78	    if (old_data.GetStringAttribute(ax::mojom::StringAttribute::kName) !=
    79	        new_data.GetStringAttribute(ax::mojom::StringAttribute::kName))
    80	      NotifyAccessibilityEvent(ax::mojom::Event::kAlert, true);
    81	  }
    82	}

The access fails in line 77. The ASAN report includes information about where the object was freed, and that points at a side-effect of line 73, where NotifyPopupResized() gets called. Note that the stack trace doesn't report MessagePopupCollection::NotifyPopupResized, but MessagePopupCollection::Update(), which is most likely an artifact of compiler optimization (a call to MessagePopupCollection::Update is the last statement in MessagePopupCollection::NotifyPopupResized).

Thus, any access to |this| after line 73 is unsafe because |this| may no longer be valid at that point.

Re-assigning to dtseng@ since https://chromium.googlesource.com/chromium/src/+/feb758c3648069733c99f2d48a88982879acfcc0%5E%21/ indeed introduced this.

Here's the ASAN output quoted for convenience:


==14991==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000b98100 at pc 0x563ccab36718 bp 0x7ffed8a5a130 sp 0x7ffed8a5a128
READ of size 8 at 0x619000b98100 thread T0 (chrome)
SCARINESS: 51 (8-byte-read-heap-use-after-free)
    #0 0x563ccab36717 in message_center::MessagePopupView::UpdateContents(message_center::Notification const&) ui/message_center/views/message_popup_view.cc:77:5
    #1 0x563ccab3082b in message_center::MessagePopupCollection::OnNotificationUpdated(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ui/message_center/views/message_popup_collection.cc:165:19
    #2 0x563ccab1a876 in message_center::MessageCenterImpl::MarkSinglePopupAsShown(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool) ui/message_center/message_center_impl.cc:415:16
    #3 0x563cbaa65849 in Run base/callback.h:99:12
    #4 0x563cbaa65849 in base::OneShotTimer::RunUserTask() base/timer/timer.cc:268
    #5 0x563cbab479df in Run base/callback.h:99:12
    #6 0x563cbab479df in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #7 0x563cba913564 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:431:46
    #8 0x563cba91502b in DeferOrRunPendingTask base/message_loop/message_loop.cc:442:5
    #9 0x563cba91502b in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:555
    #10 0x563cbab3bce5 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:220:27
    #11 0x563cba99329b in base::RunLoop::Run() base/run_loop.cc:102:14
    #12 0x563cb9c1cb03 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2065:15
    #13 0x563cb350eb98 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1040:29
    #14 0x563cb3518361 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
    #15 0x563cb3501608 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
    #16 0x563cb9a9b3b2 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:536:10
    #17 0x563cb9a9b3b2 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:888
    #18 0x563cb9bfc0ee in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
    #19 0x563cb9a95471 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #20 0x563caffc831d in ChromeMain chrome/app/chrome_main.cc:101:12
    #21 0x7fa1fa5c182f in libc.so.6
0x619000b98100 is located 512 bytes inside of 552-byte region [0x619000b97f00,0x619000b98128)
freed by thread T0 (chrome) here:
    #0 0x563caffc5e12 in operator delete(void*) _asan_rtl_:3
    #1 0x563cc0e377c7 in views::Widget::OnNativeWidgetDestroyed() ui/views/widget/widget.cc:1094:21
    #2 0x563cc0e6de84 in OnWindowDestroyed ui/views/widget/native_widget_aura.cc:899:14
    #3 0x563cc0e6de84 in non-virtual thunk to views::NativeWidgetAura::OnWindowDestroyed(aura::Window*) ui/views/widget/native_widget_aura.cc:0
    #4 0x563cbfe43c7c in aura::Window::~Window() ui/aura/window.cc:138:16
    #5 0x563cbfe455ec in aura::Window::~Window() ui/aura/window.cc:93:19
    #6 0x563cc0e30678 in views::Widget::CloseNow() ui/views/widget/widget.cc:600:19
    #7 0x563ccab2e73b in ClosePopupsOutsideWorkArea ui/message_center/views/message_popup_collection.cc:498:17
    #8 0x563ccab2e73b in message_center::MessagePopupCollection::TransitionToAnimation() ui/message_center/views/message_popup_collection.cc:272
    #9 0x563ccab2c9ac in message_center::MessagePopupCollection::Update() ui/message_center/views/message_popup_collection.cc:58:5
    #10 0x563ccab36280 in message_center::MessagePopupView::UpdateContents(message_center::Notification const&) ui/message_center/views/message_popup_view.cc:73:22
    #11 0x563ccab3082b in message_center::MessagePopupCollection::OnNotificationUpdated(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) ui/message_center/views/message_popup_collection.cc:165:19
    #12 0x563ccab1a876 in message_center::MessageCenterImpl::MarkSinglePopupAsShown(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, bool) ui/message_center/message_center_impl.cc:415:16
    #13 0x563cbaa65849 in Run base/callback.h:99:12
    #14 0x563cbaa65849 in base::OneShotTimer::RunUserTask() base/timer/timer.cc:268
    #15 0x563cbab479df in Run base/callback.h:99:12
    #16 0x563cbab479df in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #17 0x563cba913564 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:431:46
    #18 0x563cba91502b in DeferOrRunPendingTask base/message_loop/message_loop.cc:442:5
    #19 0x563cba91502b in base::MessageLoop::DoDelayedWork(base::TimeTicks*) base/message_loop/message_loop.cc:555
    #20 0x563cbab3bce5 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:220:27
    #21 0x563cba99329b in base::RunLoop::Run() base/run_loop.cc:102:14
    #22 0x563cb9c1cb03 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2065:15
    #23 0x563cb350eb98 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1040:29
    #24 0x563cb3518361 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
    #25 0x563cb3501608 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
    #26 0x563cb9a9b3b2 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:536:10
    #27 0x563cb9a9b3b2 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:888
    #28 0x563cb9bfc0ee in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
    #29 0x563cb9a95471 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
    #30 0x563caffc831d in ChromeMain chrome/app/chrome_main.cc:101:12
    #31 0x7fa1fa5c182f in libc.so.6
previously allocated by thread T0 (chrome) here:
#0 0x563caffc51d2 in operator new(unsigned long) _asan_rtl_:3
#1 0x563ccab30ba5 in message_center::MessagePopupCollection::CreatePopup(message_center::Notification const&) ui/message_center/views/message_popup_collection.cc:189:10
#2 0x563ccab32506 in message_center::MessagePopupCollection::AddPopup() ui/message_center/views/message_popup_collection.cc:391:18
#3 0x563ccab2e380 in message_center::MessagePopupCollection::TransitionToAnimation() ui/message_center/views/message_popup_collection.cc:260:16
#4 0x563ccab2c9ac in message_center::MessagePopupCollection::Update() ui/message_center/views/message_popup_collection.cc:58:5
#5 0x563cc3513fae in ash::UnifiedSystemTray::UiDelegate::ShowPopups() ash/system/unified/unified_system_tray.cc:90:30
#6 0x563cc379dff1 in ShowPopupBubble ash/message_center/message_center_ui_controller.cc:88:32
#7 0x563cc379dff1 in ash::MessageCenterUiController::OnMessageCenterChanged() ash/message_center/message_center_ui_controller.cc:159
#8 0x563ccab12f6e in message_center::MessageCenterImpl::AddNotification(std::__1::unique_ptr<message_center::Notification, std::__1::default_delete<message_center::Notification> >) ui/message_center/message_center_impl.cc:0:16
#9 0x563cc324f84c in ShowDeprecatedAcceleratorNotification ash/accelerators/accelerator_controller.cc:177:41
#10 0x563cc324f84c in ash::AcceleratorController::MaybeDeprecatedAcceleratorPressed(ash::AcceleratorAction, ui::Accelerator const&) const ash/accelerators/accelerator_controller.cc:1799
#11 0x563cc324e921 in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1141:7
#12 0x563cc9657152 in ui::AcceleratorManager::Process(ui::Accelerator const&) ui/base/accelerators/accelerator_manager.cc:101:18
#13 0x563cc0dc6b07 in ProcessAccelerator ui/views/focus/focus_manager.cc:514:34
#14 0x563cc0dc6b07 in views::FocusManager::OnKeyEvent(ui::KeyEvent const&) ui/views/focus/focus_manager.cc:101
#15 0x563cc0e39adf in views::Widget::OnKeyEvent(ui::KeyEvent*) ui/views/widget/widget.cc:1167:27
#16 0x563cbcf5e9a1 in ui::EventHandler::OnEvent(ui::Event*) ui/events/event_handler.cc:0:5
#17 0x563cbcf5ae55 in DispatchEvent ui/events/event_dispatcher.cc:191:12
#18 0x563cbcf5ae55 in ui::EventDispatcher::ProcessEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:139
#19 0x563cbcf5a711 in DispatchEventToTarget ui/events/event_dispatcher.cc:86:14
#20 0x563cbcf5a711 in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:58
#21 0x563cc97e702a in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:57:17
#22 0x563cbfe85c66 in aura::WindowTreeHost::DispatchKeyEventPostIME(ui::KeyEvent*) ui/aura/window_tree_host.cc:252:21
#23 0x563cc9d5e10d in ui::InputMethodBase::DispatchKeyEventPostIME(ui::KeyEvent*, base::OnceCallback<void (bool)>) const ui/base/ime/input_method_base.cc:178:20
#24 0x563cc9d64e52 in ui::InputMethodChromeOS::ProcessUnfilteredKeyPressEvent(ui::KeyEvent*, base::OnceCallback<void (bool)>) ui/base/ime/input_method_chromeos.cc:461:10
#25 0x563cc9d64048 in ui::InputMethodChromeOS::DispatchKeyEvent(ui::KeyEvent*, base::OnceCallback<void (bool)>) ui/base/ime/input_method_chromeos.cc:127:14
#26 0x563cc9d653b4 in ui::InputMethodChromeOS::DispatchKeyEvent(ui::KeyEvent*) ui/base/ime/input_method_chromeos.cc:180:10
#27 0x563cbfe660d3 in PreDispatchKeyEvent ui/aura/window_event_dispatcher.cc:1073:54
#28 0x563cbfe660d3 in aura::WindowEventDispatcher::PreDispatchEvent(ui::EventTarget*, ui::Event*) ui/aura/window_event_dispatcher.cc:598
#29 0x563cbcf5a636 in ui::EventDispatcherDelegate::DispatchEvent(ui::EventTarget*, ui::Event*) ui/events/event_dispatcher.cc:54:34
#30 0x563cc97e702a in ui::EventProcessor::OnEventFromSource(ui::Event*) ui/events/event_processor.cc:57:17
#31 0x563cc97e8748 in DeliverEventToSink ui/events/event_source.cc:107:16
#32 0x563cc97e8748 in ui::EventSource::SendEventToSinkFromRewriter(ui::Event*, ui::EventRewriter const*) ui/events/event_source.cc:85
#33 0x563cc3327e32 in ash::AshWindowTreeHostPlatform::DispatchEvent(ui::Event*) ash/host/ash_window_tree_host_platform.cc:172:3
#34 0x563cbcf68c96 in Run base/callback.h:99:12
#35 0x563cbcf68c96 in ui::DispatchEventFromNativeUiEvent(ui::Event* const&, base::OnceCallback<void (ui::Event*)>) ui/events/ozone/events_ozone.cc:20
#36 0x563cb2183409 in ui::X11WindowOzone::DispatchEvent(ui::Event* const&) ui/ozone/platform/x11/x11_window_ozone.cc:81:5
#37 0x563cbc2f2b2e in ui::PlatformEventSource::DispatchEvent(ui::Event*) ui/events/platform/platform_event_source.cc:91:29
#38 0x563cbf074f07 in ui::X11EventSourceLibevent::DispatchPlatformEvent(ui::Event* const&, _XEvent*) ui/events/platform/x11/x11_event_source_libevent.cc:222:3
#39 0x563cbf074370 in ui::X11EventSourceLibevent::ProcessXEvent(_XEvent*) ui/events/platform/x11/x11_event_source_libevent.cc:189:5
#40 0x563cbf077e40 in ExtractCookieDataDispatchEvent ui/events/platform/x11/x11_event_source.cc:246:14
#41 0x563cbf077e40 in ui::X11EventSource::DispatchXEvents() ui/events/platform/x11/x11_event_source.cc:139
#42 0x563cbab3b420 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc:0:13
#43 0x563cbab9e592 in event_process_active base/third_party/libevent/event.c:381:4
#44 0x563cbab9e592 in event_base_loop base/third_party/libevent/event.c:521
#45 0x563cbab3bf05 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:247:9
#46 0x563cba99329b in base::RunLoop::Run() base/run_loop.cc:102:14
#47 0x563cb9c1cb03 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:2065:15
#48 0x563cb350eb98 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:1040:29
#49 0x563cb3518361 in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner_impl.cc:162:15
#50 0x563cb3501608 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:47:28
#51 0x563cb9a9b3b2 in RunBrowserProcessMain content/app/content_main_runner_impl.cc:536:10
#52 0x563cb9a9b3b2 in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:888
#53 0x563cb9bfc0ee in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#54 0x563cb9a95471 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#55 0x563caffc831d in ChromeMain chrome/app/chrome_main.cc:101:12
#56 0x7fa1fa5c182f in libc.so.6
SUMMARY: AddressSanitizer: heap-use-after-free (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-release-chromeos_4392242b7f59878a2775b4607420a2b37e17ff13/symbolized/release/asan-linux-release-583200/chrome+0x1ecd1717)
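The hazard described in comment 7 is a re-entrancy use-after-free: a method calls into its owner, the owner deletes the object, and the method then carries on using a dangling |this|. The block below is an added example, not Chromium code: it models the shape of the bug with a PopupView and PopupCollection of its own and applies the standard guard, which is to take a weak handle to |this| before the call that may destroy it and return without touching members if the handle has expired. Chromium's base::WeakPtr is the idiom for this; std::weak_ptr stands in so the example compiles on its own.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class UpdateResult { kUpdated, kUpdatedWithAlert, kDestroyedDuringResize };

// Counts destroyed views so a caller can confirm that a view really died
// inside its own UpdateContents() call.
static int g_destroyed_views = 0;

class PopupCollection;

class PopupView : public std::enable_shared_from_this<PopupView> {
 public:
  PopupView(PopupCollection* collection, std::string text)
      : collection_(collection), text_(std::move(text)) {}
  ~PopupView() { ++g_destroyed_views; }
  UpdateResult UpdateContents(const std::string& new_text);

 private:
  PopupCollection* collection_;  // non-owning; the collection owns the view
  std::string text_;
};

class PopupCollection {
 public:
  explicit PopupCollection(bool close_on_resize) : close_on_resize_(close_on_resize) {}
  // Returns a non-owning pointer; the shared_ptr stays inside the collection.
  PopupView* AddPopup(const std::string& text) {
    popups_.push_back(std::make_shared<PopupView>(this, text));
    return popups_.back().get();
  }
  // Stands in for MessagePopupCollection::NotifyPopupResized(): re-laying out
  // the popups may close, and therefore delete, views that no longer fit.
  void NotifyPopupResized() {
    if (close_on_resize_) popups_.clear();
  }
  std::size_t size() const { return popups_.size(); }

 private:
  bool close_on_resize_;
  std::vector<std::shared_ptr<PopupView>> popups_;
};

UpdateResult PopupView::UpdateContents(const std::string& new_text) {
  // Capture everything the post-resize logic needs before the re-entrant
  // call, so nothing below has to read a member if |this| is gone.
  const std::string old_text = text_;
  text_ = new_text;
  std::weak_ptr<PopupView> self(shared_from_this());

  collection_->NotifyPopupResized();  // may delete |this|

  if (self.expired())
    return UpdateResult::kDestroyedDuringResize;  // no member access from here on
  // Still alive: the original compared the accessible name before and after
  // the update at this point and fired an alert on change.
  return old_text != text_ ? UpdateResult::kUpdatedWithAlert : UpdateResult::kUpdated;
}

struct ScenarioOutcome {
  UpdateResult result;
  bool view_destroyed;  // did the view die inside UpdateContents()?
  std::size_t popups_left;
};

// Drives one update against a collection that either keeps or closes its
// popups when told about a resize.
ScenarioOutcome RunUpdateScenario(bool close_on_resize, const std::string& old_text,
                                  const std::string& new_text) {
  PopupCollection collection(close_on_resize);
  PopupView* view = collection.AddPopup(old_text);
  const int destroyed_before = g_destroyed_views;
  const UpdateResult result = view->UpdateContents(new_text);
  return {result, g_destroyed_views != destroyed_before, collection.size()};
}
```

The important detail is ordering: whatever the post-call logic needs (here the old text, in the original the old accessible name) is captured before NotifyPopupResized(), so the liveness check is the only thing that happens between that call and the next member access.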
Comment 8 by ClusterFuzz (Project Member), Aug 20

ClusterFuzz has detected this issue as fixed in range 584360:584361.

Detailed report: https://clusterfuzz.com/testcase?key=4744367789834240

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61600049be80
Crash State:
  message_center::MessagePopupView::UpdateContents
  message_center::MessagePopupCollection::OnNotificationUpdated
  message_center::MessageCenterImpl::MarkSinglePopupAsShown
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=581473:581474
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=584360:584361

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4744367789834240

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Aug 20

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4744367789834240 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 10 by sheriffbot@chromium.org (Project Member), Aug 20

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Comment 12 by sheriffbot@chromium.org (Project Member), Nov 26

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
