Issue 880665

Issue metadata

Status: Verified
Owner:
Closed: Sep 27
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security

Heap-use-after-free in base::debug::TaskAnnotator::RunTask

Reported by ClusterFuzz (Project Member), Sep 5

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4823965235937280

Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61300016a9d8
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  base::MessageLoop::DoWork
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4823965235937280

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 
Comment 1 by ClusterFuzz (Project Member), Sep 5

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by sheriffbot@chromium.org (Project Member), Sep 5

Labels: Pri-1
Components: -Internals>Core Blink>WebMIDI
Labels: Security_Impact-Stable
Owner: toyoshim@chromium.org
Status: Assigned (was: Untriaged)
toyoshim: Any idea what might be going on here? We're seeing a lot of non-reproducible crashes with this stack. Feel free to pass it back to me for re-triage if you don't think it's related to midi.

Comment 4 by sheriffbot@chromium.org (Project Member), Sep 6

Labels: M-69 Target-69

Comment 5 by sheriffbot@chromium.org (Project Member), Sep 19

toyoshim: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Cc: yhirano@chromium.org
Status: Started (was: Assigned)
Uh oh! Sorry, I didn't notice this issue was assigned to me.
I just checked the code around it, and noticed there could be a race between the main and IO threads. I can have a fix soon.

But, as far as I understand, there is only one chance to cause this crash per browser session, on shutdown.

The Windows code is correctly thread-safe and should not cause this issue.

cc: yhirano in advance for code review.

Comment 7 by bugdroid1@chromium.org (Project Member), Sep 27

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/01567e2e304544d17f45a97ca374ee97df2edf9a

commit 01567e2e304544d17f45a97ca374ee97df2edf9a
Author: Takashi Toyoshima <toyoshim@chromium.org>
Date: Thu Sep 27 11:20:52 2018

MidiManager: Fix a potential race on macOS

CompleteInitialization can be posted at a place after DeleteSoon's
task, and it can potentially cause a UAF crash. This happens only in the
browser's shutdown sequence, and in practice it won't. But just in case,
and to make ASAN bots happy :)

Bug: 880665, 672793
Change-Id: I8435290b4df7068d456368624935d3007a2c52d7
Reviewed-on: https://chromium-review.googlesource.com/1238297
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#594667}
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager.h
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_android.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_mac.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_mac.h
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_usb.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_usb.h
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_winrt.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_service.cc

Should be fixed now.
I triggered a REDO TASK to check if the issue still reproduces.

Comment 9 by ClusterFuzz (Project Member), Sep 27

ClusterFuzz has detected this issue as fixed in range 568548:568568.

Detailed report: https://clusterfuzz.com/testcase?key=4823965235937280

Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61300016a9d8
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  base::MessageLoop::DoWork
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=568548:568568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4823965235937280

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz (Project Member), Sep 27

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4823965235937280 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 11 by sheriffbot@chromium.org (Project Member), Sep 28

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -M-69 -Target-69 Target-71 M-71

Comment 13 by sheriffbot@chromium.org (Project Member), Oct 26

Labels: Merge-Request-71

Comment 14 by sheriffbot@chromium.org (Project Member), Oct 26

Labels: -Merge-Request-71 Hotlist-Merge-Review Merge-Review-71
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Labels: -Hotlist-Merge-Review -Merge-Review-71
(Already in 71)

Labels: Release-0-M71

Comment 17 by sheriffbot@chromium.org (Project Member), Jan 4

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot