anmar7889 / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded

Linux: heap-buffer-overflow in GeolocationTest.HandlerAllow #1457

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Ubuntu 14.04.1 64-bit
CEF version 3.2171.1932

What steps will reproduce the problem?
1. Build CEF with AddressSanitizer enabled: 
http://www.chromium.org/developers/testing/addresssanitizer
2. Run unit tests:

marshall@ubuntu:~/code/chromium_git/chromium/src$ ./out/Release/cef_unittests 2>&1 | tools/valgrind/asan/asan_symbolize.py

What is the expected output? What do you see instead?
All tests should succeed. Instead, crashes with the following:

[ RUN      ] GeolocationTest.HandlerAllow
=================================================================
==49623==ERROR: AddressSanitizer: container-overflow on address 0x6030003967a0 
at pc 0x7fdfae6e8664 bp 0x7fffaf6e5490 sp 0x7fffaf6e5488
READ of size 8 at 0x6030003967a0 thread T0 (cef_unittests)
    #0 0x7fdfae6e8663 in operator= /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/ref_counted.h:320:5
    #1 0x7fdfae6e8663 in operator= /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/memory/ref_counted.h:328:0
    #2 0x7fdfae6e8663 in operator= /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/callback_internal.h:37:0
    #3 0x7fdfae6e8663 in operator= /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/callback_forward.h:11:0
    #4 0x7fdfae6e8663 in CefContentBrowserClient::RequestGeolocationPermission(content::WebContents*, int, GURL const&, bool, base::Callback<void (bool)>, base::Callback<void ()>*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/libcef/browser/content_browser_client.cc:836:0
    #5 0x7fdfb62c371d in content::GeolocationDispatcherHost::OnRequestPermission(content::RenderFrameHost*, int, GURL const&, bool) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/geolocation/geolocation_dispatcher_host.cc:159:3
    #6 0x7fdfb62c2d01 in Dispatch<content::GeolocationDispatcherHost, content::GeolocationDispatcherHost, content::RenderFrameHost, int, const GURL &, bool> /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/common/geolocation_messages.h:47:1
    #7 0x7fdfb62c2d01 in content::GeolocationDispatcherHost::OnMessageReceived(IPC::Message const&, content::RenderFrameHost*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/geolocation/geolocation_dispatcher_host.cc:112:0
    #8 0x7fdfb67d9ba8 in content::WebContentsImpl::OnMessageReceived(content::RenderViewHost*, content::RenderFrameHost*, IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/web_contents/web_contents_impl.cc:527:11
    #9 0x7fdfb6280e42 in content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/frame_host/render_frame_host_impl.cc:338:7
    #10 0x7fdfb65c2a46 in content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/renderer_host/render_process_host_impl.cc:1407:10
    #11 0x7fdfb4a4259e in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../ipc/ipc_channel_proxy.cc:274:3
    #12 0x7fdfae97a13c in Run /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/callback.h:401:12
    #13 0x7fdfae97a13c in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/debug/task_annotator.cc:62:0
    #14 0x7fdfaea039dc in base::MessageLoop::RunTask(base::PendingTask const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:445:3
    #15 0x7fdfaea04b37 in DeferOrRunPendingTask /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:455:5
    #16 0x7fdfaea04b37 in base::MessageLoop::DoWork() /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:564:0
    #17 0x7fdfae94dca6 in HandleDispatch /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_pump_glib.cc:267:7
    #18 0x7fdfae94dca6 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_pump_glib.cc:109:0
    #19 0x7fdfac301e03 in g_main_context_dispatch ??:0:0
    #20 0x7fdfac302047 in g_main_context_dispatch ??:?
    #21 0x7fdfac3020eb in g_main_context_iteration ??:0:0
    #22 0x7fdfae94d50f in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_pump_glib.cc:309:30
    #23 0x7fdfaea3a5d5 in base::RunLoop::Run() /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/run_loop.cc:54:3
    #24 0x7fdfaea02334 in base::MessageLoop::Run() /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:307:3
    #25 0x76e41d in main /home/marshall/code/chromium_git/chromium/src/out/Release/../../cef/tests/unittests/run_all_unittests.cc:159:5
    #26 0x7fdfa81bfec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
    #27 0x43045f in _start ??:0:0

0x6030003967a0 is located 16 bytes inside of 32-byte region 
[0x603000396790,0x6030003967b0)
allocated by thread T0 (cef_unittests) here:
    #0 0x4b2b9b in operator new(unsigned long) ??:0:0
    #1 0x7fdfb62c65ed in __allocate /home/marshall/code/chromium_git/chromium/src/out/Release/../../third_party/libc++/trunk/include/new:156:10
    #2 0x7fdfb62c65ed in allocate /home/marshall/code/chromium_git/chromium/src/out/Release/../../third_party/libc++/trunk/include/memory:1634:0
    #3 0x7fdfb62c65ed in allocate /home/marshall/code/chromium_git/chromium/src/out/Release/../../third_party/libc++/trunk/include/memory:1439:0
    #4 0x7fdfb62c65ed in __split_buffer /home/marshall/code/chromium_git/chromium/src/out/Release/../../third_party/libc++/trunk/include/__split_buffer:325:0
    #5 0x7fdfb62c65ed in void std::__1::vector<content::GeolocationDispatcherHost::PendingPermission, std::__1::allocator<content::GeolocationDispatcherHost::PendingPermission> >::__push_back_slow_path<content::GeolocationDispatcherHost::PendingPermission const&>(content::GeolocationDispatcherHost::PendingPermission const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../third_party/libc++/trunk/include/vector:1567:0
    #6 0x7fdfb62c3484 in push_back /home/marshall/code/chromium_git/chromium/src/out/Release/../../third_party/libc++/trunk/include/vector:1587:9
    #7 0x7fdfb62c3484 in content::GeolocationDispatcherHost::OnRequestPermission(content::RenderFrameHost*, int, GURL const&, bool) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/geolocation/geolocation_dispatcher_host.cc:157:0
    #8 0x7fdfb62c2d01 in Dispatch<content::GeolocationDispatcherHost, content::GeolocationDispatcherHost, content::RenderFrameHost, int, const GURL &, bool> /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/common/geolocation_messages.h:47:1
    #9 0x7fdfb62c2d01 in content::GeolocationDispatcherHost::OnMessageReceived(IPC::Message const&, content::RenderFrameHost*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/geolocation/geolocation_dispatcher_host.cc:112:0
    #10 0x7fdfb67d9ba8 in content::WebContentsImpl::OnMessageReceived(content::RenderViewHost*, content::RenderFrameHost*, IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/web_contents/web_contents_impl.cc:527:11
    #11 0x7fdfb6280e42 in content::RenderFrameHostImpl::OnMessageReceived(IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/frame_host/render_frame_host_impl.cc:338:7
    #12 0x7fdfb65c2a46 in content::RenderProcessHostImpl::OnMessageReceived(IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../content/browser/renderer_host/render_process_host_impl.cc:1407:10
    #13 0x7fdfb4a4259e in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../ipc/ipc_channel_proxy.cc:274:3
    #14 0x7fdfae97a13c in Run /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/callback.h:401:12
    #15 0x7fdfae97a13c in base::debug::TaskAnnotator::RunTask(char const*, char const*, base::PendingTask const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/debug/task_annotator.cc:62:0
    #16 0x7fdfaea039dc in base::MessageLoop::RunTask(base::PendingTask const&) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:445:3
    #17 0x7fdfaea04b37 in DeferOrRunPendingTask /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:455:5
    #18 0x7fdfaea04b37 in base::MessageLoop::DoWork() /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_loop.cc:564:0
    #19 0x7fdfae94dca6 in HandleDispatch /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_pump_glib.cc:267:7
    #20 0x7fdfae94dca6 in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) /home/marshall/code/chromium_git/chromium/src/out/Release/../../base/message_loop/message_pump_glib.cc:109:0
    #21 0x7fdfac301e03 in g_main_context_dispatch ??:0:0

SUMMARY: AddressSanitizer: container-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0c068006aca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068006acb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068006acc0: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa fd fd
  0x0c068006acd0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068006ace0: fd fd fd fa fa fa 00 00 00 00 fa fa 00 00 00 fa
=>0x0c068006acf0: fa fa fc fc[fc]fc fa fa fd fd fd fa fa fa fd fd
  0x0c068006ad00: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068006ad10: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c068006ad20: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
  0x0c068006ad30: 00 fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c068006ad40: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  ASan internal:           fe
==49623==ABORTING

Please use labels and text to provide additional information.

Original issue reported on code.google.com by magreenb...@gmail.com on 26 Nov 2014 at 11:21
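
The shape of the trace (a base::Callback assigned through the `base::Callback<void ()>*` out-parameter in frame #4, into a region allocated by push_back on the PendingPermission vector in allocation frames #5-#7, with shadow byte fc, i.e. inside the vector's capacity but past its size) is consistent with a pointer to a std::vector element that was erased before the assignment, which is what happens when the embedder answers the request synchronously. Below is a constructed model of that pattern next to a hardened form, added here as an example and not CEF's or Chromium's code; Host, PendingPermission, OnResponse, PointsIntoLive and RequestFixed are all hypothetical names.

```cpp
#include <functional>
#include <vector>
// Constructed model (not CEF's code) of the pattern the trace suggests: the
// host appends a PendingPermission to a std::vector and hands the embedder a
// pointer to that element's cancel slot; a synchronous answer erases the
// element, so a later assignment through the pointer lands in the vector's
// unused capacity, which libc++ container annotations make ASan report as fc.
struct PendingPermission {
  int bridge_id;
  std::function<void()> cancel;  // stands in for base::Closure
};
struct Host {
  std::vector<PendingPermission> pending;
  void OnResponse(int id) {  // the answer path erases the matching entry
    for (auto it = pending.begin(); it != pending.end(); ++it)
      if (it->bridge_id == id) { pending.erase(it); return; }
  }
  // True only inside [data, data + size); beyond size is poisoned capacity.
  bool PointsIntoLive(const void* p) const {
    auto* b = reinterpret_cast<const char*>(pending.data());
    return p >= b && p < b + pending.size() * sizeof(PendingPermission);
  }
  // Fixed shape: store the cancel callback only after the embedder returns,
  // looking the entry up by id; a synchronous answer leaves nothing to store.
  bool RequestFixed(int id, const std::function<std::function<void()>(Host&, int)>& e) {
    pending.push_back({id, nullptr});
    std::function<void()> cancel = e(*this, id);
    for (auto& p : pending)
      if (p.bridge_id == id) { p.cancel = cancel; return true; }
    return false;
  }
};
// Buggy shape: a pointer to the new element is handed out, the embedder
// answers at once, and the pointer is stale before anything is assigned.
bool BuggySlotIsStaleAfterSyncAnswer() {
  Host host;
  host.pending.push_back({7, nullptr});
  std::function<void()>* slot = &host.pending.back().cancel;  // the out-param
  host.OnResponse(7);  // synchronous answer erases the element slot points into
  // '*slot = ...' here would be the container-overflow ASan reports; we check.
  return !host.PointsIntoLive(slot) && host.pending.empty();
}
bool FixedShapeStoresOnlyWhileStillPending() {
  Host sync, deferred;
  bool s1 = sync.RequestFixed(7, [](Host& h, int id) -> std::function<void()> {
    h.OnResponse(id); return [] {}; });  // answered at once: nothing to store
  bool s2 = deferred.RequestFixed(7, [](Host&, int) -> std::function<void()> {
    return [] {}; });                    // still pending: cancel is stored
  return !s1 && sync.pending.empty() && s2 && bool(deferred.pending[0].cancel);
}
```

Built with -fsanitize=address against libc++ with container annotations, replacing the PointsIntoLive check in the buggy path with an actual assignment through slot reproduces the fc shadow byte seen in the report above.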

GoogleCodeExporter commented 9 years ago
This no longer occurs with trunk tested at revision 2039.

Original comment by magreenb...@gmail.com on 2 Mar 2015 at 5:54