Status: Fixed
Closed: Jul 2014
OS: Linux , Windows
Pri: 1
Type: Bug-Security
Nag
Heap-use-after-free in WebCore::RenderBlockFlow::determineStartPosition
Project Member Reported by ClusterFuzz, May 26 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4626369600290816

Fuzzer: J00ru_htmlcss_fuzz
Job Type: Windows_asan_chrome

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x0387c620
Crash State:
  - crash stack -
  WebCore::RenderBlockFlow::determineStartPosition
  WebCore::RenderBlockFlow::layoutRunsAndFloats
  - free stack -
  WebCore::RenderWordBreak::`scalar
  WebCore::RenderObject::postDestroy
 
Cc: kcc@chromium.org
[Please note this was detected with an experimental Clang-based ASan on Windows]

FTR, I see similar issues on other configurations: issue 322617, issue 368488.
Also there are issues 317423, 322937 and 326860 that are marked as fixed but have very similar stack traces.
Project Member Comment 2 by ClusterFuzz, May 26 2014
Labels: Pri-1
Project Member Comment 3 by ClusterFuzz, May 27 2014
ClusterFuzz is analyzing your testcase. See https://cluster-fuzz.appspot.com/testcase?key=4853613065142272
Comment 4 by wfh@chromium.org, May 27 2014
Labels: os-Linux Cr-Blink-Rendering
Also reproduces on Linux.
Project Member Comment 5 by ClusterFuzz, May 28 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5670400753139712

Uploader: wfh@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000180d00
Crash State:
  - crash stack -
  WebCore::RenderBlockFlow::determineStartPosition
  WebCore::RenderBlockFlow::layoutRunsAndFloats
  - free stack -
  WebCore::Node::detach
  WebCore::ContainerNode::removeChild
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96_EVcDiqNf4r48tzt8P2wJFB_wKws_Cc__5q0MMgcn9XUv9BpUgmo3_ts0ODLu3kggOXiut0IzzrleG4FvEz3yLsDuNt0mPPgZkKMpplTuL8mtz7mT0nQWN-Nj1fTaTDpCNYnBzLSY7fcuK1-fr6sVwZmsXOoZGN-Kn0xxmBY3hk_3GxE

Additional requirements: Requires HTTP

Comment 6 by wfh@chromium.org, May 28 2014
Labels: -os-Linux OS-Linux Security_Impact-Stable Security_Impact-Beta Security_Impact-Head
Project Member Comment 7 by ClusterFuzz, May 28 2014
Labels: -Security_Impact-Head M-35
Project Member Comment 8 by ClusterFuzz, May 29 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5670400753139712

Uploader: wfh@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000180d00
Crash State:
  - crash stack -
  WebCore::RenderBlockFlow::determineStartPosition
  WebCore::RenderBlockFlow::layoutRunsAndFloats
  - free stack -
  WebCore::Node::detach
  WebCore::ContainerNode::removeChild

Additional requirements: Requires HTTP

Project Member Comment 9 by ClusterFuzz, May 29 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5670400753139712

Uploader: wfh@chromium.org
Job Type: Linux_asan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60c000180d00
Crash State:
  - crash stack -
  WebCore::RenderBlockFlow::determineStartPosition
  WebCore::RenderBlockFlow::layoutRunsAndFloats
  - free stack -
  WebCore::Node::detach
  WebCore::ContainerNode::removeChild

Additional requirements: Requires HTTP

Project Member Comment 10 by ClusterFuzz, May 29 2014
Labels: Missing_Owner-1
Comment 11 by wfh@chromium.org, May 29 2014
Cc: eseidel@chromium.org
Owner: le...@chromium.org
leviw@ can you take a look at this and triage? Looks similar to some other bugs you've looked at before.
Cc: robhogan@chromium.org
Project Member Comment 13 by ClusterFuzz, Jun 7 2014
Labels: Nag
Status: Assigned
leviw@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 14 by ClusterFuzz, Jun 15 2014
leviw@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 15 by ClusterFuzz, Jun 23 2014
Labels: -M-35 M-36
Cc: timwillis@chromium.org
Hey Levi - per c#11, have you taken a look at this yet? Not sure if you've triaged this yet but it's currently tagged as a high severity security issue. Grateful if you could provide an update to keep this moving.
Cc: robho...@gmail.com
Project Member Comment 18 by ClusterFuzz, Jun 23 2014
leviw@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 19 by ClusterFuzz, Jul 2 2014
leviw@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Bump - Levi?
From the stack in the test case it looks like we've removed a Node, and thus its RenderObject, but the RenderObject is still in a floats list?
Cc: e...@chromium.org
Labels: -Missing_Owner-1 -M-36 Merge-NA M-38 Release-0-M38
Status: Fixed
This does not reproduce anymore on CF. Tried twice and it reports that something in http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog_blink.html?url=/trunk&range=176561:176685&mode=html fixed it. There are several interesting changes that could have fixed this.
Comment 23 by e...@chromium.org, Jul 8 2014
blink r176566 would be my guess.
If you have time to verify and r176556 is confirmed, then we can merge it back to m37, m36.
Project Member Comment 25 by ClusterFuzz, Jul 8 2014
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member Comment 26 by ClusterFuzz, Oct 15 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -Cr-Blink-Rendering Cr-Blink-Layout
Migrate from Cr-Blink-Rendering to Cr-Blink-Layout
Project Member Comment 28 by ClusterFuzz, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 29 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 30 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic