Issue metadata

Status: Fixed
Owner:
Closed: Feb 2015
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Bad-cast to blink::ShadowRoot from blink::HTMLDocument;ShadowRoot.h:165:1

Project Member Reported by ClusterFuzz, Aug 4 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5964979285000192

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x2b52d9005fb0
Crash State:
  - crash stack -
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95V_ooe1nWyiXdwrZv6ewm-e-sMl8HLnCn1HesKlsBHUBkVcybnL1-wpElUGz1olHeiLSmHHKz1XDlyWIZX_6wx2V7eJat0qku36zGp1YfyDZNMpfJt2snCyK1dafF3pzWzSLycrhrJLIWemDzxHEDctnlAOSPUf3RU4pjNUAkNb-RZ9nE


Filer: aarya
 
Cc: samsonov@google.com tkent@chromium.org yutak@chromium.org yosin@chromium.org
Owner: byoungyoung@chromium.org
Status: Assigned
Byoungyoung, why is there no stacktrace in the report? Some reports have a stack (e.g. https://cluster-fuzz.appspot.com/testcase?key=5413745465491456) whereas this one does not. We have 'UBSAN_OPTIONS' set to 'symbolize=0 print_stacktrace=1'.
Let me take a look.
I got a stacktrace locally with the same binary, and attached the head results below (please note that symbolization is done manually). Let me further take a look at why there were no traces in CF.

----------------------------------------------------------------------
byoungyoung@byoungyoung0:~/Downloads/ubsan-vptr-linux-release-287284$ cat ./tmp.txt |asan_symbolize |c++filt 
byoungyoung@byoungyoung0:~/Downloads/ubsan-vptr-linux-release-287284$ UBSAN_OPTIONS='print_stacktrace=1' ./chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-nacl --enable-search-provider-api-v2 --enable-video-track --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --enable-shadow-dom --enable-media-stream --use-gl=osmesa --use-fake-device-for-media-stream --use-fake-ui-for-media-stream ~/tmp/fuzz-crossfuzz-136189888.html 2>&1
../../third_party/WebKit/Source/core/dom/shadow/ShadowRoot.h:165:1: runtime error: downcast of address 0x296e37e05fb0 which does not point to an object of type 'blink::ShadowRoot'
0x296e37e05fb0: note: object is of type 'blink::HTMLDocument'
 00 00 00 00  50 ed 2e 37 17 7f 00 00  c1 b5 65 e8 85 23 00 00  17 00 00 00 05 14 00 01  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'blink::HTMLDocument'
    #0 0x7f172f4c8672 in toShadowRoot /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/dom/shadow/ShadowRoot.h:165
    #1 0x7f172f4d25c9 in blink::CharacterIterator::advance(int) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/editing/TextIterator.cpp:1576
    #2 0x7f172f4d45b3 in blink::findPlainTextInternal(blink::CharacterIterator&, WTF::String const&, unsigned int, unsigned long&) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/editing/TextIterator.cpp:2156
    #3 0x7f172f4d48b0 in blink::findPlainText(blink::Position const&, blink::Position const&, WTF::String const&, unsigned int, blink::Position&, blink::Position&) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/editing/TextIterator.cpp:2216
    #4 0x7f172f458f45 in blink::findStringBetweenPositions(WTF::String const&, blink::Position const&, blink::Position const&, unsigned int) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/editing/Editor.cpp:1192
    #5 0x7f172f45863e in blink::Editor::rangeOfString(WTF::String const&, blink::Range*, unsigned int) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/editing/Editor.cpp:1232
    #6 0x7f172f45803e in blink::Editor::findString(WTF::String const&, unsigned int) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/editing/Editor.cpp:1160
    #7 0x7f172f5aee11 in blink::LocalDOMWindow::find(WTF::String const&, bool, bool, bool, bool, bool, bool) const /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:1079
    #8 0x7f173028b725 in findMethod /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/gen/blink/bindings/core/v8/V8Window.cpp:5135
    #9 0x7f172ea5d97a in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../v8/src/arguments.cc:33
    #10 0x7f172e28181b in HandleApiCallHelper<false> /mnt/data/b/build/slave/UBSan_vptr_Release/build/src/out/Release/../../v8/src/builtins.cc:1208
    #11 0x19eba77066ed (<unknown module>)


Cc: -yutak@chromium.org byoungyoung@chromium.org
Owner: yutak@chromium.org
Actually now that I think about it, it might be because we don't have end-markers for ubsan reports. We can bail out as soon as we see the "vptr for" line, and won't wait for the stacktrace. Let's see if the stack is fixed after minimization completes.

Yutak@, you fixed a similar bug before, can you please take a look.
Yes, I agree. As this testcase pops up lots of windows, it may cause a slowdown in flushing out stack traces after the error signature, and CF failed to pick up the trace.
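The missing-trace problem discussed above comes down to how the report consumer decides where a ubsan-vptr report ends. As an added example (not ClusterFuzz's or Blink's code), here is a small C++ parser that reads the error line, the "object is of type" note, and then keeps collecting "#N ... in ..." frames until the first non-frame line, instead of stopping at the "vptr for" annotation. The sample output embedded below is constructed, modelled on the trace in comment 3 but with shortened paths.

```cpp
// Added example: a parser for UBSan -fsanitize=vptr reports that reads the
// frames through to the end of the stack. Not ClusterFuzz's parser.
#include <regex>
#include <sstream>
#include <string>
#include <vector>
#include <cstdio>

struct Frame {
    int index;
    std::string function;
    std::string location;   // file:line, empty for "<unknown module>" frames
};

struct VptrReport {
    std::string site;         // file:line:col of the offending cast
    std::string expectedType; // type the code cast to
    std::string actualType;   // dynamic type found at the address
    std::vector<Frame> frames;
    bool complete = false;    // true once at least one frame was collected
};

// Constructed sample output, modelled on the report in this issue
// (paths shortened, memory dump trimmed, one unrelated line appended).
static const char* kSampleOutput =
    "src/core/dom/shadow/ShadowRoot.h:165:1: runtime error: downcast of address 0x296e37e05fb0 which does not point to an object of type 'blink::ShadowRoot'\n"
    "0x296e37e05fb0: note: object is of type 'blink::HTMLDocument'\n"
    " 00 00 00 00  50 ed 2e 37 17 7f 00 00\n"
    "              ^~~~~~~~~~~~~~~~~~~~~~~\n"
    "              vptr for 'blink::HTMLDocument'\n"
    "    #0 0x7f172f4c8672 in toShadowRoot src/core/dom/shadow/ShadowRoot.h:165\n"
    "    #1 0x7f172f4d25c9 in blink::CharacterIterator::advance(int) src/core/editing/TextIterator.cpp:1576\n"
    "    #2 0x7f172f4d45b3 in blink::findPlainTextInternal(blink::CharacterIterator&, WTF::String const&, unsigned int, unsigned long&) src/core/editing/TextIterator.cpp:2156\n"
    "    #3 0x19eba77066ed (<unknown module>)\n"
    "\n"
    "[1234:1234:0805/101010:INFO:CONSOLE(1)] unrelated browser output\n";

VptrReport parseVptrReport(const std::string& text) {
    static const std::regex errorRe(
        R"(^(\S+): runtime error: downcast of address 0x[0-9a-f]+ which does not point to an object of type '([^']+)')");
    static const std::regex noteRe(R"(^0x[0-9a-f]+: note: object is of type '([^']+)')");
    // "#N 0xADDR in FUNCTION LOCATION": the function may contain spaces and
    // parentheses, so the location is taken as the last whitespace-free token.
    static const std::regex frameRe(R"(^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$)");
    static const std::regex unknownRe(R"(^\s*#(\d+) 0x[0-9a-f]+ \((.+)\)$)");

    VptrReport report;
    std::istringstream in(text);
    std::string line;
    bool inReport = false;
    while (std::getline(in, line)) {
        std::smatch m;
        if (!inReport) {
            if (std::regex_search(line, m, errorRe)) {
                inReport = true;
                report.site = m[1].str();
                report.expectedType = m[2].str();
            }
            continue;
        }
        if (std::regex_search(line, m, noteRe)) {
            report.actualType = m[1].str();
            continue;
        }
        if (std::regex_match(line, m, frameRe)) {
            report.frames.push_back({std::stoi(m[1].str()), m[2].str(), m[3].str()});
            continue;
        }
        if (std::regex_match(line, m, unknownRe)) {
            report.frames.push_back({std::stoi(m[1].str()), m[2].str(), ""});
            continue;
        }
        // Before the first frame this is the memory dump and the "vptr for"
        // annotation, which we skip. After frames have started, any other
        // line marks the end of the stack.
        if (!report.frames.empty())
            break;
    }
    report.complete = !report.frames.empty();
    return report;
}

int main() {
    VptrReport r = parseVptrReport(kSampleOutput);
    std::printf("%s: cast to %s, object is %s, %zu frames\n", r.site.c_str(),
                r.expectedType.c_str(), r.actualType.c_str(), r.frames.size());
    for (const Frame& f : r.frames)
        std::printf("  #%d %s %s\n", f.index, f.function.c_str(), f.location.c_str());
    return 0;
}
```

The design point is the one raised in the comment: a report has no end-marker, so the consumer must treat the frame list itself as the terminator (stop at the first line that is not a frame once frames have started) rather than returning as soon as the type annotation is seen.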
Labels: Pri-1
Yutak@, why don't we do a cast check here - https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/editing/TextIterator.cpp&rcl=1407117011&l=515. We shouldn't be doing the cast blindly unless there is a huge performance cost. Most places in blink do the cast check explicitly, can you please fix it so that this type of bug does not come back again.

Comment 7 by yutak@chromium.org, Aug 5 2014

Cc: yutak@chromium.org
Owner: ----
I don't understand. The assertion failure should not happen logically. If that ever
happens, somebody should have broken the assumption of the code. I'd like to
understand the scenario to reach the failure condition.

I'm strongly opposed to the idea of adding a type check without knowing the real
cause, because that is just hiding the real issue behind. There is a reason to have
an assertion there. Please don't nerf it without a good justification.

I tried to examine the test case, but I just gave up. It was just impossible to
decrypt the test contents. The test case wasn't minimized nor isolated. I couldn't
even figure out what was the core of the test.

I was not able to reproduce the issue either. The reproduce steps were totally unclear. What's ubsan? What options do I need to specify to run the test?

Please, please give out enough context so people can debug issues effectively.
It's simply a waste of time for everybody to have to reverse-engineer cluster fuzz
tests.

Unassigning myself for now. Please let me know when enough information
is ready so the issue can be debugged.
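The exchange in c#6 and c#7 turns on the difference between a downcast guarded only by a debug assertion and one that checks the dynamic type before casting. The following is an added example, not Blink's code: the class names mirror Blink's, but the hierarchy, the virtual isShadowRoot() predicate and the DEBUG_ASSERT macro are hypothetical simplifications. It shows why a release build silently hands back a mistyped pointer (which is the condition -fsanitize=vptr reports), and what the checked variant proposed in c#6 looks like.

```cpp
// Added example (not Blink's code): unchecked vs checked downcast to ShadowRoot.
#include <cassert>
#include <cstdio>
#include <vector>

// Models an assertion that is compiled out in release builds, like Blink's ASSERT.
#ifdef NDEBUG
#define DEBUG_ASSERT(cond) ((void)0)
#else
#define DEBUG_ASSERT(cond) assert(cond)
#endif

class Node {
public:
    virtual ~Node() = default;
    // Blink tracks this with node flags; a virtual predicate is enough here.
    virtual bool isShadowRoot() const { return false; }
    virtual const char* typeName() const = 0;
};

class Document : public Node {
public:
    const char* typeName() const override { return "Document"; }
};

class HTMLDocument : public Document {
public:
    const char* typeName() const override { return "HTMLDocument"; }
};

class ShadowRoot : public Node {
public:
    explicit ShadowRoot(Node* host) : m_host(host) {}
    bool isShadowRoot() const override { return true; }
    const char* typeName() const override { return "ShadowRoot"; }
    Node* host() const { return m_host; }
private:
    Node* m_host;
};

// Unchecked downcast: the only guard is a debug-only assertion. In a release
// build a caller that passes an HTMLDocument gets a ShadowRoot* to an object
// with a different vptr and layout, and the next host() call reads memory that
// belongs to the document. -fsanitize=vptr reports exactly this cast.
ShadowRoot* toShadowRootUnchecked(Node* node) {
    DEBUG_ASSERT(!node || node->isShadowRoot());
    return static_cast<ShadowRoot*>(node);
}

// Checked downcast: verify the dynamic type first and return nullptr on
// mismatch, so the caller has to handle the case instead of reading garbage.
ShadowRoot* toShadowRootChecked(Node* node) {
    if (!node || !node->isShadowRoot())
        return nullptr;
    return static_cast<ShadowRoot*>(node);
}

// Walk a mixed list of nodes and count the shadow roots that the checked cast
// accepts. The same loop built on toShadowRootUnchecked would be the bug.
int countShadowRoots(const std::vector<Node*>& nodes) {
    int found = 0;
    for (Node* n : nodes) {
        if (ShadowRoot* root = toShadowRootChecked(n)) {
            (void)root->host();   // safe: root really is a ShadowRoot
            ++found;
        }
    }
    return found;
}

int main() {
    HTMLDocument html;
    Document doc;
    ShadowRoot root(&html);
    std::vector<Node*> nodes = { &html, &root, &doc };
    std::printf("shadow roots via checked cast: %d\n", countShadowRoots(nodes));
    std::printf("checked cast of %s -> %s\n", html.typeName(),
                toShadowRootChecked(&html) ? "ShadowRoot" : "nullptr");
    std::printf("unchecked cast of a real ShadowRoot -> %s\n",
                toShadowRootUnchecked(&root)->typeName());
    return 0;
}
```

Both positions in the thread are visible here: the checked variant stops the mistyped read, but it also turns an invariant violation into a silent nullptr, which is why c#7 wants the caller that breaks the assumption identified rather than the assertion removed.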
Hi Yutak,

UBSAN is the undefined behavior sanitizer, which we have recently introduced to the chrome LKGR build bots (http://dev.chromium.org/developers/testing/undefinedbehaviorsanitizer). This also includes bad-casting detection routines (which we call ubsan-vptr), which instrument extra code to check the RTTI at runtime.

The ubsan-vptr binary can be downloaded from http://commondatastorage.googleapis.com/chromium-browser-ubsan/index.html?prefix=linux-release-vptr/. For this specific case, you can download ubsan-vptr-linux-release-287284.zip.

Assuming you've already downloaded the testcase and it is extracted to ~/tmp/fuzz-crossfuzz-136189888.html,
the running parameters would be as follows (on Ubuntu 12.04, where I tested this case):

UBSAN_OPTIONS='print_stacktrace=1' ./chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-nacl --enable-search-provider-api-v2 --enable-video-track --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --enable-shadow-dom --enable-media-stream --use-gl=osmesa --use-fake-device-for-media-stream --use-fake-ui-for-media-stream ~/tmp/fuzz-crossfuzz-136189888.html

If you want to further symbolize the stacktrace, you can do like below.

UBSAN_OPTIONS='print_stacktrace=1' ./chrome --allow-file-access-from-files --disable-click-to-play --disable-hang-monitor --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-experimental-extension-apis --enable-extension-apps --enable-extension-timeline-api --enable-nacl --enable-search-provider-api-v2 --enable-video-track --js-flags="--expose-gc" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --enable-shadow-dom --enable-media-stream --use-gl=osmesa --use-fake-device-for-media-stream --use-fake-ui-for-media-stream ~/tmp/fuzz-crossfuzz-136189888.html 2>&1|asan_symbolize|c++filt



I'm working on reducing the testcase, and added the unroll code to cross_fuzz to see the complete order of fuzzing invocations (i.e., calls and property assignments). Attached the current results, and I can keep working on this tomorrow.

Attachment: unroll.txt (63.8 KB)
Project Member

Comment 10 by ClusterFuzz, Aug 5 2014

ClusterFuzz has detected this issue as fixed in range 287359:287501.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5964979285000192

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x0b1d36005520
Crash State:
  - crash stack -
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=287200:287259
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=287359:287501

Minimized Testcase (4.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95DKTNHSbbsrLlAfeSNYDq_unOCZ1cd_QVN1KCxFTDKIQ2pTk1V0qae8BC3TdKN9ISMVVfJrdYjiOUTYIi7bAnbYs5s8MdRhidl8E4-bPS6h6r4cQ4M_txSU-N5qUxu5TPsskT1ipRWCHz4xf1EZPiZSQInHg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Cc: chrishtr@chromium.org vsevik@chromium.org
Status: Fixed
either http://src.chromium.org/viewvc/blink?view=rev&revision=179480 or http://src.chromium.org/viewvc/blink?view=rev&revision=179483

Will reopen if I see the same stack again.
Project Member

Comment 12 by ClusterFuzz, Aug 7 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5607444891828224

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x04e273805fb0
Crash State:
  - crash stack -
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94CuLApko2RV3k3a36IAdm8XaB19yqH48N9iR72lRqMqMzKkUNMAxXMIaA-yrx5mr_m8V-lmSxldlAPruYCMo7v8t5vlTr9CqcbVz7UoHfk5zhg4LFyqPOUeY-rd2aj_KU2tzu27ikWA6RiDgkdX8nZ570kLlA7y6jrJbQVCQEMVcTE1h4


Filer: byoungyoung
CF missed a stack trace, so I attached the trace from the local box with r288028. Note that this newly found testcase (https://cluster-fuzz.appspot.com/testcase?key=5607444891828224) simply crashes ubsan-vptr on r287284 without bad-casting reports.

Attachment: stack_trace.txt (10.7 KB)
Cc: -vsevik@chromium.org yoichio@chromium.org
My patch was simply reverting another one. Adding original patch author instead of me.
Project Member

Comment 15 by ClusterFuzz, Aug 8 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6253610256039936

Uploader: byoungyoung@google.com
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x17c635c05520
Crash State:
  - crash stack -
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  

Minimized Testcase (1.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ezhIHLshEAI6rqn5ozLZ97vfywFYBabK1Ns41hVQkh0CeJyaMG5IaQd57n76KffoJf7jqP-5oR18RrYtmap2JU76cZRCicrA7n9Rlbx24v0PLuLli_iUGU8H0-wlq_NHdytFX0GfCXv_oBFYOu4qxFTqxxg

Filer: byoungyoung
Labels: Security_Impact-Stable
Owner: yutak@chromium.org
Status: Assigned
Reopening the bug since it started hitting on trunk.

Assigning to yutak@ since the testcase is now reduced, see the one in c#15. You don't really need to build ubsan, you can just breakpoint around the crashing line to see the wrong object type. To build ubsan, see instructions at http://dev.chromium.org/developers/testing/undefinedbehaviorsanitizer and set UBSAN_OPTIONS env variable as 'symbolize=0 print_stacktrace=1'
Project Member

Comment 17 by ClusterFuzz, Aug 8 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6253610256039936

Uploader: byoungyoung@google.com
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x17c635c05520
Crash State:
  - crash stack -
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=287842:288028

Minimized Testcase (1.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ezhIHLshEAI6rqn5ozLZ97vfywFYBabK1Ns41hVQkh0CeJyaMG5IaQd57n76KffoJf7jqP-5oR18RrYtmap2JU76cZRCicrA7n9Rlbx24v0PLuLli_iUGU8H0-wlq_NHdytFX0GfCXv_oBFYOu4qxFTqxxg


Project Member

Comment 18 by ClusterFuzz, Aug 9 2014

ClusterFuzz has detected this issue as fixed in range 288271:288375.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5607444891828224

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x034927805fb0
Crash State:
  - crash stack -
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=287842:288028
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=288271:288375

Minimized Testcase (4.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96WAx6QTFD7QdGPOHwHzN6-eSB0IDocXDFbuNwjW1LYUwXGAySJXG2AtWp5iqD5aFTjvbm47-VQCETneIJVj1KV6EVhoR8tVyGDeb-9J451NshPchH7Cj3TkRApGKQuddsJfCT2ZctcNTRLIL0aP5ZsWunbrA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member

Comment 19 by ClusterFuzz, Aug 9 2014

Labels: M-36
Project Member

Comment 20 by ClusterFuzz, Aug 16 2014

Labels: Nag
yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 21 by ClusterFuzz, Aug 18 2014

Labels: -M-36 M-37
Project Member

Comment 22 by ClusterFuzz, Aug 20 2014

ClusterFuzz has detected this issue as fixed in range 288271:288375.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5607444891828224

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x034927805fb0
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:165:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=287842:288028
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=288271:288375

Minimized Testcase (4.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96WAx6QTFD7QdGPOHwHzN6-eSB0IDocXDFbuNwjW1LYUwXGAySJXG2AtWp5iqD5aFTjvbm47-VQCETneIJVj1KV6EVhoR8tVyGDeb-9J451NshPchH7Cj3TkRApGKQuddsJfCT2ZctcNTRLIL0aP5ZsWunbrA

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member

Comment 23 by ClusterFuzz, Aug 23 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 24 by ClusterFuzz, Aug 30 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 25 by ClusterFuzz, Sep 7 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 26 by ClusterFuzz, Sep 14 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 27 by ClusterFuzz, Sep 21 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 28 by ClusterFuzz, Sep 29 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 29 by ClusterFuzz, Sep 29 2014

Labels: -M-37 M-38
Project Member

Comment 30 by ClusterFuzz, Oct 6 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Status: Fixed
It doesn't look like this crash has popped up for a while, so I'm guessing the fixed reports were correct. Please reopen if necessary.
Project Member

Comment 32 by ClusterFuzz, Oct 7 2014

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 33 by ClusterFuzz, Oct 7 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4563410841763840

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x03f26ac04ac0
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:166:1
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96Inlulu25xN6CPmJu99w2j8qHiXcvrcPYV9-pn2Bsic9YA26OucNP3bwB6LvUIyMTWXSqz3P2aonP94ZT_VWXmbEaz9YHySTZDdKJSZRTshkWnquv_YI9oUow1vrocjga0NZsN8ASYACG0gYPct2zrgVTTqfTbLzMaMFjhgPvOmvP6M8U


Filer: mbarbella
Labels: -Restrict-View-SecurityNotify Restrict-View-SecurityTeam
Status: Assigned
Ignore c#31. This is still happening.
Project Member

Comment 35 by ClusterFuzz, Oct 14 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 36 by ClusterFuzz, Oct 21 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 37 by ClusterFuzz, Oct 29 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 38 by ClusterFuzz, Nov 5 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 39 by ClusterFuzz, Nov 8 2014

Labels: -M-38 M-39
Project Member

Comment 40 by ClusterFuzz, Nov 12 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 41 by ClusterFuzz, Nov 13 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5906707623444480

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x073a0ee06028
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:166:1
  

Minimized Testcase (6.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95z1iu6ajLsluaymAhUEx5TdTgOR2S_uNnOs42lvcUy8QSqpESD5FIKyHo-vSbUyMHVGQxeP2ZHZk0sYXr-ZdvhO7AzupKVGn6uPxcUKbTgDi71qIQz2NbRG7xyi4m2STq7vHmB54o8ZTlqHAc6lKLtpIAv2g

Filer: mbarbella
Project Member

Comment 42 by ClusterFuzz, Nov 19 2014

ClusterFuzz has detected this issue as fixed in range 304665:304755.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5906707623444480

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x28abea805570
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:166:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=303684:303830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=304665:304755

Minimized Testcase (3.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9559CMypV2lR9sxnguebRR7d68Qc1NRFkB2x9zv1zzmjfE_kwyy5wHBsBbn32jEyHGXQiqy3xU23rRdusYcj4lE-BB2_AdFpQ0OOdnA7hiYcXmr7nszdfxr8MIX6gI7GOSs7JYpKFXbwmHGTMIpdh0zJjFuzg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member

Comment 43 by ClusterFuzz, Nov 20 2014

ClusterFuzz has detected this issue as fixed in range 304665:304755.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5906707623444480

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x28abea805570
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:166:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=303684:303830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=304665:304755

Minimized Testcase (3.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9559CMypV2lR9sxnguebRR7d68Qc1NRFkB2x9zv1zzmjfE_kwyy5wHBsBbn32jEyHGXQiqy3xU23rRdusYcj4lE-BB2_AdFpQ0OOdnA7hiYcXmr7nszdfxr8MIX6gI7GOSs7JYpKFXbwmHGTMIpdh0zJjFuzg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member

Comment 44 by ClusterFuzz, Nov 20 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 45 by ClusterFuzz, Nov 22 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5421601603452928

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x2cf7fc005570
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:166:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=304665:304755

Minimized Testcase (3.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96beGtT6xxaRyt8Q_wZGM9dtDI5KUSqYmfS03s4wFVOtmI8VqArwo_0o6F02baZYkze906qkx8pQBp7sNzAdbCtIVXTxPJ3dOchFXW7K_oSwJLWFYGj0oejUTX7PYSMssSqFcgvDiTIYemJX5qiQqGz2UG_xQ

Filer: inferno
Yuta, will you be able to fix this bug?
Project Member

Comment 47 by ClusterFuzz, Nov 27 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member

Comment 48 by ClusterFuzz, Dec 5 2014

yutak@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Owner: szager@chromium.org
Project Member

Comment 50 by ClusterFuzz, Dec 13 2014

szager@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 51 by ClusterFuzz, Dec 16 2014

ClusterFuzz has detected this issue as fixed in range 306452:306538.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5421601603452928

Fuzzer: Lcamtuf_cross_fuzz
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x3ed4b9c05570
Crash State:
  Bad-cast to blink::ShadowRoot from blink::HTMLDocument
  ShadowRoot.h:166:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=304665:304755
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=306452:306538

Minimized Testcase (3.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95_w92TruSTnFw7HJ3cz--sez8HAhP5ssopsm_X6Bl9uXWauZU-kXfLKYDxekArgARh09vSnYFlSLSQUnFaZBzgKp1bf_65CqmVue9ZnoisoQKbz5S5dfbvP4ucZ2dB0Usrmw3qgEpP1_ZnJ_p7VNNQut7YGg

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

This is not fixed. New testcase coming.

Comment 53 by ClusterFuzz, Dec 17 2014

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6171957081931776

Fuzzer: Inferno_twister_custom_bundle
Job Type: Linux_ubsan_vptr_chrome

Crash Type: Bad-cast
Crash Address: 0x35be7446c000
Crash State:
  Bad-cast to blink::ShadowRoot from blink::XMLDocument
  ShadowRoot.h:166:1
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=300745:300817

Minimized Testcase (15.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nWW8at3G9HmreXiZzJBaukoi6DbyLFl1lxFDeAOwHxRZBzDcjZ0sDuVA3CS_joVVYA-eWkC2xLl2c41tkmd3C46tsBoqQHNWqm9x_wTlz3AdR3p4AduuQ94qiYwjnL2pRicxZ25oxCHe3Q3gY8WQ8OsuOow

Filer: inferno
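The two ClusterFuzz reports above are both UBSan "vptr" findings: a pointer whose dynamic type is an HTMLDocument or XMLDocument is downcast to ShadowRoot, so the ShadowRoot vtable is read out of a Document object. The following is an added illustration, not code from this bug or from Blink: a toy Node/Document/ShadowRoot hierarchy (names mirror the report, the members and the isShadowRoot() tag are assumptions) showing the unchecked static_cast that -fsanitize=vptr diagnoses beside a checked cast that refuses the wrong type.

```cpp
#include <cstdio>
#include <cstring>

// Toy stand-ins for Blink's Node hierarchy (illustrative only, not Blink's code).
class Node {
public:
    enum class Kind { Element, Document, ShadowRoot };
    explicit Node(Kind kind) : kind_(kind) {}
    virtual ~Node() = default;
    Kind kind() const { return kind_; }
    bool isDocument() const { return kind_ == Kind::Document; }
    bool isShadowRoot() const { return kind_ == Kind::ShadowRoot; }
private:
    Kind kind_;
};

class Document : public Node {
public:
    Document() : Node(Kind::Document) {}
    virtual const char* url() const { return "about:blank"; }
};

class HTMLDocument : public Document {};
class XMLDocument : public Document {};

class ShadowRoot : public Node {
public:
    ShadowRoot() : Node(Kind::ShadowRoot) {}
    // A virtual call through this slot on a mis-cast Document dispatches
    // through Document's vtable instead: the classic bad-cast outcome.
    virtual bool isYoungest() const { return youngest_; }
private:
    bool youngest_ = true;
};

// The pattern the report flags: an unchecked downcast. It is only valid if the
// caller has already established that `node` really is a ShadowRoot; on a
// Document it is undefined behaviour, and a -fsanitize=vptr build reports
// "Bad-cast to ShadowRoot from HTMLDocument" at this line.
ShadowRoot* unsafeToShadowRoot(Node* node) {
    return static_cast<ShadowRoot*>(node);
}

// Hardened form: consult the type tag first and refuse the cast otherwise.
// Callers get nullptr (or a clean null-check failure) instead of type confusion.
ShadowRoot* toShadowRootOrNull(Node* node) {
    if (!node || !node->isShadowRoot()) return nullptr;
    return static_cast<ShadowRoot*>(node);
}

// Helper for the demo: does the checked cast accept this node?
bool checkedCastAccepts(Node* node) {
    return toShadowRootOrNull(node) != nullptr;
}

int main(int argc, char** argv) {
    HTMLDocument htmlDoc;
    XMLDocument xmlDoc;
    ShadowRoot root;

    std::printf("HTMLDocument -> ShadowRoot: %s\n", checkedCastAccepts(&htmlDoc) ? "cast" : "refused");
    std::printf("XMLDocument  -> ShadowRoot: %s\n", checkedCastAccepts(&xmlDoc) ? "cast" : "refused");
    std::printf("ShadowRoot   -> ShadowRoot: %s\n", checkedCastAccepts(&root) ? "cast" : "refused");

    // Build with: clang++ -fsanitize=vptr -g badcast.cc -o badcast
    // and run `./badcast --unsafe` to see the unchecked cast diagnosed.
    if (argc > 1 && std::strcmp(argv[1], "--unsafe") == 0) {
        ShadowRoot* bogus = unsafeToShadowRoot(&htmlDoc);  // UB: wrong dynamic type
        std::printf("isYoungest() via bad cast: %d\n", bogus->isYoungest());
    }
    return 0;
}
```

Without the sanitizer the unsafe path usually "works" by reading whatever sits in Document's vtable at that slot, which is why these bugs surface as exploitable memory corruption in release builds and only as a clean diagnostic under the ubsan_vptr job.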

Comment 54 by ClusterFuzz, Dec 18 2014

szager@: Uh oh! This issue is still open and hasn't been updated in the last 12 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 55 by ClusterFuzz, Dec 19 2014

szager@: Uh oh! This issue is still open and hasn't been updated in the last 13 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 56 by ClusterFuzz, Jan 2 2015

szager@: Uh oh! This issue is still open and hasn't been updated in the last 27 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Labels: -M-39 M-40
No more M39 patches, moving to M40.

Comment 58 by ClusterFuzz, Jan 17 2015

szager@: Uh oh! This issue is still open and hasn't been updated in the last 41 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 59 by ClusterFuzz, Feb 2 2015

szager@: Uh oh! This issue is still open and hasn't been updated in the last 58 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Oh dear, this is old. I will look at it soon (probably not today).
Cc: timwillis@chromium.org
Thanks szager - any idea on timeframe? It's a high severity bug in Stable, so it's pretty high on my wish list to get fixed.

Comment 62 Deleted

Another ping :)
szager: Have you had a chance to look at this one yet?
I've been digging into this one, and I think I'm reasonably close to a fix.
Status: Started
Great, thanks! Setting this as "Started".

Comment 66 by ClusterFuzz, Feb 20 2015

Labels: -M-40 M-41
Status: Fixed
Labels: -M-41 M-42 Merge-Triage
Labels: -Nag -Merge-Triage Merge-Requested
Merge Requested to M42.

Comment 71 by amin...@google.com, Mar 16 2015

Labels: -Merge-Requested Merge-Approved Hotlist-Merge-Approved
Approved for M42 (branch: 2311)
Labels: Release-0-M42

Comment 75 by ClusterFuzz, Jun 1 2015

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 76 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 77 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic