
Issue 536917

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Heap-use-after-free in blink::RadioInputType::didDispatchClick

Project Member Reported by ClusterFuzz, Sep 28 2015

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5031294801543168

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x60a0001dc038
Crash State:
  blink::RadioInputType::didDispatchClick
  blink::HTMLInputElement::postDispatchEventHandler
  blink::EventDispatcher::dispatchEventPostProcess
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96gSD-wjOUQHQttlZNpi171k9ovFpMSQLKORpgo2fDR7lj6jhBHffmsr2fESCI_lHWTDrvt-M2ve4Z8WyxJtNBYIPOdqiV88LDZQp2W0oo4HNc0u5-VKDtSzO9jc-XiwFJe5Hl-z9BIWwFHaXZMv5LfkPR2vQ


Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by och...@chromium.org, Sep 28 2015

Cc: tkent@chromium.org
Owner: och...@chromium.org
Status: Assigned
Just realised that bug 534990 can also be triggered via a radio input. Patch incoming.

Comment 2 by ClusterFuzz, Sep 28 2015

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5031294801543168

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x60a0002286b8
Crash State:
  blink::RadioInputType::didDispatchClick
  blink::HTMLInputElement::postDispatchEventHandler
  blink::EventDispatcher::dispatchEventPostProcess
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=343796:343863

Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940yJEt1xfPZd5TkS2j116xVA1Sv_aYjcyIex5BCApWBnvQ2E_hTj32HlNzGx_d1FSZndWa1zQskOXVImhuNw53Hm7YmaEf-GnEDOKxCzhO4H4gFyBlAspjLjSAtMc-cc1musk72a13J8WClOJ5qe1jLBXVvA
<label><input type=radio><script>
var label = document.querySelector('label');
var radio = document.querySelector('input');
radio.addEventListener('change', function() {
  this.removeAttribute('type');
});
label.click();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by ClusterFuzz, Sep 28 2015

Labels: Pri-1 Security_Impact-Beta

Comment 5 by ClusterFuzz, Sep 29 2015

Labels: M-46

Comment 6 by och...@chromium.org, Sep 29 2015

Status: Fixed

Comment 7 by bugdroid1@chromium.org, Sep 29 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2c4017042ecfa61efc1dfbc8bed52d044b353def

commit 2c4017042ecfa61efc1dfbc8bed52d044b353def
Author: yutak <yutak@chromium.org>
Date: Tue Sep 29 04:08:04 2015

Oilpan: Fix build after 7338ad63.

BUG=536917
TBR=oilpan-reviews@chromium.org
NOTRY=true

Review URL: https://codereview.chromium.org/1379463002

Cr-Commit-Position: refs/heads/master@{#351255}

[modify] http://crrev.com/2c4017042ecfa61efc1dfbc8bed52d044b353def/third_party/WebKit/Source/core/html/HTMLInputElement.cpp


Comment 8 by ClusterFuzz, Sep 29 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-47 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

Comment 9 by ClusterFuzz, Sep 29 2015

ClusterFuzz has detected this issue as fixed in range 351025:351295.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5031294801543168

Uploader: ochang@google.com
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x60a0002286b8
Crash State:
  blink::RadioInputType::didDispatchClick
  blink::HTMLInputElement::postDispatchEventHandler
  blink::EventDispatcher::dispatchEventPostProcess
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=343796:343863
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=351025:351295

Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940yJEt1xfPZd5TkS2j116xVA1Sv_aYjcyIex5BCApWBnvQ2E_hTj32HlNzGx_d1FSZndWa1zQskOXVImhuNw53Hm7YmaEf-GnEDOKxCzhO4H4gFyBlAspjLjSAtMc-cc1musk72a13J8WClOJ5qe1jLBXVvA
<label><input type=radio><script>
var label = document.querySelector('label');
var radio = document.querySelector('input');
radio.addEventListener('change', function() {
  this.removeAttribute('type');
});
label.click();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mergedinto: 534990
Status: Duplicate
Labels: -Merge-Triage Merge-Request-46
Mergedinto:
Status: Fixed

Comment 13 by tin...@google.com, Oct 2 2015

Labels: -Merge-Request-46 Merge-Review-46 Hotlist-Merge-Review
[Automated comment] Less than 2 weeks to go before stable on M46, manual review required.
Issue 534990 has been merged into this issue.
Labels: -Merge-Review-46 Merge-Approved-46
Merge approved for M46 branch (branch: 2490).

Comment 16 by bugdroid1@chromium.org, Oct 2 2015

Labels: -Merge-Approved-46 merge-merged-2490
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/19a48e8fef901572e29f16e7e027324f6f604293

commit 19a48e8fef901572e29f16e7e027324f6f604293
Author: Martin Barbella <mbarbella@chromium.org>
Date: Fri Oct 02 22:07:02 2015

Merge 3 CLs required to fix bug 536917:

Oilpan: Fix build after 7338ad63.

Review URL: https://codereview.chromium.org/1379463002

Cr-Commit-Position: refs/heads/master@{#351255}
(cherry picked from commit 2c4017042ecfa61efc1dfbc8bed52d044b353def)

Properly fix use-after-free of InputTypeViews when the type attribute is modified in the change event handler.

Follow-up to https://codereview.chromium.org/1366983003/

Review URL: https://codereview.chromium.org/1377673002

Cr-Commit-Position: refs/heads/master@{#351244}
(cherry picked from commit 7338ad634e98e80404df1fa0ea5dd2d198dbdd95)

Prevent CheckboxInputType from being freed by change event handlers.

Review URL: https://codereview.chromium.org/1366983003

Cr-Commit-Position: refs/heads/master@{#350787}
(cherry picked from commit 78501ccabe3e33db6f051f673d31caefe81be4a0)

BUG=536917
R=ochang@chromium.org
TBR=ochang@google.com

Review URL: https://codereview.chromium.org/1381373002 .

Cr-Commit-Position: refs/branch-heads/2490@{#477}
Cr-Branched-From: 7790a3535f2a81a03685eca31a32cf69ae0c114f-refs/heads/master@{#344925}

[add] http://crrev.com/19a48e8fef901572e29f16e7e027324f6f604293/third_party/WebKit/LayoutTests/fast/forms/checkbox/checkbox-change-event-free-expected.txt
[add] http://crrev.com/19a48e8fef901572e29f16e7e027324f6f604293/third_party/WebKit/LayoutTests/fast/forms/checkbox/checkbox-change-event-free.html
[modify] http://crrev.com/19a48e8fef901572e29f16e7e027324f6f604293/third_party/WebKit/Source/core/html/HTMLInputElement.cpp
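
The three cherry-picked CLs above describe the bug class (an InputType freed by a change event handler while one of its methods is still on the stack) without showing the mechanism. The following is an added example, not code from Chromium or from these CLs: a simplified C++ model of the crash stack in which std::shared_ptr stands in for Blink's reference counting, the class bodies and the `protect` local are assumptions, and the `defaultHandled` field stands in for whatever one-byte store the report saw. It replays the minimized test case (click on a radio, listener removes the type attribute) against an element that keeps an owning reference across the call, and separately shows, through a weak_ptr rather than a dangling pointer, that without that reference the RadioInputType is already gone when didDispatchClick would write to it.

```cpp
#include <cassert>
#include <functional>
#include <memory>
#include <string>

// Simplified model of the objects in the crash stack. Names follow the report;
// the bodies are illustrative assumptions, not Blink code.
class HTMLInputElement;

class InputType {
 public:
  virtual ~InputType() = default;
  virtual std::string typeName() const = 0;
  // Called from HTMLInputElement::postDispatchEventHandler after a click.
  virtual void didDispatchClick(HTMLInputElement& element) = 0;
  bool defaultHandled = false;  // stands in for the 1-byte store after dispatch
};

class HTMLInputElement {
 public:
  explicit HTMLInputElement(std::shared_ptr<InputType> type) : m_inputType(std::move(type)) {}
  // Models removeAttribute('type') / setAttribute('type', ...): the previous
  // InputType is released as soon as the element stops owning it.
  void setType(std::shared_ptr<InputType> type) { m_inputType = std::move(type); }
  void setChangeHandler(std::function<void(HTMLInputElement&)> h) { m_onChange = std::move(h); }
  // Runs the page's 'change' listener (JavaScript in the real engine).
  void dispatchChangeEvent() { if (m_onChange) m_onChange(*this); }
  std::shared_ptr<InputType> inputType() const { return m_inputType; }

  // Hardened shape: an owning reference held across the call keeps the
  // InputType alive for the whole of didDispatchClick even if the listener
  // replaces m_inputType. The crashing shape was the same call with no
  // protector, i.e. m_inputType->didDispatchClick(*this).
  void postDispatchEventHandler() {
    std::shared_ptr<InputType> protect = m_inputType;
    protect->didDispatchClick(*this);
  }

 private:
  std::shared_ptr<InputType> m_inputType;
  std::function<void(HTMLInputElement&)> m_onChange;
};

class TextInputType : public InputType {
 public:
  std::string typeName() const override { return "text"; }
  void didDispatchClick(HTMLInputElement&) override {}
};

class RadioInputType : public InputType {
 public:
  explicit RadioInputType(bool* destroyedFlag) : m_destroyedFlag(destroyedFlag) {}
  ~RadioInputType() override { if (m_destroyedFlag) *m_destroyedFlag = true; }
  std::string typeName() const override { return "radio"; }
  void didDispatchClick(HTMLInputElement& element) override {
    // Clicking an unchecked radio fires 'change'; the page's listener runs here.
    element.dispatchChangeEvent();
    // Without a protector `this` has already been freed by the listener at this
    // point, which is the write the report flags.
    defaultHandled = true;
  }
 private:
  bool* m_destroyedFlag;
};

struct ReproResult {
  bool oldTypeAliveWhenReplaced;   // RadioInputType still alive while the listener ran
  bool oldTypeDestroyedAfterwards; // and released once the protector went out of scope
  std::string typeAfterClick;
};

// Replays the minimized test case against the hardened element.
ReproResult runRepro() {
  ReproResult result{false, false, ""};
  bool radioDestroyed = false;
  auto radio = std::make_shared<RadioInputType>(&radioDestroyed);
  std::weak_ptr<InputType> radioWatch = radio;
  HTMLInputElement element(std::move(radio));  // element is the sole owner, as in Blink
  element.setChangeHandler([&](HTMLInputElement& el) {
    el.setType(std::make_shared<TextInputType>());  // this.removeAttribute('type')
    result.oldTypeAliveWhenReplaced = !radioWatch.expired();
  });
  element.postDispatchEventHandler();  // label.click() reaching the post-dispatch handler
  result.oldTypeDestroyedAfterwards = radioDestroyed;
  result.typeAfterClick = element.inputType()->typeName();
  return result;
}

// Same sequence with no protector, observed through a weak_ptr instead of a
// raw `this`: returns false because the RadioInputType is gone by the time
// didDispatchClick would store to it.
bool inputTypeAliveAfterChangeWithoutProtector() {
  HTMLInputElement element(std::make_shared<RadioInputType>(nullptr));
  std::weak_ptr<InputType> watch = element.inputType();
  element.setChangeHandler([](HTMLInputElement& el) { el.setType(std::make_shared<TextInputType>()); });
  element.dispatchChangeEvent();
  return !watch.expired();
}

int main() {
  ReproResult r = runRepro();
  assert(r.oldTypeAliveWhenReplaced && r.oldTypeDestroyedAfterwards && r.typeAfterClick == "text");
  assert(!inputTypeAliveAfterChangeWithoutProtector());
  return 0;
}
```

The same shape applies to CheckboxInputType, which is why the first CL in the merge targets checkboxes and the radio case turned out to be the same bug. Whatever the engine's ownership primitive is, the check a reviewer wants is that any method which can run page script keeps its own object reachable until it returns.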


Comment 17 by bugdroid1@chromium.org, Oct 2 2015

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/19a48e8fef901572e29f16e7e027324f6f604293

commit 19a48e8fef901572e29f16e7e027324f6f604293
Author: Martin Barbella <mbarbella@chromium.org>
Date: Fri Oct 02 22:07:02 2015


Comment 18 by ClusterFuzz, Jan 5 2016

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
