Issue 590610 link

Starred by 0 users

Issue metadata

Status:	Fixed
Owner:	█ mkwst@chromium.org Buried. Ping if important.
Closed:	Feb 2016
Components:	UI>Browser>Passwords
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug-Security
M-50 Hotlist-Merge-Approved Security_Severity-High Security_Impact-Beta allpublic Clusterfuzz merge-merged-2661

Bad-cast to const blink::WebPasswordCredential from blink::WebCredential;credential_manager_content_utils.cc:26:9

Project Member Reported by ClusterFuzz, Feb 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5066892538019840

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7fffa85848c8
Crash State:
  Bad-cast to const blink::WebPasswordCredential from blink::WebCredential
  credential_manager_content_utils.cc:26:9
  

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94qpq9vvcxNGGgx3038U9GG9XAgZSn3hnLl1sVG-XHGuN7gcpIAImQv-UqZ_kECus_ShFXSH0uBD3AVXwXUwk7u3dZx5DuBIlI2cBt5QtNi5sbsx1odQW3J9G3tKyIP8EosNIqYfjv80o9Qhhv1Ycsac7XPdg
<script>
var local = new PasswordCredential({
});
    navigator.credentials.store(local);
</script>


Additional requirements: Requires HTTP

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by infe...@chromium.org, Feb 29 2016

Owner: mkwst@chromium.org
Status: Assigned (was: Available)

Comment 2 by mkwst@chromium.org, Feb 29 2016

https://codereview.chromium.org/1745963002 up for review to tighten up the checks for the constructor.

Project Member

Comment 3 by bugdroid1@chromium.org, Feb 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/80aa06df6c68611a18eff99fc6a048d6843b9ea6

commit 80aa06df6c68611a18eff99fc6a048d6843b9ea6
Author: mkwst <mkwst@chromium.org>
Date: Mon Feb 29 11:24:58 2016

CREDENTIAL: Do type checks for credential constructors.

BUG= 590610 
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1745963002

Cr-Commit-Position: refs/heads/master@{#378194}

[modify] https://crrev.com/80aa06df6c68611a18eff99fc6a048d6843b9ea6/third_party/WebKit/LayoutTests/http/tests/credentialmanager/federatedcredential-basics.html
[modify] https://crrev.com/80aa06df6c68611a18eff99fc6a048d6843b9ea6/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/80aa06df6c68611a18eff99fc6a048d6843b9ea6/third_party/WebKit/Source/modules/credentialmanager/FederatedCredential.cpp
[modify] https://crrev.com/80aa06df6c68611a18eff99fc6a048d6843b9ea6/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp

Comment 4 by och...@chromium.org, Feb 29 2016

Components: UI>Browser>Passwords
Status: Fixed (was: Assigned)

Marking as fixed based on #3. 

mkwst, mind updating the impact (stable/beta/head) on this bug? The crash was marked as Unreproducible on CF, so the "Head" impact may not be entirely accurate.

Comment 5 by mkwst@chromium.org, Mar 1 2016

Labels: -Unreproducible Merge-Request-50 M-50 Security_Impact-Beta

I think this was just barely in the beta we just cut. Requesting merge.

Comment 6 by tin...@google.com, Mar 1 2016

Labels: -Merge-Request-50 Merge-Approved-50 Hotlist-Merge-Approved

Your change meets the bar and is auto-approved for M50 (branch: 2661)

Project Member

Comment 7 by bugdroid1@chromium.org, Mar 1 2016

Labels: -merge-approved-50 merge-merged-2661

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ea796daa7f532ada0d514de9652bf78fccef99f2

commit ea796daa7f532ada0d514de9652bf78fccef99f2
Author: Mike West <mkwst@google.com>
Date: Tue Mar 01 12:56:04 2016

CREDENTIAL: Do type checks for credential constructors.

BUG= 590610 
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1745963002

Cr-Commit-Position: refs/heads/master@{#378194}
(cherry picked from commit 80aa06df6c68611a18eff99fc6a048d6843b9ea6)

Review URL: https://codereview.chromium.org/1755603002 .

Cr-Commit-Position: refs/branch-heads/2661@{#22}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/ea796daa7f532ada0d514de9652bf78fccef99f2/third_party/WebKit/LayoutTests/http/tests/credentialmanager/federatedcredential-basics.html
[modify] https://crrev.com/ea796daa7f532ada0d514de9652bf78fccef99f2/third_party/WebKit/LayoutTests/http/tests/credentialmanager/passwordcredential-basics.html
[modify] https://crrev.com/ea796daa7f532ada0d514de9652bf78fccef99f2/third_party/WebKit/Source/modules/credentialmanager/FederatedCredential.cpp
[modify] https://crrev.com/ea796daa7f532ada0d514de9652bf78fccef99f2/third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp

Project Member

Comment 8 by ClusterFuzz, Mar 10 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Project Member

Comment 9 by sheriffbot@chromium.org, Jun 7 2016

Labels: -Restrict-View-SecurityNotify

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Project Member

Comment 13 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

►

Issue 590610 link

Issue metadata

Bad-cast to const blink::WebPasswordCredential from blink::WebCredential;credential_manager_content_utils.cc:26:9

Issue description

Comment 1 by infe...@chromium.org, Feb 29 2016

Comment 1 Deleted

Comment 2 by mkwst@chromium.org, Feb 29 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Feb 29 2016

Comment 3 Deleted

Comment 4 by och...@chromium.org, Feb 29 2016

Comment 4 Deleted

Comment 5 by mkwst@chromium.org, Mar 1 2016

Comment 5 Deleted

Comment 6 by tin...@google.com, Mar 1 2016

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Mar 1 2016

Comment 7 Deleted

Comment 8 by ClusterFuzz, Mar 10 2016

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Jun 7 2016

Comment 9 Deleted

Comment 10 by sheriffbot@chromium.org, Oct 1 2016

Comment 10 Deleted

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

Comment 11 Deleted

Comment 12 by mbarbe...@chromium.org, Oct 2 2016

Comment 12 Deleted

Comment 13 by sheriffbot@chromium.org, Jul 28

Comment 13 Deleted

Sign in to add a comment