Issue metadata
Heap-use-after-free in blink::LayoutObject::LayoutObjectBitfields::isAnonymous
Reported by
attek...@gmail.com,
Apr 3 2016
Issue description
Tested on:
OS: Ubuntu 14.04
Chromium: linux-release-asan-symbolized-linux-release-384715
ASAN-trace:
==21649==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000042478 at pc 0x55f619fc9c21 bp 0x7fff2f3bcf00 sp 0x7fff2f3bcef8
READ of size 7 at 0x611000042478 thread T0 (chrome)
#0 0x55f619fc9c20 in blink::LayoutObject::LayoutObjectBitfields::isAnonymous() const /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.h:1810
#1 0x55f61a7c2d6f in blink::LayoutObject::isAnonymousBlock() const /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.h:646
#2 0x55f61ca1234d in blink::LayoutListItem::updateMarkerLocation() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutListItem.cpp:319 (discriminator 1)
#3 0x55f61ca12071 in blink::LayoutListItem::subtreeDidChange() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutListItem.cpp:109
#4 0x55f61ca3b285 in blink::LayoutObject::handleSubtreeModifications() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:439
#5 0x55f61ca3b337 in blink::LayoutObject::handleSubtreeModifications() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:446
#6 0x55f61ca3b337 in blink::LayoutObject::handleSubtreeModifications() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:446
#7 0x55f61ca3b337 in blink::LayoutObject::handleSubtreeModifications() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:446
#8 0x55f61b06e9b5 in blink::Document::notifyLayoutTreeOfSubtreeChanges() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:1913 (discriminator 1)
#9 0x55f61b063e7c in blink::Document::updateLayoutTree() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/dom/Document.cpp:1813
#10 0x55f61bef0af7 in updateStyleAndLayoutIfNeededRecursiveInternal /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/frame/FrameView.cpp:2597 (discriminator 2)
...
0x611000042478 is located 56 bytes inside of 232-byte region [0x611000042440,0x611000042528)
freed by thread T0 (chrome) here:
#0 0x55f613eb5d0b in __interceptor_free ??:?
#1 0x55f61ca591b4 in blink::LayoutObject::destroy() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:2889 (discriminator 1)
#2 0x55f61c8360f1 in blink::mergeContiguousAnonymousBlocks(blink::LayoutObject*, blink::LayoutObject*&) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:284
#3 0x55f61c831a02 in blink::addNextFloatingOrOutOfFlowSiblingsToBlock(blink::LayoutBlock*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:304
#4 0x55f61c8333a4 in blink::LayoutBlock::addChildIgnoringContinuation(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:528
#5 0x55f61c897948 in blink::LayoutBlockFlow::addChild(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:2006
#6 0x55f61ca7de5f in blink::LayoutRubyRun::addChild(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutRubyRun.cpp:143
#7 0x55f626e65486 in blink::LayoutRubyAsBlock::addChild(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutRuby.cpp:157
#8 0x55f61ca12318 in blink::LayoutListItem::updateMarkerLocation() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutListItem.cpp:316 (discriminator 1)
...
previously allocated by thread T0 (chrome) here:
#0 0x55f613eb602b in __interceptor_malloc ??:?
#1 0x55f61ca3863e in partitionAlloc /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/wtf/PartitionAlloc.h:660 (discriminator 1)
#2 0x55f61c87252d in blink::LayoutBlockFlow::createAnonymous(blink::Document*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:193 (discriminator 1)
#3 0x55f61c85bc9e in createAnonymousWithParentAndDisplay /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:2735
#4 0x55f61c83334a in blink::LayoutBlock::addChildIgnoringContinuation(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:523 (discriminator 1)
#5 0x55f61c897948 in blink::LayoutBlockFlow::addChild(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:2006
#6 0x55f61ca7de5f in blink::LayoutRubyRun::addChild(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutRubyRun.cpp:143
#7 0x55f626e65486 in blink::LayoutRubyAsBlock::addChild(blink::LayoutObject*, blink::LayoutObject*) /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutRuby.cpp:157
#8 0x55f61ca12318 in blink::LayoutListItem::updateMarkerLocation() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutListItem.cpp:316 (discriminator 1)
#9 0x55f61ca12071 in blink::LayoutListItem::subtreeDidChange() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutListItem.cpp:109
#10 0x55f61ca3b285 in blink::LayoutObject::handleSubtreeModifications() /mnt/data/b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:439
...
Apr 4 2016
Thanks for the report. I suspect this is a duplicate, but I'll cc you on the other issue so you can take a look.
Apr 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5629836382437376
Uploader: rsesek@chromium.org
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 7
Crash Address: 0x612000052438
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=381067:381276
Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95_6o3U5scVxQ07do22gfk8u_I7dklGZoJqCkaiqnb3lZmYuOWIz85me0sTRbZh4DjG_2wIUogQYHgzyTrcqu69_xMLKYHFy0Y430QNWOMZRNfMedHEoQV6IJrLU9sH8To3XFHvz8iZQX1zQvtyG3rnwQQcMw

<style>
form{ display: list-item; }
.C2{ display: block;
</style>
<details>
<ruby id="I32" class="C2">
<center>
</details>
<form id="I56">
<script>
var test2=document.getElementById("I32")
var test16=document.getElementById("I56")
test16.appendChild(test2);
window.scrollTo(938,754)
test16.style.zoom=3.479548064060509
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
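What the two stacks in the report describe is a single shape: updateMarkerLocation (LayoutListItem.cpp:316) calls addChild, and under that call an anonymous LayoutBlockFlow is both created (createAnonymousWithParentAndDisplay) and later freed (mergeContiguousAnonymousBlocks -> LayoutObject::destroy); three lines later (:319) isAnonymousBlock() reads that object through a pointer taken before the mutation, which ASan reports as the READ of size 7 in LayoutObjectBitfields::isAnonymous. The C++ below is an added schematic model of that pattern, written for this page; it is not Blink code and not from the report. The class, the merge rule (the earlier of two adjacent anonymous wrappers is destroyed), the freed-address registry that stands in for ASan, and all function names are the model's own assumptions. It puts the buggy sequence (cache a raw pointer, mutate the tree, read through the cached pointer) next to the fixed one (re-derive the pointer from a live object after the mutation).

```cpp
// Schematic model of the pattern behind this report (not Blink code).
// A layout tree of raw-owned nodes; addChild() wraps inline children in an
// anonymous block and merges adjacent anonymous blocks, destroying one of them.
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <set>
#include <vector>

// Addresses passed to destroy(): a stand-in for the freed-address tracking
// that lets ASan report the read in the trace as a use-after-free.
static std::set<const void*> g_freed;

struct LayoutObject {
    bool anonymous;    // anonymous wrapper vs. element-backed object
    bool inlineLevel;  // inline-level children need an anonymous block wrapper
    LayoutObject* parent = nullptr;
    std::vector<LayoutObject*> children;  // owned raw pointers, as in Blink's layout tree

    LayoutObject(bool anon, bool inl) : anonymous(anon), inlineLevel(inl) {}
    ~LayoutObject() { for (LayoutObject* c : children) delete c; }

    bool isAnonymousBlock() const { return anonymous && !inlineLevel; }

    void appendRaw(LayoutObject* c) { c->parent = this; children.push_back(c); }
    void detachRaw(LayoutObject* c) {
        children.erase(std::find(children.begin(), children.end(), c));
        c->parent = nullptr;
    }
};

static LayoutObject* create(bool anon, bool inl) {
    LayoutObject* o = new LayoutObject(anon, inl);
    g_freed.erase(o);  // an address reused by a live object is no longer "freed"
    return o;
}

static void destroy(LayoutObject* o) {
    if (o->parent) o->parent->detachRaw(o);
    g_freed.insert(o);
    delete o;
}

static bool isFreed(const LayoutObject* o) { return g_freed.count(o) != 0; }

// Model of the addChild path in the trace: an inline child gets a fresh
// anonymous block (cf. createAnonymousWithParentAndDisplay), and two adjacent
// anonymous blocks are merged (cf. mergeContiguousAnonymousBlocks), destroying
// one of them. The model keeps the new wrapper and destroys the earlier one;
// which wrapper Blink keeps does not matter for the pattern.
static void addChild(LayoutObject* block, LayoutObject* child) {
    if (child->inlineLevel) {
        LayoutObject* wrapper = create(/*anon=*/true, /*inl=*/false);
        wrapper->appendRaw(child);
        child = wrapper;
    }
    block->appendRaw(child);
    size_t n = block->children.size();
    if (n < 2) return;
    LayoutObject* prev = block->children[n - 2];
    LayoutObject* cur = block->children[n - 1];
    if (prev->isAnonymousBlock() && cur->isAnonymousBlock()) {
        for (LayoutObject* c : std::vector<LayoutObject*>(prev->children)) {
            prev->detachRaw(c);
            cur->appendRaw(c);
        }
        destroy(prev);  // every raw pointer to prev now dangles
    }
}

// Constructed fixture: a container already holding one anonymous block with
// some inline content, before the marker is inserted.
static LayoutObject* buildFixture(LayoutObject& container) {
    LayoutObject* w1 = create(true, false);
    w1->appendRaw(create(false, true));
    container.appendRaw(w1);
    return w1;
}

// Buggy shape, as the ASan report describes it: cache a raw pointer, mutate
// the tree with addChild(), then read through the cached pointer. The real
// code reads cached->isAnonymousBlock() here; the model consults the registry
// instead of dereferencing freed memory, so it runs deterministically without ASan.
static bool cachedPointerDanglesAfterAddChild() {
    LayoutObject container(false, false);
    LayoutObject* cached = buildFixture(container);  // pointer taken before the mutation
    LayoutObject* marker = create(false, true);      // inline list-marker stand-in
    addChild(&container, marker);                    // wraps marker, merges, destroys cached
    return isFreed(cached);                          // true: the real read would be a UAF
}

// Fixed shape: hold no raw pointer across the mutation; re-derive what is
// needed from a live object once addChild() has returned.
static bool refetchedParentIsLiveAnonymousBlock() {
    LayoutObject container(false, false);
    buildFixture(container);
    LayoutObject* marker = create(false, true);
    addChild(&container, marker);
    LayoutObject* parentNow = marker->parent;        // re-fetched after the mutation
    return !isFreed(parentNow) && parentNow->isAnonymousBlock()
        && container.children.size() == 1 && parentNow->children.size() == 2;
}

int main() {
    std::printf("cached pointer dangles after addChild: %s\n",
                cachedPointerDanglesAfterAddChild() ? "yes" : "no");
    std::printf("re-fetched parent is live and anonymous: %s\n",
                refetchedParentIsLiveAnonymousBlock() ? "yes" : "no");
    return 0;
}
```

In the real renderer the registry does not exist and the buggy path dereferences freed memory outright; that is why the report is only visible in an ASan build (the job type above is linux_asan_chrome_mp), and why a release build would read whatever the allocator has since placed in the 232-byte region. The fix pattern is the one the model shows: any pointer into the layout tree held across a call that can add, merge or remove anonymous boxes must be treated as invalid after that call and re-fetched from an object known to be live.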
Jul 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by ClusterFuzz, Apr 4 2016