New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 602271 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Use other robhogan account instead.
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in blink::LayoutListItem::updateMarkerLocation

Project Member Reported by ClusterFuzz, Apr 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5979771996995584

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free READ 4
Crash Address: 0xa6611d80
Crash State:
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
  blink::LayoutObject::handleSubtreeModifications
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=384665:385240

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97X98n_PtyjJsg85d-L6HPL3SZNLgYr6RrSBjpFNDo_SUDMM49p0pN4Ohv9SOhoPTzzvl-YdtrohkCL9jaxeaqs8bn5hy0TTqz857SedFulaTtSKnywk_lgrkYEGeOBU8rbMvUznPXQPVEc6EUC2ziiwL1FPA

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by mmoroz@chromium.org, Apr 11 2016

Components: Blink>Layout
Labels: Pri-1
Owner: robhogan@chromium.org
robhogan@, could you please take a look or suggest another owner?

Project Member

Comment 2 by ClusterFuzz, Apr 11 2016

Status: Assigned (was: Available)
Cc: msten...@opera.com
We need a solution to the layout object getting nuked while we still have a pointer to it but I notice WeakPtr isn't used at all in layout/ and I'm guessing there's a performance reason for that? Will Oilpan solve this sort of thing in future? addChild() is such a dangerous footgun that it seems like there must be a way of alerting callers to the fact that it can make the parent and even some of its siblings go away, so be wary of keeping pointers to them.

Comment 4 by msten...@opera.com, Apr 11 2016

The only thing I'm aware of is  bug 417556 , which is about addChild() being too complicated. No activity there, though.
Project Member

Comment 5 by sheriffbot@chromium.org, Apr 12 2016

Labels: M-51
Project Member

Comment 6 by bugdroid1@chromium.org, Apr 12 2016

Labels: Merge-Request-51
Project Member

Comment 8 by ClusterFuzz, Apr 13 2016

ClusterFuzz has detected this issue as fixed in range 386714:386876.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5979771996995584

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free READ 4
Crash Address: 0xa6611d80
Crash State:
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
  blink::LayoutObject::handleSubtreeModifications
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=384665:385240
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=386714:386876

Minimized Testcase (0.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97X98n_PtyjJsg85d-L6HPL3SZNLgYr6RrSBjpFNDo_SUDMM49p0pN4Ohv9SOhoPTzzvl-YdtrohkCL9jaxeaqs8bn5hy0TTqz857SedFulaTtSKnywk_lgrkYEGeOBU8rbMvUznPXQPVEc6EUC2ziiwL1FPA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Apr 13 2016

Status: Fixed (was: Assigned)
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz
Project Member

Comment 10 by bugdroid1@chromium.org, Apr 13 2016

Labels: merge-merged-2704
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a

commit bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a
Author: Robert Hogan <robhogan@gmail.com>
Date: Wed Apr 13 18:31:10 2016

parent->addChild() can delete parent and any of its siblings

Once you call parent->addChild() your pointers to parent and any floating or
out-of-flow siblings it has are no longer safe.

BUG= 602271 

Review URL: https://codereview.chromium.org/1879553003

Cr-Commit-Position: refs/heads/master@{#386827}
(cherry picked from commit 741853f64fe49635e5b02b641b3799bdeacec37f)

Review URL: https://codereview.chromium.org/1886763003 .

Cr-Commit-Position: refs/branch-heads/2704@{#30}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a/third_party/WebKit/LayoutTests/fast/lists/remove-listmarker-and-make-anonblock-empty-2-expected.txt
[add] https://crrev.com/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a/third_party/WebKit/LayoutTests/fast/lists/remove-listmarker-and-make-anonblock-empty-2.html
[modify] https://crrev.com/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a/third_party/WebKit/LayoutTests/platform/linux/editing/execCommand/create-list-with-hr-expected.png
[modify] https://crrev.com/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a/third_party/WebKit/LayoutTests/platform/linux/editing/execCommand/create-list-with-hr-expected.txt
[modify] https://crrev.com/bdaff5b6a0ca169b95cedd9d3ba0b4e5f971ff4a/third_party/WebKit/Source/core/layout/LayoutListItem.cpp

Project Member

Comment 11 by ClusterFuzz, Apr 14 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 12 by tin...@google.com, Apr 14 2016

Labels: -Merge-Request-51 Merge-Approved-51 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Labels: -Merge-Approved-51
Seems like this was already merged to M51 branch 2704 @ comment #10. So removing "Merge-Approved-51". Next time, please wait for approval.
Will do. Thanks.
Project Member

Comment 15 by sheriffbot@chromium.org, Jul 21 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 16 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 17 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic

Sign in to add a comment