Issue metadata
Sign in to add a comment
|
Crash in blink::ElementResolveContext::ElementResolveContext |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5815359269765120 Fuzzer: ifratric-browserfuzzer-v3 Job Type: windows_asan_chrome Platform Id: windows Crash Type: UNKNOWN Crash Address: 0x0d5abadc Crash State: blink::ElementResolveContext::ElementResolveContext blink::StyleResolverState::StyleResolverState blink::StyleResolver::pseudoCSSRulesForElement Recommended Security Severity: Medium Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv974jiiDurkkZkT6bj4vjj1HGz8FZTUDO1ARcERrziV_o-26IUPG0qwx4i0aR8McQb_uPslBZQtybgStbTK7YFgdr5-NI_pOZHBkq2oMXGTkQMlTPeGkFVVQuNNL6V56tBE_eOjZdBva85BKp8tPdhQkwvWJivAs2jXK4E7_Mt4BEidzpu8?testcase_id=5815359269765120 Filer: tanin See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 24 2016
Over to timloh@
,
Jun 25 2016
,
Jun 25 2016
,
Jun 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5815359269765120 Fuzzer: ifratric-browserfuzzer-v3 Job Type: windows_asan_chrome Platform Id: windows Crash Type: Use-after-poison READ 4 Crash Address: 0x0d56601c Crash State: blink::ElementResolveContext::ElementResolveContext blink::StyleResolverState::StyleResolverState blink::StyleResolver::pseudoCSSRulesForElement Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=401846:401852 Minimized Testcase (0.62 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97_gaxJ6Nia7VV4BYTzO3eGGQf_yKpQAMe4T0xfwbwaqtYq1xLVC1geHbiz1c-6PP5ENBBEDDn2AX1fCowNg8sZOtIAxskwmplAw1TML43kIEXGqlMiLkmDQyPieRwckImtN_5ANO1dXAKxhDpANmYdTE1-YA?testcase_id=5815359269765120 <script> function triggeruaf() { } /*Document*/ var var00001 = document; //line 1 /*DOMImplementation*/ var var00002 = var00001.implementation; //line 2 /*HTMLDocument*/ var var00003 = var00002.createHTMLDocument(); //line 3 /*Document*/ var var00004 = var00003; //line 4 /*HTMLCollection*/ var var00068 = var00004.anchors; //line 81 /*string_cssvalue*/ var var00179 = "alternate"; //line 204 /*DOMWindow*/ var var00198 = window; //line 230 /*Element*/ var var00246 = var00004.createElement(var00179); //line 286 /*CSSRuleList*/ var var00247 = var00198.getMatchedCSSRules(var00246); //line 287 </script> See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 27 2016
,
Jun 27 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 28 2016
M53 is branching this week and will be promoted to Beta in July.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
,
Jun 29 2016
None of the changes in the Clusterfuzz regression range touch Blink. Perhaps the flakiness of the crash messed up the bisect. Unable to repro in Linux asan.
,
Jun 29 2016
*Correction to previous comment: Unable to repro minified test case on Linux ASAN.
,
Jul 1 2016
M53 is branched today (2785) and will be promoted to Beta this month.Your bug is labelled as Beta ReleaseBlock, pls make sure to land and merge the fix to M53 branch 2785 by 5:00 PM PST on Friday 07/22 (sooner the better so it gets chance to bake in M53 dev releases it self). Thank you.
,
Jul 9 2016
timloh: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 14 2016
M53 beta launch is coming soon.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.
,
Jul 19 2016
M53 beta launch is next week.Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.
,
Jul 21 2016
,
Jul 21 2016
,
Jul 21 2016
I'm afraid sheriffbot's label changes were a hiccup - this is still a blocker for Friday's M53.
,
Jul 22 2016
Comment #9 says can't repro this on linux asan. Clusterfuzz is failing to repro on the original crashing revision too. Removing release-block for now.
,
Jul 22 2016
,
Jul 22 2016
,
Jul 22 2016
,
Jul 23 2016
,
Aug 3 2016
M53 Stable launch is coming soon.Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix asap so it gets chance to bake in beta before stable promotion. Thank you.
,
Aug 5 2016
timloh: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 11 2016
Closing as WontFix as clusterfuzz can't repro.
,
Nov 18 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Jun 24 2016