Issue metadata
Sign in to add a comment
|
Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5878976497319936 Fuzzer: inferno_twister_custom_bundle Job Type: linux_msan_chrome Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: blink::PointerEventManager::setPointerCapture blink::ElementV8Internal::setPointerCaptureMethodCallback v8::internal::FunctionCallbackArguments::Call Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=403806:403830 Minimized Testcase (4.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95sBQNgMc-CZqVjRBeXjzWguKK5Gr1qPG4lgmv2vvf0NPFgiYtCOw0Hy5a9ljq-1MZ64TuTTZNgzA6t0nHPZNXizoywU2mvMRsi3plh-KrW5mnED49hj3WRtgASKQ22Ms5QubhnByqlzcN1J2QlRkO9JppB2Q?testcase_id=5878976497319936 Additional requirements: Requires HTTP Filer: tanin See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 27 2016
mmoroz@ it seems that this is a similar issue as issue 627454 . Isn't it? I'll try to build the master and see whether the issue is reproducible with this test case or not.
,
Jul 27 2016
Yeah, looks pretty similar. I've just kicked "redo fixed" job to ensure that this is a valid bug.
,
Jul 28 2016
,
Jul 28 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28 2016
,
Jul 28 2016
,
Jul 28 2016
,
Aug 11 2016
nzolghadr: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 11 2016
The stack trace here (and also in issue 627454 ) seem to show a jump from V8Element::setPointerCapture to PointerEventManager::setPointerCapture, i.e., not through Element. The second params are clearly different in V8Element::setPointerCapture and Element::setPointerCapture (ExceptionState& vs Element*). Any chance the repro is "fooling" the V8 "binding"?
,
Aug 11 2016
I ran the test locally. It does not make any crash. mmoroz@ there is a weird stack trace in this crash which is the same as the previous issue. A direct jump from 0x7f7d98863800 in setPointerCaptureMethod out/Release/gen/blink/bindings/core/v8/V8Element.cpp:1046:11 to 0x7f7d9997ee70 in blink::PointerEventManager::setPointerCapture(int, blink::EventTarget*) third_party/WebKit/Source/core/input/PointerEventManager.cpp:810:9 While it should have gone through EventHandler.cpp. Could that be due to some optimization in the compile for the release builds or something? Because whatever the setPointerCapture function in PointerEventManager.cpp is using should have been initialized when creating an EventHandler object. What happened to the re-run you triggered. Did it pass?
,
Aug 11 2016
yukishiino@: could you please comment if the jump in the stack trace from V8Element::setPointerCapture to PointerEventManager::setPointerCapture (w/o going through Element::setPointerCapture) is at all a V8 optimization? If not, the repro might be fooling the V8 binding here.
,
Aug 24 2016
mmoroz@ any update on this one? Can I close this if this is not reproducible?
,
Aug 24 2016
nzolghadr@, I'm sorry for missing your question in c#11! Metadata section of the report shows: <...> [2016-08-09 18:19:57] clusterfuzz-linux-0363: Progression task errored out: Known crash revision 407792 did not crash. [2016-08-09 18:19:57] clusterfuzz-linux-0363: Progression task errored out: Test case appears to be flaky. <...> and the report is marked as non-reproducible. Let's close it. Thanks for the follow-up!
,
Aug 24 2016
Oops, WontFix should be a better status.
,
Nov 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 6 2017
,
Sep 18
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by rickyz@chromium.org
, Jul 27 2016Owner: nzolghadr@chromium.org
Status: Assigned (was: Untriaged)