Crash in blink::Database::getSecurityOrigin
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6277306379403264

Fuzzer: therealholden_worker
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::Database::getSecurityOrigin
  blink::Database::reportStartTransactionResult
  blink::SQLTransaction::deliverTransactionCallback

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=419971:420294

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96OV38b04FWUM9mhNJ06PgZL3dOySB36Xu7PKIsC3bIo1VaMy0bClTUTSGn4f9OhOtlWmCUHuAwDQCHxRFZkCgdTtoCAHhCDxiNAa1Tkt9PoPbhxHYiwy-OrrhSm7sVPk5YlnLGNpWfMfBDPac6tGfrBnN2ow?testcase_id=6277306379403264

Additional requirements: Requires Gestures
Additional requirements: Requires HTTP

Issue manually filed by: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 26 2016
I suspect this is fallout from: https://chromium.googlesource.com/chromium/src/+/b729a998b05ec916731171d59de95e0aea31bbac, i.e. getExecutionContext() will return nullptr. The fix is probably as simple as an early `return nullptr` in Database::getSecurityOrigin() if getExecutionContext()->isContextThread() yields nullptr, since that method already returns nullptr (well, 0) in some cases. But that may not be a tested/used code path - possibly we'll want something higher up the stack.
Sep 27 2016
Sep 28 2016
I expect there are more of these lurking in the websql code. But I also expect that therealholden's fuzzer will find them and provide awesome repros. :) They'll be nullptr dereferences in the renderer so no security issue.
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0fe809e04a61ce645439aad1b9cf3012271ab6a4

commit 0fe809e04a61ce645439aad1b9cf3012271ab6a4
Author: jsbell <jsbell@chromium.org>
Date: Wed Sep 28 16:11:12 2016

Add missing null check in Database::getSecurityOrigin()

Following r419951 getExecutionContext() may return null, so return value must be checked.

BUG=650173
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/2375733003
Cr-Commit-Position: refs/heads/master@{#421534}

[add] https://crrev.com/0fe809e04a61ce645439aad1b9cf3012271ab6a4/third_party/WebKit/LayoutTests/storage/websql/transaction-removed-context-crash-expected.txt
[add] https://crrev.com/0fe809e04a61ce645439aad1b9cf3012271ab6a4/third_party/WebKit/LayoutTests/storage/websql/transaction-removed-context-crash.html
[modify] https://crrev.com/0fe809e04a61ce645439aad1b9cf3012271ab6a4/third_party/WebKit/Source/modules/webdatabase/Database.cpp
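The failure mode the Sep 26 comment and the fix commit describe, as an added illustration in simplified C++ that is not Blink's code: a Database whose ExecutionContext can be detached while a transaction is still in flight, with getSecurityOrigin() checking for a null context before dereferencing it. All types, members and the "<detached>" marker below are constructed stand-ins for the real Blink classes.

```cpp
#include <string>

// Constructed stand-ins for Blink's SecurityOrigin and ExecutionContext;
// only the shape needed to show the null-context path is modelled.
struct SecurityOrigin {
    std::string host;
};

struct ExecutionContext {
    SecurityOrigin origin;
    SecurityOrigin* getSecurityOrigin() { return &origin; }
};

// A database handle that can outlive the document it was opened from.
class Database {
public:
    explicit Database(ExecutionContext* context) : context_(context) {}

    // Models the document being removed while a transaction is pending:
    // from here on getExecutionContext() returns nullptr.
    void contextDestroyed() { context_ = nullptr; }

    ExecutionContext* getExecutionContext() const { return context_; }

    // Pattern before the fix: assumes the context is always alive, so a
    // detached context turns into a null dereference in the renderer.
    SecurityOrigin* getSecurityOriginUnchecked() const {
        return getExecutionContext()->getSecurityOrigin();
    }

    // Pattern after the fix: early return when the context is gone, which
    // fits the method's existing contract of sometimes returning nullptr.
    SecurityOrigin* getSecurityOrigin() const {
        ExecutionContext* context = getExecutionContext();
        if (!context)
            return nullptr;
        return context->getSecurityOrigin();
    }

    // Stand-in for the caller in the crash stack; it must tolerate a
    // missing origin instead of assuming one is always available.
    std::string reportStartTransactionResult() const {
        SecurityOrigin* origin = getSecurityOrigin();
        return origin ? origin->host : std::string("<detached>");
    }

private:
    ExecutionContext* context_;
};
```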
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kavvaru@chromium.org, Sep 26 2016
Owner: jsb...@chromium.org
Status: Assigned (was: Untriaged)