New issue
Advanced search Search tips

Issue 653272 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::Database::runTransaction

Project Member Reported by ClusterFuzz, Oct 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524645271044096

Fuzzer: therealholden_worker
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Database::runTransaction
  blink::Database::transaction
  blink::DatabaseV8Internal::transactionMethod
  

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjbnjaEBtHgqYEk7arxVZCgErN9LFzp99kdezW-E4iZov-48NFaItFImX2ZyduoAJJlRtxNcwgDgOU5zi0HkeG485aGcxRpd1yp0q3cXAx5SW1rfJv2kaIwwtI1hv61oq0QA11ZIjbdfM1-eRXzD5xwq2Hg?testcase_id=5524645271044096

Additional requirements: Requires HTTP

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: keishi@chromium.org
Owner: jsb...@chromium.org
Status: Assigned (was: Untriaged)
jsbell@ could you please look into this.please feel free to re-assigned back if needed. thanks in advance !
This is almost certainly another getExecutionContext() returning null - it's in an async callback that calls getExecutionContext() w/o checking the value.

Null ptr deref so not exploitable, fix looks easy.
Cc: haraken@chromium.org
Status: Started (was: Assigned)
Status: Fixed (was: Started)
Project Member

Comment 6 by ClusterFuzz, Oct 8 2016

ClusterFuzz has detected this issue as fixed in range 423512:423881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524645271044096

Fuzzer: therealholden_worker
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Database::runTransaction
  blink::Database::transaction
  blink::DatabaseV8Internal::transactionMethod
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=423512:423881

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjbnjaEBtHgqYEk7arxVZCgErN9LFzp99kdezW-E4iZov-48NFaItFImX2ZyduoAJJlRtxNcwgDgOU5zi0HkeG485aGcxRpd1yp0q3cXAx5SW1rfJv2kaIwwtI1hv61oq0QA11ZIjbdfM1-eRXzD5xwq2Hg?testcase_id=5524645271044096

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by bugdroid1@chromium.org, Oct 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fb7d72c8ec38f54f84c226c07c4c980283687d17

commit fb7d72c8ec38f54f84c226c07c4c980283687d17
Author: keishi <keishi@chromium.org>
Date: Wed Oct 12 07:26:35 2016

Remove CrossThreadPersistent::release

Calling CrossThreadPersistent::release was causing WorkerClients to be destroyed prematurely.
The stack for per thread heap enabled threads are invisible from other threads running GC. Using CrossThreadPersistent::release runs the risk of premature collection so we should delete it.

BUG=652001, 653272 ,652458,653657, 652556 ,653124,651790

Review-Url: https://codereview.chromium.org/2406333002
Cr-Commit-Position: refs/heads/master@{#424688}

[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/DedicatedWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/DedicatedWorkerThread.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/SharedWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/SharedWorkerThread.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/modules/compositorworker/CompositorWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerThread.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/platform/heap/Persistent.h

Project Member

Comment 8 by ClusterFuzz, Oct 13 2016

ClusterFuzz has detected this issue as fixed in range 423512:423881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524645271044096

Fuzzer: therealholden_worker
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Database::runTransaction
  blink::Database::transaction
  blink::DatabaseV8Internal::transactionMethod
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=423512:423881

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjbnjaEBtHgqYEk7arxVZCgErN9LFzp99kdezW-E4iZov-48NFaItFImX2ZyduoAJJlRtxNcwgDgOU5zi0HkeG485aGcxRpd1yp0q3cXAx5SW1rfJv2kaIwwtI1hv61oq0QA11ZIjbdfM1-eRXzD5xwq2Hg?testcase_id=5524645271044096

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840
Project Member

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment