Issue 653272 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	jsb...@chromium.org
Closed:	Oct 2016
Cc:	keishi@chromium.org haraken@chromium.org
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz

Crash in blink::Database::runTransaction

Project Member Reported by ClusterFuzz, Oct 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524645271044096

Fuzzer: therealholden_worker
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Database::runTransaction
  blink::Database::transaction
  blink::DatabaseV8Internal::transactionMethod
  

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjbnjaEBtHgqYEk7arxVZCgErN9LFzp99kdezW-E4iZov-48NFaItFImX2ZyduoAJJlRtxNcwgDgOU5zi0HkeG485aGcxRpd1yp0q3cXAx5SW1rfJv2kaIwwtI1hv61oq0QA11ZIjbdfM1-eRXzD5xwq2Hg?testcase_id=5524645271044096

Additional requirements: Requires HTTP

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mmohammad@chromium.org, Oct 5 2016

Cc: keishi@chromium.org
Owner: jsb...@chromium.org
Status: Assigned (was: Untriaged)

jsbell@ could you please look into this.please feel free to re-assigned back if needed. thanks in advance !

Comment 2 by jsb...@chromium.org, Oct 5 2016

This is almost certainly another getExecutionContext() returning null - it's in an async callback that calls getExecutionContext() w/o checking the value.

Null ptr deref so not exploitable, fix looks easy.

Comment 3 by jsb...@chromium.org, Oct 6 2016

Cc: haraken@chromium.org
Status: Started (was: Assigned)

Project Member

Comment 4 by bugdroid1@chromium.org, Oct 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9

commit 6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9
Author: jsbell <jsbell@chromium.org>
Date: Fri Oct 07 00:42:31 2016

WebSQL: Add missing getExecutionContext() null check

Following r419951 getExecutionContext() may return null, so
return value must be checked.

BUG= 653272 
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/2398313002
Cr-Commit-Position: refs/heads/master@{#423764}

[add] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/LayoutTests/storage/websql/database-removed-context-crash-expected.txt
[add] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/LayoutTests/storage/websql/database-removed-context-crash.html
[modify] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/LayoutTests/storage/websql/transaction-removed-context-crash.html
[modify] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/Source/modules/webdatabase/Database.cpp

Comment 5 by jsb...@chromium.org, Oct 7 2016

Status: Fixed (was: Started)

Project Member

Comment 6 by ClusterFuzz, Oct 8 2016

ClusterFuzz has detected this issue as fixed in range 423512:423881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524645271044096

Fuzzer: therealholden_worker
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Database::runTransaction
  blink::Database::transaction
  blink::DatabaseV8Internal::transactionMethod
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=423512:423881

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjbnjaEBtHgqYEk7arxVZCgErN9LFzp99kdezW-E4iZov-48NFaItFImX2ZyduoAJJlRtxNcwgDgOU5zi0HkeG485aGcxRpd1yp0q3cXAx5SW1rfJv2kaIwwtI1hv61oq0QA11ZIjbdfM1-eRXzD5xwq2Hg?testcase_id=5524645271044096

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 7 by bugdroid1@chromium.org, Oct 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fb7d72c8ec38f54f84c226c07c4c980283687d17

commit fb7d72c8ec38f54f84c226c07c4c980283687d17
Author: keishi <keishi@chromium.org>
Date: Wed Oct 12 07:26:35 2016

Remove CrossThreadPersistent::release

Calling CrossThreadPersistent::release was causing WorkerClients to be destroyed prematurely.
The stack for per thread heap enabled threads are invisible from other threads running GC. Using CrossThreadPersistent::release runs the risk of premature collection so we should delete it.

BUG=652001, 653272 ,652458,653657, 652556 ,653124,651790

Review-Url: https://codereview.chromium.org/2406333002
Cr-Commit-Position: refs/heads/master@{#424688}

[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/DedicatedWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/DedicatedWorkerThread.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/SharedWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/core/workers/SharedWorkerThread.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/modules/compositorworker/CompositorWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerGlobalScope.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/modules/serviceworkers/ServiceWorkerThread.cpp
[modify] https://crrev.com/fb7d72c8ec38f54f84c226c07c4c980283687d17/third_party/WebKit/Source/platform/heap/Persistent.h

Project Member

Comment 8 by ClusterFuzz, Oct 13 2016

ClusterFuzz has detected this issue as fixed in range 423512:423881.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5524645271044096

Fuzzer: therealholden_worker
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Database::runTransaction
  blink::Database::transaction
  blink::DatabaseV8Internal::transactionMethod
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=423512:423881

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94VjbnjaEBtHgqYEk7arxVZCgErN9LFzp99kdezW-E4iZov-48NFaItFImX2ZyduoAJJlRtxNcwgDgOU5zi0HkeG485aGcxRpd1yp0q3cXAx5SW1rfJv2kaIwwtI1hv61oq0QA11ZIjbdfM1-eRXzD5xwq2Hg?testcase_id=5524645271044096

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 9 by bugdroid1@chromium.org, Oct 27 2016

Labels: merge-merged-2840

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9

commit 6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9
Author: jsbell <jsbell@chromium.org>
Date: Fri Oct 07 00:42:31 2016

WebSQL: Add missing getExecutionContext() null check

Following r419951 getExecutionContext() may return null, so
return value must be checked.

BUG= 653272 
R=haraken@chromium.org

Review-Url: https://codereview.chromium.org/2398313002
Cr-Commit-Position: refs/heads/master@{#423764}

[add] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/LayoutTests/storage/websql/database-removed-context-crash-expected.txt
[add] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/LayoutTests/storage/websql/database-removed-context-crash.html
[modify] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/LayoutTests/storage/websql/transaction-removed-context-crash.html
[modify] https://crrev.com/6584c5e9bdbc3af9f7995a25252d5b4ef802e7c9/third_party/WebKit/Source/modules/webdatabase/Database.cpp

Comment 10 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840

[Automated comment] removing mislabelled merge-merged-2840

Project Member

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 653272 link

Issue metadata

Crash in blink::Database::runTransaction

Issue description

Comment 1 by mmohammad@chromium.org, Oct 5 2016

Comment 1 Deleted

Comment 2 by jsb...@chromium.org, Oct 5 2016

Comment 2 Deleted

Comment 3 by jsb...@chromium.org, Oct 6 2016

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Oct 7 2016

Comment 4 Deleted

Comment 5 by jsb...@chromium.org, Oct 7 2016

Comment 5 Deleted

Comment 6 by ClusterFuzz, Oct 8 2016

Comment 6 Deleted

Comment 7 by bugdroid1@chromium.org, Oct 12 2016

Comment 7 Deleted

Comment 8 by ClusterFuzz, Oct 13 2016

Comment 8 Deleted

Comment 9 by bugdroid1@chromium.org, Oct 27 2016

Comment 9 Deleted

Comment 10 by dimu@google.com, Nov 4 2016

Comment 10 Deleted

Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Comment 11 Deleted

Sign in to add a comment