
Issue 658984

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in blink::ContentSecurityPolicy::dispatchViolationEvents

Project Member Reported by ClusterFuzz, Oct 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4574437326454784

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ContentSecurityPolicy::dispatchViolationEvents
  blink::internal::CallClosureTask<void
  blink::MainThreadTaskRunner::perform
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95NGdnqu5IVtknwSC8AeWIJ1C7KE8COYP8pjLSX6QnU7rZr3WZPn6_EVNwA7lQTMuH15T5ZvwPw75aMlZgDY7W8p9iXMP0WoOrUFXYbJ6h1ppIwj6ee5RNh_N6QAF7YAQgQNu8Rg8-ZJnIe5oEBwnMycV6_zA?testcase_id=4574437326454784


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Infra>Git
Labels: Test-Predator-Correct
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs:
===============
Regression information is not available. The result is the blame information.

Author: mkwst
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/357d8e12ff388c450cdc431a3e5865737d84d2e2
Time: Tue Oct 18 10:02:25 2016
The CL last changed line 1275 of file ContentSecurityPolicy.cpp, which is stack frame 0.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/27d1e313968955f1a120b65b31e316263365b1b3
Time: Tue Sep 13 05:28:59 2016
The CL last changed line 64 of file callback.h, which is stack frame 1.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 220 of file Functional.h, which is stack frame 2.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 59 of file ExecutionContextTask.h, which is stack frame 3.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 82 of file ExecutionContextTask.h, which is stack frame 4.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 92 of file MainThreadTaskRunner.cpp, which is stack frame 5.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/99de02ba952b0a69291f81c5b8ca14d81cc1f74f
Time: Fri Jul 01 05:54:12 2016
The CL last changed line 214 of file bind_internal.h, which is stack frame 6.

=====================
Suspected Project: chromium

-----------------------
Suspecting the below from the above CL list.
https://chromium.googlesource.com/chromium/src/+/357d8e12ff388c450cdc431a3e5865737d84d2e2
mkwst@: Could you please take a look into this if it's related to your change, else please help us assign it to an appropriate owner.

Comment 2 by mkwst@chromium.org, Oct 25 2016

Cc: jochen@chromium.org
`nullptr` deref. Ugh.

Will be fixed in https://codereview.chromium.org/2450833002. CCing Jochen to make sure he has access to the bug.
Comment 3 by bugdroid1@chromium.org (Project Member), Oct 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6524ad09faec33bfe9f6e2ddeaa568c8ae5c9b31

commit 6524ad09faec33bfe9f6e2ddeaa568c8ae5c9b31
Author: mkwst <mkwst@chromium.org>
Date: Wed Oct 26 11:08:47 2016

Verify that an event queue is present before firing an event.

BUG=658984
R=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2450833002
Cr-Commit-Position: refs/heads/master@{#427667}

[modify] https://crrev.com/6524ad09faec33bfe9f6e2ddeaa568c8ae5c9b31/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Comment 4 by ClusterFuzz (Project Member), Oct 28 2016

ClusterFuzz has detected this issue as fixed in range 427578:427987.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=427578:427987


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by mkwst@chromium.org, Oct 28 2016

Status: Fixed (was: Assigned)
Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
