Heap-use-after-free in printing::PrintWebViewHelper::RequestPrintPreview
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5765158006947840

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x61100001b419
Crash State:
  printing::PrintWebViewHelper::RequestPrintPreview
  printing::PrintWebViewHelper::ScriptedPrint
  content::RenderFrameImpl::ScriptedPrint

Recommended Security Severity: High

Regressed: V8: r41058:41075

Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94YSihmr-pDnJ7JED_5Jl0NVFZRVB8sNhUDh1hiJlWC-TPqVhLKwnT5gZg_vlxeEEOFwmNbp5HA5vwajMKc7FriPuoPVqek3u8z3DZ-qs9vdhJ7LQs8fwpmLgTiRbd0sXaaje_0UPAY1EQgKo3pKFIOKK_Gfg?testcase_id=5765158006947840

<script> try { __f_73(); } catch(e) { print(); } </script>

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 18 2016
thestig@, since you are listed in the printing OWNERS file, can you take a look at this or send it to someone who can? Thanks.
Nov 21 2016
This may be bug 666714 ?
Nov 22 2016
This is very easy to repro:
1) Call 'window.print()' from anywhere.
2) Type any cross-origin domain in the omnibox.
3) PrintWebViewHelper::RequestPrintPreview writes PrintWebViewHelper::is_scripted_preview_delayed_ after it is freed.
Nov 23 2016
I'm guessing this wasn't a problem before because RenderViews have a much longer lifetime than RenderFrames. Now PrintWebViewHelper (which is really PrintWebFrameHelper) gets deleted much easier because RenderFrames go away quicker/earlier. Without removing the nested message loop, can we move it out of PrintWebViewHelper and into either a static function or some other class like RenderThread? In addition, we need some RenderFrame lifetime tracking. Combined, when the nested message loop ends, we can check if the calling RenderFrame is still alive, and only reset |is_scripted_preview_delayed_| if that's the case.
Nov 24 2016
And indeed very easy to repro. Needs more testing.
Nov 24 2016
It turns out PrintWebViewHelper has a WeakPtr factory, and now we have: https://codereview.chromium.org/2522313003
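The lifetime problem discussed in the two comments above (a member written after a nested message loop returns, guarded in the fix by re-checking a WeakPtr) as an added C++ illustration; this is not Chromium's code. Assumptions: std::weak_ptr stands in for base::WeakPtrFactory, a std::function for the nested message loop, and RenderFrame/PrintHelper are simplified stand-ins for the real classes.

```cpp
#include <functional>
#include <memory>

// Renderer-side state that RequestPrintPreview writes after the nested loop
// (stand-in for PrintWebViewHelper::is_scripted_preview_delayed_).
struct PrintHelper {
  bool is_scripted_preview_delayed = false;
};

// A RenderFrame owns its PrintHelper; destroying the frame frees the helper.
struct RenderFrame {
  std::shared_ptr<PrintHelper> helper = std::make_shared<PrintHelper>();
};

// Unsafe shape of the original code, shown only as a comment (never run here):
//   helper->is_scripted_preview_delayed = true;
//   RunNestedLoop();                                // frame may be torn down
//   helper->is_scripted_preview_delayed = false;   // the UAF WRITE from the report
//
// Hardened shape: hold only a weak reference across the blocking call and
// re-validate it afterwards. Returns true if the helper was still alive and
// the flag was reset; false if the write was skipped because it was freed.
bool RequestPrintPreviewSafe(std::weak_ptr<PrintHelper> weak,
                             const std::function<void()>& run_nested_loop) {
  if (auto helper = weak.lock())
    helper->is_scripted_preview_delayed = true;
  else
    return false;
  // While the nested loop runs, a cross-origin navigation can destroy the
  // RenderFrame and, with it, the helper.
  run_nested_loop();
  auto helper = weak.lock();  // nullptr if the frame went away meanwhile
  if (!helper)
    return false;             // skip the write rather than touch freed memory
  helper->is_scripted_preview_delayed = false;
  return true;
}

// Scenario 1: nothing navigates away during the nested loop.
bool ScenarioFrameSurvives() {
  RenderFrame frame;
  return RequestPrintPreviewSafe(frame.helper, [] {});
}

// Scenario 2: the nested loop ends with the frame destroyed, as in the repro
// of typing a cross-origin URL while window.print() is pending.
bool ScenarioFrameDestroyed() {
  std::unique_ptr<RenderFrame> frame(new RenderFrame);
  std::weak_ptr<PrintHelper> weak = frame->helper;
  return RequestPrintPreviewSafe(weak, [&frame] { frame.reset(); });
}
```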
Nov 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d5c9ff3d4eb3de0945a0537288a4bee31c2ee4cf

commit d5c9ff3d4eb3de0945a0537288a4bee31c2ee4cf
Author: thestig <thestig@chromium.org>
Date: Mon Nov 28 22:06:50 2016

Check for PrintWebViewHelper validity when running nested message loops.

BUG= 666616
Review-Url: https://codereview.chromium.org/2522313003
Cr-Commit-Position: refs/heads/master@{#434734}

[modify] https://crrev.com/d5c9ff3d4eb3de0945a0537288a4bee31c2ee4cf/components/printing/renderer/print_web_view_helper.cc
[modify] https://crrev.com/d5c9ff3d4eb3de0945a0537288a4bee31c2ee4cf/components/printing/renderer/print_web_view_helper.h
Nov 29 2016
ClusterFuzz has detected this issue as fixed in range 41323:41324.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5765158006947840

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x61100001b419
Crash State:
  printing::PrintWebViewHelper::RequestPrintPreview
  printing::PrintWebViewHelper::ScriptedPrint
  content::RenderFrameImpl::ScriptedPrint

Recommended Security Severity: High

Regressed: V8: r41058:41075
Fixed: V8: r41323:41324

Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94YSihmr-pDnJ7JED_5Jl0NVFZRVB8sNhUDh1hiJlWC-TPqVhLKwnT5gZg_vlxeEEOFwmNbp5HA5vwajMKc7FriPuoPVqek3u8z3DZ-qs9vdhJ7LQs8fwpmLgTiRbd0sXaaje_0UPAY1EQgKo3pKFIOKK_Gfg?testcase_id=5765158006947840

<script> try { __f_73(); } catch(e) { print(); } </script>

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 30 2016
This needs a M56 merge.
Nov 30 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
Nov 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/26f89f0ea0aef159e490d099b30d258da2816ed8

commit 26f89f0ea0aef159e490d099b30d258da2816ed8
Author: Lei Zhang <thestig@chromium.org>
Date: Wed Nov 30 11:21:03 2016

M56: Check for PrintWebViewHelper validity when running nested message loops.

BUG= 666616
Review-Url: https://codereview.chromium.org/2522313003
Cr-Commit-Position: refs/heads/master@{#434734}
(cherry picked from commit d5c9ff3d4eb3de0945a0537288a4bee31c2ee4cf)

Review URL: https://codereview.chromium.org/2532323004 .

Cr-Commit-Position: refs/branch-heads/2924@{#185}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/26f89f0ea0aef159e490d099b30d258da2816ed8/components/printing/renderer/print_web_view_helper.cc
[modify] https://crrev.com/26f89f0ea0aef159e490d099b30d258da2816ed8/components/printing/renderer/print_web_view_helper.h
Mar 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot