
Issue 668772

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Buried. Ping if important.
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::XSSAuditorDelegate::didBlockScript

Reported by ClusterFuzz (Project Member), Nov 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5709330168152064

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::XSSAuditorDelegate::didBlockScript
  blink::HTMLDocumentParser::pumpTokenizer
  blink::HTMLDocumentParser::insert
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=434385:434426

Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94meKvfVZPeni_y7wGS170BuC2JrwG7Xw4-3QVNEIGFQN8IjWc7U9IgBSTpHKaoSYpnoZ8ET3ZwbvG18OriWoNfUutxLpkKJxXIpf4NP8_LZ32VrBiC-G6AgAMgZbcQfz4ZMgzlo9GEw4310nxwp0M7Y6lT8g?testcase_id=5709330168152064

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Nov 27 2016

Components: Blink>HTML
Labels: M-57

Comment 2 by tkent@chromium.org, Nov 28 2016

Components: -Blink>HTML Blink>SecurityFeature
Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
Using Findit, assigning to the concerned owner; the results are below --
The result is a list of CLs that change the crashed files.

Author: mkwst
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/46b2f19290555de613e09226348ae711db179f58
Time: Thu Nov 24 21:48:42 2016
Lines 687-693 of file HTMLDocumentParser.cpp which potentially caused crash are changed in this cl (frame #1, "blink::HTMLDocumentParser::pumpTokenizer").
Minimum distance from crash line to modified line: 0. (file: HTMLDocumentParser.cpp, crashed on: 687, modified: 687).

@mkwst -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 4 by mkwst@chromium.org, Nov 28 2016

I can't replicate this locally, even under ASAN. That said, I guess I can understand how `frameLoader.client()` could be `nullptr` depending on when `onload` fires (thus triggering more navigations). I'll add a check.
Components: Blink>HTML>Parser
Comment 6 by bugdroid1@chromium.org, Nov 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1d7a2e8d1b446d3ec4b55932d623e1ffe933fd47

commit 1d7a2e8d1b446d3ec4b55932d623e1ffe933fd47
Author: mkwst <mkwst@chromium.org>
Date: Tue Nov 29 07:45:52 2016

Fix a potential null deref in XSSAuditorDelegate.

The ASAN bots say this causes a crash; I can't replicate it locally, but
I believe that the combination of `document.write` and synchronous
`javascript:` URL navigation could cause the auditor to trigger while the
document is detaching. This patch adds a small check.

BUG=668772

Review-Url: https://codereview.chromium.org/2531253002
Cr-Commit-Position: refs/heads/master@{#434927}

[modify] https://crrev.com/1d7a2e8d1b446d3ec4b55932d623e1ffe933fd47/third_party/WebKit/Source/core/html/parser/XSSAuditorDelegate.cpp

Comment 7 by ClusterFuzz, Dec 29 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5709330168152064 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
