Heap-use-after-free in blink::PaintLayerScrollableArea::updateScrollOffset
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4802767312125952
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60f000017cf0
Crash State:
  blink::PaintLayerScrollableArea::updateScrollOffset
  blink::ScrollableArea::scrollOffsetChanged
  blink::ScrollableArea::setScrollOffset
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=431234:431241
Minimized Testcase (0.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94rlziSinnfBLRAKMrujKgg9rUUZX8F5eltIWLRXmhvSD-VFPGBMTCfOoBibDq4t7mnNDgurzFdDSL3QJK_wN1Xu2hTGk0yzr7zu1zf4KfKu7qF4q8qQXxZYq9LzR4B3g3Aod5zUqah7DO8Z-uuBBLt1fFh3w?testcase_id=4802767312125952
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 26 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 27 2016
Hi Christian, Emil, could one of you please help triage this use-after-free security bug? It's not obvious what change has triggered this scenario. ClusterFuzz is suspicious of an Opera CL, but it doesn't look promising to me (https://chromium.googlesource.com/chromium/src/+/c5de692783f306d25186d46039f8541c9c4ebbe0). Looks like the LayoutBox object has had a layer destroyed (blink::PaintLayer::removeOnlyThisLayerAfterStyleChange()), which is then being accessed later when there's a scroll event and repaint. Check out the thread stack that freed that memory address in the detailed report. Any help finding an appropriate owner would be appreciated. Thanks!
Jan 9 2017
cbiesinger: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 17 2017
Clusterfuzz fails to find a regression range, sigh. Any chance you could look into this szager?
Jan 23 2017
A friendly reminder that M57 Beta launch is coming soon on February 2nd! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Jan 23 2017
szager: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 25 2017
[Bulk edit] A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Feb 8 2017
A friendly reminder that M57 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Feb 13 2017
Hi szager@ - are you best placed to look at this? If not please re-assign.
Feb 15 2017
I haven't been able to root cause this, I'm still looking.
It's worth pointing out that the test relies on a testing API ('accessibilityController') which is only available when running content_shell with the --run-layout-test flag. So this wouldn't affect users. It's an open question whether it's possible to trigger the same crash without using accessibilityController; I have not been able to do so.
So, this crash should definitely be fixed, but it's not at all clear that it affects Chrome.
Feb 16 2017
OK, I found root cause: components/test_runner/accessibility_controller.cc runs accessibility callbacks synchronously from NotificationReceived (unlike the non-test code, which correctly uses PostTask). Since accessibility notifications can be dispatched synchronously during layout, this is a big no-no. Lowering priority and removing blocker labels, since this only affects test code. Reassigning to dmazzoni@ for accessibility triage.
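The following is an added, self-contained model of the root cause described in the comment above; it is not Chromium code and not the ClusterFuzz testcase. `Document`, `ScrollableArea`, `RemoveLayer()` and `AddNotificationListener()` are assumed stand-ins for Blink's LayoutBox, PaintLayerScrollableArea, PaintLayer::removeOnlyThisLayerAfterStyleChange() and the test-only accessibilityController listener; what the real testcase's listener does is not shown on this page, so tearing the layer down from the listener is an assumption chosen to reproduce the "freed layer accessed during scroll offset update" pattern from the report. Layout grabs a raw pointer, fires an accessibility notification mid-layout, then updates the scroll offset through that pointer. With synchronous dispatch the listener re-enters and destroys the object first; with PostTask-style dispatch the listener runs only after layout has finished. The destroyed object is quarantined rather than freed so the program stays well-defined; in the real bug the memory is released and ASan reports the read.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>
#include <utility>
#include <vector>

// Assumed stand-in for PaintLayerScrollableArea (not Blink's real type).
struct ScrollableArea {
  bool alive = true;      // cleared when the owning layer is destroyed
  int scroll_offset = 0;
};

enum class Dispatch { kSynchronous, kPosted };

class Document {
 public:
  explicit Document(Dispatch mode) : mode_(mode) {}

  // Stand-in for the test-only accessibilityController listener registration.
  void AddNotificationListener(std::function<void(Document&)> listener) {
    listener_ = std::move(listener);
  }

  // Script-visible style change that tears down the layer and its scrollable
  // area (assumed analogue of PaintLayer::removeOnlyThisLayerAfterStyleChange).
  void RemoveLayer() {
    if (!area_) return;
    area_->alive = false;
    // Quarantine instead of delete so the example has no undefined behaviour;
    // the real code frees the memory here and ASan catches the later read.
    graveyard_.push_back(std::move(area_));
  }

  // Layout: notifies accessibility mid-layout (as Blink can), then finishes by
  // updating the scroll offset on the area it grabbed at the start.
  // Returns true if that final update touched a destroyed area.
  bool Layout() {
    if (!area_) area_ = std::make_unique<ScrollableArea>();
    ScrollableArea* area = area_.get();  // raw pointer held across the notification
    NotifyAccessibility();
    if (!area->alive) return true;       // the heap-use-after-free in the real code
    area->scroll_offset += 10;           // updateScrollOffset
    return false;
  }

  // Drains tasks deferred during layout, like the production PostTask path.
  void RunPendingTasks() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }

 private:
  void NotifyAccessibility() {
    if (!listener_) return;
    if (mode_ == Dispatch::kSynchronous) {
      listener_(*this);                           // re-enters script during layout
    } else {
      tasks_.push([this] { listener_(*this); });  // deferred until layout is done
    }
  }

  Dispatch mode_;
  std::function<void(Document&)> listener_;
  std::unique_ptr<ScrollableArea> area_;
  std::vector<std::unique_ptr<ScrollableArea>> graveyard_;
  std::queue<std::function<void()>> tasks_;
};

// Runs the scenario once and reports whether the dangling access happened.
bool ScenarioTriggersUseAfterFree(Dispatch mode) {
  Document doc(mode);
  doc.AddNotificationListener([](Document& d) { d.RemoveLayer(); });
  bool uaf = doc.Layout();
  doc.RunPendingTasks();  // in posted mode the layer is removed here, after layout
  return uaf;
}

int main() {
  std::printf("synchronous dispatch: %s\n",
              ScenarioTriggersUseAfterFree(Dispatch::kSynchronous) ? "use-after-free" : "ok");
  std::printf("posted dispatch:      %s\n",
              ScenarioTriggersUseAfterFree(Dispatch::kPosted) ? "use-after-free" : "ok");
  return 0;
}
```

The point of the comparison is the one the comment makes: the crash needs no exotic memory bug, only a callback that may run arbitrary script at a moment when layout still holds raw pointers into objects that script can destroy. Deferring the callback to a task moves it past the end of layout, where those pointers are no longer live.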
May 22 2017
ClusterFuzz has detected this issue as fixed in range 472963:472976.

Detailed report: https://clusterfuzz.com/testcase?key=4802767312125952
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60f000017cf0
Crash State:
  blink::PaintLayerScrollableArea::updateScrollOffset
  blink::ScrollableArea::scrollOffsetChanged
  blink::ScrollableArea::setScrollOffset
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=352118:352226
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=472963:472976
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4802767312125952
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 22 2017
ClusterFuzz testcase 4802767312125952 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.