Heap-use-after-free in document
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358216842936320

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e000079b40
Crash State:
  document
  frameView
  blink::AutoscrollController::startAutoscrollForSelection
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=436983:437053

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97YjtM5Aui8sq53ESm_rqlKWXUmTMD1hK6JZHGmSaazx3gV8a_DsF6VrJ412EICHWdLgVTZeSTlNSvettye_X59HWTDeqcpGrGfs7e4TJadWMBItOOYAUa47f3O9wWRje9VgRCDN5JWTBsB8ws2jRB23QnBT_s0BI7V0M5ENBvwAW28YH9FUC4JpEHhWxHAmB4kpRA99UEGcK9oEWcbPzeuPOhU9ps3yljtND4Avs-mjoVsFCQwvhIrizm4XlnR2HIEu6fzN9cxe_VyYDyl1X6DKbdZTrbTsv4YJlm1xB1FBdfET54L1m1_621ZApIUBYKA_uU9EiHaqeMPkH19U3Z5l1hg-zjk-g627enAb_iYtsIN4Fg?testcase_id=6358216842936320

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sheriffbot@chromium.org, Jan 15 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 15 2017

Jan 17 2017
chrishtr: ClusterFuzz suspects that https://chromium.googlesource.com/chromium/src/+/1cf98b57647fa75d2aa18a94ba2128f1dc770386 introduced this issue. Can you please take a look?

Jan 18 2017
It appears that the cause is that MouseEventManager::handleMouseDraggedEvent calls m_frame->eventHandler().selectionController().handleMouseDraggedEvent which may mutate the DOM and invalidate the node which is the target of the event. This root cause is not due to my CL; my CL just added code which exhibited it by trying to access fields on the invalidated node.
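The pattern described in the comment above, a dispatcher that keeps a bare reference to the event target across a call that can run script and mutate the DOM, shown as a self-contained C++ sketch of the bug class and of the defensive shape. This is an added example, not Blink's code and not the CL's fix; Document, Node, onDrag, dragVulnerable and dragHardened are constructed names, and the shared_ptr pin plus the `connected` re-check are stand-ins for whatever the real fix does.

```cpp
#include <functional>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Constructed toy model (not Blink): a Document owns its Nodes through
// shared_ptr, so erasing a node from `children` frees it as soon as nobody
// else holds a reference, much like the DOM node the event target points at.
struct Node : std::enable_shared_from_this<Node> {
    std::string name;
    bool connected = true;  // still attached to the document?
    int layoutBox = 0;      // stand-in for layout-dependent fields
};

struct Document {
    std::vector<std::shared_ptr<Node>> children;
    // Script-controlled handler run while a drag event is dispatched (assumed name).
    std::function<void(Document&, Node&)> onDrag;

    std::shared_ptr<Node> add(const std::string& name, int layoutBox) {
        auto n = std::make_shared<Node>();
        n->name = name;
        n->layoutBox = layoutBox;
        children.push_back(n);
        return n;
    }

    // Detach `target`; the document drops its owning reference.
    void remove(Node& target) {
        for (auto it = children.begin(); it != children.end(); ++it) {
            if (it->get() == &target) {
                (*it)->connected = false;
                children.erase(it);
                return;
            }
        }
    }
};

// Shape of the defect in the report: only a raw pointer to the target is kept
// across a call that can run script. If the handler removes the node, the final
// read touches freed memory (what ASan reports as heap-use-after-free).
// Kept for contrast only; nothing below calls it.
int dragVulnerable(Document& doc, Node* target) {
    if (doc.onDrag) doc.onDrag(doc, *target);  // may free *target
    return target->layoutBox;                   // read of freed memory
}

// Defensive shape: pin the node for the duration of dispatch, then re-validate
// that the DOM was not mutated underneath us before touching layout state.
std::optional<int> dragHardened(Document& doc, Node* target) {
    std::shared_ptr<Node> keepAlive = target->shared_from_this();  // cannot be freed now
    if (doc.onDrag) doc.onDrag(doc, *keepAlive);
    if (!keepAlive->connected) return std::nullopt;  // node left the tree: bail out
    return keepAlive->layoutBox;
}

// Scenario from the report: the drag handler deletes the event target.
// Returns true when the hardened path declines to use the detached node.
bool handlerDeletesTargetIsCaught() {
    Document doc;
    Node* target = doc.add("p", 42).get();  // the document is the only owner
    doc.onDrag = [](Document& d, Node& n) { d.remove(n); };
    return !dragHardened(doc, target).has_value() && doc.children.empty();
}

// Benign handler: the node survives and its layout state is read normally.
int benignHandlerValue() {
    Document doc;
    Node* target = doc.add("p", 42).get();
    doc.onDrag = [](Document&, Node&) {};
    return dragHardened(doc, target).value_or(-1);
}

int main() {
    return (handlerDeletesTargetIsCaught() && benignHandlerValue() == 42) ? 0 : 1;
}
```

The pin alone only stops the free; it does not make a detached node's layout state safe to consult, which is why the re-check after the callback matters. In a real engine the "node no longer valid" test is whatever the engine's notion of a connected node with up-to-date layout is; the commit in this thread names the trigger as a dirty layout tree.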

Jan 18 2017
I have an easy fix.

Jan 18 2017

Jan 19 2017
ClusterFuzz has detected this issue as fixed in range 444249:444262.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358216842936320

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e000079b40
Crash State:
  document
  frameView
  blink::AutoscrollController::startAutoscrollForSelection
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=436983:437053
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=444249:444262

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97YjtM5Aui8sq53ESm_rqlKWXUmTMD1hK6JZHGmSaazx3gV8a_DsF6VrJ412EICHWdLgVTZeSTlNSvettye_X59HWTDeqcpGrGfs7e4TJadWMBItOOYAUa47f3O9wWRje9VgRCDN5JWTBsB8ws2jRB23QnBT_s0BI7V0M5ENBvwAW28YH9FUC4JpEHhWxHAmB4kpRA99UEGcK9oEWcbPzeuPOhU9ps3yljtND4Avs-mjoVsFCQwvhIrizm4XlnR2HIEu6fzN9cxe_VyYDyl1X6DKbdZTrbTsv4YJlm1xB1FBdfET54L1m1_621ZApIUBYKA_uU9EiHaqeMPkH19U3Z5l1hg-zjk-g627enAb_iYtsIN4Fg?testcase_id=6358216842936320

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jan 19 2017
ClusterFuzz testcase 6358216842936320 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jan 19 2017

Jan 19 2017

Jan 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/921bcf9b346434464e9c0ee809d409c23237edb0

commit 921bcf9b346434464e9c0ee809d409c23237edb0
Author: chrishtr <chrishtr@chromium.org>
Date: Thu Jan 19 22:26:23 2017

Fix crash in mouse event handling with a dirty layout tree.

BUG= 681369
Review-Url: https://codereview.chromium.org/2646653002
Cr-Commit-Position: refs/heads/master@{#444863}

[modify] https://crrev.com/921bcf9b346434464e9c0ee809d409c23237edb0/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/921bcf9b346434464e9c0ee809d409c23237edb0/third_party/WebKit/LayoutTests/editing/selection/select-delete-in-event-handler-expected.txt
[add] https://crrev.com/921bcf9b346434464e9c0ee809d409c23237edb0/third_party/WebKit/LayoutTests/editing/selection/select-delete-in-event-handler.html
[modify] https://crrev.com/921bcf9b346434464e9c0ee809d409c23237edb0/third_party/WebKit/Source/core/input/MouseEventManager.cpp

Jan 19 2017

Jan 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/aec7c1aa58c46f2c7c86399f2bd1e0ad6b3a54ef

commit aec7c1aa58c46f2c7c86399f2bd1e0ad6b3a54ef
Author: Rebaseline Bot <blink-rebaseline-bot@chromium.org>
Date: Thu Jan 26 20:53:44 2017

Auto-rebaseline for r444863

https://chromium.googlesource.com/chromium/src/+/921bcf9b34643

BUG= 681369
TBR=chrishtr@chromium.org
Review-Url: https://codereview.chromium.org/2651673014 .
Cr-Commit-Position: refs/heads/master@{#446438}

[modify] https://crrev.com/aec7c1aa58c46f2c7c86399f2bd1e0ad6b3a54ef/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/aec7c1aa58c46f2c7c86399f2bd1e0ad6b3a54ef/third_party/WebKit/LayoutTests/editing/selection/select-delete-in-event-handler-expected.txt
[add] https://crrev.com/aec7c1aa58c46f2c7c86399f2bd1e0ad6b3a54ef/third_party/WebKit/LayoutTests/platform/linux/editing/selection/select-delete-in-event-handler-expected.txt

Jan 27 2017

Apr 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.