Bad-cast to blink::EventTarget from blink::Bluetooth;blink::V8EventTarget::toImpl;blink::EventTargetV8Internal::addEventListenerMethodCallback
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6073687674716160
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x1ee3e6b70010
Crash State:
  Bad-cast to blink::EventTarget from blink::Bluetooth
  blink::V8EventTarget::toImpl
  blink::EventTargetV8Internal::addEventListenerMethodCallback
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=445305:445309
Minimized Testcase (2.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956mZLOdTMQxOr5HAI6mPjNrNQCchSP2yVnzrjGL9rJryaTAp_wKNPd2HCnQ2f1E0mo5ZkrVMJHXFY8h03CjGuKzQXc6J6XCwPE6ecSLL0M6JsQdRdd48OOI5tEu9k7T1ZCd6Wemhyz-HSHFIE05JkFOpUrFya5ryjg8L5cYmNpHilIhyLNAXuohmdne9AKHwQ9CnGNpzcgA59-eM62lM0jpJ74jPDiHSDdK6Xs80e3nI6eoC_r5b94GQt-UQz_V_d7MxqcVa8EZkJ0mv4MOztm4fEpaaz8apFMKi-D7-vyOxt78r94C7MoorFqLZijWiNeca9N1HoBjhuXyS6tIByw5hHYgDRD-Tdxp_0499OYzKHeBLI?testcase_id=6073687674716160
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Jan 23 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 23 2017
Jan 24 2017
scheib, could you please take a look at this security bug? Looks like it might be related to https://codereview.chromium.org/2616443002 (in the regression range). Thanks!
Jan 25 2017
Please note that as this bug is marked as ReleaseBlock-Beta for M57, changes need to be on trunk by this Friday, 1/27, to make the M57 branch. Please prioritise accordingly. Thanks!
Jan 25 2017
Jan 25 2017
[Bulk edit] A friendly reminder that M57 Beta launch is coming soon on February 2nd (in a week)! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Dev (before Beta promotion). Thank you!
Jan 26 2017
Jan 26 2017
Jan 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/531ee8ee9b5cb061bdc96fb42567ad79017c38cb

commit 531ee8ee9b5cb061bdc96fb42567ad79017c38cb
Author: scheib <scheib@chromium.org>
Date: Fri Jan 27 07:49:56 2017

bluetooth: web: Bluetooth does not yet inherit EventTarget; crash fix.

Updating IDL files for spec changes, I incorrectly included a change to the Bluetooth interface to mark it as inheriting from EventTarget. In: https://codereview.chromium.org/2616443002

We do not yet dispatch events to the Bluetooth object, and so should not inherit EventTarget.

BUG= 683835
Review-Url: https://codereview.chromium.org/2660453003
Cr-Commit-Position: refs/heads/master@{#446621}

[modify] https://crrev.com/531ee8ee9b5cb061bdc96fb42567ad79017c38cb/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/531ee8ee9b5cb061bdc96fb42567ad79017c38cb/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/531ee8ee9b5cb061bdc96fb42567ad79017c38cb/third_party/WebKit/Source/modules/bluetooth/Bluetooth.idl
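The commit message above gives the root cause: the IDL declared `Bluetooth : EventTarget` while the C++ `blink::Bluetooth` class did not derive from `EventTarget`, so the generated `V8EventTarget::toImpl` cast inside the `addEventListener` callback handed out an `EventTarget*` that pointed at an object of a different type, which UBSan's vptr check reported as the bad-cast in the crash state. The C++ model below is added here and is not Blink's code; `WrapperTypeInfo`, `ScriptWrappable`, `toImplChecked`, the `k*Info` constants and the scenario drivers are assumed names that only mimic the shape of the bindings layer. It shows the defensive measures a binding test could apply: a consistency check that walks the IDL-declared chain and verifies every declared ancestor against the real C++ type, and a checked counterpart of the blind cast that rejects receivers of the wrong type instead of calling through them. Blink itself is built without RTTI and checks wrapper types by other means; the `dynamic_cast` probe here stands in for that mechanism.

```cpp
#include <iostream>
#include <string>

// Added illustrative model of the bug class, not Blink's code. All names are
// assumptions that mimic the shape of Blink's bindings: the IDL declares an
// inheritance chain, and the generated toImpl() casts a receiver to the
// declared base without consulting the real C++ type.

struct ScriptWrappable;

// What the IDL declares ("interface X : Parent"), plus a runtime probe that
// asks whether a C++ object really is an instance of X's C++ class.
struct WrapperTypeInfo {
  const char* interface_name;
  const WrapperTypeInfo* parent;                   // nullptr at the root
  bool (*is_cpp_instance)(const ScriptWrappable*);
};

struct ScriptWrappable {
  virtual ~ScriptWrappable() = default;
  virtual const WrapperTypeInfo* wrapperTypeInfo() const = 0;
};

template <typename T>
bool isCppInstance(const ScriptWrappable* obj) {
  return dynamic_cast<const T*>(obj) != nullptr;  // RTTI stands in for Blink's own check
}

// EventTarget: the C++ base for anything that can take addEventListener().
struct EventTarget : ScriptWrappable {
  int listener_count = 0;
  void addEventListener(const std::string& /*type*/) { ++listener_count; }
  const WrapperTypeInfo* wrapperTypeInfo() const override;
};
const WrapperTypeInfo kEventTargetInfo{"EventTarget", nullptr, isCppInstance<EventTarget>};
const WrapperTypeInfo* EventTarget::wrapperTypeInfo() const { return &kEventTargetInfo; }

// BluetoothDevice: declared as an EventTarget in IDL and implemented as one in
// C++, so declaration and implementation agree.
struct BluetoothDevice : EventTarget {
  const WrapperTypeInfo* wrapperTypeInfo() const override;
};
const WrapperTypeInfo kBluetoothDeviceInfo{"BluetoothDevice", &kEventTargetInfo,
                                           isCppInstance<BluetoothDevice>};
const WrapperTypeInfo* BluetoothDevice::wrapperTypeInfo() const { return &kBluetoothDeviceInfo; }

// Bluetooth: the C++ class does NOT derive from EventTarget. The declared chain
// is injected so both the regressed and the fixed IDL can be modelled.
struct Bluetooth : ScriptWrappable {
  explicit Bluetooth(const WrapperTypeInfo* info) : info_(info) {}
  const WrapperTypeInfo* wrapperTypeInfo() const override { return info_; }
 private:
  const WrapperTypeInfo* info_;
};
// Regressed IDL: "interface Bluetooth : EventTarget" (a declaration only).
const WrapperTypeInfo kBluetoothInfoRegressed{"Bluetooth", &kEventTargetInfo,
                                              isCppInstance<Bluetooth>};
// Fixed IDL: "interface Bluetooth" with no parent, matching the C++ class.
const WrapperTypeInfo kBluetoothInfoFixed{"Bluetooth", nullptr, isCppInstance<Bluetooth>};

// Consistency check a binding test could run over every interface: walk the
// IDL-declared chain and confirm each declared ancestor is also a C++ base.
// Returns the first declared ancestor the object is not an instance of, or ""
// when declaration and implementation agree.
std::string firstInconsistentAncestor(const ScriptWrappable& obj) {
  for (const WrapperTypeInfo* info = obj.wrapperTypeInfo(); info; info = info->parent) {
    if (!info->is_cpp_instance(&obj)) return info->interface_name;
  }
  return "";
}

// Checked counterpart of the generated toImpl(): yields nullptr instead of a
// wrongly typed pointer when the receiver's C++ class is not T.
template <typename T>
T* toImplChecked(ScriptWrappable* receiver) {
  return dynamic_cast<T*>(receiver);
}

// Models EventTargetV8Internal::addEventListenerMethodCallback. Returns false
// (where the real binding would raise a TypeError) when the receiver is not
// actually an EventTarget, rather than calling through a bad cast.
bool addEventListenerCallback(ScriptWrappable* receiver, const std::string& type) {
  EventTarget* target = toImplChecked<EventTarget>(receiver);
  if (!target) return false;
  target->addEventListener(type);
  return true;
}

// Scenario drivers; each returns a value a test can check.
std::string checkRegressedBluetooth() { Bluetooth b(&kBluetoothInfoRegressed); return firstInconsistentAncestor(b); }
std::string checkFixedBluetooth() { Bluetooth b(&kBluetoothInfoFixed); return firstInconsistentAncestor(b); }
std::string checkBluetoothDevice() { BluetoothDevice d; return firstInconsistentAncestor(d); }
bool callOnRegressedBluetooth() { Bluetooth b(&kBluetoothInfoRegressed); return addEventListenerCallback(&b, "x"); }
int listenersAfterCallOnDevice() { BluetoothDevice d; addEventListenerCallback(&d, "gattserverdisconnected"); return d.listener_count; }

int main() {
  std::cout << "regressed Bluetooth: declared ancestor not a C++ base: '" << checkRegressedBluetooth() << "'\n";
  std::cout << "fixed Bluetooth: declared ancestor not a C++ base: '" << checkFixedBluetooth() << "'\n";
  std::cout << "addEventListener on regressed Bluetooth accepted: " << callOnRegressedBluetooth() << "\n";
  return 0;
}
```

With the regressed chain the check names `EventTarget` as the declared ancestor the `Bluetooth` object is not an instance of, which is exactly the mismatch the fuzzer hit at runtime; with the fixed chain (no parent) and for `BluetoothDevice` (declared and implemented as an `EventTarget`) it returns an empty string. A check of this kind, run once per generated interface at binding-test time, catches an IDL-only inheritance change before it reaches a fuzzer.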
Jan 27 2017
Jan 27 2017
Thanks for the fix and merge request scheib@. Interestingly, the range reported by Clusterfuzz suggests this regressed in 58.0.2990, so we wouldn't need to merge back to 57. Does that seem reasonable, or did clusterfuzz get it wrong?
Jan 28 2017
ClusterFuzz has detected this issue as fixed in range 446618:446648.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6073687674716160
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x1ee3e6b70010
Crash State:
  Bad-cast to blink::EventTarget from blink::Bluetooth
  blink::V8EventTarget::toImpl
  blink::EventTargetV8Internal::addEventListenerMethodCallback
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=445305:445309
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=446618:446648
Minimized Testcase (2.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956mZLOdTMQxOr5HAI6mPjNrNQCchSP2yVnzrjGL9rJryaTAp_wKNPd2HCnQ2f1E0mo5ZkrVMJHXFY8h03CjGuKzQXc6J6XCwPE6ecSLL0M6JsQdRdd48OOI5tEu9k7T1ZCd6Wemhyz-HSHFIE05JkFOpUrFya5ryjg8L5cYmNpHilIhyLNAXuohmdne9AKHwQ9CnGNpzcgA59-eM62lM0jpJ74jPDiHSDdK6Xs80e3nI6eoC_r5b94GQt-UQz_V_d7MxqcVa8EZkJ0mv4MOztm4fEpaaz8apFMKi-D7-vyOxt78r94C7MoorFqLZijWiNeca9N1HoBjhuXyS6tIByw5hHYgDRD-Tdxp_0499OYzKHeBLI?testcase_id=6073687674716160
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 28 2017
ClusterFuzz testcase 6073687674716160 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 28 2017
Jan 30 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 30 2017
Please merge your change to M57 branch 2987 ASAP. If merge happens today before 5:00 PM PT, then we can take it for tomorrow's last M57 Dev release. Thank you.
Jan 31 2017
awhalley, you are correct, I don't know why sheriff bot marked this issue as M57 in comment 1. The fault was introduced in 445306, and 57 branched at 444943. So, no further action needed.
Mar 13 2017
May 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot