
Issue 686481 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Heap-use-after-free in blink::visualRectForDisplayItem

Reported by ClusterFuzz (Project Member), Jan 28 2017

Issue description

Comment 1 by est...@chromium.org, Jan 29 2017

Owner: wkorman@chromium.org
Status: Assigned (was: Untriaged)
wkorman, I'm wondering if you might be able to help find an owner for this? Nothing in the regression range looks particularly suspicious, at least not to my eyes which are not very familiar with this code...

Comment 2 by est...@chromium.org, Jan 29 2017

Components: Blink>Paint
Comment 3 by sheriffbot@chromium.org (Project Member), Jan 29 2017

Labels: M-57
Comment 4 by sheriffbot@chromium.org (Project Member), Jan 29 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 5 by sheriffbot@chromium.org (Project Member), Jan 29 2017

Labels: Pri-1
Comment 6 by sheriffbot@chromium.org (Project Member), Jan 30 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Attempting to view:

https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=441524:442831

is reporting an error as 'Failed to get component rev list.'. I tried an incognito window logged in as both corp and chromium accounts.
Cc: wangxianzhu@chromium.org
Potentially related to http://crbug.com/680423.
The test contains 'float:right', but the patch seems not to fix it.

I almost always ignore the regression ranges given by clusterfuzz because they are often incorrect and too wide.

Cc: mbarbe...@chromium.org
+mbarbella@ to have a look at #7 - I see that problem too.

This bug is reported as M57 Beta blocker and we're very close to M57 Beta promotion on Thursday (02/02). Please plan to have fix ready and merged to M57 branch 2987 by 5:00 PM PT, tomorrow, Wednesday (02/01). Thank you.
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Cc: -wangxianzhu@chromium.org wkorman@chromium.org
Owner: wangxianzhu@chromium.org
Apologies, I missed seeing c#11 until now and it is already after M57 Beta promotion.

If this is really high priority wangxianzhu@ would be better to look at this as it is likely closely related to similar issues he has reworked/fixed recently. Passing to him for consideration/input. If it is not related to your other float work feel free to pass back to me.
Reduced test case
<script>
setTimeout(function() {
  input2.parentNode.insertBefore(span, input2);
}, 0);
</script> 
<span style="opacity: 0.9">
  <div id="div1" style="columns: 1; float: left">
    <button>
      <span id="span">SPAN</span>
    </button>
    <button>
      <input id="input2">
    </button>
  </div>
</span>

Attachment: c.html (307 bytes)
A friendly reminder that the M57 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Cc: chrishtr@chromium.org
Comment 17 by bugdroid1@chromium.org (Project Member), Feb 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bfa6918b9aaf67f812459e5757e46485ff8ae1d4

commit bfa6918b9aaf67f812459e5757e46485ff8ae1d4
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Thu Feb 09 06:12:24 2017

Fix PaintLayer::compositingContainer for self-painting non-stacked layers

A self-painting non-stacked layer always paint itself through the normal
flow list of its parent, no matter if the parent is the containing layer.
This affects float layer under a stacked inline layer. If the float
layer is self-painting but not stacked, it's painted from its parent
instead of its containing layer.

BUG= 686481 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2682933002
Cr-Commit-Position: refs/heads/master@{#449219}

[add] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline-expected.html
[add] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline.html
[modify] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/bfa6918b9aaf67f812459e5757e46485ff8ae1d4/third_party/WebKit/Source/core/paint/PaintLayerTest.cpp

Labels: Merge-Request-57
Comment 19 by sheriffbot@chromium.org (Project Member), Feb 10 2017

Labels: -Merge-Request-57 Hotlist-Merge-Approved Merge-Approved-57
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 20 by ClusterFuzz (Project Member), Feb 10 2017

ClusterFuzz has detected this issue as fixed in range 449206:449250.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6010701979320320

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x608000023da0
Crash State:
  blink::visualRectForDisplayItem
  blink::PaintController::commitNewDisplayItems
  blink::GraphicsLayer::paint
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=441524:442831
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=449206:449250

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97FU1-ERQWoweDzDMl9niAprhp8FjCdR4t_rTJ1_tFR7n2K4MTOPuyGfax4jHXbChJUDNj5fShSLOmY1F1EalAPygRpZs6CNCNoC4VqXWeU2gwCz-YFTqqw5hX54dJI0PAnaxkhN3DWx9M1dfvzuwq7tjkOKjyjZq2wpicRet4mGe08Ewzvuyy2jVU7LMl_rv_h5Vc35YJ6DLAX-eMRyn_OcLV0HIYTcRMqEVQm4qyZCoeGBn7gFBFPaJeRarWOpX5Z9ECQXkn5UUcPDZpPlxU9ktuqADXPPMePINVkpFv9HvbymH3Cu5qzgywa5GQlU1KBbWknmV1RXEi5vcEY-NRrxcy8PeJ9tOnKjf2xZwxqcZr1Op8?testcase_id=6010701979320320


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 21 by ClusterFuzz (Project Member), Feb 10 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6010701979320320 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 22 by sheriffbot@chromium.org (Project Member), Feb 10 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 23 by bugdroid1@chromium.org (Project Member), Feb 10 2017

Labels: -merge-approved-57 merge-merged-2987
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541

commit 5ffefa7a3d0b13b25f70f436ac4b92c8d193e541
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Fri Feb 10 20:04:03 2017

Fix PaintLayer::compositingContainer for self-painting non-stacked layers

A self-painting non-stacked layer always paint itself through the normal
flow list of its parent, no matter if the parent is the containing layer.
This affects float layer under a stacked inline layer. If the float
layer is self-painting but not stacked, it's painted from its parent
instead of its containing layer.

BUG= 686481 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
TBR=wangxianzhu@chromium.org
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2682933002
Cr-Original-Commit-Position: refs/heads/master@{#449219}
Review-Url: https://codereview.chromium.org/2690633002
Cr-Commit-Position: refs/branch-heads/2987@{#449}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline-expected.html
[add] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/LayoutTests/paint/invalidation/column-float-under-stacked-inline.html
[modify] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/5ffefa7a3d0b13b25f70f436ac4b92c8d193e541/third_party/WebKit/Source/core/paint/PaintLayerTest.cpp

Labels: -Hotlist-Merge-Approved -ReleaseBlock-Stable
Comment 25 by sheriffbot@chromium.org (Project Member), May 19 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
