Security DCHECK failure in value.IsIdentifierValue() in CSSIdentifierValue.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6700704613007360
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::StyleBuilderConverter::ConvertContentAlignmentData
  blink::StyleBuilderFunctions::applyValueCSSPropertyAlignContent
  void blink::StyleResolver::ApplyProperties<
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=472654:472665
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6700704613007360

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 8 2017
wangxianzhu@: https://chromium.googlesource.com/chromium/src/+/220cde510f9c973d9c2b546a8d8b3c9196cfe7ef looks like the most likely commit in this range. Could you look into this security bug?

I can reproduce using the tool to get a full stack trace:

#0 0x7f290b1d9c36 in gsignal /build/eglibc-MjiXCM/eglibc-2.19/signal/../nptl/sysdeps/unix/sysv/linux/raise.c:56:0
#1 0x5419dd2 in logging::LogMessage::~LogMessage() ./out/clusterfuzz_6700704613007360/../../base/logging.cc:783:7
#2 0xa45cc28 in ToCSSIdentifierValue ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/CSSIdentifierValue.h:67:1
#3 0xa45cc28 in blink::StyleBuilderConverter::ConvertContentAlignmentData(blink::StyleResolverState&, blink::CSSValue const&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/resolver/StyleBuilderConverter.cpp:541:0
#4 0xedac342 in blink::StyleBuilderFunctions::applyValueCSSPropertyAlignContent(blink::StyleResolverState&, blink::CSSValue const&) ./out/clusterfuzz_6700704613007360/gen/blink/core/StyleBuilderFunctions.cpp:2371:34
#5 0xa4beac6 in void blink::StyleResolver::ApplyProperties<(blink::CSSPropertyPriority)3, (blink::StyleResolver::ShouldUpdateNeedsApplyPass)0>(blink::StyleResolverState&, blink::StylePropertySet const*, bool, bool, blink::StyleResolver::NeedsApplyPass&, blink::PropertyWhitelistType) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1584:5
#6 0xa49afda in void blink::StyleResolver::ApplyMatchedProperties<(blink::CSSPropertyPriority)3, (blink::StyleResolver::ShouldUpdateNeedsApplyPass)0>(blink::StyleResolverState&, blink::MatchedPropertiesRange const&, bool, bool, blink::StyleResolver::NeedsApplyPass&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1623:5
#7 0xa4a24ee in blink::StyleResolver::ApplyMatchedStandardProperties(blink::StyleResolverState&, blink::MatchResult const&, blink::StyleResolver::CacheSuccess const&, blink::StyleResolver::NeedsApplyPass&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1903:3
#8 0xa4947e7 in blink::StyleResolver::ApplyMatchedPropertiesAndCustomPropertyAnimations(blink::StyleResolverState&, blink::MatchResult const&, blink::Element const*) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:1674:5
#9 0xa492279 in blink::StyleResolver::StyleForElement(blink::Element*, blink::ComputedStyle const*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:773:5
#10 0xa6c180f in OriginalStyleForLayoutObject ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Element.cpp:1884:46
#11 0xa6c180f in blink::Element::StyleForLayoutObject() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Element.cpp:1861:0
#12 0xa74b1f4 in blink::LayoutTreeBuilderForElement::Style() const ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:104:21
#13 0xa74aefd in blink::LayoutTreeBuilderForElement::ShouldCreateLayoutObject() const ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:99:38
#14 0xa6be857 in CreateLayoutObjectIfNeeded ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:90:9
#15 0xa6be857 in blink::Element::AttachLayoutTree(blink::Node::AttachContext const&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Element.cpp:1756:0
#16 0xa57f714 in blink::ContainerNode::AttachLayoutTree(blink::Node::AttachContext const&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:843:14
#17 0xa6bf0c3 in blink::Element::AttachLayoutTree(blink::Node::AttachContext const&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Element.cpp:1783:18
#18 0xa7aac47 in blink::Node::ReattachLayoutTree(blink::Node::AttachContext const&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Node.cpp:999:3
#19 0xa6c6f72 in blink::Element::RebuildLayoutTree(blink::Text*) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Element.cpp:2084:5
#20 0xa61aad8 in blink::Document::UpdateStyle() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Document.cpp:2171:25
#21 0xa609dae in blink::Document::UpdateStyleAndLayoutTree() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Document.cpp:2085:3
#22 0xa6546fe in blink::Document::FinishedParsing() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/dom/Document.cpp:5513:7
#23 0xb2d2007 in end ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:953:18
#24 0xb2d2007 in AttemptToRunDeferredScriptsAndEnd ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:965:0
#25 0xb2d2007 in blink::HTMLDocumentParser::PrepareToStopParsing() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:253:0
#26 0xb2daf79 in blink::HTMLDocumentParser::ProcessTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:0:9
#27 0xb2d379b in blink::HTMLDocumentParser::PumpPendingSpeculations() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:632:9
#28 0x9b1e84f in Run ./out/clusterfuzz_6700704613007360/../../base/callback.h:80:12
#29 0x9b1e84f in operator() ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/platform/wtf/Functional.h:221:0
#30 0x9b1e84f in blink::TaskHandle::Runner::Run(blink::TaskHandle const&) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/platform/WebTaskRunner.cpp:75:0
#31 0x55ea271 in Run ./out/clusterfuzz_6700704613007360/../../base/callback.h:91:12
#32 0x55ea271 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./out/clusterfuzz_6700704613007360/../../base/debug/task_annotator.cc:59:0
#33 0x9fb610a in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:531:19
#34 0x9faf3d0 in blink::scheduler::TaskQueueManager::DoWork(bool) ./out/clusterfuzz_6700704613007360/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:329:13
#35 0x55ea271 in Run ./out/clusterfuzz_6700704613007360/../../base/callback.h:91:12
#36 0x55ea271 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./out/clusterfuzz_6700704613007360/../../base/debug/task_annotator.cc:59:0
#37 0x5432549 in base::MessageLoop::RunTask(base::PendingTask*) ./out/clusterfuzz_6700704613007360/../../base/message_loop/message_loop.cc:414:19
#38 0x5433660 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) ./out/clusterfuzz_6700704613007360/../../base/message_loop/message_loop.cc:425:5
#39 0x543411e in base::MessageLoop::DoWork() ./out/clusterfuzz_6700704613007360/../../base/message_loop/message_loop.cc:513:13
#40 0x543c67f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./out/clusterfuzz_6700704613007360/../../base/message_loop/message_pump_default.cc:33:31
#41 0x54aaaaa in base::RunLoop::Run() ./out/clusterfuzz_6700704613007360/../../base/run_loop.cc:111:14
#42 0xd0dabad in content::RendererMain(content::MainFunctionParams const&) ./out/clusterfuzz_6700704613007360/../../content/renderer/renderer_main.cc:219:23
#43 0x3849060 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) ./out/clusterfuzz_6700704613007360/../../content/app/content_main_runner.cc:341:14
#44 0x384cfb6 in content::ContentMainRunnerImpl::Run() ./out/clusterfuzz_6700704613007360/../../content/app/content_main_runner.cc:705:12
#45 0x8ff45de in service_manager::Main(service_manager::MainParams const&) ./out/clusterfuzz_6700704613007360/../../services/service_manager/embedder/main.cc:469:29
#46 0x138554f in content::ContentMain(content::ContentMainParams const&) ./out/clusterfuzz_6700704613007360/../../content/app/content_main.cc:19:10
#47 0x503373 in main ./out/clusterfuzz_6700704613007360/../../content/shell/app/shell_main.cc:48:10
#48 0x7f290b1c4f44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287:0
Jun 8 2017
This is related to style.
Jun 14 2017
Hmm, nothing in the regression range looks particularly relevant. eae@, do you think you could suggest someone who's familiar with this code to take a look?
Jun 15 2017
This looks like a non-issue. What happens is:

1. The property align-content is parsed.
2. The CSSGridLayout RuntimeEnabledFlag is disabled.
3. The parsed property is processed as if grid was disabled at parse time.
4. The structure of the CSSValue is different to what the StyleBuilderConverter expects because it assumes flags don't change at runtime.

This flag has been set to stable since last November: https://chromium.googlesource.com/chromium/src/+/79bd413143afe5ad68104a3c99b9c04f64fc25ac

This crash does not repro if the flag is not changed during the test.
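The comment above describes a type assumption that only holds while a feature flag stays constant between parsing and style application: the parser emits one value shape when the feature is on and another when it is off, and the converter later picks its downcast by reading the flag again. The toy model below is an added example, not Blink's code; CSSValue, IdentifierValue, ContentDistributionValue, g_grid_enabled, ParseAlignContent and both converters are hypothetical stand-ins for the real CSSValue hierarchy, RuntimeEnabledFeatures and StyleBuilderConverter. It shows the fragile flag-driven converter tripping the same kind of DCHECK as the crash state, a converter that dispatches on the value's own type tag so the downcast stays valid however the flag moves, and the pipeline with the flag held constant, which is the condition the landed fix restored by removing the runtime toggle.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

// Stand-in for DCHECK: throws instead of aborting so a caller can observe it.
// In a release build the real check is compiled out, and a wrong downcast is
// simply a type confusion on the object behind the reference.
#define TOY_DCHECK(cond) \
  do { if (!(cond)) throw std::logic_error("DCHECK failed: " #cond); } while (0)

// Toy value hierarchy with a runtime type tag (stand-in for Blink's CSSValue).
struct CSSValue {
  enum class Kind { kIdentifier, kContentDistribution };
  explicit CSSValue(Kind k) : kind(k) {}
  virtual ~CSSValue() = default;
  bool IsIdentifierValue() const { return kind == Kind::kIdentifier; }
  bool IsContentDistributionValue() const { return kind == Kind::kContentDistribution; }
  Kind kind;
};

struct IdentifierValue : CSSValue {
  explicit IdentifierValue(std::string id)
      : CSSValue(Kind::kIdentifier), ident(std::move(id)) {}
  std::string ident;
};

// Richer value that the toy parser emits only while the grid feature is enabled.
struct ContentDistributionValue : CSSValue {
  ContentDistributionValue(std::string pos, std::string ovf)
      : CSSValue(Kind::kContentDistribution),
        position(std::move(pos)), overflow(std::move(ovf)) {}
  std::string position, overflow;
};

// Hypothetical runtime-enabled feature flag (a toy global, not RuntimeEnabledFeatures).
bool g_grid_enabled = true;

// Checked downcasts, mirroring the value.IsIdentifierValue() DCHECK in the crash state.
const IdentifierValue& ToIdentifierValue(const CSSValue& v) {
  TOY_DCHECK(v.IsIdentifierValue());
  return static_cast<const IdentifierValue&>(v);
}
const ContentDistributionValue& ToContentDistributionValue(const CSSValue& v) {
  TOY_DCHECK(v.IsContentDistributionValue());
  return static_cast<const ContentDistributionValue&>(v);
}

// Parse stage: the output shape depends on the flag at parse time.
// Constructed behaviour, not real CSS parsing.
std::unique_ptr<CSSValue> ParseAlignContent(const std::string& text) {
  if (g_grid_enabled)
    return std::make_unique<ContentDistributionValue>(text, "unsafe");
  return std::make_unique<IdentifierValue>(text);
}

// Fragile converter: trusts the flag at apply time to tell it the value's shape.
std::string ConvertFlagDriven(const CSSValue& v) {
  if (g_grid_enabled) {
    const ContentDistributionValue& d = ToContentDistributionValue(v);
    return d.overflow + " " + d.position;
  }
  return ToIdentifierValue(v).ident;
}

// Robust converter: dispatches on the value's own type tag, so a flag change
// between parse and apply can never turn into a bad downcast.
std::string ConvertTypeDriven(const CSSValue& v) {
  if (v.IsContentDistributionValue()) {
    const ContentDistributionValue& d = ToContentDistributionValue(v);
    return d.overflow + " " + d.position;
  }
  return ToIdentifierValue(v).ident;
}

// Parses with grid enabled, flips the flag, then applies. Returns the converted
// string, or "DCHECK" if the chosen converter tripped its type check.
std::string ParseToggleApply(bool flag_driven) {
  g_grid_enabled = true;
  std::unique_ptr<CSSValue> value = ParseAlignContent("center");
  g_grid_enabled = false;  // the runtime toggle that the fix removed
  std::string result;
  try {
    result = flag_driven ? ConvertFlagDriven(*value) : ConvertTypeDriven(*value);
  } catch (const std::logic_error&) {
    result = "DCHECK";
  }
  g_grid_enabled = true;
  return result;
}

// Same pipeline with the flag held constant, as it is once runtime toggling is gone.
std::string ParseApplyStableFlag(bool flag_driven) {
  g_grid_enabled = true;
  std::unique_ptr<CSSValue> value = ParseAlignContent("center");
  return flag_driven ? ConvertFlagDriven(*value) : ConvertTypeDriven(*value);
}
```

ParseToggleApply(true) reproduces the failure mode from the comment (the flag-driven converter asks for an IdentifierValue and gets a ContentDistributionValue), ParseToggleApply(false) shows that dispatching on the type tag survives the same toggle, and ParseApplyStableFlag shows both converters agreeing when the flag cannot change mid-flight. The security-relevant point is that the DCHECK is the only thing standing between a stale flag assumption and a release-build type confusion, so either the assumption has to be made true (freeze the flag) or the code has to stop relying on it (check the value's type).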
Jun 15 2017
Fix uploaded: https://chromium-review.googlesource.com/c/536215/
Jun 15 2017
Security_Impact-None based on comment #9
Jun 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/94354e4bc8670a560a273ab24ec6bbf51ff7f622

commit 94354e4bc8670a560a273ab24ec6bbf51ff7f622
Author: Alan Cutter <alancutter@chromium.org>
Date: Fri Jun 16 02:49:51 2017

Remove ability to change CSSGridLayout flag at runtime for testing

This change removes the ability to alter whether CSSGridLayout is enabled during runtime. This ability is causing crashes on ClusterFuzz and is only used for testing purposes.

CSSGridLayout has been stable since https://chromium.googlesource.com/chromium/src/+/79bd413143afe5ad68104a3c99b9c04f64fc25ac.

Bug: 727077
Change-Id: I94a303fac9efc3fa2e84f23c712a1e3b90a8c30c
Reviewed-on: https://chromium-review.googlesource.com/536215
Reviewed-by: Javier Fernandez <jfernandez@igalia.com>
Reviewed-by: Noel Gordon <noel@chromium.org>
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Commit-Queue: Alan Cutter <alancutter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#479932}

[modify] https://crrev.com/94354e4bc8670a560a273ab24ec6bbf51ff7f622/third_party/WebKit/LayoutTests/SmokeTests
[modify] https://crrev.com/94354e4bc8670a560a273ab24ec6bbf51ff7f622/third_party/WebKit/LayoutTests/css3/flexbox/flexbox-lines-must-be-stretched-by-default.html
[modify] https://crrev.com/94354e4bc8670a560a273ab24ec6bbf51ff7f622/third_party/WebKit/LayoutTests/fast/alignment/ensure-flexbox-compatibility-with-initial-values-expected.txt
[modify] https://crrev.com/94354e4bc8670a560a273ab24ec6bbf51ff7f622/third_party/WebKit/LayoutTests/fast/alignment/ensure-flexbox-compatibility-with-initial-values.html
[delete] https://crrev.com/5971e47dc08dbb773f58fd6fb13b1df7917fd295/third_party/WebKit/LayoutTests/fast/alignment/new-alignment-values-invalid-if-grid-not-enabled.html
[add] https://crrev.com/94354e4bc8670a560a273ab24ec6bbf51ff7f622/third_party/WebKit/LayoutTests/fast/alignment/new-alignment-values.html
[modify] https://crrev.com/94354e4bc8670a560a273ab24ec6bbf51ff7f622/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5
Jun 16 2017
ClusterFuzz has detected this issue as fixed in range 479921:479947.

Detailed report: https://clusterfuzz.com/testcase?key=6700704613007360
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Security DCHECK failure
Crash Address:
Crash State:
  value.IsIdentifierValue() in CSSIdentifierValue.h
  blink::StyleBuilderConverter::ConvertContentAlignmentData
  blink::StyleBuilderFunctions::applyValueCSSPropertyAlignContent
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=472654:472665
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=479921:479947
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6700704613007360

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot