Null-dereference READ in blink::KURL::ComponentStringView
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6265257961193472 Fuzzer: j00ru_htmlcss_fuzz Job Type: windows_asan_chrome_no_sandbox Platform Id: windows Crash Type: Null-dereference READ Crash Address: 0x00000140 Crash State: blink::KURL::ComponentStringView blink::KURL::User blink::FrameFetchContext::ShouldBlockFetchAsCredentialedSubresource Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=479114:479249 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6265257961193472 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 20 2017
This crash is seen on the latest Windows Canary (61.0.3135.0); 2 instances from 2 clients have been seen so far. Stack trace: ----------- Thread 0 (id: 6976) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000220 ] MAGIC SIGNATURE THREAD Stack Quality97%Show frame trust levels 0x00007ffa42851f16 (chrome_child.dll -kurl.cpp:845 ) blink::KURL::ComponentStringView(url::Component const &) 0x00007ffa42851e86 (chrome_child.dll -kurl.cpp:862 ) blink::KURL::ComponentString(url::Component const &) 0x00007ffa42bef555 (chrome_child.dll -kurl.cpp:391 ) blink::KURL::User() 0x00007ffa43022949 (chrome_child.dll -framefetchcontext.cpp:943 ) blink::FrameFetchContext::ShouldBlockFetchAsCredentialedSubresource(blink::ResourceRequest const &,blink::KURL const &) 0x00007ffa428e9381 (chrome_child.dll -basefetchcontext.cpp:263 ) blink::BaseFetchContext::CanRequestInternal(blink::Resource::Type,blink::ResourceRequest const &,blink::KURL const &,blink::ResourceLoaderOptions const &,blink::SecurityViolationReportingPolicy,blink::FetchParameters::OriginRestriction,blink::ResourceRequest::RedirectStatus) 0x00007ffa42b53b5a (chrome_child.dll -basefetchcontext.cpp:53 ) blink::BaseFetchContext::CanRequest(blink::Resource::Type,blink::ResourceRequest const &,blink::KURL const &,blink::ResourceLoaderOptions const &,blink::SecurityViolationReportingPolicy,blink::FetchParameters::OriginRestriction) 0x00007ffa42950072 (chrome_child.dll -resourcefetcher.cpp:566 ) blink::ResourceFetcher::PrepareRequest(blink::FetchParameters &,blink::ResourceFactory const &,blink::SubstituteData const &,unsigned long,blink::ResourceRequestBlockedReason &) 0x00007ffa429329fb (chrome_child.dll -resourcefetcher.cpp:607 ) blink::ResourceFetcher::RequestResource(blink::FetchParameters &,blink::ResourceFactory const &,blink::SubstituteData const &) 0x00007ffa427d28a2 (chrome_child.dll -rawresource.cpp:83 ) blink::RawResource::FetchMainResource(blink::FetchParameters &,blink::ResourceFetcher *,blink::SubstituteData const &) 
0x00007ffa42966977 (chrome_child.dll -documentloader.cpp:873 ) blink::DocumentLoader::StartLoading() 0x00007ffa42966c75 (chrome_child.dll -frameloader.cpp:1464 ) blink::FrameLoader::StartLoad(blink::FrameLoadRequest &,blink::FrameLoadType,blink::NavigationPolicy,blink::HistoryItem *) 0x00007ffa42966826 (chrome_child.dll -frameloader.cpp:897 ) blink::FrameLoader::Load(blink::FrameLoadRequest const &,blink::FrameLoadType,blink::HistoryItem *,blink::HistoryLoadType) 0x00007ffa4296233d (chrome_child.dll -weblocalframeimpl.cpp:1744 ) blink::WebLocalFrameImpl::CreateChildFrame(blink::FrameLoadRequest const &,WTF::AtomicString const &,blink::HTMLFrameOwnerElement *) 0x00007ffa4296203c (chrome_child.dll -htmlframeownerelement.cpp:297 ) blink::HTMLFrameOwnerElement::LoadOrRedirectSubframe(blink::KURL const &,WTF::AtomicString const &,bool) 0x00007ffa42c66e15 (chrome_child.dll -htmlframeelementbase.cpp:112 ) blink::HTMLFrameElementBase::OpenURL(bool) 0x00007ffa42c66d43 (chrome_child.dll -htmlframeelementbase.cpp:205 ) blink::HTMLFrameElementBase::DidNotifySubtreeInsertionsToDocument() 0x00007ffa4283b7ae (chrome_child.dll -containernode.cpp:864 ) blink::ContainerNode::NotifyNodeInserted(blink::Node &,blink::ContainerNode::ChildrenChangeSource) 0x00007ffa4283b68a (chrome_child.dll -containernode.cpp:840 ) blink::ContainerNode::ParserAppendChild(blink::Node *) 0x00007ffa4283b5ce (chrome_child.dll -htmlconstructionsite.cpp:111 ) blink::Insert 0x00007ffa42812316 (chrome_child.dll -htmltreebuilder.cpp:325 ) blink::HTMLTreeBuilder::ConstructTree(blink::AtomicHTMLToken *) 0x00007ffa42951f08 (chrome_child.dll -htmldocumentparser.cpp:750 ) blink::HTMLDocumentParser::ConstructTreeFromHTMLToken() 0x00007ffa42811845 (chrome_child.dll -htmldocumentparser.cpp:704 ) blink::HTMLDocumentParser::PumpTokenizer() 0x00007ffa42951560 (chrome_child.dll -htmldocumentparser.cpp:265 ) blink::HTMLDocumentParser::PumpTokenizerIfPossible() 0x00007ffa42c3882e (chrome_child.dll -htmldocumentparser.cpp:796 
) blink::HTMLDocumentParser::insert(blink::SegmentedString const &) 0x00007ffa42c386c9 (chrome_child.dll -document.cpp:3420 ) blink::Document::write(blink::SegmentedString const &,blink::Document *,blink::ExceptionState &) 0x00007ffa42c38584 (chrome_child.dll -document.cpp:3426 ) blink::Document::write(WTF::String const &,blink::Document *,blink::ExceptionState &) 0x00007ffa42c38506 (chrome_child.dll -document.cpp:3445 ) blink::Document::write(blink::LocalDOMWindow *,WTF::Vector<WTF::String,0,WTF::PartitionAllocator> const &,blink::ExceptionState &) 0x00007ffa42c38430 (chrome_child.dll -v8document.cpp:3664 ) blink::DocumentV8Internal::writeMethod 0x00007ffa42c382b5 (chrome_child.dll -v8document.cpp:5885 ) blink::V8Document::writeMethodCallback(v8::FunctionCallbackInfo<v8::Value> const &) 0x00007ffa427b1c34 (chrome_child.dll -builtins-api.cc:112 ) v8::internal::`anonymous namespace'::HandleApiCallHelper<0> 0x00007ffa427b0a5c (chrome_child.dll -builtins-api.cc:142 ) v8::internal::Builtin_Impl_HandleApiCall 0x00007ffa427b096d (chrome_child.dll -builtins-api.cc:130 ) v8::internal::Builtin_HandleApiCall(int,v8::internal::Object * *,v8::internal::Isolate *) 0x00000089852847a0 Link to the list of builds: -------------------------- https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3AKURL%3A%3AComponentStringView%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productname,processtype,magicsignature Could someone from the dev team please look into this issue? Thanks.
,
Jun 20 2017
Users experienced this crash on the following builds: Win Canary 61.0.3135.0 - 0.22 CPM, 4 reports, 4 clients (signature blink::KURL::ComponentStringView) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Jun 21 2017
,
Jun 22 2017
,
Jun 23 2017
Suspecting https://chromium.googlesource.com/chromium/src/+/0ae6b276afc7f7fb1a5adec900717ce03cb83eaf (Allow embedded credentials for relative URLs.) mkwst@, could you take a look?
,
Jun 26 2017
Issue 733176 has been merged into this issue.
,
Jun 26 2017
Issue 733904 has been merged into this issue.
,
Jun 26 2017
Mind taking a look at this, Daniel? One approach would be to teach the getter in `FrameFetchContext::URL` to deal with a missing document by returning `KURL()`.
,
Jun 26 2017
Users experienced this crash on the following builds: Android Dev 61.0.3136.4 - 1.77 CPM, 36 reports, 7 clients (signature ComponentStringView) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Jun 27 2017
This crash still exists in the latest Canary (61.0.3142.0); it would be great to have a fix ASAP.
,
Jun 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/47f802227d3d74f8535df2d17f46d6cce75228c8 commit 47f802227d3d74f8535df2d17f46d6cce75228c8 Author: Daniel Vogelheim <vogelheim@chromium.org> Date: Wed Jun 28 12:41:55 2017 Ensure FrameFetchContext::Url() works if !document_. When created via CreateFetcherFromDocumentLoader, the context will have neither a document_ nor a frozen_state_. Url() needs to return something vaguely useful in this case. Bug: 733147 Change-Id: I86532eb2234d74cf6fc9055ed0fc331a939b75ce Reviewed-on: https://chromium-review.googlesource.com/549638 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#482959} [add] https://crrev.com/47f802227d3d74f8535df2d17f46d6cce75228c8/third_party/WebKit/LayoutTests/fast/loader/object-with-rejected-resource-expected.txt [add] https://crrev.com/47f802227d3d74f8535df2d17f46d6cce75228c8/third_party/WebKit/LayoutTests/fast/loader/object-with-rejected-resource.html [modify] https://crrev.com/47f802227d3d74f8535df2d17f46d6cce75228c8/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp [modify] https://crrev.com/47f802227d3d74f8535df2d17f46d6cce75228c8/third_party/WebKit/Source/platform/weborigin/KURL.cpp [modify] https://crrev.com/47f802227d3d74f8535df2d17f46d6cce75228c8/third_party/WebKit/Source/platform/weborigin/KURL.h
,
Jun 28 2017
,
Jun 29 2017
ClusterFuzz has detected this issue as fixed in range 482716:483036. Detailed report: https://clusterfuzz.com/testcase?key=6265257961193472 Fuzzer: j00ru_htmlcss_fuzz Job Type: windows_asan_chrome_no_sandbox Platform Id: windows Crash Type: Null-dereference READ Crash Address: 0x00000140 Crash State: blink::KURL::ComponentStringView blink::KURL::User blink::FrameFetchContext::ShouldBlockFetchAsCredentialedSubresource Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=479114:479249 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=482716:483036 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6265257961193472 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 9 2017
Crashes on Android stopped after 61.0.3142.0
Comment 1 by ClusterFuzz
, Jun 14 2017