Crash in blink::HTMLFrameElementBase::DidNotifySubtreeInsertionsToDocument
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5876122314342400
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0xe9912080
Crash State:
  blink::HTMLFrameElementBase::DidNotifySubtreeInsertionsToDocument
  blink::ContainerNode::DidInsertNodeVector
  blink::ContainerNode::InsertBefore
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=448729:448971
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5876122314342400
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 14 2017
This is a SECURITY_CHECK() failure. So this is not vulnerable.
Jun 15 2017
hiroshige, FYI. This is caused by recursive synchronous 'load' events.
Jun 15 2017
I found that
- the synchronous 'load' event was not the culprit. If we make the 'load' event asynchronous, the repro case in the CF entry won't crash. However, it won't fix the root issue.
- My CL was not the culprit. The following minimum repro should crash without my CL.
<body>
<script>
var iframe1;
window.onload = function() {
  var fragment = document.createDocumentFragment();
  var script = fragment.appendChild(document.createElement('script'));
  iframe1 = fragment.appendChild(document.createElement('iframe'));
  fragment.appendChild(document.createTextNode('foo'));
  script.textContent = 'document.body.appendChild(iframe1);';
  document.body.appendChild(fragment);
};
</script>
</body>
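The repro above hinges on a re-entrancy hazard: when a DocumentFragment is appended, its children are first moved under the new parent and only then is each one notified of insertion (the DidInsertNodeVector / DidNotifySubtreeInsertionsToDocument pair in the crash state). The inline script's notification runs synchronously and re-appends the sibling iframe before the iframe's own pending notification has fired, so the iframe is notified twice and the SECURITY_CHECK trips. The following toy model is an added example, not Blink or Chromium code: all class and function names are invented, the `'strict'` policy stands in for the SECURITY_CHECK behaviour, and the `'recheck'` policy (skip snapshot entries that a nested insertion has already handled) is one defensive option assumed for illustration, not necessarily the fix that actually landed.

```javascript
// Added example (not Blink or Chromium code; names are invented): a toy model
// of DOM fragment insertion in which each inserted node gets a synchronous
// "inserted into document" callback after all nodes have been moved. It shows
// why a callback that re-appends a not-yet-notified sibling violates the
// "notify each node exactly once" invariant, and one defensive re-check.

class Node {
  constructor(name) {
    this.name = name;
    this.parent = null;
    this.children = [];
    this.attached = false;  // set once the node has been notified of insertion
    this.onInserted = null; // synchronous hook, like an inline <script> running on insertion
  }
}

// Remove `node` from its parent; models the removal notification that
// clears the node's attached state.
function detach(node) {
  if (!node.parent) return;
  const siblings = node.parent.children;
  siblings.splice(siblings.indexOf(node), 1);
  node.parent = null;
  node.attached = false;
}

// Phase 1 moves every node under `parent`; phase 2 walks the snapshot vector
// and notifies each node. Callbacks run synchronously and may re-enter.
// policy 'strict' treats a stale entry as a SECURITY_CHECK-style failure;
// policy 'recheck' skips entries already handled by a nested insertion
// (a defensive choice assumed here, not the fix Chromium actually landed).
function insertChildren(parent, nodes, policy) {
  for (const n of nodes) {
    detach(n);
    n.parent = parent;
    parent.children.push(n);
  }
  const log = [];
  for (const n of nodes) {
    const stale = n.parent !== parent || n.attached;
    if (stale && policy === 'recheck') { log.push(`skip ${n.name}`); continue; }
    if (stale) throw new Error(`SECURITY_CHECK failed: ${n.name} already attached or moved`);
    n.attached = true;
    log.push(`attach ${n.name}`);
    if (n.onInserted) n.onInserted(n);
  }
  return log;
}

function appendChild(parent, node, policy) {
  return insertChildren(parent, [node], policy);
}

function appendFragment(parent, fragment, policy) {
  // Snapshot the fragment's children before moving them.
  return insertChildren(parent, [...fragment.children], policy);
}

// Rebuild the scenario from the repro: script, iframe and text node in a
// fragment; the script's callback re-appends the iframe into body while the
// fragment's own insertion notifications are still running.
function runScenario(policy) {
  const doc = new Node('#document');
  const body = new Node('body');
  appendChild(doc, body, policy);
  const fragment = new Node('#fragment');
  const script = new Node('script');
  const iframe = new Node('iframe');
  const text = new Node('#text');
  for (const n of [script, iframe, text]) { n.parent = fragment; fragment.children.push(n); }
  script.onInserted = () => appendChild(body, iframe, policy);
  try {
    const log = appendFragment(body, fragment, policy);
    return { ok: true, log, iframeAttached: iframe.attached, bodyOrder: body.children.map(n => n.name) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log(runScenario('strict'));   // ok: false, SECURITY_CHECK failed for iframe
console.log(runScenario('recheck'));  // ok: true, iframe notified once by the nested insertion
```

Under `'strict'` the outer loop reaches the iframe after the nested append has already attached it and fails exactly where the real SECURITY_CHECK does; under `'recheck'` the stale entry is skipped and the iframe still ends up attached once, at the end of body. The general lesson for anyone writing insertion or observer logic over a snapshot: any synchronous callback can invalidate the snapshot, so each entry must be re-validated against live state before it is acted on.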
Jun 15 2017
Add jochen@ and dcheng@, who might review a fix.

Jun 15 2017
Also see issue 631151.

Jun 16 2017
ClusterFuzz has detected this issue as fixed in range 479633:479657.
Detailed report: https://clusterfuzz.com/testcase?key=5876122314342400
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0xe9912080
Crash State:
  blink::HTMLFrameElementBase::DidNotifySubtreeInsertionsToDocument
  blink::ContainerNode::DidInsertNodeVector
  blink::ContainerNode::InsertBefore
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=448729:448971
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=479633:479657
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5876122314342400
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by est...@chromium.org, Jun 14 2017
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)