Heap-use-after-free in blink::Text::TextLayoutObjectIsNeeded
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6568209275944960

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0xc940d420
Crash State:
  blink::Text::TextLayoutObjectIsNeeded
  blink::Text::AttachLayoutTree
  blink::ContainerNode::AttachLayoutTree

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=483672:483684

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6568209275944960

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Jul 1 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 1 2017

Jul 2 2017

Jul 3 2017
Likely dupe of Issue 738590? https://chromium.googlesource.com/chromium/src/+/7c44da721a59e6aa0b9fdcddb314175cb1e0123f looks likely.
Jul 4 2017
Issue 738590 has been merged into this issue.
Jul 4 2017

Jul 4 2017
rune@, could you take a look?
Jul 4 2017
There's a deleted previous_in_flow in the AttachContext during layout tree attachment.
Jul 4 2017
This is because the previous_in_flow can be set before the synchronous ReattachLayoutTree() in AttachLayoutTree() for ImageInputType, HTMLObjectElement and HTMLImageElement.
Jul 5 2017

Jul 5 2017

Jul 6 2017
Published for review now.
Jul 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/78551960460fbafad62ca74726e1f697c659b7d3

commit 78551960460fbafad62ca74726e1f697c659b7d3
Author: Rune Lillesveen <rune@opera.com>
Date: Fri Jul 07 07:07:30 2017

Handle re-entrant AttachLayoutTree for the same node.

Lazy whitespace re-attachment introduced tracking of the last seen in-flow box in AttachContext. We have three places where we may end up calling AttachLayoutTree from AttachLayoutTree for the same element[1] causing re-entrancy issues for AttachContext. The AttachContext would keep a pointer to the LayoutObject created by the outer AttachLayoutTree while that may have been deleted by the inner AttachLayoutTree.

Here we store the passed-in AttachContext on a SyncReattachContext stack and pass it, with the previous in-flow restored, when re-entering ReattachLayoutTree().

[1] This typically happens when we find out that a resource won't load while attaching the layout object and we immediately decide to render fallback content.

Bug: 738596
Change-Id: I978f77fbaa481a713b21ece92aabac39d37af450
Reviewed-on: https://chromium-review.googlesource.com/560836
Reviewed-by: meade_UTC10 <meade@chromium.org>
Commit-Queue: Rune Lillesveen <rune@opera.com>
Cr-Commit-Position: refs/heads/master@{#484847}

[add] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/LayoutTests/fast/forms/image/fallback-reattach-crash.html
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/dom/BUILD.gn
[add] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/dom/SyncReattachContext.cpp
[add] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/dom/SyncReattachContext.h
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/html/HTMLImageElement.cpp
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/html/HTMLInputElement.cpp
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/html/HTMLObjectElement.cpp
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/html/HTMLObjectElement.h
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/html/HTMLPlugInElement.h
[modify] https://crrev.com/78551960460fbafad62ca74726e1f697c659b7d3/third_party/WebKit/Source/core/html/forms/ImageInputType.cpp
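The re-entrancy pattern described in the Jul 4 comments and in the commit message above (an outer attach records a pointer in a shared context, a synchronous re-attach of the same node frees and recreates the object, and the outer context is left pointing at freed memory) is illustrated below with a toy model. This is an added example, not Blink's code: the registry, the `fixed` flag and the integer ids standing in for LayoutObject pointers are all assumptions of the model, chosen so the stale reference is detected by lookup rather than by dereferencing freed memory. The `fixed` path mirrors the commit's approach of handing the outer AttachContext, with its previous in-flow restored, to the re-entrant attach through a scoped stack.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <vector>

// Toy model (hypothetical, not Blink code). Layout objects are plain integer
// ids and a registry records which ids are still alive, so a stale reference
// is detected by lookup rather than by touching freed memory.
struct LayoutRegistry {
  std::map<uint64_t, bool> alive;
  uint64_t next_id = 1;
  uint64_t Create() { alive[next_id] = true; return next_id++; }
  void Destroy(uint64_t id) { alive[id] = false; }
  bool IsAlive(uint64_t id) const {
    auto it = alive.find(id);
    return it != alive.end() && it->second;
  }
};

// Stand-in for AttachContext: remembers the last in-flow box seen so far.
struct AttachContext {
  uint64_t previous_in_flow = 0;  // 0 means "none yet"
};

// Stand-in for an element such as <img>, <object> or <input type=image>.
struct Node {
  bool resource_fails = false;      // resource turns out not to load
  bool rendering_fallback = false;  // fallback content already chosen
  uint64_t layout_object = 0;
};

// Stand-in for the SyncReattachContext stack added by the fix: a scoped
// holder that makes the outer context available to a re-entrant attach.
class SyncReattachContext {
 public:
  explicit SyncReattachContext(AttachContext* ctx) { stack_.push_back(ctx); }
  ~SyncReattachContext() { stack_.pop_back(); }
  static AttachContext* Current() {
    return stack_.empty() ? nullptr : stack_.back();
  }
 private:
  static std::vector<AttachContext*> stack_;
};
std::vector<AttachContext*> SyncReattachContext::stack_;

void AttachLayoutTree(Node& n, AttachContext& ctx, LayoutRegistry& reg, bool fixed);

// Synchronous detach + attach of the same node.
void ReattachLayoutTree(Node& n, LayoutRegistry& reg, bool fixed) {
  reg.Destroy(n.layout_object);  // the object the outer attach just created
  n.layout_object = 0;
  if (fixed && SyncReattachContext::Current()) {
    // Fixed: re-enter with the outer context, whose previous_in_flow was
    // restored by the caller, so it ends up recording the new object.
    AttachLayoutTree(n, *SyncReattachContext::Current(), reg, fixed);
  } else {
    // Buggy: a fresh context; the outer one still holds the destroyed id.
    AttachContext fresh;
    AttachLayoutTree(n, fresh, reg, fixed);
  }
}

void AttachLayoutTree(Node& n, AttachContext& ctx, LayoutRegistry& reg, bool fixed) {
  uint64_t saved = ctx.previous_in_flow;
  n.layout_object = reg.Create();
  ctx.previous_in_flow = n.layout_object;  // recorded before the fallback decision
  if (n.resource_fails && !n.rendering_fallback) {
    n.rendering_fallback = true;  // resource won't load: render fallback now
    if (fixed) {
      ctx.previous_in_flow = saved;    // undo this node's entry before re-entering
      SyncReattachContext scope(&ctx);
      ReattachLayoutTree(n, reg, fixed);
    } else {
      ReattachLayoutTree(n, reg, fixed);
    }
  }
}

// Attach a failing element, then ask what a following text node's
// "is a layout object needed?" check would see in the context. Returns true
// when the context refers to an already-destroyed layout object.
bool ContextReferencesFreedObject(bool fixed) {
  LayoutRegistry reg;
  AttachContext ctx;
  Node img;
  img.resource_fails = true;
  AttachLayoutTree(img, ctx, reg, fixed);
  return ctx.previous_in_flow != 0 && !reg.IsAlive(ctx.previous_in_flow);
}

int main() {
  std::cout << "buggy path references freed object: "
            << ContextReferencesFreedObject(false) << "\n"
            << "fixed path references freed object: "
            << ContextReferencesFreedObject(true) << "\n";
  return 0;
}
```

The check in `ContextReferencesFreedObject` plays the role of the sibling text node's `TextLayoutObjectIsNeeded` consulting the previous in-flow box; in the real tree that consultation is the read ASan flagged. The model is deliberately the simplest shape that reproduces the ordering problem from the Jul 4 comment: the context entry is written before the fallback decision, so any re-attach that follows must either reuse that context or invalidate the entry.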
Jul 7 2017

Jul 7 2017

Jul 8 2017
ClusterFuzz has detected this issue as fixed in range 484843:484851.

Detailed report: https://clusterfuzz.com/testcase?key=6568209275944960

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0xc940d420
Crash State:
  blink::Text::TextLayoutObjectIsNeeded
  blink::Text::AttachLayoutTree
  blink::ContainerNode::AttachLayoutTree

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=483672:483684
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=484843:484851

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6568209275944960

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 24 2017

Jul 26 2017

Oct 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot