This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I think this could likely be related to https://codereview.chromium.org/2695593006. The stack trace includes blink::TraceTrait<blink::Clipboard>::TraceMarkedWrapper

Not sure exactly the best component for this. 

garykac: could you ptal at this security bug? Thanks!

ClusterFuzz has detected this issue as fixed in range 485413:485448.

Detailed report: https://clusterfuzz.com/testcase?key=4773486525677568

Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x7e8626103b50
Crash State:
  blink::EventListenerIterator::NextListener
  blink::EventTarget::TraceWrappers
  blink::TraceTrait<blink::Clipboard>::TraceMarkedWrapper
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=485115:485134
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=485413:485448

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4773486525677568


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4773486525677568 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 744591  has been merged into this issue.

This came up again in  issue 744591 . It may not repro consistently. garykac: could you please take a look? Thanks!

garykac: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

URGENT - PTAL.
Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the M61 branch #3163 ASAP to have enough baking time in Beta before Stable promotion. Thank you!

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.

garykac: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[Bulk Edit]
URGENT - PTAL.
Your bug is labelled as M61 Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP.

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.

Thank you.

The clipboard feature in the cl is not enabled for Stable, so this should not impact the M61 stable release.

I'm still investigating the cause.

mlippautz@, have you seen crashes like this in the past? Is there something we're forgetting to do in the new script wrappable objects?

Actually, yes, I have seen a crasher for EventListener objects just recently (CF). The reason was that Oilpan was not properly tracing event listeners and prematurely collecting memory. We then crash in wrapper tracing when accessing the dangling pointer.

And AFAICS this is the same issue here. Oilpan tracing in [1] should be EventTargetWithInlineData and not EventTarget.

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/clipboard/Clipboard.cpp?l=41

Btw, please cc me on  issue 744591  if that one reproduces reliably. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/88338230f791a91b88db94d0873815f8ce5d180f

commit 88338230f791a91b88db94d0873815f8ce5d180f
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Mon Aug 14 20:43:02 2017

Fix Oilpan tracing of Clipboard

We need to trace EventTargetWithInlineData as otherwise any data in
EventTargetData, e.g.,event listeners are prematurely collected.

Bug:  chromium:740367 
Change-Id: I4136c044f9a78f1901848664a0a4a7834a389562
Reviewed-on: https://chromium-review.googlesource.com/612078
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494172}
[modify] https://crrev.com/88338230f791a91b88db94d0873815f8ce5d180f/third_party/WebKit/Source/core/clipboard/Clipboard.cpp

 Issue 755065  has been merged into this issue.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot