
Issue 766007

Issue metadata

Status: Duplicate
Merged: issue 606594
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug


Heap-use-after-free in test_runner::WebFrameTestClient::DidAddMessageToConsole

Project Member Reported by ClusterFuzz, Sep 17 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5639604190576640

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120000604e8
Crash State:
  test_runner::WebFrameTestClient::DidAddMessageToConsole
  test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImp
  blink::ChromeClientImpl::AddMessageToConsole
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=502229:502259

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5639604190576640

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 18 2017

Labels: M-63
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 18 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 18 2017

Labels: Pri-1

Comment 4 by palmer@chromium.org, Sep 20 2017

Cc: dpranke@chromium.org dmazz...@chromium.org pfeldman@chromium.org
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)
Any chance that this and https://bugs.chromium.org/p/chromium/issues/detail?id=766039 indicate that the bug really is in test_runner?

Note also that content/shell/test_runner/OWNERS refers to a Test>Layout component, but that doesn't seem to be legal in the Components: field below.
I am not sure how much I can trust the saved callstack, but if this is a UaF of |WebFrameTestClient::delegate_| then 1) it seems to be a dupe of issue 606594 and 2) it does indeed seem to be a test-only issue with no impact on the product itself.

Unfortunately, I don't have any good ideas on how to proceed with issue 606594... :-/
Labels: -Security_Impact-Head -ReleaseBlock-Stable Security_Impact-None ReleaseBlock-NA
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 22 2017

Labels: -ReleaseBlock-NA
Project Member

Comment 8 by ClusterFuzz, Oct 1 2017

Components: Blink
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 9 Deleted

Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Friendly ping!
Labels: -Type-Bug-Security -Pri-1 -Restrict-View-SecurityTeam -Security_Impact-None -Security_Severity-High Pri-2 Type-Bug
Removing from the security queue since this is a crash in test code (WebWidgetTestClient), similarly to how issue 808385 was handled.
Mergedinto: 606594
Status: Duplicate (was: Assigned)
Looking at the ClusterFuzz data, it seems that ASAN says that the UaF object was allocated by content/shell/renderer/layout_test/layout_test_content_renderer_client.cc:75:34 here:

  BlinkTestRunner* test_runner = new BlinkTestRunner(render_view);

Based on this, I am fairly confident that this is a dupe of issue 606594.
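The ownership described in the comment above (a BlinkTestRunner allocated per RenderView, referenced from the frame client through a delegate pointer, and then freed while the frame client can still receive a DidAddMessageToConsole callback) is the classic dangling-delegate shape behind a read-after-free. The following C++ is an added illustration of that shape and one way to make the late callback safe; it is not Chromium code, not the fix that eventually landed for issue 606594, and the class names, the Outcome struct, and the use of std::weak_ptr in place of base::WeakPtr are all stand-ins chosen for this example.

```cpp
#include <cassert>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for the delegate interface a frame client calls into.
struct TestRunnerDelegate {
  virtual ~TestRunnerDelegate() = default;
  virtual void OnConsoleMessage(const std::string& message) = 0;
};

// Shape of the bug: the client keeps a raw pointer and is never told when the
// delegate is destroyed, so a console message arriving after teardown reads
// freed memory. This class is kept here to show the pattern; the scenarios
// below only call it while the delegate is still alive.
class RawPtrFrameClient {
 public:
  explicit RawPtrFrameClient(TestRunnerDelegate* delegate) : delegate_(delegate) {}
  void DidAddMessageToConsole(const std::string& message) {
    delegate_->OnConsoleMessage(message);  // UaF once delegate_ has been deleted
  }
 private:
  TestRunnerDelegate* delegate_;
};

// Hardened shape: a weak handle that must be upgraded before use. A message
// that arrives after the delegate is gone is dropped instead of dereferenced.
class WeakPtrFrameClient {
 public:
  explicit WeakPtrFrameClient(std::weak_ptr<TestRunnerDelegate> delegate)
      : delegate_(std::move(delegate)) {}
  // Returns true if the message reached the delegate, false if it was dropped.
  bool DidAddMessageToConsole(const std::string& message) {
    if (auto delegate = delegate_.lock()) {
      delegate->OnConsoleMessage(message);
      return true;
    }
    return false;
  }
 private:
  std::weak_ptr<TestRunnerDelegate> delegate_;
};

// Test double that records what it was handed.
class RecordingRunner : public TestRunnerDelegate {
 public:
  std::vector<std::string> messages;
  void OnConsoleMessage(const std::string& message) override { messages.push_back(message); }
};

struct Outcome {
  size_t delivered_before_teardown;
  bool delivered_after_teardown;
};

// Constructed scenario: one message while the runner is alive, then the runner
// is destroyed (the view goes away), then a late console message arrives.
Outcome RunWeakScenario() {
  auto runner = std::make_shared<RecordingRunner>();
  WeakPtrFrameClient client(runner);
  client.DidAddMessageToConsole("first message");
  size_t before = runner->messages.size();
  runner.reset();  // last owner released: the delegate is deleted here
  bool after = client.DidAddMessageToConsole("late message");  // safely dropped
  return {before, after};
}

// The raw-pointer client behaves identically while the delegate is alive; the
// difference only shows after teardown, which this scenario deliberately avoids.
size_t RunRawScenarioWhileAlive() {
  RecordingRunner runner;
  RawPtrFrameClient client(&runner);
  client.DidAddMessageToConsole("first message");
  return runner.messages.size();
}

int main() {
  Outcome weak = RunWeakScenario();
  std::cout << "weak: delivered before teardown=" << weak.delivered_before_teardown
            << ", delivered after teardown=" << std::boolalpha
            << weak.delivered_after_teardown << "\n";
  std::cout << "raw (delegate alive): delivered=" << RunRawScenarioWhileAlive() << "\n";
  return 0;
}
```

Running the raw-pointer client after the delegate has been deleted is exactly what an ASan build would flag as a heap-use-after-free READ at the delegate_ dereference, which is why the scenario above never does it; the weak-handle variant turns the same late callback into a dropped message.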
Project Member

Comment 14 by ClusterFuzz, Mar 21 2018

ClusterFuzz has detected this issue as fixed in range 544435:544631.

Detailed report: https://clusterfuzz.com/testcase?key=5639604190576640

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120001e2768
Crash State:
  test_runner::WebFrameTestClient::DidAddMessageToConsole
  test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImp
  blink::ChromeClientImpl::AddMessageToConsole
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=502229:502259
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=544435:544631

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5639604190576640

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.