
Issue 777150

Bad-cast to blink::LayoutBox from blink::LayoutInline;blink::AXLayoutObject::AccessibilityHitTest;blink::WebAXObject::HitTest

Project Member Reported by ClusterFuzz, Oct 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5683646647500800

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x26b41802c000
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutInline
  blink::AXLayoutObject::AccessibilityHitTest
  blink::WebAXObject::HitTest
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=370022:370027

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5683646647500800

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Oct 21 2017

Components: Blink>Accessibility Blink>Internals>Modularization
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Oct 21 2017

Labels: Test-Predator-AutoOwner
Owner: thakis@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7d9f5804e4cc4bb6cc55133137a6e2060aa106b7 (roll clang 255169:257953).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Comment 3 by sheriffbot@chromium.org (Project Member), Oct 22 2017

Labels: M-62
Comment 4 by sheriffbot@chromium.org (Project Member), Oct 22 2017

Labels: Pri-1

Comment 5 by vakh@chromium.org, Nov 2 2017

Cc: nek...@chromium.org dmazz...@chromium.org aleventhal@chromium.org
Labels: Test-Predator-Wrong-CLs
Owner: ----
thakis's CL does not seem to be the correct CL.
nektar@, dmazzoni@, aleventhal@: please help triage this better. thanks.

Comment 6 by vakh@chromium.org, Nov 2 2017

Status: Available (was: Assigned)

Comment 7 by vakh@chromium.org, Nov 6 2017

Cc: tkent@chromium.org nverne@chromium.org
tkent@chromium.org, nverne@chromium.org -- can you please help triage this bug? thanks.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
Owner: nverne@chromium.org
Status: Assigned (was: Available)
Comment 11 by sheriffbot@chromium.org (Project Member), Nov 8 2017

nverne: Uh oh! This issue still open and hasn't been updated in the last 17 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Friendly ping from security sheriff. Please take a look at this High severity issue. We should deploy the patch to all Chrome users in under 60 days as per [1], and 25 days have already passed.


[1]: https://www.chromium.org/developers/severity-guidelines
Owner: dmazz...@chromium.org
This is definitely not my bug. The line in question is
https://codesearch.chromium.org/chromium/src/third_party/WebKit/Source/modules/accessibility/AXLayoutObject.cpp?q=AccessibilityHitTest&sq=package:chromium&l=1437
This is the bad cast.

Assigning to dmazzoni@ who can pass it on to the right person.
Comment 14 by sheriffbot@chromium.org (Project Member), Nov 22 2017

dmazzoni: Uh oh! This issue still open and hasn't been updated in the last 31 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
Any progress? I want to make sure we don't blow the deadline. Thanks.

Also, does this bug affect platforms other than Linux? I'd assume it potentially affects all Blink platforms, right?
Comment 16 by sheriffbot@chromium.org (Project Member), Dec 7 2017

Labels: -M-62 M-63
Status: Started (was: Assigned)
I don't think we currently have a way that this bad cast could be
triggered on the open web, we only call hit test on the LayoutView.
But it was possible to trigger this bad cast from a test, so we should
fix it.

https://chromium-review.googlesource.com/c/chromium/src/+/827528

Comment 18 by bugdroid1@chromium.org (Project Member), Dec 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b324e0140b97c11b7fe580336c050d6e2afce169

commit b324e0140b97c11b7fe580336c050d6e2afce169
Author: Dominic Mazzoni <dmazzoni@chromium.org>
Date: Thu Dec 14 20:46:45 2017

Fix bad cast in AXLayoutObject::AccessibilityHitTest

I don't think we currently have a way that this bad cast could be
triggered on the open web, we only call hit test on the LayoutView.
But it was possible to trigger this bad cast from a test, so we should
fix it.

Bug: 777150
Change-Id: I8ec81a4a86edd5956936a480e2733e6bee9a5865
Reviewed-on: https://chromium-review.googlesource.com/827528
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524166}
[modify] https://crrev.com/b324e0140b97c11b7fe580336c050d6e2afce169/third_party/WebKit/Source/modules/accessibility/AXLayoutObject.cpp
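As an added illustration, not Chromium's code and not the change in the commit above, the C++ sketch below mirrors the shape of this bug class: a miniature layout hierarchy whose class names echo Blink's but whose bodies are hypothetical, an unchecked static_cast of the kind UBSan's -fsanitize=vptr reports as "Bad-cast to LayoutBox from LayoutInline" when the object is really an inline, and a checked variant that tests the dynamic type before downcasting. The hit-test logic and rectangles are constructed for the example only.

```cpp
// Added illustration (not Chromium code). Names mirror Blink's LayoutObject
// hierarchy; the bodies, the rectangle fields and the hit-test logic are
// hypothetical and exist only to show the unchecked-downcast pattern.
#include <cassert>

struct LayoutObject {
    virtual ~LayoutObject() = default;
    virtual bool IsBox() const { return false; }
    virtual bool IsLayoutView() const { return false; }
};

// Boxes carry the rectangle that a hit test needs.
struct LayoutBox : LayoutObject {
    int x, y, width, height;
    LayoutBox(int x_, int y_, int w, int h) : x(x_), y(y_), width(w), height(h) {}
    bool IsBox() const override { return true; }
    bool Contains(int px, int py) const {
        return px >= x && px < x + width && py >= y && py < y + height;
    }
};

// The root box. Comment 17 notes that the accessibility path only hit-tests
// the LayoutView, which is why the bug was reachable from a test but not
// believed reachable from the open web.
struct LayoutView : LayoutBox {
    using LayoutBox::LayoutBox;
    bool IsLayoutView() const override { return true; }
};

// Inline objects are not boxes: no rectangle, a different object layout.
struct LayoutInline : LayoutObject {
    const char* text;
    explicit LayoutInline(const char* t) : text(t) {}
};

enum class HitResult { kHit, kMiss, kNotABox };

// The buggy shape: trust the caller and downcast without checking the type.
// Reading box->x on a LayoutInline reads past the inline's real fields;
// -fsanitize=vptr catches the cast itself (the "Bad-cast" in the report).
// Only ever call this with an object that really is a LayoutBox.
HitResult UncheckedHitTest(LayoutObject* obj, int px, int py) {
    auto* box = static_cast<LayoutBox*>(obj);  // no IsBox() check
    return box->Contains(px, py) ? HitResult::kHit : HitResult::kMiss;
}

// The hardened shape: verify the dynamic type before the downcast and
// fail closed on anything else, including a null object.
HitResult CheckedHitTest(LayoutObject* obj, int px, int py) {
    if (!obj || !obj->IsBox())
        return HitResult::kNotABox;
    auto* box = static_cast<LayoutBox*>(obj);
    return box->Contains(px, py) ? HitResult::kHit : HitResult::kMiss;
}

int main() {
    LayoutView view(0, 0, 100, 50);
    LayoutInline inline_obj("text");
    assert(CheckedHitTest(&view, 10, 10) == HitResult::kHit);
    assert(CheckedHitTest(&inline_obj, 10, 10) == HitResult::kNotABox);
    return 0;
}
```

Building the unchecked variant with clang's -fsanitize=vptr and passing it a LayoutInline produces the same class of report ClusterFuzz filed here; the checked variant never performs the cast on a non-box, so the sanitizer has nothing to flag.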

Labels: -M-63
Status: Fixed (was: Started)
Removing milestone; since I don't believe this is possible to exploit, there's no need to merge.

Comment 20 by ClusterFuzz (Project Member), Dec 15 2017

ClusterFuzz has detected this issue as fixed in range 524153:524180.

Detailed report: https://clusterfuzz.com/testcase?key=5683646647500800

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x26b41802c000
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutInline
  blink::AXLayoutObject::AccessibilityHitTest
  blink::WebAXObject::HitTest
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=370022:370027
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=524153:524180

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5683646647500800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 21 by ClusterFuzz (Project Member), Dec 15 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5683646647500800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 22 by sheriffbot@chromium.org (Project Member), Dec 15 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 23 by sheriffbot@chromium.org (Project Member), Mar 24 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
