New issue
Advanced search Search tips

Issue 792439 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Security DCHECK failure: !object || (object->IsBox()) in LayoutBox.h

Project Member Reported by ClusterFuzz, Dec 6 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4518132034306048

Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Security DCHECK failure
Crash Address: 
Crash State:
  !object || (object->IsBox()) in LayoutBox.h
  blink::LayoutBox::SplitAnonymousBoxesAroundChild
  blink::LayoutTable::AddChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=521668:521678

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4518132034306048

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 6 2017

Components: Blink>DOM Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 6 2017

Labels: Test-Predator-Auto-Owner
Owner: futhark@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/fc5c3629044888b8d723cc11424879bb883d8d3e (Wrap text child of display:contents in anonymous if necessary.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 3 by sheriffbot@chromium.org, Dec 6 2017

Labels: M-64
Project Member

Comment 4 by sheriffbot@chromium.org, Dec 6 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Dec 6 2017

Labels: Pri-1
Status: Started (was: Assigned)
Note that reproducing requires enabling display:contents which is behind a flag. This is done in the repro step by running with --run-layout-test.

Project Member

Comment 8 by ClusterFuzz, Dec 7 2017

Labels: OS-Linux
Project Member

Comment 9 by sheriffbot@chromium.org, Dec 7 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -M-64 M-65
The CL landed after the M64 branch point.
Project Member

Comment 11 by bugdroid1@chromium.org, Dec 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4a7c779ed98e170ce8d51744d59786ad646a80af

commit 4a7c779ed98e170ce8d51744d59786ad646a80af
Author: Rune Lillesveen <futhark@chromium.org>
Date: Mon Dec 11 10:05:04 2017

Add checks for anonymous boxes being of table part.

Anonymous inline wrappers for display:contents were mistakenly assumed
to be anonymous table parts.

Bug:  792439 ,  792946 ,  792550 
Change-Id: Ib7017ff67a8658135d2e08c47f93966d5dbfa5bc
Reviewed-on: https://chromium-review.googlesource.com/817564
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523069}
[modify] https://crrev.com/4a7c779ed98e170ce8d51744d59786ad646a80af/third_party/WebKit/Source/core/layout/LayoutObjectTest.cpp
[modify] https://crrev.com/4a7c779ed98e170ce8d51744d59786ad646a80af/third_party/WebKit/Source/core/layout/LayoutTable.cpp
[modify] https://crrev.com/4a7c779ed98e170ce8d51744d59786ad646a80af/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp

Status: Fixed (was: Started)
Project Member

Comment 13 by sheriffbot@chromium.org, Dec 11 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 14 by ClusterFuzz, Dec 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4518132034306048 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 15 by sheriffbot@chromium.org, Feb 8 2018

Labels: Merge-Request-65
Project Member

Comment 16 by sheriffbot@chromium.org, Feb 9 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review
govind@ - good for 65
Labels: -Merge-Review-65 Merge-Approved-65
Approving merge to M65 branch 3325 based on comment #18. Please merge ASAP so we can pick it up for next week Beta release. Thank you.
Project Member

Comment 20 by sheriffbot@chromium.org, Feb 12 2018

Cc: gov...@chromium.org
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Merge-Approved-65
Cl listed at #11 is already in M65 branch (3325). 
Labels: -ReleaseBlock-Stable
Project Member

Comment 23 by sheriffbot@chromium.org, Mar 19 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 24 by sheriffbot@chromium.org, Mar 27 2018

Labels: -Security_Impact-Beta Security_Impact-Stable

Sign in to add a comment