Issue 793649

Issue metadata

Status: Fixed
Closed: Dec 2017
OS: Linux, Windows, Mac
Pri: 1
Type: Bug

Null-dereference READ in blink::SecurityOrigin::IsolatedCopy

Reported by ClusterFuzz (Project Member), Dec 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5751196475457536

Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::SecurityOrigin::IsolatedCopy
  blink::WebLocalFrameImpl::SetIsolatedWorldSecurityOrigin
  test_runner::TestRunnerForSpecificView::SetIsolatedWorldSecurityOrigin
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=522513:522516

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5751196475457536

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Dec 10 2017

Labels: OS-Mac
Cc: kkaluri@chromium.org
Components: Blink
Labels: M-65 Test-Predator-Wrong
Owner: hirosh...@chromium.org
Status: Assigned (was: Untriaged)
With reference to the following Issue 792890, assigning it to the concerned owner.

@hiroshige -- Could you please look into this issue? Kindly reassign it if it has nothing to do with your changes.

Thanks.
Issue 793632 has been merged into this issue.
Comment 4 by ClusterFuzz (Project Member), Dec 11 2017

Labels: OS-Windows
Components: -Blink Blink>JavaScript
Comment 6 by ClusterFuzz (Project Member), Dec 13 2017

Components: Blink>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Status: Started (was: Assigned)
The report suggests that security_origin.Get() is null in WebLocalFrameImpl::SetIsolatedWorldSecurityOrigin(), but I couldn't reproduce it locally.
Anyway adding a null check:
https://chromium-review.googlesource.com/c/chromium/src/+/825653

Components: -Blink>JavaScript -Blink>Internals Blink>SecurityFeature>SameOriginPolicy
Comment 9 by bugdroid1@chromium.org (Project Member), Dec 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ec7630cce5aef96c1b5386895541790cd52886e5

commit ec7630cce5aef96c1b5386895541790cd52886e5
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Sat Dec 16 00:59:43 2017

Add a null check in WebLocalFrameImpl::SetIsolatedWorldSecurityOrigin()

https://chromium-review.googlesource.com/752006 added an IsolatedCopy()
call but the SecurityOrigin can be null when
WebLocalFrameImpl::SetIsolatedWorldSecurityOrigin() is called from
TestRunnerForSpecificView::SetIsolatedWorldSecurityOrigin().

Bug: 793649, 779730
Change-Id: I017eec29cc6c8cc9a753181c9b6f335569cccb9f
Reviewed-on: https://chromium-review.googlesource.com/825653
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524542}
[modify] https://crrev.com/ec7630cce5aef96c1b5386895541790cd52886e5/third_party/WebKit/Source/core/frame/WebLocalFrameImpl.cpp

Status: Fixed (was: Started)
Should be fixed. (ClusterFuzz's FIXED REVISION RANGE is wrong though; perhaps the crash is flaky on ClusterFuzz.)
