Issue metadata
Heap-use-after-free in blink::LayoutObject::MaybeClearIsScrollAnchorObject |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5091673965854720
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x114e98a459c4
Crash State:
  blink::LayoutObject::MaybeClearIsScrollAnchorObject
  blink::RootFrameViewport::SetLayoutViewport
  blink::PaintLayerScrollableArea::Dispose
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=533688:533710
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5091673965854720
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Feb 12 2018
Issue 811179 has been merged into this issue.
,
Feb 12 2018
szager@, this has introduced multiple security regressions. I see "do not revert" in your CL; please take a look soon to fix this regression. Otherwise, please revert.
,
Feb 12 2018
,
Feb 12 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Feb 12 2018
,
Feb 12 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 12 2018
,
Feb 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/dae6f0ca22561ab9cef4a0e46d37faf67333a460
commit dae6f0ca22561ab9cef4a0e46d37faf67333a460
Author: Stefan Zager <szager@chromium.org>
Date: Tue Feb 13 10:52:43 2018

[RootLayerScrolls] Speculative fix for crasher

The call from PaintLayerScrollableArea::Dispose into TopDocumentRootScrollerController::DidDisposeScrollableArea can call back into the PLSA's ScrollAnchor, which may point to a LayoutObject which has already been deleted. The ScrollAnchor is no longer needed, so clear it out aggressively.

BUG= 811144
R=skobes@chromium.org,bokan@chromium.org
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I2121105ed0b4118f966c25682236649d33d3c055
Reviewed-on: https://chromium-review.googlesource.com/914864
Commit-Queue: Stefan Zager <szager@chromium.org>
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536329}

[modify] https://crrev.com/dae6f0ca22561ab9cef4a0e46d37faf67333a460/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
[modify] https://crrev.com/dae6f0ca22561ab9cef4a0e46d37faf67333a460/third_party/WebKit/Source/core/frame/LocalFrameView.h
[modify] https://crrev.com/dae6f0ca22561ab9cef4a0e46d37faf67333a460/third_party/WebKit/Source/core/layout/ScrollAnchor.cpp
[modify] https://crrev.com/dae6f0ca22561ab9cef4a0e46d37faf67333a460/third_party/WebKit/Source/core/layout/ScrollAnchor.h
[modify] https://crrev.com/dae6f0ca22561ab9cef4a0e46d37faf67333a460/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp
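As an added illustration of the dispose-ordering problem the commit message describes (this is not Blink's code and not the commit above): a ScrollAnchor keeps a raw pointer to a LayoutObject that has already gone away, the controller callback re-enters the anchor during Dispose, and the fix drops the pointer before that callback can fire. All type and function names are hypothetical stand-ins, and reading "clear it out aggressively" as "drop the pointer without dereferencing the object behind it" is an assumption about the fix.

```cpp
// Hypothetical stand-ins for Blink's LayoutObject, ScrollAnchor, PaintLayerScrollableArea
// and TopDocumentRootScrollerController; "deletion" is a flag instead of a real free so a
// use-after-free shows up as a counted stale access rather than undefined behaviour.
struct LayoutObject {
  bool is_scroll_anchor_object = false;
  bool destroyed = false;  // set when the real object would have been deleted
};

struct ScrollAnchor {
  LayoutObject* anchor_object = nullptr;  // raw, non-owning, like Blink's ScrollAnchor
  int stale_uses = 0;                      // would be heap-use-after-free in Blink
  // Mirrors the crash frame: dereferences the anchor object to reset its flag.
  void MaybeClearIsScrollAnchorObject() {
    if (!anchor_object) return;
    if (anchor_object->destroyed) ++stale_uses;
    else anchor_object->is_scroll_anchor_object = false;
  }
  void Clear() { MaybeClearIsScrollAnchorObject(); anchor_object = nullptr; }
  // The fix's idea (assumed): the anchor is no longer needed while disposing, so
  // drop the pointer without touching the possibly already deleted object.
  void Dispose() { anchor_object = nullptr; }
};
struct ScrollableArea;
struct RootScrollerController {
  void DidDisposeScrollableArea(ScrollableArea& area);  // re-enters the area's anchor
};

struct ScrollableArea {
  ScrollAnchor anchor;
  void Dispose(RootScrollerController& controller, bool with_fix) {
    if (with_fix) anchor.Dispose();  // clear before anything can call back in
    controller.DidDisposeScrollableArea(*this);
  }
};
void RootScrollerController::DidDisposeScrollableArea(ScrollableArea& area) {
  area.anchor.Clear();  // in Blink this path ran through RootFrameViewport::SetLayoutViewport
}

// Scenario from the report: the anchored LayoutObject is gone before the area is
// disposed. Returns how many stale accesses the disposal performed.
int StaleUsesDuringDispose(bool with_fix) {
  LayoutObject node;
  node.is_scroll_anchor_object = true;
  ScrollableArea area;
  area.anchor.anchor_object = &node;
  node.destroyed = true;  // the layout tree tore the node down first
  RootScrollerController controller;
  area.Dispose(controller, with_fix);
  return area.anchor.stale_uses;  // 1 without the fix, 0 with it
}
```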
,
Feb 13 2018
,
Feb 14 2018
ClusterFuzz has detected this issue as fixed in range 536325:536340.

Detailed report: https://clusterfuzz.com/testcase?key=5091673965854720
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x114e98a459c4
Crash State:
  blink::LayoutObject::MaybeClearIsScrollAnchorObject
  blink::RootFrameViewport::SetLayoutViewport
  blink::PaintLayerScrollableArea::Dispose
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=533688:533710
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=536325:536340
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5091673965854720
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 14 2018
ClusterFuzz testcase 5091673965854720 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Feb 14 2018
,
Mar 27 2018
,
Mar 28 2018
,
Apr 27 2018
,
Apr 27 2018
This bug requires manual review: M67 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 27 2018
The fix in #9 landed in M66, so I'm not sure why SheriffBot added a merge request. https://storage.googleapis.com/chromium-find-releases-static/dae.html#dae6f0ca22561ab9cef4a0e46d37faf67333a460
,
Apr 27 2018
+awhalley@ for M67 merge review.
,
Apr 27 2018
Removing "Merge-Review-67" label per comment #18.
,
May 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 12 2018