New issue
Advanced search Search tips

Issue 837946 link

Starred by 1 user
Status: WontFix
Owner:
dmazz...@chromium.org
Closed: May 2018
Cc:
aboxhall@chromium.org
dmazz...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security
Team-Accessibility



Sign in to add a comment

Bad-cast to content::RenderFrameImpl from invalid vptr in test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImpl::CreateParams>::PostAccessibilityEvent

Project Member Reported by ClusterFuzz, Apr 28 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5686981993168896

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x029414ae3b00
Crash State:
  Bad-cast to content::RenderFrameImpl from invalid vptr
  test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImpl::CreateParams>::PostAccessibilityEvent
  blink::AXObjectCacheImpl::PostPlatformNotification
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=527199:527221

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5686981993168896

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Apr 28 2018

Components: Blink>Accessibility
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by sheriffbot@chromium.org, Apr 29 2018

Labels: M-66
Project Member

Comment 3 by sheriffbot@chromium.org, Apr 29 2018

Labels: Pri-1

Comment 4 by tsepez@chromium.org, May 2 2018

Owner: dmazz...@chromium.org
Status: Assigned (was: Untriaged)
dmazzoni@ - could you please take a look or re-assign as appropriate. Thanks!
Project Member

Comment 5 by sheriffbot@chromium.org, May 13 2018 

dmazzoni: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by ClusterFuzz, May 17 2018

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5686981993168896 appears to be flaky, updating reproducibility label.
Project Member

Comment 7 by ClusterFuzz, May 17 2018

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5686981993168896 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 23

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment