Heap-use-after-free in blink::LayoutObject::WillBeDestroyed |
||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5362818275344384 Fuzzer: mbarbella_webcomponents Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x611000035da0 Crash State: blink::LayoutObject::WillBeDestroyed blink::LayoutBoxModelObject::WillBeDestroyed blink::LayoutBox::WillBeDestroyed Sanitizer: address (ASAN) Recommended Security Severity: High Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5362818275344384 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 13 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 13 2018
,
Jun 14 2018
waiting on a regression range from CF, in the meantime adding a few people making changes around this code.
,
Jun 14 2018
This line is a new change I added: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/layout/layout_object.cc?rcl=a63ca3e78449d088f9e43a29340073f1b31179f8&l=3071 But we call GetDocument() earlier in that file so not sure if something can happen since that line.
,
Jun 14 2018
ekaramad, can you try and repro before/after your change, and see if it might be the issue here? unfortunately CF is having some issues doing the regression on this? you should be able to use the reproduce tool here https://github.com/google/clusterfuzz-tools and supply test case id 5362818275344384
,
Jun 15 2018
I will try this and update the bug.
,
Jun 15 2018
I ran this locally and I can not reproduce the crash on 561055 (my own CL). I can see it crashes on 566628 which is a build from Tue.
,
Jun 15 2018
wfh@: Bouncing it back to you for triage. Thanks!
,
Jun 26 2018
,
Jun 26 2018
dmazzoni, CF's regression range points to https://chromium.googlesource.com/chromium/src/+/6589a857b53023b5c12f85194583f13da2466264. Could you please take a look? Thanks.
,
Jun 27 2018
dmazzoni: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 11
dmazzoni: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 25
,
Aug 6
dmazzoni@, friendly ping from the security sheriff. Please prioritize this issue once you're back from the vacation. Thanks!
,
Aug 7
M69 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
,
Aug 12
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 13
M69 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
,
Aug 15
Fix in progress: https://chromium-review.googlesource.com/c/chromium/src/+/1175491
,
Aug 15
Thank you dmazzoni@. When do you expect fix to be land in trunk?
,
Aug 15
+awhalley@ (Security TPM)
,
Aug 15
,
Aug 16
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/98acdea74f9d50d8ce3776443a8ba194907f6970 commit 98acdea74f9d50d8ce3776443a8ba194907f6970 Author: Dominic Mazzoni <dmazzoni@chromium.org> Date: Thu Aug 16 17:59:36 2018 Avoid recalculating native role in AXNodeObject::CanHaveChildren CanHaveChildren() is called frequently, including from delicate situations like when a LayoutObject is being deleted. Currently it calls NativeAccessibilityRoleIgnoringAria(), which is actually somewhat expensive and calls UpdateDistribution(), and clusterfuzz found a way for that to result in a UAF. The easy solution is just to save the result of NativeAccessibilityRoleIgnoringAria when we initially compute the node's role. Then CanHaveChildren() can just check it directly rather than recomputing it each time. Bug: 852735 , 852251 Change-Id: Id745d3b42c1f89434e519195e8511159621734d0 Reviewed-on: https://chromium-review.googlesource.com/1175491 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by: Alice Boxhall <aboxhall@chromium.org> Cr-Commit-Position: refs/heads/master@{#583726} [modify] https://crrev.com/98acdea74f9d50d8ce3776443a8ba194907f6970/third_party/blink/renderer/modules/accessibility/ax_layout_object.cc [modify] https://crrev.com/98acdea74f9d50d8ce3776443a8ba194907f6970/third_party/blink/renderer/modules/accessibility/ax_node_object.cc [modify] https://crrev.com/98acdea74f9d50d8ce3776443a8ba194907f6970/third_party/blink/renderer/modules/accessibility/ax_node_object.h
,
Aug 16
,
Aug 16
Is this need a merge to M69?
,
Aug 16
,
Aug 17
ClusterFuzz has detected this issue as fixed in range 583723:583733. Detailed report: https://clusterfuzz.com/testcase?key=5362818275344384 Fuzzer: mbarbella_webcomponents Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x611000035da0 Crash State: blink::LayoutObject::WillBeDestroyed blink::LayoutBoxModelObject::WillBeDestroyed blink::LayoutBox::WillBeDestroyed Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=566621:566623 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=583723:583733 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5362818275344384 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 17
ClusterFuzz testcase 5362818275344384 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 17
,
Aug 20
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2d3bb5da1eeae4947d925f3337b7a0667403135e commit 2d3bb5da1eeae4947d925f3337b7a0667403135e Author: Dominic Mazzoni <dmazzoni@chromium.org> Date: Mon Aug 20 21:26:49 2018 Merge to M69: Avoid recalculating native role in AXNodeObject::CanHaveChildren CanHaveChildren() is called frequently, including from delicate situations like when a LayoutObject is being deleted. Currently it calls NativeAccessibilityRoleIgnoringAria(), which is actually somewhat expensive and calls UpdateDistribution(), and clusterfuzz found a way for that to result in a UAF. The easy solution is just to save the result of NativeAccessibilityRoleIgnoringAria when we initially compute the node's role. Then CanHaveChildren() can just check it directly rather than recomputing it each time. Bug: 852735 , 852251 Change-Id: Id745d3b42c1f89434e519195e8511159621734d0 Reviewed-on: https://chromium-review.googlesource.com/1175491 Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org> Reviewed-by: Alice Boxhall <aboxhall@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#583726}(cherry picked from commit 98acdea74f9d50d8ce3776443a8ba194907f6970) Reviewed-on: https://chromium-review.googlesource.com/1182204 Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org> Cr-Commit-Position: refs/branch-heads/3497@{#724} Cr-Branched-From: 271eaf50594eb818c9295dc78d364aea18c82ea8-refs/heads/master@{#576753} [modify] https://crrev.com/2d3bb5da1eeae4947d925f3337b7a0667403135e/third_party/blink/renderer/modules/accessibility/ax_layout_object.cc [modify] https://crrev.com/2d3bb5da1eeae4947d925f3337b7a0667403135e/third_party/blink/renderer/modules/accessibility/ax_node_object.cc [modify] https://crrev.com/2d3bb5da1eeae4947d925f3337b7a0667403135e/third_party/blink/renderer/modules/accessibility/ax_node_object.h
,
Aug 21
,
Nov 23
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jun 13 2018