Issue metadata
Sign in to add a comment
|
Heap-use-after-free in blink::LayoutBlock::ComputeBlockPreferredLogicalWidths |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5352322314797056 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Heap-use-after-free READ 16 Crash Address: 0x61500120ddb8 Crash State: blink::LayoutBlock::ComputeBlockPreferredLogicalWidths blink::LayoutBlock::ComputeIntrinsicLogicalWidths blink::LayoutBlock::ComputePreferredLogicalWidths Sanitizer: address (ASAN) Recommended Security Severity: High Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5352322314797056 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 17 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 17 2018
,
Jun 17 2018
Major regressions from https://chromium-review.googlesource.com/c/chromium/src/+/1102690, reverting.
,
Jun 17 2018
,
Jun 26 2018
This was not introduced by https://chromium-review.googlesource.com/c/chromium/src/+/1102690 (it was already there), and reverting it didn't help. Re-opening.
,
Jun 26 2018
The blamed range is https://chromium.googlesource.com/chromium/src/+log/81e42d0ddbf00b81d890458f59a18f1eb398c4aa..44027d41f779d62af9def030160ad2015c0d851f?pretty=fuller&n=10000 (2 commits in March 2018), but I tested, and the crasher predates that too. I'll redo the task.
,
Jun 26 2018
,
Jun 26 2018
Redo now blames - https://chromium.googlesource.com/chromium/src/+/0aca50f1552c882bc72ed5c419085fa975847a9c futhark@, can you please take a look.
,
Jun 27 2018
No, that CLs just using a different wrapper method to enforce const return values. This is an issue where BreakingContext::current_style_ is holding on to ComputedStyle without refcounting it where a hack in TextSizeAdjuster trying to keep them alive seemingly fails.
,
Jun 27 2018
I reproduced this with content shell on Mac running with --expose-internals-for-testing, building with this args.gn: enable_ipc_fuzzer = true enable_nacl = false ffmpeg_branding = "Chrome" is_asan = true is_component_build = false is_debug = false proprietary_codecs = true sanitizer_coverage_flags = "trace-pc-guard" strip_absolute_paths_from_debug_symbols = true v8_enable_verify_heap = true use_goma = true
,
Jun 27 2018
Emil, do you know who would know the BreakingContext lifetime and why we don't refcount ComputedStyle there?
,
Jun 28 2018
BreakingContext hasn't changed much in years and much of it pre-dates the use of reference counting. Getting a regression range for this would be *very* helpful. Switching to ref-counting seems like a good idea but that is a much bigger change.
,
Jun 28 2018
Was my change after all. Sorry about the noise.
,
Jun 28 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b commit b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b Author: Rune Lillesveen <futhark@chromium.org> Date: Thu Jun 28 18:03:34 2018 Keep reference to child ComputedStyle on stack. Apparently, the ComputedStyle on a child may change during LayoutBlock::ComputeBlockPreferredLogicalWidths. We used to keep a reference to the ComputedStyle on the stack before [1]. Re-introducing scoped_refptr here. The reduced test exposed a DCHECK problem tracked by 389648. Instead of adding an almost identical new test, with another TestExpections line, we add writing-mode to the existing test which would expose the ASAN issue as well. [1] https://crrev.com/0aca50f1552c882bc72ed5c419085fa975847a9c Bug: 853538 , 389648 Change-Id: I5cb09c8cd9a7ae6d0621758f4690fce2abbb8096 Reviewed-on: https://chromium-review.googlesource.com/1117697 Commit-Queue: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Cr-Commit-Position: refs/heads/master@{#571199} [modify] https://crrev.com/b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b/third_party/WebKit/LayoutTests/fast/text-autosizing/table-inflation-crash.html [modify] https://crrev.com/b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b/third_party/blink/renderer/core/layout/layout_block.cc
,
Jun 28 2018
,
Jun 29 2018
ClusterFuzz has detected this issue as fixed in range 571196:571200. Detailed report: https://clusterfuzz.com/testcase?key=5352322314797056 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Heap-use-after-free READ 16 Crash Address: 0x61500120ddb8 Crash State: blink::LayoutBlock::ComputeBlockPreferredLogicalWidths blink::LayoutBlock::ComputeIntrinsicLogicalWidths blink::LayoutBlock::ComputePreferredLogicalWidths Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=537333:537341 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=571196:571200 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5352322314797056 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 29 2018
,
Jul 1
,
Jul 1
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 2
Awhalley@ - Can you please confirm if this is required for M68?
,
Jul 2
abdulsyed@ - yep, relatively recent regression from 66, please take for 68 - thanks!
,
Jul 3
Approved - branch:3440
,
Jul 3
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e98488a6c1ccaef81d1d0ded83d9b41752597e74 commit e98488a6c1ccaef81d1d0ded83d9b41752597e74 Author: Rune Lillesveen <futhark@chromium.org> Date: Tue Jul 03 20:25:10 2018 Keep reference to child ComputedStyle on stack. Apparently, the ComputedStyle on a child may change during LayoutBlock::ComputeBlockPreferredLogicalWidths. We used to keep a reference to the ComputedStyle on the stack before [1]. Re-introducing scoped_refptr here. The reduced test exposed a DCHECK problem tracked by 389648. Instead of adding an almost identical new test, with another TestExpections line, we add writing-mode to the existing test which would expose the ASAN issue as well. [1] https://crrev.com/0aca50f1552c882bc72ed5c419085fa975847a9c Bug: 853538 , 389648 Change-Id: I5cb09c8cd9a7ae6d0621758f4690fce2abbb8096 Reviewed-on: https://chromium-review.googlesource.com/1117697 Commit-Queue: Rune Lillesveen <futhark@chromium.org> Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#571199}(cherry picked from commit b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b) Reviewed-on: https://chromium-review.googlesource.com/1125179 Cr-Commit-Position: refs/branch-heads/3440@{#594} Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733} [modify] https://crrev.com/e98488a6c1ccaef81d1d0ded83d9b41752597e74/third_party/WebKit/LayoutTests/fast/text-autosizing/table-inflation-crash.html [modify] https://crrev.com/e98488a6c1ccaef81d1d0ded83d9b41752597e74/third_party/blink/renderer/core/layout/layout_block.cc
,
Jul 3
I merged this on behalf of futhark, who's OOO.
,
Jul 3
Thank mstensho@!
,
Oct 5
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jun 17 2018