Malformed HTML crashes Chrome
Reported by zhouat2...@gmail.com, Jul 21
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. asan-linux-stable-67.0.3396.99
2. open poc file `SEGV_MAPERR_chrome.html`

What is the expected behavior?

What went wrong?
SEGV_MAPERR

Did this work before? N/A

Chrome version: 67.0.3396.99 Channel: stable
OS Version: OS X 10.13.4
Flash Version:
Jul 22
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5935322761003008.
Jul 22
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6484907279515648.
Jul 22
I can reproduce this renderer crash on Mac M68, but not on the latest Mac ASAN build (70.0.3500.0), so it seems that this may already be fixed. ClusterFuzz is also having trouble repro-ing on both Linux and Mac. With a Mac ASAN debug build 67.0.3396.0 gets the following failed check stack trace shown below. This looks potentially similar to Issue 847192 but I'm not familiar with the code/that other bug to know if that's what fixed this. I think this may be the DCHECK here that got commented out: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/editing/selection_adjuster.cc?sq=package:chromium&dr&g=0&l=583

Tentatively assigning to yoichio@ who reviewed the CL that affected this (https://crrev.com/c/1102157) and has other recent changes in this file. The owner of that CL (ctzsm@) is OOO.

I'm not sure if this has actual security implications or if we're just hitting a (D)CHECK. For now, I'm setting this to Security-Severity_Medium to be conservative (since the original report says SEGV_MAPERR, which could indicate an out-of-bounds memory access).

[89971:775:0722/124841.211436:FATAL:selection_adjuster.cc(713)] Check failed: false.
0 Chromium Framework 0x0000000130c5cd79 base::debug::StackTrace::StackTrace(unsigned long) + 825
1 Chromium Framework 0x0000000130c5ce8c base::debug::StackTrace::StackTrace(unsigned long) + 60
2 Chromium Framework 0x0000000130c58e03 base::debug::StackTrace::StackTrace() + 51
3 Chromium Framework 0x0000000130d82cf1 logging::LogMessage::~LogMessage() + 2177
4 Chromium Framework 0x0000000130d7bb6c logging::LogMessage::~LogMessage() + 44
5 Chromium Framework 0x0000000152f909d9 blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > blink::EditingBoundaryAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) + 1881
6 Chromium Framework 0x0000000152f8a336 blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > blink::EditingBoundaryAdjuster::AdjustSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) + 358
7 Chromium Framework 0x0000000152f8a1bb blink::SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) + 59
8 Chromium Framework 0x00000001530869c1 blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > blink::ComputeVisibleSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::TextGranularity) + 1633
9 Chromium Framework 0x00000001530862d0 blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::CreateWithGranularity(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::TextGranularity) + 272
10 Chromium Framework 0x00000001530861ad blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Create(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) + 61
11 Chromium Framework 0x0000000153089d6b blink::CreateVisibleSelection(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) + 59
12 Chromium Framework 0x0000000152fa7814 blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded() const + 1748
13 Chromium Framework 0x0000000152fa6f08 blink::SelectionEditor::ComputeVisibleSelectionInFlatTree() const + 1176
14 Chromium Framework 0x0000000152e1d4ea blink::FrameSelection::ComputeVisibleSelectionInFlatTree() const + 74
15 Chromium Framework 0x0000000152e23b9e blink::FrameSelection::SelectionHasFocus() const + 462
16 Chromium Framework 0x0000000152e24192 blink::FrameSelection::IsHidden() const + 306
17 Chromium Framework 0x0000000152ed1735 blink::CalcSelectionRangeAndSetSelectionState(blink::FrameSelection const&) + 1253
18 Chromium Framework 0x0000000152ed0af8 blink::LayoutSelection::Commit() + 1592
19 Chromium Framework 0x0000000152e28758 blink::FrameSelection::CommitAppearanceIfNeeded() + 56
20 Chromium Framework 0x0000000155293d3b blink::LayoutView::CommitPendingSelection() + 1403
21 Chromium Framework 0x0000000155ea5eb5 blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal(blink::DocumentLifecycle::LifecycleState, blink::CompositingReasonsStats&) + 2965
22 Chromium Framework 0x0000000155ea4795 blink::PaintLayerCompositor::UpdateIfNeededRecursive(blink::DocumentLifecycle::LifecycleState) + 485
23 Chromium Framework 0x000000015375889c blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) + 8380
24 Chromium Framework 0x00000001537567c9 blink::LocalFrameView::UpdateAllLifecyclePhases() + 73
25 Chromium Framework 0x0000000155c4c15b blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) + 299
26 Chromium Framework 0x0000000155c60cf7 blink::PageWidgetDelegate::UpdateLifecycle(blink::Page&, blink::LocalFrame&, blink::WebWidget::LifecycleUpdate) + 151
27 Chromium Framework 0x000000015330f2c3 blink::WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) + 1443
28 Chromium Framework 0x000000015330458c blink::WebWidget::UpdateAllLifecyclePhases() + 156
29 Chromium Framework 0x000000015330be88 blink::WebViewImpl::ResizeViewWhileAnchored(float, float, bool) + 1416
30 Chromium Framework 0x000000015330ce83 blink::WebViewImpl::ResizeWithBrowserControls(blink::WebSize const&, float, float, bool) + 3171
31 Chromium Framework 0x000000015ba696d2 content::RenderViewImpl::ResizeWebWidget() + 994
32 Chromium Framework 0x000000015badc2d1 content::RenderWidget::Resize(content::ResizeParams const&) + 6769
33 Chromium Framework 0x000000015baca705 content::RenderWidget::OnResize(content::ResizeParams const&) + 917
34 Chromium Framework 0x000000015ba6b63e content::RenderViewImpl::OnResize(content::ResizeParams const&) + 7902
35 Chromium Framework 0x000000015bb15bda void base::DispatchToMethodImpl<content::RenderWidget*, void (content::RenderWidget::*)(content::ResizeParams const&), std::__1::tuple<content::ResizeParams>, 0ul>(content::RenderWidget* const&, void (content::RenderWidget::*)(content::ResizeParams const&), std::__1::tuple<content::ResizeParams>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 778
36 Chromium Framework 0x000000015bb15851 void base::DispatchToMethod<content::RenderWidget*, void (content::RenderWidget::*)(content::ResizeParams const&), std::__1::tuple<content::ResizeParams> >(content::RenderWidget* const&, void (content::RenderWidget::*)(content::ResizeParams const&), std::__1::tuple<content::ResizeParams>&&) + 721
37 Chromium Framework 0x000000015bb154f7 void IPC::DispatchToMethod<content::RenderWidget, void (content::RenderWidget::*)(content::ResizeParams const&), void, std::__1::tuple<content::ResizeParams> >(content::RenderWidget*, void (content::RenderWidget::*)(content::ResizeParams const&), void*, std::__1::tuple<content::ResizeParams>&&) + 807
38 Chromium Framework 0x000000015bab9faa bool IPC::MessageT<ViewMsg_Resize_Meta, std::__1::tuple<content::ResizeParams>, void>::Dispatch<content::RenderWidget, content::RenderWidget, void, void (content::RenderWidget::*)(content::ResizeParams const&)>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void*, void (content::RenderWidget::*)(content::ResizeParams const&)) + 1914
39 Chromium Framework 0x000000015baafea5 content::RenderWidget::OnMessageReceived(IPC::Message const&) + 6037
40 Chromium Framework 0x000000015ba414b9 content::RenderViewImpl::OnMessageReceived(IPC::Message const&) + 13177
41 Chromium Framework 0x00000001342ec88c IPC::MessageRouter::RouteMessage(IPC::Message const&) + 268
42 Chromium Framework 0x000000014e2d807c content::ChildThreadImpl::ChildThreadMessageRouter::RouteMessage(IPC::Message const&) + 60
43 Chromium Framework 0x00000001342ec760 IPC::MessageRouter::OnMessageReceived(IPC::Message const&) + 368
44 Chromium Framework 0x000000014e2ee3a0 content::ChildThreadImpl::OnMessageReceived(IPC::Message const&) + 272
45 Chromium Framework 0x000000015b998792 content::RenderThreadImpl::OnMessageReceived(IPC::Message const&) + 338
46 Chromium Framework 0x000000013421a3d4 IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) + 468
47 Chromium Framework 0x000000013422a87c void base::internal::FunctorTraits<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), void>::Invoke<scoped_refptr<IPC::ChannelProxy::Context> const&, IPC::Message const&>(void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&&&, IPC::Message const&&&) + 700
48 Chromium Framework 0x000000013422a508 void base::internal::InvokeHelper<false, void>::MakeItSo<void (IPC::ChannelProxy::Context::* const&)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&, IPC::Message const&>(void (IPC::ChannelProxy::Context::* const&&&)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context> const&&&, IPC::Message const&&&) + 584
49 Chromium Framework 0x000000013422a2ac void base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::RunImpl<void (IPC::ChannelProxy::Context::* const&)(IPC::Message const&), std::__1::tuple<scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message> const&, 0ul, 1ul>(void (IPC::ChannelProxy::Context::* const&&&)(IPC::Message const&), std::__1::tuple<scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 156
50 Chromium Framework 0x000000013422a173 base::internal::Invoker<base::internal::BindState<void (IPC::ChannelProxy::Context::*)(IPC::Message const&), scoped_refptr<IPC::ChannelProxy::Context>, IPC::Message>, void ()>::Run(base::internal::BindStateBase*) + 67
51 Chromium Framework 0x0000000118f8ac35 base::OnceCallback<void ()>::Run() && + 293
52 Chromium Framework 0x0000000130c62660 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 2544
53 Chromium Framework 0x000000012ba4c6ce blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) + 3918
54 Chromium Framework 0x000000012ba54fdd void base::internal::FunctorTraits<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::SequencedTaskSource::WorkType), void>::Invoke<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> const&, blink::scheduler::internal::SequencedTaskSource::WorkType const&>(void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> const&&&, blink::scheduler::internal::SequencedTaskSource::WorkType const&&&) + 813
55 Chromium Framework 0x000000012ba54bb7 void base::internal::InvokeHelper<true, void>::MakeItSo<void (blink::scheduler::internal::ThreadControllerImpl::* const&)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> const&, blink::scheduler::internal::SequencedTaskSource::WorkType const&>(void (blink::scheduler::internal::ThreadControllerImpl::* const&&&)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl> const&&&, blink::scheduler::internal::SequencedTaskSource::WorkType const&&&) + 647
56 Chromium Framework 0x000000012ba5491c void base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType>, void ()>::RunImpl<void (blink::scheduler::internal::ThreadControllerImpl::* const&)(blink::scheduler::internal::SequencedTaskSource::WorkType), std::__1::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType> const&, 0ul, 1ul>(void (blink::scheduler::internal::ThreadControllerImpl::* const&&&)(blink::scheduler::internal::SequencedTaskSource::WorkType), std::__1::tuple<base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType> const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 156
57 Chromium Framework 0x000000012ba547e3 base::internal::Invoker<base::internal::BindState<void (blink::scheduler::internal::ThreadControllerImpl::*)(blink::scheduler::internal::SequencedTaskSource::WorkType), base::WeakPtr<blink::scheduler::internal::ThreadControllerImpl>, blink::scheduler::internal::SequencedTaskSource::WorkType>, void ()>::Run(base::internal::BindStateBase*) + 67
58 Chromium Framework 0x0000000118f8ac35 base::OnceCallback<void ()>::Run() && + 293
59 Chromium Framework 0x0000000130c62660 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) + 2544
60 Chromium Framework 0x0000000130e35bb1 base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) + 513
61 Chromium Framework 0x0000000130e556a6 base::MessageLoop::RunTask(base::PendingTask*) + 2550
Jul 23
Maybe the following CL fixed this: https://chromium.googlesource.com/chromium/src/+/7bd29404a6ab8d36bdff4123ae522fcd9068344b
Jul 23
Do we think there are security implications to this (actual OOB read/write), or is it just hitting the CHECK? If there are security implications then we may want to merge the fix back, if possible.
Jul 23
I believe there were no security implications; it's just a DCHECK (NOTREACHED()). [1]

[1] https://chromium.googlesource.com/chromium/src/+/67.0.3396.0/third_party/blink/renderer/core/editing/selection_adjuster.cc#713
Aug 6
Hi zhouat2017@ - thanks for the report! I'm afraid the VRP panel took a look and decided that this is a non-exploitable bug, so won't be rewarding for it.
Comment 1 Deleted