Null-dereference READ in blink::V8AbstractEventListener::InvokeEventHandler
Reported by cdsrc2...@gmail.com, Aug 24
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Steps to reproduce the problem:
Version 70.0.3515.0 (Developer Build) (64-bit) (ubuntu)
68.0.3440.106 (release) (32-bit) (windows)
1. build new chrome
2. ./chrome ./crash.html
What is the expected behavior?
What went wrong?
Received signal 11 SEGV_MAPERR 000000000000
#0 0x5609758f4741 in __interceptor_backtrace /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
#1 0x56097d87218e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x56097d8710dd in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fe70e11a890 in __funlockfile ??:?
#4 0x7fe70e11a890 in ?? ??:0
#5 0x560986871e64 in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:0:42
#6 0x560986871933 in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:127:3
#7 0x5609868715e0 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:112:3
#8 0x560987d10120 in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1u>&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/events/event_target.cc:842:15
#9 0x560987d0e2ae in blink::EventTarget::FireEventListeners(blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/events/event_target.cc:682:29
#10 0x56098bd6c7a1 in blink::IDBEventDispatcher::Dispatch(blink::Event*, blink::HeapVector<blink::Member<blink::EventTarget>, 0u>&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/indexeddb/idb_event_dispatcher.cc:52:21
#11 0x56098bd129fe in blink::IDBRequest::DispatchEventInternal(blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/indexeddb/idb_request.cc:699:7
#12 0x56098bd7b598 in blink::IDBOpenDBRequest::DispatchEventInternal(blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/indexeddb/idb_open_db_request.cc:201:22
#13 0x560987d0dd35 in blink::EventTarget::dispatchEventForBindings(blink::Event*, blink::ExceptionState&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/events/event_target.cc:573:10
#14 0x56098686d053 in dispatchEventMethod /home/cowboy/chromium/src/out/chrome_asan_shared/gen/third_party/blink/renderer/bindings/core/v8/v8_event_target.cc:173:23
#15 0x56098686d053 in blink::V8EventTarget::dispatchEventMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) /home/cowboy/chromium/src/out/chrome_asan_shared/gen/third_party/blink/renderer/bindings/core/v8/v8_event_target.cc:208:0
#16 0x56097aa5ddcb in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/api-arguments-inl.h:119:3
#17 0x56097aa5b7ae in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/builtins/builtins-api.cc:109:36
#18 0x56097aa598ae in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/builtins/builtins-api.cc:139:5
#19 0x56097c26458e in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit embedded.cc:?
#20 0x56097c26458e in ?? ??:0
r8: 0000000000000000 r9: 0000000000000001 r10: 00000ffcdf9b9769 r11: 00007fe6fcdcbb48
r12: 00000fd91ed462ca r13: 00000fdccc6bcf10 r14: 000061d00000c988 r15: 00000ffd5fa1a300
di: 0000000000000000 si: 00000000000000f5 bp: 00007ffdef432570 bx: 00007ffdef4324a0
dx: 0000000000000040 ax: 0000000000000000 cx: 00007ee6635e7880 sp: 00007ffdef4324a0
ip: 0000560986871e64 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Did this work before? N/A
Chrome version: Version 70.0.3515.0 (Developer Build) (64-bit)(ubuntu) Channel: dev
OS Version: Ubuntu18.04
Flash Version:
Aug 24
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4825732438818816.
Aug 24
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6291035794440192.
Aug 24
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5173602778087424.
Aug 24
Testcase 4825732438818816 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=4825732438818816.
Aug 24
Testcase 6291035794440192 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6291035794440192.
Aug 24
Please see https://clusterfuzz.com/v2/testcase-detail/5173602778087424 for details
Aug 25
Detailed report: https://clusterfuzz.com/testcase?key=5173602778087424
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::V8AbstractEventListener::InvokeEventHandler
  blink::V8AbstractEventListener::HandleEvent
  blink::V8AbstractEventListener::handleEvent
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=518240:518474
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5173602778087424
See https://github.com/google/clusterfuzz-tools for more information.
Aug 26
Security_Severity-Low since it is just a Null-dereference read. This should probably be a not-security bug.
Confirmed that #c9 is correct. This is a simple nullptr dereference. A fix is under review now.
Aug 28
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/922b4678a3e11a77eb56f90f0e5891f564095383

commit 922b4678a3e11a77eb56f90f0e5891f564095383
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Tue Aug 28 11:24:51 2018

IndexedDB: Fixes event dispatching; set the event target.

IDBRequest's custom implementation of event dispatching has a bug that it does not set any event target. This patch sets the event target before dispatching an event, and fixes a crash issue.

Bug: 877346
Change-Id: Id3b695f3a8cff06a26a3cb08475d76777a7a26b8
Reviewed-on: https://chromium-review.googlesource.com/1193383
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586652}

[modify] https://crrev.com/922b4678a3e11a77eb56f90f0e5891f564095383/third_party/blink/renderer/modules/indexeddb/idb_request.cc
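As an added illustration (not Chromium's code and not the commit's diff): a minimal C++ model of the defect the commit message describes. `Request::DispatchEventInternal` is a hypothetical stand-in for IDBRequest's custom dispatch path; the generic `DispatchEvent` assigns the target before firing listeners, the custom path only does so when the fix is applied, and a listener that reads `event.target` otherwise sees null.

```cpp
// Added illustration, not Chromium code: a type with its own dispatch path
// must set the event target itself; the generic path does it before firing.
#include <functional>
#include <string>
#include <vector>

struct EventTarget;
struct Event {
  std::string type;
  EventTarget* target = nullptr;  // what a listener sees as event.target
};

struct EventTarget {
  std::string name;
  std::vector<std::function<void(Event&)>> listeners;

  // Generic path: the target is set before any listener runs.
  void DispatchEvent(Event& event) {
    event.target = this;
    FireEventListeners(event);
  }
  void FireEventListeners(Event& event) {
    for (auto& listener : listeners) listener(event);
  }
};

// Hypothetical stand-in for IDBRequest, which dispatches through its own
// DispatchEventInternal instead of the generic DispatchEvent above.
struct Request : EventTarget {
  bool fixed;  // true: apply the commit's change and set the target
  explicit Request(bool fixed_) : fixed(fixed_) { name = "request"; }
  void DispatchEventInternal(Event& event) {
    if (fixed) event.target = this;  // the fix: set the target first
    FireEventListeners(event);       // bypasses DispatchEvent's assignment
  }
};

// Fires a "success" event at a Request and returns the target name the
// listener observed; "" means the target was still null (the real handler
// dereferenced it and crashed instead of checking).
std::string ObservedTargetName(bool fixed) {
  Request request(fixed);
  std::string seen;
  request.listeners.push_back([&seen](Event& e) {
    seen = e.target ? e.target->name : "";
  });
  Event event; event.type = "success";  // target is still null here
  request.DispatchEventInternal(event);
  return seen;
}
```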
NULL-deref is not a security bug, just a functional bug.
Aug 29
ClusterFuzz has detected this issue as fixed in range 586651:586652.

Detailed report: https://clusterfuzz.com/testcase?key=5173602778087424
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::V8AbstractEventListener::InvokeEventHandler
  blink::V8AbstractEventListener::HandleEvent
  blink::V8AbstractEventListener::handleEvent
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=518240:518474
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=586651:586652
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5173602778087424
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 29
ClusterFuzz testcase 5173602778087424 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 4
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Aug 24
Components: Blink>Bindings
Labels: Security_Impact-Head
Owner: yukiy@google.com
Status: Assigned (was: Unconfirmed)