Issue 877346

Issue metadata

Status: Verified
Owner:
Closed: Aug 28
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Null-dereference READ in blink::V8AbstractEventListener::InvokeEventHandler

Reported by cdsrc2...@gmail.com, Aug 24

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce the problem:
Version 70.0.3515.0 (Developer Build) (64-bit) (Ubuntu)
68.0.3440.106 (release) (32-bit) (Windows)

1. Build new chrome
2. ./chrome ./crash.html

What is the expected behavior?

What went wrong?
Received signal 11 SEGV_MAPERR 000000000000
    #0 0x5609758f4741 in __interceptor_backtrace /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
    #1 0x56097d87218e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
    #2 0x56097d8710dd in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
    #3 0x7fe70e11a890 in __funlockfile ??:?
    #4 0x7fe70e11a890 in ?? ??:0
    #5 0x560986871e64 in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:0:42
    #6 0x560986871933 in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:127:3
    #7 0x5609868715e0 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:112:3
    #8 0x560987d10120 in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1u>&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/events/event_target.cc:842:15
    #9 0x560987d0e2ae in blink::EventTarget::FireEventListeners(blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/events/event_target.cc:682:29
    #10 0x56098bd6c7a1 in blink::IDBEventDispatcher::Dispatch(blink::Event*, blink::HeapVector<blink::Member<blink::EventTarget>, 0u>&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/indexeddb/idb_event_dispatcher.cc:52:21
    #11 0x56098bd129fe in blink::IDBRequest::DispatchEventInternal(blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/indexeddb/idb_request.cc:699:7
    #12 0x56098bd7b598 in blink::IDBOpenDBRequest::DispatchEventInternal(blink::Event*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/indexeddb/idb_open_db_request.cc:201:22
    #13 0x560987d0dd35 in blink::EventTarget::dispatchEventForBindings(blink::Event*, blink::ExceptionState&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/events/event_target.cc:573:10
    #14 0x56098686d053 in dispatchEventMethod /home/cowboy/chromium/src/out/chrome_asan_shared/gen/third_party/blink/renderer/bindings/core/v8/v8_event_target.cc:173:23
    #15 0x56098686d053 in blink::V8EventTarget::dispatchEventMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) /home/cowboy/chromium/src/out/chrome_asan_shared/gen/third_party/blink/renderer/bindings/core/v8/v8_event_target.cc:208:0
    #16 0x56097aa5ddcb in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/api-arguments-inl.h:119:3
    #17 0x56097aa5b7ae in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/builtins/builtins-api.cc:109:36
    #18 0x56097aa598ae in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../v8/src/builtins/builtins-api.cc:139:5
    #19 0x56097c26458e in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_NoBuiltinExit embedded.cc:?
    #20 0x56097c26458e in ?? ??:0
[end of stack trace]

Did this work before? N/A 

Chrome version: Version 70.0.3515.0 (Developer Build) (64-bit) (Ubuntu)  Channel: dev
OS Version: Ubuntu 18.04
Flash Version:

Attachment: crash.zip (27.6 KB)
Cc: yukishiino@chromium.org
Components: Blink>Bindings
Labels: Security_Impact-Head
Owner: yukiy@google.com
Status: Assigned (was: Unconfirmed)
Project Member

Comment 2 by ClusterFuzz, Aug 24

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4825732438818816.
Project Member

Comment 3 by ClusterFuzz, Aug 24

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6291035794440192.
Project Member

Comment 4 by ClusterFuzz, Aug 24

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5173602778087424.
Project Member

Comment 5 by ClusterFuzz, Aug 24

Testcase 4825732438818816 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=4825732438818816.
Project Member

Comment 6 by ClusterFuzz, Aug 24

Testcase 6291035794440192 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=6291035794440192.
Project Member

Comment 8 by ClusterFuzz, Aug 25

Labels: -Security_Impact-Head Security_Impact-Stable
Summary: Null-dereference READ in blink::V8AbstractEventListener::InvokeEventHandler (was: sig11 0x00000000 in blink::V8AbstractEventListener::InvokeEventHandler)
Detailed report: https://clusterfuzz.com/testcase?key=5173602778087424

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::V8AbstractEventListener::InvokeEventHandler
  blink::V8AbstractEventListener::HandleEvent
  blink::V8AbstractEventListener::handleEvent
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=518240:518474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5173602778087424

See https://github.com/google/clusterfuzz-tools for more information.
Labels: Security_Severity-Low
Security_Severity-Low since it is just a Null-dereference read.
This should probably be a not-security bug.
Cc: yukiy@google.com
Owner: yukishiino@chromium.org
Status: Started (was: Assigned)
Labels: -Security_Severity-Low -Security_Impact-Stable
Confirmed that #c9 is correct.  This is a simple nullptr dereference.  A fix is under review now.
Project Member

Comment 13 by bugdroid1@chromium.org, Aug 28

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/922b4678a3e11a77eb56f90f0e5891f564095383

commit 922b4678a3e11a77eb56f90f0e5891f564095383
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Tue Aug 28 11:24:51 2018

IndexedDB: Fixes event dispatching; set the event target.

IDBRequest's custom implementation of event dispatching has a bug
that it does not set any event target.  This patch sets the event
target before dispatching an event, and fixes a crash issue.

Bug:  877346 
Change-Id: Id3b695f3a8cff06a26a3cb08475d76777a7a26b8
Reviewed-on: https://chromium-review.googlesource.com/1193383
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586652}
[modify] https://crrev.com/922b4678a3e11a77eb56f90f0e5891f564095383/third_party/blink/renderer/modules/indexeddb/idb_request.cc
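
The invariant the commit above restores is that an event dispatched at an IDBRequest reaches its listeners with the event target set. The following is an added regression-style check, not code from the Chromium bug or the fix commit; it runs against any EventTarget, so in a browser it can be pointed at an IDBOpenDBRequest (the object in the report, with a hypothetical database name) and under Node at a plain EventTarget.

```javascript
"use strict";

// Added example, not part of the Chromium bug report or fix.
// Dispatches a synthetic event at `target` and records what the listener
// observed. Returns a plain object so a caller can assert on it.
function checkDispatchedEventTarget(target, type = "success") {
  const seen = { called: false, targetOk: false, currentTargetOk: false };
  const listener = (event) => {
    seen.called = true;
    // Before the fix, IDBRequest's custom dispatch path left the target
    // unset, and the Blink listener dereferenced it (the crash in #c0).
    seen.targetOk = event.target === target;
    seen.currentTargetOk = event.currentTarget === target;
  };
  target.addEventListener(type, listener, { once: true });
  target.dispatchEvent(new Event(type));
  return seen;
}

// Browser-only usage against the IndexedDB request type from the report.
// The database name is a hypothetical placeholder; returns null where
// indexedDB does not exist (e.g. Node), so the check can be skipped safely.
function checkIdbOpenRequest() {
  if (typeof indexedDB === "undefined") return null;
  const request = indexedDB.open("event-target-regression-check");
  return checkDispatchedEventTarget(request, "success");
}

// Stand-alone run under Node (EventTarget and Event are global since v15).
if (typeof EventTarget !== "undefined" && typeof Event !== "undefined") {
  console.log(checkDispatchedEventTarget(new EventTarget()));
}
```

A patched browser reports all three flags true for the IDBOpenDBRequest case; a build with the bug would instead hit the null dereference in the stack trace above.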

Status: Fixed (was: Started)
Project Member

Comment 15 by sheriffbot@chromium.org, Aug 28

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Type-Bug-Security Type-Bug
NULL-deref is not a security bug, just a functional bug.
Project Member

Comment 17 by ClusterFuzz, Aug 29

ClusterFuzz has detected this issue as fixed in range 586651:586652.

Detailed report: https://clusterfuzz.com/testcase?key=5173602778087424

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::V8AbstractEventListener::InvokeEventHandler
  blink::V8AbstractEventListener::HandleEvent
  blink::V8AbstractEventListener::handleEvent
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=518240:518474
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=586651:586652

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5173602778087424

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 18 by ClusterFuzz, Aug 29

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5173602778087424 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 19 by sheriffbot@chromium.org, Dec 4

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
