Issue metadata
Sign in to add a comment
|
Heap-buffer-overflow in cc::SurfaceLayer::SetHasPointerEventsNone |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5654841689636864 Fuzzer: inferno_webbot Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x6170000e2a0a Crash State: cc::SurfaceLayer::SetHasPointerEventsNone blink::HTMLFrameOwnerElement::PointerEventsChanged blink::LayoutEmbeddedContent::StyleDidChange Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=589304:589316 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5654841689636864 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Sep 7
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Sep 7
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2c0b1626adf748ef1b4b57b5f81e2a8a80d7a6dc (Do not hit test OOPIFs with pointer-events: none). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Sep 7
Looking at the issue, the patch was reverted due to a flaky test though.
,
Sep 8
ClusterFuzz has detected this issue as fixed in range 589538:589542. Detailed report: https://clusterfuzz.com/testcase?key=5654841689636864 Fuzzer: inferno_webbot Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: Heap-buffer-overflow READ 1 Crash Address: 0x6170000e2a0a Crash State: cc::SurfaceLayer::SetHasPointerEventsNone blink::HTMLFrameOwnerElement::PointerEventsChanged blink::LayoutEmbeddedContent::StyleDidChange Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=589304:589316 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=589538:589542 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5654841689636864 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 8
ClusterFuzz testcase 5654841689636864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 8
,
Sep 8
,
Sep 8
,
Sep 10
The patch reverted due to flaky test will reland again, still need to fix this bug.
,
Sep 10
Hi Sadrul, this is the clusterfuzz bug. I'm suspecting that adding "if (!child_frame || !child_frame->GetLayer()) return;" at https://chromium-review.googlesource.com/c/chromium/src/+/1213538/6/content/renderer/child_frame_compositing_helper.cc#125 would fix the bug?
,
Sep 11
Looking at the detailed report, it looks like the layer is at that stage a SolidColorLayer (i.e. not null) created in [1]. So doing null checks should not help with the problem. So the code needs to know for sure whether that layer is a SurfaceLayer before doing the static_cast<>. For example, it could probably check that |primary_surface_id_| is valid. [1] https://cs.chromium.org/chromium/src/content/renderer/child_frame_compositing_helper.cc?type=cs&sq=package:chromium&g=0&l=39
,
Sep 11
,
Sep 11
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 11
The mentioned change was reverted and has not been relanded, so it shouldn't be an RBS.
,
Sep 12
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 12
Remove the labels.
,
Sep 12
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c02c059891de67fa3b2ef879a322f5b01db87ab8 commit c02c059891de67fa3b2ef879a322f5b01db87ab8 Author: sunxd <sunxd@chromium.org> Date: Wed Sep 12 18:27:22 2018 Reland: Do not hit test OOPIFs with pointer-events: none Frame owners may have pointer-events: none property which blocks them from receiving mouse and touch events. Currently in V2 viz hit testing hit test data provider has no information about whether OOPIFs have pointer-events: none property. This CL plumbs pointer-events: none property from HTMLFrameOwnerElement to cc::SurfaceLayer so that the hit test data provider in LayerTreeHostImpl will be able to generate proper hit test data for pointer-events: none OOPIFs. The patch was reverted due to flaky browser test, we are relanding it by fixing the flakiness. The original patch also triggered a clusterfuzz bug, it is also fixed in this one. Bug: 841358 , 881917 , 881703 Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;master.tryserver.blink:linux_trusty_blink_rel Change-Id: I66bf72095e5501c37b01beda134a583bf216c5b7 Reviewed-on: https://chromium-review.googlesource.com/1213538 Commit-Queue: Xianda Sun <sunxd@chromium.org> Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org> Reviewed-by: Jonathan Ross <jonross@chromium.org> Reviewed-by: Philip Rogers <pdr@chromium.org> Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Fady Samuel <fsamuel@chromium.org> Cr-Commit-Position: refs/heads/master@{#590755} [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/cc/layers/surface_layer.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/cc/layers/surface_layer.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/cc/layers/surface_layer_impl.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/cc/layers/surface_layer_impl.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/cc/trees/layer_tree_host_impl.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/components/viz/common/features.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/browser/site_per_process_hit_test_browsertest.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/browser_plugin/browser_plugin.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/browser_plugin/browser_plugin.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/child_frame_compositing_helper.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/child_frame_compositing_helper.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/child_frame_compositing_helper_unittest.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/child_frame_compositor.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/render_frame_proxy.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/renderer/render_frame_proxy.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/content/test/data/frame_tree/page_with_positioned_frame_pointer-events_none.html [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/public/web/web_remote_frame.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/public/web/web_remote_frame_client.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/exported/web_remote_frame_impl.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/exported/web_remote_frame_impl.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/frame/remote_frame.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/frame/remote_frame.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/frame/remote_frame_client.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/frame/remote_frame_client_impl.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/frame/remote_frame_client_impl.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/html/html_frame_owner_element.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/html/html_frame_owner_element.h [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/third_party/blink/renderer/core/layout/layout_embedded_content.cc [modify] https://crrev.com/c02c059891de67fa3b2ef879a322f5b01db87ab8/ui/compositor/layer_unittest.cc
,
Sep 14
,
Oct 9
Adding back missing labels.
,
Dec 22
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Sep 7