
Issue 912046 link

Issue metadata

Status: Verified
Owner:
Closed: Dec 6
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug

Blocking:
issue 880027



Null-dereference READ in blink::SecurityOrigin::CanRequest

Project Member Reported by ClusterFuzz, Dec 5

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5970609349328896

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  blink::SecurityOrigin::CanRequest
  blink::AllowedByNosniff::MimeTypeAsScript
  blink::ClassicPendingScript::GetSource
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=613878:613879

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5970609349328896

Issue filed automatically.

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 5

Components: Blink>Internals Blink>Loader
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 5

Labels: Test-Predator-Auto-Owner
Owner: hirosh...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f5918e1225fc91bc5c02bb1cfb447dc97578e952 (Move AllowedByNosniff to platform/loader).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Components: -Blink>Internals Blink>HTML>Script
Status: Started (was: Assigned)
This is because the script element's Document's ResourceFetcher's FetchContext's SecurityOrigin becomes null after moving the script to another document created by createDocument().
My CL caused this regression because it switches the context document to the element document unintentionally.

Blocking: 880027
Project Member

Comment 6 by ClusterFuzz, Dec 5

Labels: OS-Mac
Project Member

Comment 7 by bugdroid1@chromium.org, Dec 6

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/748875b36e91d5cd25bd8d653677fb5192203c97

commit 748875b36e91d5cd25bd8d653677fb5192203c97
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Thu Dec 06 05:46:57 2018

Revert unintentional switching to element document in an AllowedByNosniff call

In classic_pending_script.cc, [1] uses
GetElement()->GetDocument().Fetcher()->Context()
which corresponds to the element document, while before [1] it was
GetElement()->GetDocument().ContextDocument()
which corresponds to the context document.

This CL reverts this change and uses the context document, and
adds a regression test derived from a clusterfuzz test case.

[1] https://chromium-review.googlesource.com/1351873

Bug:  912046 , 880027
Change-Id: I92ca9723c3fdd1c5d9c304e4e196aeb77c75ee88
Reviewed-on: https://chromium-review.googlesource.com/c/1364050
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org>
Cr-Commit-Position: refs/heads/master@{#614279}
[modify] https://crrev.com/748875b36e91d5cd25bd8d653677fb5192203c97/third_party/blink/renderer/core/script/classic_pending_script.cc
[add] https://crrev.com/748875b36e91d5cd25bd8d653677fb5192203c97/third_party/blink/web_tests/http/tests/misc/script-moved-to-createDocument-crash.html

Project Member

Comment 8 by ClusterFuzz, Dec 6

ClusterFuzz has detected this issue as fixed in range 614278:614279.

Detailed report: https://clusterfuzz.com/testcase?key=5970609349328896

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  blink::SecurityOrigin::CanRequest
  blink::AllowedByNosniff::MimeTypeAsScript
  blink::ClassicPendingScript::GetSource
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=613878:613879
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=614278:614279

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5970609349328896

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Dec 6

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5970609349328896 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
