2024-10-31 23:42 UTC

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0002789LibDOM[All Projects] Generalpublic2024-05-27 12:47
Reportersha0sum 
Assigned Tokinnison 
PrioritynormalSeveritycrashReproducibilityalways
StatusresolvedResolutionfixed 
Summary0002789: Crashes found from fuzzing
DescriptionFuzzing netsurf-gtk using Domato[1] found a few segfaults in LibDOM 0.4.1 (HEAD at 93b8a9bba18fc3166dd158484188b1730afdd382).

Minimized test cases, along with corresponding AddressSanitizer stack traces, are attached.

[1] https://github.com/googleprojectzero/domato
TagsNo tags attached.
Fixed in CI build #6738
Reported in CI build #
Attached Files
  • zip file icon crashes.zip (6,386 bytes) 2020-08-15 23:21
  • txt file icon 5.asan.txt (3,341 bytes) 2020-08-16 17:37 -
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==307418==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x5636fe24eff7 bp 0x61100048b740 sp 0x7ffc487d57d8 T0)
    ==307418==The signal is caused by a READ memory access.
    ==307418==Hint: address points to the zero page.
        #0 0x5636fe24eff6 in dom_html_table_section_element_get_rows src/html/html_tablesection_element.c:217
        #1 0x5636fe250e0f in dom_html_table_row_element_get_row_index src/html/html_tablerow_element.c:247
        #2 0x5636fdb909bf in dukky_html_table_row_element_rowIndex_getter /home/user/dev-netsurf/workspace/netsurf/html_table_row_element.c:160
        #3 0x5636fddebbba in duk__handle_call_raw content/handlers/javascript/duktape/duktape.c:64992
        #4 0x5636fddf681c in duk_hobject_getprop content/handlers/javascript/duktape/duktape.c:57584
        #5 0x5636fda83b02 in duk__js_execute_bytecode_inner content/handlers/javascript/duktape/duktape.c:78025
        #6 0x5636fdde481a in duk_js_execute_bytecode content/handlers/javascript/duktape/duktape.c:76732
        #7 0x5636fddec86c in duk__handle_call_raw content/handlers/javascript/duktape/duktape.c:64970
        #8 0x5636fdecfae5 in duk_handle_call_unprotected content/handlers/javascript/duktape/duktape.c:65146
        #9 0x5636fdecfae5 in duk__pcall_method_raw content/handlers/javascript/duktape/duktape.c:14391
        #10 0x5636fddffe2b in duk__handle_safe_call_inner content/handlers/javascript/duktape/duktape.c:65199
        #11 0x5636fddffe2b in duk_handle_safe_call content/handlers/javascript/duktape/duktape.c:65444
        #12 0x5636fde01fe9 in duk_pcall_method_flags content/handlers/javascript/duktape/duktape.c:14410
        #13 0x5636fddbc74b in js_fire_event content/handlers/javascript/duktape/dukky.c:1649
        #14 0x5636fdcdde70 in html_finish_conversion content/handlers/html/html.c:373
        #15 0x5636fdcdffc0 in html_begin_conversion content/handlers/html/html.c:970
        #16 0x5636fdca77b9 in html_convert_css_callback content/handlers/html/css.c:139
        #17 0x5636fdf267bb in hlcache_content_callback content/hlcache.c:204
        #18 0x5636fdbe55d1 in content_broadcast content/content.c:762
        #19 0x5636fdbe59a9 in content_set_done content/content.c:308
        #20 0x5636fdc31fd2 in nscss_content_done content/handlers/css/css.c:506
        #21 0x5636fdc34106 in nscss_convert_css_data content/handlers/css/css.c:321
        #22 0x5636fdc34106 in nscss_convert content/handlers/css/css.c:289
        #23 0x5636fdbe5ded in content_convert content/content.c:84
        #24 0x5636fdbe5ded in content_llcache_callback content/content.c:140
        #25 0x5636fdf33c79 in llcache_object_notify_users content/llcache.c:3430
        #26 0x5636fdf351af in llcache_catch_up_all_users content/llcache.c:3864
        #27 0x5636fe0e88bd in schedule_run frontends/gtk/schedule.c:148
        #28 0x5636fe0a9ef9 in nsgtk_main frontends/gtk/gui.c:506
        #29 0x5636fda7dab3 in main frontends/gtk/gui.c:1312
        #30 0x7f9e4dafa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #31 0x5636fdabecfd in _start (/home/user/dev-netsurf/workspace/netsurf/nsgtk3+0xadacfd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV src/html/html_tablesection_element.c:217 in dom_html_table_section_element_get_rows
    ==307418==ABORTING
    
    txt file icon 5.asan.txt (3,341 bytes) 2020-08-16 17:37 +

-Relationships
+Relationships

-Notes
sha0sum

~0002286

sha0sum (reporter)

Here is another crash input, caused by referencing rowIndex of an HTMLTableRowElement when there is no <thead> in the table:

<script>
window.onload = function () {
    row = document.getElementById("htmlvar00004");
    row.rowIndex;
}
</script>

<table>
<!-- Crashes when no <thead> element -->
<tr id="htmlvar00004"></tr>
</table>
kinnison

~0002295

kinnison (administrator)

Thanks for this, I've made appropriate fixes to our DOM bindings to deal with these. If you could let us know the best way to get domato and monkey working together we can add this to our CI.
kinnison

~0002454

kinnison (administrator)

Turns out I hadn't fixed it
kinnison

~0002455

kinnison (administrator)

There were a couple of spots where table rows didn't check they had parents. Fixed.
+Notes

-Issue History
Date Modified Username Field Change
2020-08-15 23:21 sha0sum New Issue
2020-08-15 23:21 sha0sum File Added: crashes.zip
2020-08-16 17:37 sha0sum File Added: 5.asan.txt
2020-08-16 17:37 sha0sum Note Added: 0002286
2020-10-02 11:16 kinnison Assigned To => kinnison
2020-10-02 11:16 kinnison Status new => assigned
2020-10-02 15:20 kinnison Status assigned => resolved
2020-10-02 15:20 kinnison Resolution open => fixed
2020-10-02 15:20 kinnison Note Added: 0002295
2024-05-27 12:45 kinnison Status resolved => assigned
2024-05-27 12:45 kinnison Note Added: 0002454
2024-05-27 12:47 kinnison Status assigned => resolved
2024-05-27 12:47 kinnison Fixed in CI build # => 6738
2024-05-27 12:47 kinnison Note Added: 0002455
+Issue History