Status: Fixed
Owner:
Closed: Sep 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
Heap-use-after-free in SkScaledImageCache::findAndLock
Project Member Reported by clusterf...@chromium.org, May 16 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5433391312797696

Fuzzer: Inferno_twister
Job Type: Linux_tsan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7d1000016a50
Crash State:
  - crash stack -
  SkScaledImageCache::findAndLock
  findAndLock
  SkScaledImageCache::findAndLock
  
Regressed: https://cluster-fuzz.appspot.com//revisions?job=linux_tsan_chrome_mp&range=228675:228681

Minimized Testcase (1.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95tVrfiyUFVKXAdI3GhA-5o5zE2MrWas3cgTA5sfPZsO8v_VHPwif38TEQCUxydjUwwaICBuFNuDGeJtVQXWC1htKOPQHR9oa0EnZQfIbTPyg2ilhxaokjiQoqLekxTltDbNa0IaeHEhqvQpTXjL3br_gdSDw

Additional requirements: Requires Interaction Gestures
 
Cc: sugoi@chromium.org senorblanco@chromium.org
Labels: -Security_Impact-Head Security_Impact-Beta Cr-Internals-Skia
Owner: reed@chromium.org
Status: Assigned
I think I saw this trace before m36 branched.
Project Member Comment 2 by clusterf...@chromium.org, May 16 2014
Labels: Pri-1
Project Member Comment 3 by clusterf...@chromium.org, May 20 2014
ClusterFuzz has detected this issue as fixed in range 271365:271393.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5433391312797696

Fuzzer: Inferno_twister
Job Type: Linux_tsan_chrome_mp

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7d1000016a50
Crash State:
  - crash stack -
  SkScaledImageCache::findAndLock
  findAndLock
  SkScaledImageCache::findAndLock
  
Regressed: https://cluster-fuzz.appspot.com//revisions?job=linux_tsan_chrome_mp&range=228675:228681
Fixed: https://cluster-fuzz.appspot.com//revisions?job=linux_tsan_chrome_mp&range=271365:271393

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95tVrfiyUFVKXAdI3GhA-5o5zE2MrWas3cgTA5sfPZsO8v_VHPwif38TEQCUxydjUwwaICBuFNuDGeJtVQXWC1htKOPQHR9oa0EnZQfIbTPyg2ilhxaokjiQoqLekxTltDbNa0IaeHEhqvQpTXjL3br_gdSDw

Additional requirements: Requires Interaction Gestures

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 4 by clusterf...@chromium.org, May 24 2014
Labels: Nag
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 5 by clusterf...@chromium.org, Jun 1 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Labels: M-36
I can't reproduce this on an ASan build for Linux. Is it indeed fixed?
This was found by TSAN, not ASAN.
Project Member Comment 8 by clusterf...@chromium.org, Jun 10 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 9 by clusterf...@chromium.org, Jun 18 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 10 by clusterf...@chromium.org, Jun 23 2014
Labels: Security_Impact-Stable
Project Member Comment 11 by clusterf...@chromium.org, Jun 26 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Mike - can you please provide an update here? This bug appears to affect stable so we'd very much like to squash it. 
Project Member Comment 13 by clusterf...@chromium.org, Jul 5 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 14 by clusterf...@chromium.org, Jul 13 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 15 by clusterf...@chromium.org, Jul 22 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: hclam@chromium.org reed@google.com
Owner: reve...@chromium.org
Mike's out for a while.

David, could you take a look or reassign?
Cc: reve...@chromium.org
Owner: reed@chromium.org
Looks like a process teardown issue. The global scaled image cache instance seems to be used after having been deleted.

It might be worth investigating the real cause for this but I'm not sure how critical that is. Using a leaky global instance for the cache should solve it and while that's commonly used in chromium, I'm not sure how well that fits into skia.

I'll assign this back to reed@ for now but feel free to assign it back if anyone feels like this needs to be urgently addressed.
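The teardown-ordering pattern described in the comment above, as an added example that is not Skia's or Chromium's code: an owned global whose destructor runs at exit while a late caller still reaches it, beside a leaky global that is never destroyed. The cache class, the `findAndLock` stand-in and the explicit teardown simulation are all constructed for illustration; the post-destruction state is tracked with a flag so nothing actually reads freed memory.

```cpp
#include <atomic>
#include <mutex>
#include <new>
#include <string>
// Constructed stand-in for Skia's global scaled image cache (not Skia's code).
class ScaledImageCache {
public:
    bool findAndLock(const std::string& key) {   // true when the key is cached
        std::lock_guard<std::mutex> lock(mu_);
        return key == "hit";
    }
private:
    std::mutex mu_;
};
// Pattern A: owned global whose destructor runs at process teardown. Teardown is
// modelled with placement-new plus an explicit destructor call, so the
// destroyed state stays observable without touching freed memory.
alignas(ScaledImageCache) unsigned char g_ownedStorage[sizeof(ScaledImageCache)];
std::atomic<int> g_ownedState{0};  // 0 = not built, 1 = live, 2 = destroyed
ScaledImageCache* ownedCache() {
    if (g_ownedState.load() == 0) {
        new (g_ownedStorage) ScaledImageCache();
        g_ownedState.store(1);
    }
    return reinterpret_cast<ScaledImageCache*>(g_ownedStorage);
}
void simulateTeardownOwned() {   // what the C++ runtime does during exit()
    if (g_ownedState.load() == 1) {
        ownedCache()->~ScaledImageCache();
        g_ownedState.store(2);
    }
}
// Pattern B: leaky global. Never deleted, so there is no destructor and no
// window in which a late caller can observe a dead object.
ScaledImageCache* leakyCache() {
    static ScaledImageCache* instance = new ScaledImageCache();  // intentionally leaked
    return instance;
}
enum LookupResult { kMiss = 0, kHit = 1, kUseAfterFree = 2 };
// A late caller against the owned global: after teardown the call would be the
// use-after-free TSan reported in findAndLock; here it is detected, not performed.
LookupResult lookupOwned(const std::string& key) {
    if (g_ownedState.load() == 2) return kUseAfterFree;
    return ownedCache()->findAndLock(key) ? kHit : kMiss;
}
LookupResult lookupLeaky(const std::string& key) {
    return leakyCache()->findAndLock(key) ? kHit : kMiss;
}
```

The leaky variant trades a reported-at-exit leak (which leak checkers are normally configured to ignore for intentional singletons) for the removal of the teardown window entirely.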
Cc: reed@chromium.org bsalomon@chromium.org
Project Member Comment 19 by clusterf...@chromium.org, Jul 28 2014
Labels: -Security_Impact-Beta
Project Member Comment 20 by clusterf...@chromium.org, Aug 3 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 21 by clusterf...@chromium.org, Aug 11 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 22 by clusterf...@chromium.org, Aug 18 2014
Labels: -M-36 M-37
Project Member Comment 23 by clusterf...@chromium.org, Aug 18 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 24 by clusterf...@chromium.org, Aug 26 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 25 by clusterf...@chromium.org, Sep 2 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 26 by clusterf...@chromium.org, Sep 9 2014
reed@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Status: Fixed
This crash hasn't shown up in a while (none in the last 90 days for the TSan job type, and no recent crashes searching all jobs), so I'm guessing this is fixed. If it starts showing up again we'll file a new bug for it.
Project Member Comment 28 by clusterf...@chromium.org, Sep 11 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -Nag -Merge-Triage Merge-NA
Merge-NA based on c#27.
Labels: Release-0-M38
Project Member Comment 31 by clusterf...@chromium.org, Dec 18 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: Stability-ThreadSanitizer
Labels: -Stability-Memory-ThreadSanitizer
Project Member Comment 34 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 35 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic