Status: Fixed
Closed: Sep 2014
OS: All
Pri: 1
Type: Bug-Security

Use-of-uninitialized-value in content::MessageChannel::DrainEarlyMessageQueue
Project Member Reported by ClusterFuzz, Sep 5 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4925670334398464

Fuzzer: Ifratric_acrojs
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  content::MessageChannel::DrainEarlyMessageQueue
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  

Minimized Testcase (988.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95x9AwF4mWbwRcYrXUxLhx5t6XUyQr2AzGzZ1fIPdpRXJN_Fth2RAIpDVDuUfoIxaX1QdHJ2yr_vqoCTA0QIShFUox7QCPsbtN-ter2t93sL9S3kA-n7fuXaykWyN-bzt7nnXeQZQc7O81AHCCoTl_bCYDFIw6Bj0j2VSUiWx7PR5LnIqk

Filer: inferno
 
Owner: raymes@chromium.org
Status: Assigned
Thanks inferno@. I'm not 100% sure what revision was tested here. I've reverted and relanded a patch that would tickle this code a bunch of times in the past few days. I reverted the patch in:
refs/heads/master@{#293079}
The latest reland of the patch was in:
refs/heads/master@{#293366}

It seems like the revision being tested is 292300, is that true? If so this result might be obsolete (though I definitely can't claim the bug is gone yet!). Is it easy to rerun the test case on ToT? Otherwise I can probably set up a build locally and see if it's still an issue.
Let's wait until tomorrow; it should automatically test it on the new build and then return the result.
Project Member Comment 4 by ClusterFuzz, Sep 5 2014
Labels: Pri-1
Labels: M-37
Project Member Comment 6 by ClusterFuzz, Sep 10 2014
ClusterFuzz has detected this issue as fixed in range 293978:294083.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4925670334398464

Fuzzer: Ifratric_acrojs
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  content::MessageChannel::DrainEarlyMessageQueue
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=293978:294083

Minimized Testcase (988.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95x9AwF4mWbwRcYrXUxLhx5t6XUyQr2AzGzZ1fIPdpRXJN_Fth2RAIpDVDuUfoIxaX1QdHJ2yr_vqoCTA0QIShFUox7QCPsbtN-ter2t93sL9S3kA-n7fuXaykWyN-bzt7nnXeQZQc7O81AHCCoTl_bCYDFIw6Bj0j2VSUiWx7PR5LnIqk

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 7 by ClusterFuzz, Sep 12 2014
Labels: Nag
raymes@: Uh oh! This issue is still open and hasn't been updated in the last 7 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Comment 8 by raymes@chromium.org, Sep 15 2014
Status: Fixed
Project Member Comment 9 by ClusterFuzz, Sep 15 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -M-37 -Nag -Merge-Triage Merge-Requested
Matthew - Merge Requested for M38 (branch 2125)
CL?
Labels: -Merge-Requested -M-38 Merge-NA M-39
Regression after branch point - https://chromium.googlesource.com/chromium/src/+/2515b7dc2832404db4aa8d7d20257f0865c0d931{#293366}. No merge needed.
Labels: Release-0-M39
Project Member Comment 14 by ClusterFuzz, Dec 22 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 15 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 16 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic