
Issue metadata

Status: Fixed
OS: All
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in AvatarMenuBubbleView::LinkClicked

Project Member Reported by ClusterFuzz, Oct 10 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6209429543321600

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  AvatarMenuBubbleView::LinkClicked
  views::Link::OnKeyPressed
  views::View::OnKeyEvent
  

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95B7zYpvgEVCKbb7uINE-Q1q0fTt8T0qcetb4CNXXaJSssXQtcfG_6n8ICXezQTWRj0Ix6T3jE6Yobt31qrqJRNzJ697zQpZgPVyB9wigdCkYTsus86upGn5rp5llKeK0n21nN6HuFufQlpNm1PpwQq54811g


Additional requirements: Requires Gestures

Filer: inferno
 
Owner: akuegel@chromium.org
Status: Assigned (was: NULL)
Author: akuegel@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a9c2d6481ca1228e72621041db3fb052480c08bb
Time: Fri May 31 14:37:14 2013
The CL last changed line 680 of file avatar_menu_bubble_view.cc, which is stack frame 0.
Project Member

Comment 2 by ClusterFuzz, Oct 11 2014

Labels: Pri-1
Labels: M-39
Status: Started (was: NULL)
Thanks for the report. The variable was missing a NULL initialization in the constructor. I have a CL ready to fix this.
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 15 2014

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db

commit d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db
Author: akuegel <akuegel@chromium.org>
Date: Wed Oct 15 10:41:34 2014

Initialize |switch_profile_link_| in the constructor.

This should fix the use of the uninitialized value in the LinkClicked() method.
Currently, the variable is only initialized for supervised user profiles,
but LinkClicked() is also called for other profiles.

BUG= 422482 

Review URL: https://codereview.chromium.org/639163003

Cr-Commit-Position: refs/heads/master@{#299672}

[modify] https://chromium.googlesource.com/chromium/src.git/+/d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db/chrome/browser/ui/views/profiles/avatar_menu_bubble_view.cc
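The commit above describes a member pointer that was assigned only on the supervised-profile path and then compared against in a handler that runs for every profile. The following is an added illustration of that pattern and of the fix, not Chromium's code: the class, the `Link` struct and the `ProfileKind` enum are hypothetical stand-ins, and only the member name `switch_profile_link_` and the method name `LinkClicked` are taken from the bug report.

```cpp
// Added example (not Chromium source). Models the defect from the bug:
// a member pointer assigned on one constructor path only, then read in a
// handler that runs on every path.
#include <cstdio>

// Hypothetical stand-in for views::Link.
struct Link {
  const char* text;
};

enum class ProfileKind { kRegular, kSupervised };

// "Before": for kRegular the member is never written, so LinkClicked()
// compares against garbage. MemorySanitizer reports this as
// Use-of-uninitialized-value; in a release build the result of the
// comparison is simply unpredictable and can spuriously match.
class AvatarMenuBubbleBefore {
 public:
  explicit AvatarMenuBubbleBefore(ProfileKind kind) {
    if (kind == ProfileKind::kSupervised)
      switch_profile_link_ = &switch_link_storage_;
    // kRegular: switch_profile_link_ keeps whatever bytes were in memory.
  }
  bool LinkClicked(const Link* source) const {
    return source == switch_profile_link_;  // reads an uninitialized pointer
  }

 private:
  Link switch_link_storage_{"Switch profile"};
  Link* switch_profile_link_;  // no initializer (the defect)
};

// "After": the member is initialized in the constructor for every profile
// kind, matching the fix described in the commit message. The nullptr guard
// in LinkClicked() is a belt-and-braces check; with the initializer in place
// a null member can never compare equal to a real link.
class AvatarMenuBubbleAfter {
 public:
  explicit AvatarMenuBubbleAfter(ProfileKind kind)
      : switch_profile_link_(nullptr) {  // the fix: always initialized
    if (kind == ProfileKind::kSupervised)
      switch_profile_link_ = &switch_link_storage_;
  }
  bool LinkClicked(const Link* source) const {
    return switch_profile_link_ != nullptr && source == switch_profile_link_;
  }
  const Link* switch_profile_link() const { return switch_profile_link_; }
  const Link* other_link() const { return &other_link_storage_; }

 private:
  Link switch_link_storage_{"Switch profile"};
  Link other_link_storage_{"Sign out"};
  Link* switch_profile_link_;
};

// A regular profile must never treat any click as the switch-profile link.
bool RegularProfileIgnoresSwitchClick() {
  AvatarMenuBubbleAfter bubble(ProfileKind::kRegular);
  return !bubble.LinkClicked(bubble.other_link());
}

// A supervised profile recognises its own link and nothing else.
bool SupervisedProfileDetectsSwitchClick() {
  AvatarMenuBubbleAfter bubble(ProfileKind::kSupervised);
  return bubble.LinkClicked(bubble.switch_profile_link()) &&
         !bubble.LinkClicked(bubble.other_link());
}

int main() {
  std::printf("regular ignores: %s\n",
              RegularProfileIgnoresSwitchClick() ? "ok" : "FAIL");
  std::printf("supervised detects: %s\n",
              SupervisedProfileDetectsSwitchClick() ? "ok" : "FAIL");
  return 0;
}
```

The "Before" class is deliberately never exercised here, since reading `switch_profile_link_` on the regular-profile path is undefined behaviour. To see the report the fuzzer saw, compile a program that does call it with clang and `-fsanitize=memory`; ordinary `-Wall` does not flag an uninitialized class member that is only read in another method. The modern equivalent of the fix is a default member initializer, `Link* switch_profile_link_ = nullptr;`, which makes every constructor safe without repeating the initializer list.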

Status: Fixed (was: NULL)
Project Member

Comment 7 by ClusterFuzz, Oct 15 2014

ClusterFuzz has detected this issue as fixed in range 299664:299673.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6209429543321600

Fuzzer: Bj_broddelwerk
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  AvatarMenuBubbleView::LinkClicked
  views::Link::OnKeyPressed
  views::View::OnKeyEvent
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=299664:299673

Minimized Testcase (0.00 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95B7zYpvgEVCKbb7uINE-Q1q0fTt8T0qcetb4CNXXaJSssXQtcfG_6n8ICXezQTWRj0Ix6T3jE6Yobt31qrqJRNzJ697zQpZgPVyB9wigdCkYTsus86upGn5rp5llKeK0n21nN6HuFufQlpNm1PpwQq54811g


Additional requirements: Requires Gestures

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member

Comment 8 by ClusterFuzz, Oct 15 2014

Labels: -Restrict-View-SecurityTeam Merge-Triage M-38 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: nordi...@gmail.com
Labels: -Merge-Triage Merge-Requested
I would like to request merge permission to the M-39 branch. This patch has been included in Canary for a few days, and it seems to cause no problems.

Comment 11 by amin...@google.com, Oct 20 2014

Labels: -Merge-Requested Merge-Approved
merge approved for m39 branch 2171
Project Member

Comment 12 by bugdroid1@chromium.org, Oct 22 2014

Labels: -Merge-Approved merge-merged-2171
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/875dc17184c77f2398a56efd9f25c1b6d780ac28

commit 875dc17184c77f2398a56efd9f25c1b6d780ac28
Author: Adrian Kuegel <akuegel@chromium.org>
Date: Wed Oct 22 08:21:39 2014

Merge 299672 "Initialize |switch_profile_link_| in the constructor."

BUG= 422482 
TBR=sky@chromium.org

Review URL: https://codereview.chromium.org/639163003

Cr-Commit-Position: refs/heads/master@{#299672}
(cherry picked from commit d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db)

Review URL: https://codereview.chromium.org/667413002

Cr-Commit-Position: refs/branch-heads/2171@{#227}
Cr-Branched-From: 267aeeb8d85c8503a7fd12bd14654b8ea78d3974-refs/heads/master@{#297060}

[modify] https://chromium.googlesource.com/chromium/src.git/+/875dc17184c77f2398a56efd9f25c1b6d780ac28/chrome/browser/ui/views/profiles/avatar_menu_bubble_view.cc

Labels: Merge-Requested
I would like to request merge permission to the M-38 branch.

Comment 14 by amin...@google.com, Oct 28 2014

Labels: m39-ignore
Adding an ignore label for M39 as this has already been merged there. M38 TPM will follow up independently.
Labels: -Merge-Requested Merge-Approved
Project Member

Comment 16 by bugdroid1@chromium.org, Nov 5 2014

Labels: -Merge-Approved merge-merged-2125
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2e64aac2c48fdc52f003fc356e4b2a7514a750d7

commit 2e64aac2c48fdc52f003fc356e4b2a7514a750d7
Author: Adrian Kuegel <akuegel@chromium.org>
Date: Wed Nov 05 11:02:47 2014

Merge 299672 "Initialize |switch_profile_link_| in the constructor."

BUG= 422482 
TBR=sky@chromium.org

Review URL: https://codereview.chromium.org/639163003

Cr-Commit-Position: refs/heads/master@{#299672}
(cherry picked from commit d3319ba3dc0c86b3c64e1fd4b11f4429de52b8db)

Review URL: https://codereview.chromium.org/700133002

Cr-Commit-Position: refs/branch-heads/2125@{#601}
Cr-Branched-From: b68026d94bda36dd106a3d91a098719f952a9477-refs/heads/master@{#290040}

[modify] https://chromium.googlesource.com/chromium/src.git/+/2e64aac2c48fdc52f003fc356e4b2a7514a750d7/chrome/browser/ui/views/profiles/avatar_menu_bubble_view.cc

Labels: -m39-ignore Release-0-M39
Project Member

Comment 18 by ClusterFuzz, Jan 21 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member

Comment 19 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 20 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
