Status: Fixed
Closed: Nov 2014
OS: All
Pri: 1
Type: Bug-Security
Stack-buffer-overflow in _XData32
Project Member Reported by clusterf...@chromium.org, Oct 30 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6521056239026176

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_asan_chrome_media

Crash Type: Stack-buffer-overflow READ 8
Crash Address: 0x7f5cc094c2c0
Crash State:
  _XData32
  XChangeProperty
  ui::SelectionOwner::ProcessTarget
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95h8mvnWmYAfFiJvJejAdRalefWGFj-oS0ttcixuN3Wvlw1OBScEljClpgim-tXk5yPtNuQolTfcvALtFk636csDIb5qlAKX96_iz8y1U_Gtc-N0gmze900Z4hgiLHLV_8_t6PdjHupfQrufquL5vPZWipwfHObnhlN3IFqsJWkiVIsz2s


Filer: inferno
 
Cc: attek...@gmail.com nordi...@gmail.com
Owner: pkotw...@chromium.org
Status: Assigned
This was found by both Attekett's and Christoph's fuzzers at the same time. Probably reward split.
Project Member Comment 2 by clusterf...@chromium.org, Oct 30 2014
Labels: Pri-1
Status: Started
CL is up at https://codereview.chromium.org/697863002/
inferno@, is there a good way of checking whether a particular CL fixes the reported issue?
Sorry, but this report (see Reproducible:no in the report) was a one-time crasher. We just have to go with a speculative fix. We will reopen if we see the stack again. With 4000 bots, there is a high chance of hitting it again quickly.
Status: Fixed
Project Member Comment 6 by clusterf...@chromium.org, Nov 3 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member Comment 7 by bugdroid1@chromium.org, Nov 3 2014
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f09a3116b3c3bff8d4c98dd65d659471a7eeff6f

commit f09a3116b3c3bff8d4c98dd65d659471a7eeff6f
Author: pkotwicz <pkotwicz@chromium.org>
Date: Sun Nov 02 22:24:50 2014

Pass in long to XChangeProperty() instead of an int when using format=32

BUG=428557
TEST=None

Review URL: https://codereview.chromium.org/697863002

Cr-Commit-Position: refs/heads/master@{#302404}

[modify] https://chromium.googlesource.com/chromium/src.git/+/f09a3116b3c3bff8d4c98dd65d659471a7eeff6f/ui/base/x/selection_owner.cc
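The commit above fixes the pattern where a C int array is handed to XChangeProperty() with format=32, whose elements Xlib reads as long (8 bytes on LP64, hence the 8-byte over-read). As an added illustration that is not Chromium's or Xlib's code, the block below models Xlib's documented element size per format, computes the over-read such a call produces, and shows the widening into a long array that the fix performs; all function names and sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Bytes Xlib consumes from the caller's buffer in XChangeProperty():
 * the documented element types are char (format 8), short (format 16)
 * and long (format 32), not int32_t. On LP64 platforms long is 8 bytes,
 * so a format=32 call consumes twice what an int array provides. */
static size_t xlib_bytes_read(int format, size_t nelements) {
    switch (format) {
        case 8:  return nelements * sizeof(char);
        case 16: return nelements * sizeof(short);
        case 32: return nelements * sizeof(long);
        default: return 0;  /* invalid format; Xlib rejects it */
    }
}

/* Bytes read past the end of a buffer_size-byte buffer, 0 if none. */
static size_t property_overread(int format, size_t nelements,
                                size_t buffer_size) {
    size_t need = xlib_bytes_read(format, nelements);
    return need > buffer_size ? need - buffer_size : 0;
}

/* The shape of the fix: widen 32-bit values into a long array before the
 * format=32 call. Returns elements copied, or 0 if dst is too small. */
static size_t widen_to_long(const uint32_t *src, size_t n,
                            long *dst, size_t dst_len) {
    if (n > dst_len) return 0;
    for (size_t i = 0; i < n; i++) dst[i] = (long)src[i];
    return n;
}

/* Models the crash: a 2-element int array passed with format=32. On LP64
 * the second long read starts at offset 8, past the 8-byte buffer. */
static size_t demo_int_array_overread(void) {
    int targets[2] = {1, 2};            /* constructed stand-in values */
    return property_overread(32, 2, sizeof targets);
}

/* Same call with the array type the fix uses: no over-read. */
static size_t demo_long_array_overread(void) {
    long targets[2] = {1, 2};
    return property_overread(32, 2, sizeof targets);
}

/* Widening three constructed values; returns the last widened element. */
static long demo_widen(void) {
    uint32_t atoms[3] = {7, 8, 9};
    long wide[3];
    if (widen_to_long(atoms, 3, wide, 3) != 3) return -1;
    return wide[2];
}
```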

Labels: -Merge-Triage Release-0-M40 Security_Impact-Stable
Labels: -reward-topanel reward-unpaid reward-2000 CVE-2014-7941
Fuzzer collision! It's $1000 for the bug here, plus $500 for each of your fuzzers. As you both found it, we'll split the $1000 and give you $500 each, so that works out to be $1000 to each of you.

Note for future self: $1000 to attekett, $1000 to Christoph.
Project Member Comment 10 by clusterf...@chromium.org, Feb 9 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-unpaid reward-inprocess
Reward payment made to attekett@ - leaving "reward-inprocess" label on for Christoph.
Labels: -reward-inprocess
Payment to Christoph sent. Removing in-process label.
Project Member Comment 14 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic