Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 559310 Security: SharedWorkerDevToolsAgentHost UAF (sandbox escape)
Starred by 1 user Project Member Reported by och...@chromium.org, Nov 20 2015 Back to list
Status: Fixed
Owner:
Closed: Dec 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment
Repro (renderer patch attached, may need a couple of retries to win the race)

=================================================================
==25485==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100037f108 at pc 0x7ff278d3dbbf bp 0x7ffd0be25cf0 sp 0x7ffd0be25ce8
READ of size 4 at 0x62100037f108 thread T0 (chrome)
    #0 0x7ff278d3dbbe in base::subtle::RefCountedBase::AddRef() const base/memory/ref_counted.h:53:5
    #1 0x7ff2793c3eb4 in base::RefCounted<content::DevToolsAgentHost>::AddRef() const base/memory/ref_counted.h:129:5
    #2 0x7ff27954f918 in scoped_refptr<content::SharedWorkerDevToolsAgentHost>::AddRef(content::SharedWorkerDevToolsAgentHost*) base/memory/ref_counted.h:398:3
    #3 0x7ff279548359 in scoped_refptr<content::SharedWorkerDevToolsAgentHost>::scoped_refptr(content::SharedWorkerDevToolsAgentHost*) base/memory/ref_counted.h:277:7
    #4 0x7ff27954b205 in content::SharedWorkerDevToolsManager::WorkerDestroyed(int, int) content/browser/devtools/shared_worker_devtools_manager.cc:74:48
    #5 0x7ff27abd8bca in content::(anonymous namespace)::NotifyWorkerDestroyed(int, int) content/browser/shared_worker/shared_worker_host.cc:47:3
    #6 0x7ff27a7b296e in base::internal::RunnableAdapter<void (*)(int, int)>::Run(int const&, int const&) base/bind_internal.h:159:12
    #7 0x7ff27a7b2815 in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(int, int)>, base::internal::TypeList<int const&, int const&> >::MakeItSo(base::internal::RunnableAdapter<void (*)(int, int)>, int const&, int const&) base/bind_internal.h:295:5
    #8 0x7ff27a7b2673 in base::internal::Invoker<base::IndexSequence<0ul, 1ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(int, int)>, void (int, int), base::internal::TypeList<int, int> >, base::internal::TypeList<base::internal::UnwrapTraits<int>, base::internal::UnwrapTraits<int> >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(int, int)>, base::internal::TypeList<int const&, int const&> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:345:12
    #9 0x7ff26db84b13 in base::Callback<void ()>::Run() const base/callback.h:396:12
    #10 0x7ff26dbf4ab5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:3
    #11 0x7ff26dd483e7 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:481:3
    #12 0x7ff26dd495fb in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:490:5
    #13 0x7ff26dd4a679 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:602:13
    #14 0x7ff26db396db in base::MessagePumpGlib::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_glib.cc:313:31
    #15 0x7ff26dd475be in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:445:3
    #16 0x7ff26de426c4 in base::RunLoop::Run() base/run_loop.cc:55:3
    #17 0x7ff287132b52 in ChromeBrowserMainParts::MainMessageLoopRun(int*) chrome/browser/chrome_browser_main.cc:1771:3
    #18 0x7ff279181d69 in content::BrowserMainLoop::RunMainMessageLoopParts() content/browser/browser_main_loop.cc:947:21
    #19 0x7ff279195bda in content::BrowserMainRunnerImpl::Run() content/browser/browser_main_runner.cc:235:5
    #20 0x7ff279170aa4 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:44:15
    #21 0x7ff278c9b66b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:378:14
    #22 0x7ff278c9ff94 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:804:12
    #23 0x7ff278c98a4b in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
    #24 0x7ff285cda6f0 in ChromeMain chrome/app/chrome_main.cc:66:12
    #25 0x7ff285cda4e1 in main chrome/app/chrome_exe_main_aura.cc:17:10
    #26 0x7ff261c52ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

0x62100037f108 is located 8 bytes inside of 4080-byte region [0x62100037f100,0x6210003800f0)
freed by thread T20 (Chrome_IOThread) here:
    #0 0x7ff285cd8a1b in operator delete(void*) ??:0:0
    #1 0x7ff26dd58639 in __deallocate buildtools/third_party/libc++/trunk/include/new:164:3
    #2 0x7ff26dd58639 in deallocate buildtools/third_party/libc++/trunk/include/memory:1636:0
    #3 0x7ff26dd58639 in deallocate buildtools/third_party/libc++/trunk/include/memory:1447:0
    #4 0x7ff26dd58639 in std::__1::deque<base::PendingTask, std::__1::allocator<base::PendingTask> >::pop_front() buildtools/third_party/libc++/trunk/include/deque:2541:0
    #5 0x7ff26dd4a53b in pop buildtools/third_party/libc++/trunk/include/queue:298:17
    #6 0x7ff26dd4a53b in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:595:0
    #7 0x7ff26db3faab in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:237:21
    #8 0x7ff26dd475be in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:445:3
    #9 0x7ff26de426c4 in base::RunLoop::Run() base/run_loop.cc:55:3
    #10 0x7ff26dd42e5f in base::MessageLoop::Run() base/message_loop/message_loop.cc:288:3
    #11 0x7ff26df99588 in base::Thread::Run(base::MessageLoop*) base/threading/thread.cc:199:3
    #12 0x7ff2791d701a in content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) content/browser/browser_thread_impl.cc:211:3
    #13 0x7ff2791d73e9 in content::BrowserThreadImpl::Run(base::MessageLoop*) content/browser/browser_thread_impl.cc:246:14
    #14 0x7ff26df99ea9 in base::Thread::ThreadMain() base/threading/thread.cc:251:3
    #15 0x7ff26df5d3c2 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:64:3
    #16 0x7ff266177181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312:0

previously allocated by thread T19 (Chrome_CacheThr) here:
    #0 0x7ff285cd845b in operator new(unsigned long) ??:0:0
    #1 0x7ff26dd34da2 in __allocate buildtools/third_party/libc++/trunk/include/new:156:10
    #2 0x7ff26dd34da2 in allocate buildtools/third_party/libc++/trunk/include/memory:1634:0
    #3 0x7ff26dd34da2 in allocate buildtools/third_party/libc++/trunk/include/memory:1439:0
    #4 0x7ff26dd34da2 in std::__1::deque<base::PendingTask, std::__1::allocator<base::PendingTask> >::__add_back_capacity() buildtools/third_party/libc++/trunk/include/deque:2424:0
    #5 0x7ff26dd316eb in std::__1::deque<base::PendingTask, std::__1::allocator<base::PendingTask> >::push_back(base::PendingTask const&) buildtools/third_party/libc++/trunk/include/deque:1770:9
    #6 0x7ff26dd2ec1a in push buildtools/third_party/libc++/trunk/include/queue:286:39
    #7 0x7ff26dd2ec1a in base::internal::IncomingTaskQueue::PostPendingTask(base::PendingTask*) base/message_loop/incoming_task_queue.cc:158:0
    #8 0x7ff26dd2e4b1 in base::internal::IncomingTaskQueue::AddToIncomingQueue(tracked_objects::Location const&, base::Callback<void ()> const&, base::TimeDelta, bool) base/message_loop/incoming_task_queue.cc:75:10
    #9 0x7ff26dd60c3b in base::internal::MessageLoopTaskRunner::PostDelayedTask(tracked_objects::Location const&, base::Callback<void ()> const&, base::TimeDelta) base/message_loop/message_loop_task_runner.cc:30:10
    #10 0x7ff26df38869 in base::TaskRunner::PostTask(tracked_objects::Location const&, base::Callback<void ()> const&) base/task_runner.cc:45:10
    #11 0x7ff282a4cd16 in disk_cache::InFlightIO::OnIOComplete(disk_cache::BackgroundIO*) net/disk_cache/blockfile/in_flight_io.cc:86:3
    #12 0x7ff282a4ca6f in disk_cache::BackgroundIO::NotifyController() net/disk_cache/blockfile/in_flight_io.cc:56:5
    #13 0x7ff282a43580 in disk_cache::BackendIO::ExecuteBackendOperation() net/disk_cache/blockfile/in_flight_backend_io.cc:285:3
    #14 0x7ff282a4102c in disk_cache::BackendIO::ExecuteOperation() net/disk_cache/blockfile/in_flight_backend_io.cc:45:3
    #15 0x7ff282a4bb6a in base::internal::RunnableAdapter<void (disk_cache::BackendIO::*)()>::Run(disk_cache::BackendIO*) base/bind_internal.h:178:12
    #16 0x7ff282a4ba1d in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (disk_cache::BackendIO::*)()>, base::internal::TypeList<disk_cache::BackendIO* const&> >::MakeItSo(base::internal::RunnableAdapter<void (disk_cache::BackendIO::*)()>, disk_cache::BackendIO* const&) base/bind_internal.h:295:5
    #17 0x7ff282a4b82a in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (disk_cache::BackendIO::*)()>, void (disk_cache::BackendIO*), base::internal::TypeList<disk_cache::BackendIO*> >, base::internal::TypeList<base::internal::UnwrapTraits<disk_cache::BackendIO*> >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (disk_cache::BackendIO::*)()>, base::internal::TypeList<disk_cache::BackendIO* const&> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:345:12
    #18 0x7ff26db84b13 in base::Callback<void ()>::Run() const base/callback.h:396:12
    #19 0x7ff26dbf4ab5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51:3
    #20 0x7ff26dd483e7 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:481:3
    #21 0x7ff26dd495fb in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:490:5
    #22 0x7ff26dd4a679 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:602:13
    #23 0x7ff26db3faab in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:237:21
    #24 0x7ff26dd475be in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:445:3
    #25 0x7ff26de426c4 in base::RunLoop::Run() base/run_loop.cc:55:3
    #26 0x7ff26dd42e5f in base::MessageLoop::Run() base/message_loop/message_loop.cc:288:3
    #27 0x7ff26df99588 in base::Thread::Run(base::MessageLoop*) base/threading/thread.cc:199:3
    #28 0x7ff2791d6d3a in content::BrowserThreadImpl::CacheThreadRun(base::MessageLoop*) content/browser/browser_thread_impl.cc:205:3
    #29 0x7ff2791d73d7 in content::BrowserThreadImpl::Run(base::MessageLoop*) content/browser/browser_thread_impl.cc:244:14
    #30 0x7ff26df99ea9 in base::Thread::ThreadMain() base/threading/thread.cc:251:3
    #31 0x7ff26df5d3c2 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:64:3
    #32 0x7ff266177181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312:0

Thread T20 (Chrome_IOThread) created by T0 (chrome) here:
    #0 0x7ff285c9a4b9 in __interceptor_pthread_create ??:0:0
    #1 0x7ff26df5c4f7 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:103:13
    #2 0x7ff26df5c0e2 in base::PlatformThread::CreateWithPriority(unsigned long, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:184:10
    #3 0x7ff26df98914 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:113:10
    #4 0x7ff2791d7df8 in content::BrowserThreadImpl::StartWithOptions(base::Thread::Options const&) content/browser/browser_thread_impl.cc:301:10
    #5 0x7ff27917c876 in content::BrowserMainLoop::CreateThreads() content/browser/browser_main_loop.cc:900:12
    #6 0x7ff27918f89a in base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>::Run(content::BrowserMainLoop*) base/bind_internal.h:178:12
    #7 0x7ff27918f5b2 in base::internal::InvokeHelper<false, int, base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, base::internal::TypeList<content::BrowserMainLoop*> >::MakeItSo(base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, content::BrowserMainLoop*) base/bind_internal.h:288:12
    #8 0x7ff27918f379 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, int (content::BrowserMainLoop*), base::internal::TypeList<base::internal::UnretainedWrapper<content::BrowserMainLoop> > >, base::internal::TypeList<base::internal::UnwrapTraits<base::internal::UnretainedWrapper<content::BrowserMainLoop> > >, base::internal::InvokeHelper<false, int, base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, base::internal::TypeList<content::BrowserMainLoop*> >, int ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:345:12
    #9 0x7ff27a168753 in base::Callback<int ()>::Run() const base/callback.h:396:12
    #10 0x7ff27acec465 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45:14
    #11 0x7ff27917aab5 in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:809:3
    #12 0x7ff2791957db in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:220:5
    #13 0x7ff279170a0a in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:40:19
    #14 0x7ff278c9b66b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:378:14
    #15 0x7ff278c9ff94 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:804:12
    #16 0x7ff278c98a4b in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
    #17 0x7ff285cda6f0 in ChromeMain chrome/app/chrome_main.cc:66:12
    #18 0x7ff285cda4e1 in main chrome/app/chrome_exe_main_aura.cc:17:10
    #19 0x7ff261c52ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

Thread T19 (Chrome_CacheThr) created by T0 (chrome) here:
    #0 0x7ff285c9a4b9 in __interceptor_pthread_create ??:0:0
    #1 0x7ff26df5c4f7 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:103:13
    #2 0x7ff26df5c0e2 in base::PlatformThread::CreateWithPriority(unsigned long, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:184:10
    #3 0x7ff26df98914 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:113:10
    #4 0x7ff2791d7df8 in content::BrowserThreadImpl::StartWithOptions(base::Thread::Options const&) content/browser/browser_thread_impl.cc:301:10
    #5 0x7ff27917c876 in content::BrowserMainLoop::CreateThreads() content/browser/browser_main_loop.cc:900:12
    #6 0x7ff27918f89a in base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>::Run(content::BrowserMainLoop*) base/bind_internal.h:178:12
    #7 0x7ff27918f5b2 in base::internal::InvokeHelper<false, int, base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, base::internal::TypeList<content::BrowserMainLoop*> >::MakeItSo(base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, content::BrowserMainLoop*) base/bind_internal.h:288:12
    #8 0x7ff27918f379 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, int (content::BrowserMainLoop*), base::internal::TypeList<base::internal::UnretainedWrapper<content::BrowserMainLoop> > >, base::internal::TypeList<base::internal::UnwrapTraits<base::internal::UnretainedWrapper<content::BrowserMainLoop> > >, base::internal::InvokeHelper<false, int, base::internal::RunnableAdapter<int (content::BrowserMainLoop::*)()>, base::internal::TypeList<content::BrowserMainLoop*> >, int ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:345:12
    #9 0x7ff27a168753 in base::Callback<int ()>::Run() const base/callback.h:396:12
    #10 0x7ff27acec465 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45:14
    #11 0x7ff27917aab5 in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:809:3
    #12 0x7ff2791957db in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:220:5
    #13 0x7ff279170a0a in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:40:19
    #14 0x7ff278c9b66b in content::RunNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:378:14
    #15 0x7ff278c9ff94 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:804:12
    #16 0x7ff278c98a4b in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:15
    #17 0x7ff285cda6f0 in ChromeMain chrome/app/chrome_main.cc:66:12
    #18 0x7ff285cda4e1 in main chrome/app/chrome_exe_main_aura.cc:17:10
    #19 0x7ff261c52ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0

SUMMARY: AddressSanitizer: heap-use-after-free (/mnt/ssd/chromium/src/out/Release/lib/libcontent.so+0xcc0bbe)
Shadow bytes around the buggy address:
  0x0c4280067dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280067de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280067df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280067e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280067e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4280067e20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4280067e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4280067e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4280067e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4280067e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4280067e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25485==ABORTING



 
renderer_hax.patch
1.8 KB Download
Comment 1 by och...@chromium.org, Nov 20 2015
Bug is in SharedWorkerDevToolsManager::WorkerDestroyed:

  AgentHostMap::iterator it = workers_.find(id);
  DCHECK(it != workers_.end());
  scoped_refptr<SharedWorkerDevToolsAgentHost> agent_host(it->second);
  agent_host->WorkerDestroyed();

the it != workers_.end() check should not be a DCHECK

Comment 2 Deleted
Comment 3 by wfh@chromium.org, Nov 20 2015
Cc: yu...@chromium.org dgozman@chromium.org
Labels: Security_Severity-High Security_Impact-Stable Cr-Platform-DevTools
Owner: pfeldman@chromium.org
Status: Assigned
Project Member Comment 4 by clusterf...@chromium.org, Nov 20 2015
Labels: Pri-1
Project Member Comment 5 by bugdroid1@chromium.org, Nov 25 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3f1bf682566dfcf478d5f0d841f65d27b849e643

commit 3f1bf682566dfcf478d5f0d841f65d27b849e643
Author: pfeldman <pfeldman@chromium.org>
Date: Wed Nov 25 03:48:34 2015

DevTools: relax the check when looking up the shared workers' agent hosts.

BUG= 559310 

Review URL: https://codereview.chromium.org/1473853002

Cr-Commit-Position: refs/heads/master@{#361556}

[modify] http://crrev.com/3f1bf682566dfcf478d5f0d841f65d27b849e643/content/browser/devtools/shared_worker_devtools_manager.cc

Status: Fixed
Project Member Comment 7 by clusterf...@chromium.org, Nov 25 2015
Labels: -Restrict-View-SecurityTeam Merge-Triage M-48 M-47 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Cc: och...@chromium.org
Thanks for fixing this, pfeldman. Could you take care of the merges?
Sure. Does it have to be approved? Tell me where it can go and I merge it.
Status: Started
Labels: Merge-Request-48 Merge-Request-47
Status: Fixed
Yep.

Since this is a pretty simple fix, requesting merges for 47 and 48
Comment 12 by tin...@google.com, Dec 3 2015
Labels: -Merge-Request-47 Merge-Review-47 Hotlist-Merge-Review
[Automated comment] Request affecting a post-stable build (M47), manual review required.
Comment 13 by tin...@google.com, Dec 3 2015
Labels: -Merge-Request-48 Merge-Approved-48 Hotlist-Merge-Approved
Congrats your change is auto-approved for M48 (branch: 2564)
Project Member Comment 14 by bugdroid1@chromium.org, Dec 3 2015
Labels: -Merge-Approved-48 merge-merged-2564
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c94711d68720905a8b4460d55152d5b4a5662fc2

commit c94711d68720905a8b4460d55152d5b4a5662fc2
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Thu Dec 03 19:04:54 2015

DevTools: relax the check when looking up the shared workers' agent hosts.

BUG= 559310 

Review URL: https://codereview.chromium.org/1473853002

Cr-Commit-Position: refs/heads/master@{#361556}
(cherry picked from commit 3f1bf682566dfcf478d5f0d841f65d27b849e643)

Review URL: https://codereview.chromium.org/1492123006 .

Cr-Commit-Position: refs/branch-heads/2564@{#221}
Cr-Branched-From: 1283eca15bd9f772387f75241576cde7bdec7f54-refs/heads/master@{#359700}

[modify] http://crrev.com/c94711d68720905a8b4460d55152d5b4a5662fc2/content/browser/devtools/shared_worker_devtools_manager.cc

Labels: -Merge-Review-47 Merge-Approved-47
Approved for M47 (branch 2526)
Project Member Comment 16 by bugdroid1@chromium.org, Dec 3 2015
Labels: -Merge-Approved-47 merge-merged-2526
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1a2410a457677adeab6febfd0161f88d8eae6a30

commit 1a2410a457677adeab6febfd0161f88d8eae6a30
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Thu Dec 03 19:42:14 2015

DevTools: relax the check when looking up the shared workers' agent hosts.

BUG= 559310 

Review URL: https://codereview.chromium.org/1473853002

Cr-Commit-Position: refs/heads/master@{#361556}
(cherry picked from commit 3f1bf682566dfcf478d5f0d841f65d27b849e643)

Review URL: https://codereview.chromium.org/1496983002 .

Cr-Commit-Position: refs/branch-heads/2526@{#498}
Cr-Branched-From: cb947c0153db0ec02a8abbcb3ca086d88bf6006f-refs/heads/master@{#352221}

[modify] http://crrev.com/1a2410a457677adeab6febfd0161f88d8eae6a30/content/browser/devtools/shared_worker_devtools_manager.cc

Project Member Comment 17 by bugdroid1@chromium.org, Dec 7 2015
The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/c94711d68720905a8b4460d55152d5b4a5662fc2

commit c94711d68720905a8b4460d55152d5b4a5662fc2
Author: Pavel Feldman <pfeldman@chromium.org>
Date: Thu Dec 03 19:04:54 2015

Cc: timwillis@chromium.org
Labels: -Merge-Triage Release-1-M47
Project Member Comment 19 by sheriffbot@chromium.org, Mar 11 2016
Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

For more details visit https://sites.google.com/a/chromium.org/dev/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 20 by sheriffbot@chromium.org, Oct 1
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 21 by sheriffbot@chromium.org, Oct 2
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Sign in to add a comment