Heap-buffer-overflow in content::ResourceDispatcher::OnMessageReceived
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6600113463492608
Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x603000011be0
Crash State:
  content::ResourceDispatcher::OnMessageReceived
  content::DispatchMessageTask::run
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=372832:372879
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97YwLs8jznNLRFcosbOIJrib14PebfjUEyJNaN6WhTpAGvZzUSlG0A5oNdhgwBBpqbW7P64p84Jhw6c5vjCiijys8bAsbUDVEwE3C7RQeeId85DRSYW4zd2JY3h58rBu4iGdLLNzQlDzc59p-S1Qbsrfwg4Bb5ukT5BhfhiLQuo3xlCBzI
Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 15 2016

Apr 15 2016

Apr 16 2016

Apr 30 2016
skyostil: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

May 5 2016
Sorry, I'm not sure how this ended up on my plate? I don't really work on ResourceDispatcher that often.

May 6 2016
My guess is that the bug is with something doing IPC, not necessarily an actual change to ResourceDispatcher. mek@, could you investigate whether it's https://chromium.googlesource.com/chromium/src/+/68eb197178f87cc8c25187c685080e69f4156262 (it's in the revision range)?

May 9 2016
It seems extremely unlikely that my change had anything to do with this, as none of the code in that CL would ever run unless an actual service worker is installed (which is not the case in the clusterfuzz test). Also I can't reproduce the crash at ToT (and don't seem to be able to build an ASAN build as of 3 months ago, which seems to be when clusterfuzz found the bug), so I don't even know if the bug is still valid.

May 10 2016
Hm, ClusterFuzz also has "Reproducible: No" flag now. Thanks everyone.

Aug 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
Comment 1 by mmoroz@chromium.org, Apr 15 2016
Labels: Pri-2
Owner: skyos...@chromium.org