Issue metadata
Heap-buffer-overflow in epoll_add |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5049426703286272
Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61500002faf0
Crash State:
  epoll_add
  event_add
  base::MessagePumpLibevent::WatchFileDescriptor
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_ipc&range=392267:392268
Minimized Testcase (774.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95doQvWPwSXdL1OQw0vT13RtPYhLSoF0s2p_FkSR2Iul5nG1UI18J6Sb-LHcFVX5F-_1nk3nVqd99GWaM3ZYb_uJ3bpBE-nyBR6PPRDeHcuxyRKtmsEj06mS-Hrn5zwukuAofseDjVXZoeP_KkueFxkw4hEBCV_jFJLavBWMtZwAb-mYks
Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 10 2016

May 10 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 10 2016

May 10 2016

May 17 2016
+amistry FYI
May 17 2016

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1febcb4dfce7928a6d4bee93888bdb88bfa18ce4

commit 1febcb4dfce7928a6d4bee93888bdb88bfa18ce4
Author: rockot <rockot@chromium.org>
Date: Tue May 17 05:02:30 2016

[mojo-edk] Fix bootstrap NodeChannel Start/ShutDown race

If the parent bootstrap signals an error very early in NodeController startup, it can be ShutDown() before Start() is invoked on the IO thread via ConnectoToParentOnIOThread. This changes Start() to gracefully handle a null |channel_|.

BUG= 610337
R=amistry@chromium.org

Review-Url: https://codereview.chromium.org/1985993002
Cr-Commit-Position: refs/heads/master@{#394055}

[modify] https://crrev.com/1febcb4dfce7928a6d4bee93888bdb88bfa18ce4/mojo/edk/system/node_channel.cc
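The ordering problem the commit message describes, as an added illustration that is not Chromium's code: a shutdown path runs before the IO-thread start task, so the start routine must tolerate an already-released channel instead of dereferencing it. The `Node`, `Channel` and `IoTaskQueue` names below are hypothetical stand-ins for the real NodeChannel/IO-thread machinery, and the descriptor value is constructed.

```cpp
// Added example (not Chromium's NodeChannel). Models the race fixed by the
// commit above: ShutDown() can run before the IO-thread Start() task, so
// Start() must handle a null channel rather than touching a freed one.
#include <deque>
#include <functional>
#include <memory>
#include <utility>

// Hypothetical stand-in for the underlying channel; its descriptor is only
// meaningful while the channel object is alive.
struct Channel {
    int fd;
    explicit Channel(int f) : fd(f) {}
};

// Simulated IO thread: tasks run later, in the order they were posted.
struct IoTaskQueue {
    std::deque<std::function<void()>> tasks;
    void Post(std::function<void()> t) { tasks.push_back(std::move(t)); }
    void RunAll() {
        while (!tasks.empty()) {
            auto t = std::move(tasks.front());
            tasks.pop_front();
            t();
        }
    }
};

// Hypothetical node owning a channel, with Start()/ShutDown() entry points.
class Node {
public:
    explicit Node(int fd) : channel_(std::make_unique<Channel>(fd)) {}

    // Runs on the IO thread. The null check is the guard the fix adds: an
    // early ShutDown() may already have released channel_.
    bool Start() {
        if (!channel_) return false;          // channel gone: nothing to watch
        watched_fd_ = channel_->fd;           // register the descriptor to watch
        return true;
    }

    // Early bootstrap error path: release the channel.
    void ShutDown() { channel_.reset(); }

    int watched_fd() const { return watched_fd_; }

private:
    std::unique_ptr<Channel> channel_;
    int watched_fd_ = -1;
};

// Normal ordering: Start() task runs while the channel is alive.
bool StartNormally() {
    IoTaskQueue io;
    Node node(7);                             // constructed descriptor value
    bool started = false;
    io.Post([&] { started = node.Start(); });
    io.RunAll();
    return started && node.watched_fd() == 7;
}

// Racy ordering from the bug: the error path calls ShutDown() before the
// posted Start() task runs. With the guard, Start() returns false and no
// descriptor is ever registered.
bool StartAfterEarlyShutdown() {
    IoTaskQueue io;
    Node node(7);                             // constructed descriptor value
    bool started = false;
    node.ShutDown();                          // early error: channel released
    io.Post([&] { started = node.Start(); });
    io.RunAll();
    return started || node.watched_fd() != -1; // true only if Start misbehaved
}
```

`StartNormally()` returns true and `StartAfterEarlyShutdown()` returns false; without the null check the second path would dereference a released channel, which is the class of failure the ASan report above caught at the descriptor-watching layer.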
May 17 2016

I was only able to repro this rarely with local runs of the fuzzer+asan. As far as I can tell, the most reasonable explanation for the bug is that StartOnIOThread must be called on an invalid ChannelPosix instance, and the CL above prevents the only possible code path I could find which might lead to this happening. I have been unable to repro with the patch applied. Please reopen this bug if ClusterFuzz remains unhappy.
May 17 2016

Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in. - Your friendly ClusterFuzz
May 18 2016

May 18 2016
I think the baking has been sufficient.
May 18 2016
[Automated comment] Less than 2 weeks to go before stable on M51, manual review required.
May 18 2016
Approving merge to M51 branch 2704 based on comment #11. Please merge ASAP as we're getting very close to M51 stable promotion.
May 18 2016

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9075528e0b9897b4775e764cacfff08b0eb79979

commit 9075528e0b9897b4775e764cacfff08b0eb79979
Author: Ken Rockot <rockot@chromium.org>
Date: Wed May 18 21:53:35 2016

[mojo-edk] Fix bootstrap NodeChannel Start/ShutDown race

If the parent bootstrap signals an error very early in NodeController startup, it can be ShutDown() before Start() is invoked on the IO thread via ConnectoToParentOnIOThread. This changes Start() to gracefully handle a null |channel_|.

BUG= 610337
R=amistry@chromium.org

Review-Url: https://codereview.chromium.org/1985993002
Cr-Commit-Position: refs/heads/master@{#394055}
(cherry picked from commit 1febcb4dfce7928a6d4bee93888bdb88bfa18ce4)

Review URL: https://codereview.chromium.org/1995723003 .
Cr-Commit-Position: refs/branch-heads/2704@{#589}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/9075528e0b9897b4775e764cacfff08b0eb79979/mojo/edk/system/node_channel.cc
May 18 2016

May 18 2016
There won't be any M50 releases as we're very close to M51 stable promotion.
Aug 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by och...@chromium.org, May 9 2016
Status: Assigned (was: Available)