Heap-use-after-free in content::FilteringNetworkManager::Initialize
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4976413501554688
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x7d500000a944
Crash State:
  content::FilteringNetworkManager::Initialize
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95pBu2ogdBw6EEeXyj4SHBuvVhRzLdP-6bwFzwtkvFrRgzE9FftZQvIEyawqv29F1z48pAsnA1LBvF_6MbZJcLbfxVSr0eY99Ph9vFGdZ2zjsDAbBaObSgkeAh473Y9B9AhsPqDv87N_oUYzA0ctiS1DWJ6Yw

<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>

Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 6 2016
guoweis@, could you please take a look at this bug?
,
Jun 6 2016
assigned to pthatcher for webrtc related bugs in chromium.
,
Jun 12 2016
,
Jun 21 2016
pthatcher: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 21 2016
,
Jun 21 2016
,
Jun 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5426834514903040
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0xabf00278
Crash State:
  content::FilteringNetworkManager::Initialize
  base::internal::Invoker<base::IndexSequence<0u>, base::internal::BindState<base:
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397755:397878

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv944wwFGe-oCyr9EOC0_RLINTPl_X4ASG8AEenTkSNoSUhSkAYpPCNdADa5qQeYYe5N48qR1rR0kmid9X4i5NuOViHT7hedCEKaBklviH7-5QXJ-XnfxnbNtdcVVgvSsNZnlm45pyR6RjVAwmEuD00PQYjqQRw?testcase_id=5426834514903040

<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4976413501554688
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x7d500000a944
Crash State:
  content::FilteringNetworkManager::Initialize
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Cnj7ugJEIEXUbXFbCBWT-bHNtaA4x-nA-oizzTpIg0Gc8-gOLL-v2CDzQGtSv4FOgjYAhjKujwSOR6BLSh-dB5gGjRAtIxb_HnaBYiwZY5v0gx1q0dPWhHtZSk7f2nbJoB3Yvtl41CKd62RPpwilaCjBnnw?testcase_id=4976413501554688

<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 8 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c6dcde40c5dc3ad78ee039f6a7e9e71437256512

commit c6dcde40c5dc3ad78ee039f6a7e9e71437256512
Author: deadbeef <deadbeef@chromium.org>
Date: Fri Jul 08 15:41:46 2016

Do FilteringNetworkManager::CheckPermission from new Initialize method.

This is guaranteed to be called from PeerConnection on the correct thread when the PeerConnection is initializing. This means it's no longer PeerConnectionDependencyFactory's responsibility to initialize it, and it can be initialized in a thread safe way.

BUG= 617648
Review-Url: https://codereview.chromium.org/2113523003
Cr-Commit-Position: refs/heads/master@{#404395}

[modify] https://crrev.com/c6dcde40c5dc3ad78ee039f6a7e9e71437256512/content/renderer/media/webrtc/peer_connection_dependency_factory.cc
[modify] https://crrev.com/c6dcde40c5dc3ad78ee039f6a7e9e71437256512/content/renderer/p2p/filtering_network_manager.cc
[modify] https://crrev.com/c6dcde40c5dc3ad78ee039f6a7e9e71437256512/content/renderer/p2p/filtering_network_manager.h
[modify] https://crrev.com/c6dcde40c5dc3ad78ee039f6a7e9e71437256512/content/renderer/p2p/filtering_network_manager_unittest.cc
[modify] https://crrev.com/c6dcde40c5dc3ad78ee039f6a7e9e71437256512/content/renderer/p2p/port_allocator.cc
[modify] https://crrev.com/c6dcde40c5dc3ad78ee039f6a7e9e71437256512/content/renderer/p2p/port_allocator.h
,
Jul 8 2016
,
Jul 9 2016
ClusterFuzz has detected this issue as fixed in range 404363:404422.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5426834514903040
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0xabf00278
Crash State:
  content::FilteringNetworkManager::Initialize
  base::internal::Invoker<base::IndexSequence<0u>, base::internal::BindState<base:
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397755:397878
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=404363:404422

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv944wwFGe-oCyr9EOC0_RLINTPl_X4ASG8AEenTkSNoSUhSkAYpPCNdADa5qQeYYe5N48qR1rR0kmid9X4i5NuOViHT7hedCEKaBklviH7-5QXJ-XnfxnbNtdcVVgvSsNZnlm45pyR6RjVAwmEuD00PQYjqQRw?testcase_id=5426834514903040

<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 9 2016
,
Jul 9 2016
ClusterFuzz has detected this issue as fixed in range 404363:404454.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6146830341767168
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x615000001ac4
Crash State:
  content::FilteringNetworkManager::Initialize
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=397908:397913
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=404363:404454

Minimized Testcase (0.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95IUbt1ALl86LCu93zZr7MdhDo2RSGw0T2rURLzUrf4_apjDD25tWxv9nY3j9rYJJZwbFOU5LL_FDjSOWyMvOU8G0hs-6tWsALupFz-FsK8h2aknO_gvQAd7VdRtwlmUYlbp0dFNsOFjmNZW18jp6WVgfyS-Q?testcase_id=6146830341767168

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 11 2016
Marking as verified since clusterfuzz reported here (and on all the duplicate entries) that it's fixed.
,
Jul 14 2016
Approving merge to M53 branch 2785 based on comment #14 & #15. Please merge ASAP. Thank you.
,
Jul 14 2016
I'm not a committer. Is someone else able to merge? Tommi? :)
,
Jul 15 2016
Guido has volunteered to help
,
Jul 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2

commit f5a188d3a5f73412355e523c9c6b1a39eae2a9b2
Author: Guido Urdaneta <guidou@chromium.org>
Date: Fri Jul 15 10:47:03 2016

Do FilteringNetworkManager::CheckPermission from new Initialize method.

This is guaranteed to be called from PeerConnection on the correct thread when the PeerConnection is initializing. This means it's no longer PeerConnectionDependencyFactory's responsibility to initialize it, and it can be initialized in a thread safe way.

BUG= 617648
Review-Url: https://codereview.chromium.org/2113523003
Cr-Commit-Position: refs/heads/master@{#404395}
(cherry picked from commit c6dcde40c5dc3ad78ee039f6a7e9e71437256512)

Review URL: https://codereview.chromium.org/2157453002 .

Cr-Commit-Position: refs/branch-heads/2785@{#146}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2/content/renderer/media/webrtc/peer_connection_dependency_factory.cc
[modify] https://crrev.com/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2/content/renderer/p2p/filtering_network_manager.cc
[modify] https://crrev.com/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2/content/renderer/p2p/filtering_network_manager.h
[modify] https://crrev.com/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2/content/renderer/p2p/filtering_network_manager_unittest.cc
[modify] https://crrev.com/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2/content/renderer/p2p/port_allocator.cc
[modify] https://crrev.com/f5a188d3a5f73412355e523c9c6b1a39eae2a9b2/content/renderer/p2p/port_allocator.h
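The fix landed on Jul 8 and cherry-picked to the M53 branch on Jul 15 moves the call to Initialize() into PeerConnection's own initialization, so it runs on the owner's thread while the owner is alive; the crash state in the reports shows Initialize running from a posted task (base::debug::TaskAnnotator::RunTask). The following is an added illustration of that class of bug and of two defensive shapes, not Chromium's code: TaskQueue is a stand-in for a message loop, NetworkManager is a hypothetical object whose Initialize() writes to itself, and the std::weak_ptr handle stands in for a weak-handle pattern. Scenario A shows a stale task skipped instead of writing through a freed object; the last function shows the shape the real fix took, where the owner initializes the object directly and no task is posted at all.

```cpp
// Added illustration, not Chromium code. A posted Initialize() task that
// runs after its target has been freed is the shape of the crash in this
// report. Defence 1: bind the task to a weak handle so a stale task becomes a
// no-op. Defence 2 (the fix taken here): the owner initializes the object
// itself, while it is alive and on its own thread, so nothing is posted.
#include <functional>
#include <iostream>
#include <memory>
#include <queue>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for a message loop: tasks are queued and run later, FIFO.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push(std::move(task)); }

  // Runs every queued task and returns how many were executed.
  int RunUntilIdle() {
    int ran = 0;
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();
      ++ran;
    }
    return ran;
  }

 private:
  std::queue<std::function<void()>> tasks_;
};

// Hypothetical network manager (name is illustrative). Initialize() writes to
// the object; that write is what becomes a use-after-free if the object is gone.
class NetworkManager {
 public:
  explicit NetworkManager(std::vector<std::string>* log) : log_(log) {}
  void Initialize() {
    initialized_ = true;
    log_->push_back("initialized");
  }
  bool initialized() const { return initialized_; }

 private:
  bool initialized_ = false;
  std::vector<std::string>* log_;  // outlives the manager in every scenario below
};

// Defence 1: the task holds only a weak handle. If the owner released the
// manager before the loop reaches the task, lock() fails and the task does
// nothing instead of writing through a dangling pointer.
void PostWeakInitialize(TaskQueue* queue, std::weak_ptr<NetworkManager> weak) {
  queue->Post([weak]() {
    if (std::shared_ptr<NetworkManager> mgr = weak.lock()) {
      mgr->Initialize();
    }
  });
}

// Scenario A: the owner drops the manager before the task runs. Returns the
// log; an empty log means the stale task was skipped rather than executed.
std::vector<std::string> RunDestroyedBeforeTask() {
  std::vector<std::string> log;
  TaskQueue queue;
  auto mgr = std::make_shared<NetworkManager>(&log);
  PostWeakInitialize(&queue, mgr);
  mgr.reset();           // owner goes away before the loop runs
  queue.RunUntilIdle();  // task finds no target and is a no-op
  return log;
}

// Scenario B: same posting pattern, but the owner still holds the manager
// when the task runs, so initialization happens normally.
std::vector<std::string> RunTaskWhileAlive() {
  std::vector<std::string> log;
  TaskQueue queue;
  auto mgr = std::make_shared<NetworkManager>(&log);
  PostWeakInitialize(&queue, mgr);
  queue.RunUntilIdle();  // mgr is alive here, so Initialize() runs
  return log;
}

// Defence 2, the shape of the fix in this bug: the owner calls Initialize()
// during its own setup, on its own thread, while the object is trivially
// alive. No task is posted, so there is no lifetime to reason about.
std::vector<std::string> RunOwnerInitializes() {
  std::vector<std::string> log;
  NetworkManager mgr(&log);  // owned for the duration of the owner's setup
  mgr.Initialize();
  return log;
}

int main() {
  std::cout << "destroyed before task: " << RunDestroyedBeforeTask().size() << "\n";  // 0
  std::cout << "task while alive:      " << RunTaskWhileAlive().size() << "\n";       // 1
  std::cout << "owner initializes:     " << RunOwnerInitializes().size() << "\n";     // 1
  return 0;
}
```

The weak handle only guards lifetime, not thread affinity: Chromium's base::WeakPtr additionally has to be dereferenced on the sequence that owns the object, which is why moving the call onto the owner's thread, as the commit does, is the stronger fix.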
,
Aug 31 2016
,
Sep 14 2016
,
Oct 15 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018