Issue 619368

Issue metadata

Status: Fixed
Merged: issue 619217
Owner:
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Heap-buffer-overflow in content::WriteMemory

Project Member Reported by ClusterFuzz, Jun 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4701241431293952

Fuzzer: jsbell_serviceworker
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE {*}
Crash Address: 0x7f9348bc0000
Crash State:
  content::WriteMemory
  content::BlobConsolidation::VisitMemory
  content::BlobConsolidation::ReadMemory
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397

Minimized Testcase (3.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pXTf5oWfv-VHXj-xchYleHanK3dqcN86Nzz0xIFM5GS6HViRBFhyZkQefEbrkArjSON2cy5NavRv0MKMF0LzUnBT-068peroI8s1IXo5RfQqy4z2I3HEA9kFtiXZK4Oe36DOQ9bAogt4OUavT23_j32umSg

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: dmu...@chromium.org
Status: Assigned (was: Available)
Author: dmurph
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/1fb98480c61c563587cbb01de87cfad180fec942
Time: Wed Mar 30 21:14:26 2016
Lines 258-264 of file blob_transport_controller.cc which potentially caused crash are changed in this cl (frame #5, "content::BlobTransportController::OnMemoryRequest").

Files blob_message_filter.cc, blob_consolidation.cc are changed in this cl (and is part of stack frame #6, "content::BlobMessageFilter::OnRequestMemoryItem")
Minimum distance from crash line to modified line: 0. (file: blob_transport_controller.cc, crashed on: 258, modified: 258).

Suspected Project: chromium
Suspected Component: Internals>Core
Project Member

Comment 2 by sheriffbot@chromium.org, Jun 12 2016

Labels: M-51
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 12 2016

Labels: Pri-1
 Issue 619270  has been merged into this issue.
Components: Internals>Core
Project Member

Comment 6 by ClusterFuzz, Jun 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by sheriffbot@chromium.org, Jun 14 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ClusterFuzz-Verified
Status: Assigned (was: Verified)
Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.
Project Member

Comment 9 by ClusterFuzz, Jun 22 2016

ClusterFuzz has detected this issue as fixed in range 401020:401085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4701241431293952

Fuzzer: jsbell_serviceworker
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE {*}
Crash Address: 0x7f9348bc0000
Crash State:
  content::WriteMemory
  content::BlobConsolidation::VisitMemory
  content::BlobConsolidation::ReadMemory
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=383194:384397
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=401020:401085

Minimized Testcase (3.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pXTf5oWfv-VHXj-xchYleHanK3dqcN86Nzz0xIFM5GS6HViRBFhyZkQefEbrkArjSON2cy5NavRv0MKMF0LzUnBT-068peroI8s1IXo5RfQqy4z2I3HEA9kFtiXZK4Oe36DOQ9bAogt4OUavT23_j32umSg?testcase_id=4701241431293952

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mergedinto: 619217
Status: Duplicate (was: Assigned)
Status: Assigned (was: Duplicate)
This is still happening, although flakily.
Project Member

Comment 12 by ClusterFuzz, Jun 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6592934187368448

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE {*}
Crash Address: 0x7fc85a9c0000
Crash State:
  content::WriteMemory
  content::BlobConsolidation::VisitMemory
  content::BlobConsolidation::ReadMemory
  
Recommended Security Severity: High


Minimized Testcase (2.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94H3OEQI92v2A4V0R4BW70p4SjsPdUMPQbuCFUPdsji7FsbRQAIsebv3HRY6opJFdhO23_C4NZsDFdwZFqrQ6u1C9qCRaB0YxqvROz1D97V8XnWoHR1OdBU3RLBvzztCcOq2xuDzMZlN3iZ-0z59rxdFV-cWA?testcase_id=6592934187368448

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 13 by ClusterFuzz, Jun 30 2016

ClusterFuzz has detected this issue as fixed in range 401020:401085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6592934187368448

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE {*}
Crash Address: 0x7fc85a9c0000
Crash State:
  content::WriteMemory
  content::BlobConsolidation::VisitMemory
  content::BlobConsolidation::ReadMemory
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=383194:384397
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=401020:401085

Minimized Testcase (2.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94H3OEQI92v2A4V0R4BW70p4SjsPdUMPQbuCFUPdsji7FsbRQAIsebv3HRY6opJFdhO23_C4NZsDFdwZFqrQ6u1C9qCRaB0YxqvROz1D97V8XnWoHR1OdBU3RLBvzztCcOq2xuDzMZlN3iZ-0z59rxdFV-cWA?testcase_id=6592934187368448

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
huh. weird. I'll look into it.
Project Member

Comment 15 by sheriffbot@chromium.org, Jul 15 2016

dmurph: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 16 by sheriffbot@chromium.org, Jul 21 2016

Labels: -M-51 M-52
Project Member

Comment 17 by sheriffbot@chromium.org, Jul 29 2016

dmurph: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Friendly ping. dmurph: any updates?
It looks like this probably happens when someone gives an incorrect size for the shared memory handle... I'm not sure how to validate that I'm not going past the original allocation size of the shared memory in the browser process.
Looking into it more now.
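A defensive pattern for the validation problem described in the comment above: the process that owns the mapping records the length it actually mapped and checks every requested write against that, never against a size supplied over IPC. This is an added example, not Chromium's code; `shm_region`, `shm_write_checked` and the demo functions are hypothetical, and the region sizes and offsets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical mapped shared-memory region. mapped_len is the length the
 * owning process obtained when it mapped the segment, which is the only
 * size the write path should trust. Example code, not Chromium's. */
typedef struct {
    uint8_t *base;       /* start of the mapping */
    size_t   mapped_len; /* bytes actually mapped */
} shm_region;

/* Copies len bytes to base+offset only if [offset, offset+len) lies inside
 * the mapping. The two comparisons are ordered so that no addition can
 * wrap: offset is checked before mapped_len - offset is formed. */
bool shm_write_checked(shm_region *r, size_t offset,
                       const uint8_t *src, size_t len) {
    if (r == NULL || r->base == NULL || src == NULL) return false;
    if (offset > r->mapped_len) return false;        /* start is past the end */
    if (len > r->mapped_len - offset) return false;  /* write would run off the end */
    memcpy(r->base + offset, src, len);
    return true;
}

/* Constructed 64-byte backing store standing in for the mapped segment. */
static uint8_t g_backing[64];

/* Peer claims a 32-byte item at offset 48: needs 80 bytes, region has 64. */
int demo_over_long_request(void) {
    shm_region r = { g_backing, sizeof g_backing };
    uint8_t payload[32];
    memset(payload, 0xAB, sizeof payload);
    return shm_write_checked(&r, 48, payload, sizeof payload) ? 1 : 0; /* 0 */
}

/* Offset chosen so that offset + len would wrap around size_t. */
int demo_wraparound_request(void) {
    shm_region r = { g_backing, sizeof g_backing };
    uint8_t payload[2] = { 1, 2 };
    return shm_write_checked(&r, SIZE_MAX, payload, sizeof payload) ? 1 : 0; /* 0 */
}

/* A request that fits exactly at the end of the region is accepted. */
int demo_in_bounds_request(void) {
    shm_region r = { g_backing, sizeof g_backing };
    uint8_t payload[16];
    memset(payload, 0xCD, sizeof payload);
    bool ok = shm_write_checked(&r, 48, payload, sizeof payload);
    return (ok && g_backing[48] == 0xCD && g_backing[63] == 0xCD) ? 1 : 0; /* 1 */
}
```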
Project Member

Comment 21 by sheriffbot@chromium.org, Aug 11 2016

Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
This is fixed already. Closing.
Project Member

Comment 23 by sheriffbot@chromium.org, Dec 1 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot