Issue metadata
Use-after-poison in blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5130570338402304
Fuzzer: therealholden_worker
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Use-after-poison READ 8
Crash Address: 0x7ea1fb581b20
Crash State:
  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
  blink::ThreadState::runTerminationGC
  blink::ThreadHeap::detach
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=398867:398897
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96bC7dMCyQbM0zSHFEnPF1mSVyMn3-W11AWDshYUMnRFf-biDi-1pqFiUf-ik9IB-TYJJKMVuGZP0CFVNXTWz1_Ko5Btmac5bo9EEONoXoub8RY5usca1FqB0egPtUlJVVlo0fjxmFgh5_riPxtAi3D2-jHlw
Additional requirements: Requires HTTP
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016
This is with the fix from issue 619373 in scope (r399442)?
Jun 16 2016

Jun 16 2016
The crash report mentions Chromium (Crash revision) 399780, which is > r399442 mentioned in c#2. Or is this incorrect?
Jun 16 2016
Oh, I don't have ready access to the report, but the description gives [398867, 398897] as the regression range. Re-opening.
Jun 16 2016

Jun 17 2016

Jun 17 2016

Jun 17 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 17 2016

Jun 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6606097444241408
Fuzzer: therealholden_worker
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x0e959c84
Crash State:
  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
  blink::ThreadState::runTerminationGC
  blink::ThreadHeap::detach
Recommended Security Severity: High
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95g4-54WRsiOY2gZDFhR0nbr-mz7XhSgEAcEmXWAd2xNTySXvYZLGQY4RcXcgFtSKN10OKziSQAJa6avg8vbQdNRcgeZJNQNtrMQrY29xc2VXGDPQrf4gbBke3LGlHCGuHzuvqSgpF8WU8hIMmu-SRw6JYlOA?testcase_id=6606097444241408
Additional requirements: Requires HTTP
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2016

Jun 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/04cff368a4228a43d484d6e71828d1f795518a39

commit 04cff368a4228a43d484d6e71828d1f795518a39
Author: sigbjornf <sigbjornf@opera.com>
Date: Wed Jun 22 18:19:45 2016

Add ASan exemption when iterating cross-thread-persistents.

When running a termination GC or tracing, the set/region of live CrossThreadPersistent nodes are iterated over, checking if the objects they point to belong to the current thread. As heap objects can have CrossThreadPersistent<> fields, it is possible for there to be CrossThreadPersistent nodes which point back to heap objects about to be swept.

When ASan is enabled, the page sweeping takes care of poisoning all to-be-swept objects first. The combination of the above two means that persistent iteration can try to inspect one of these poisoned objects, which will trigger an ASan error. The persistent will not be further used, as it doesn't belong to the thread.

To accommodate this, we disable ASan while performing the object lookup while iterating the CrossThreadPersistent node set.

R=
BUG= 620754

Review-Url: https://codereview.chromium.org/2087253002
Cr-Commit-Position: refs/heads/master@{#401354}

[modify] https://crrev.com/04cff368a4228a43d484d6e71828d1f795518a39/third_party/WebKit/Source/platform/heap/Persistent.h
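The interaction the commit message describes (termination GC poisons to-be-swept objects, then the walk over cross-thread persistents reads one of them to check which thread it belongs to) modelled as an added, constructed C example. This is not Blink's code: the type names, the 64-byte object layout, the thread-id check and the hypothetical `owner_of_*` lookups are all assumptions. The same ASan manual-poisoning API and `no_sanitize_address` exemption that the fix relies on are used here, so building with `-fsanitize=address` and running with the `crash` argument reproduces a "use-after-poison READ" report, while the exempted lookup completes normally.

```c
/*
 * Constructed model of the termination-GC / CrossThreadPersistent interaction.
 * Not Blink code; names and layout are illustrative assumptions.
 *
 * Build:  cc -O1 -g model.c -o model                    (poisoning is a no-op)
 *         cc -O1 -g -fsanitize=address model.c -o model  (poisoning is real)
 * Run:    ./model         exempted lookup, finishes normally
 *         ./model crash   instrumented lookup; under ASan this aborts with
 *                         "use-after-poison READ" like the report in this bug
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__SANITIZE_ADDRESS__)
#  define HAS_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAS_ASAN 1
#  endif
#endif

#ifdef HAS_ASAN
#  include <sanitizer/asan_interface.h>
#  define POISON(p, n)   __asan_poison_memory_region((p), (n))
#  define UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#  define NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address, noinline))
#else
#  define POISON(p, n)   ((void)(p), (void)(n))
#  define UNPOISON(p, n) ((void)(p), (void)(n))
#  define NO_SANITIZE_ADDRESS
#endif

enum { HEAP_OBJECTS = 4, MAX_PERSISTENTS = 8 };

/* A garbage-collected heap object (assumed layout). sizeof == 64 keeps the
 * poisoned range 8-byte aligned, which ASan's manual poisoning wants. */
typedef struct HeapObject {
    int  owner_thread;     /* thread whose heap this object lives on */
    char payload[60];
} HeapObject;

/* One node of the cross-thread persistent region: the backing store of a
 * CrossThreadPersistent<> field. It may point back into a heap about to be
 * swept, which is the situation the commit describes. */
typedef struct { HeapObject *target; } PersistentNode;

typedef struct {
    PersistentNode nodes[MAX_PERSISTENTS];
    size_t count;
} PersistentRegion;

static void region_init(PersistentRegion *r) { memset(r, 0, sizeof *r); }

static void region_add(PersistentRegion *r, HeapObject *target) {
    if (r->count < MAX_PERSISTENTS)
        r->nodes[r->count++].target = target;
}

/* Sweep preparation: under ASan every to-be-swept object is poisoned first. */
static void poison_for_sweep(HeapObject *heap, size_t n) {
    POISON(heap, n * sizeof *heap);
}

/* Instrumented lookup: ASan checks this load against the shadow, so on a
 * poisoned object it reports use-after-poison. */
static int owner_of_instrumented(const HeapObject *o) { return o->owner_thread; }

/* Exempted lookup: identical load, but instrumentation is suppressed for this
 * function, the approach the fix takes. Sound only because the object is
 * poisoned, not freed: the bytes are still allocated and valid. */
static NO_SANITIZE_ADDRESS int owner_of_exempt(const HeapObject *o) {
    return o->owner_thread;
}

/* Model of prepareForThreadStateTermination: walk the persistent nodes and
 * drop the ones whose target lives on the terminating thread's heap (their
 * targets may already be poisoned). Returns the number of nodes cleared. */
static size_t prepare_for_termination(PersistentRegion *r, int terminating_thread,
                                      int (*owner_of)(const HeapObject *)) {
    size_t cleared = 0;
    for (size_t i = 0; i < r->count; i++) {
        HeapObject *t = r->nodes[i].target;
        if (t && owner_of(t) == terminating_thread) {
            r->nodes[i].target = NULL;   /* object goes away with its heap */
            cleared++;
        }
    }
    return cleared;
}

/* Constructed scenario: thread 1 terminates, thread 2 stays alive. Two
 * persistents point into thread 1's heap and one into thread 2's, so the
 * expected number of cleared nodes is 2. */
static size_t run_scenario(int (*owner_of)(const HeapObject *)) {
    HeapObject *heap1 = calloc(HEAP_OBJECTS, sizeof *heap1);
    HeapObject *heap2 = calloc(HEAP_OBJECTS, sizeof *heap2);
    if (!heap1 || !heap2) { free(heap1); free(heap2); return (size_t)-1; }
    for (int i = 0; i < HEAP_OBJECTS; i++) {
        heap1[i].owner_thread = 1;
        heap2[i].owner_thread = 2;
    }
    PersistentRegion region;
    region_init(&region);
    region_add(&region, &heap1[0]);
    region_add(&region, &heap2[3]);
    region_add(&region, &heap1[2]);

    poison_for_sweep(heap1, HEAP_OBJECTS);            /* thread 1's termination GC */
    size_t cleared = prepare_for_termination(&region, 1, owner_of);

    UNPOISON(heap1, HEAP_OBJECTS * sizeof *heap1);   /* give memory back cleanly */
    free(heap1);
    free(heap2);
    return cleared;
}

int main(int argc, char **argv) {
    int crash = argc > 1 && strcmp(argv[1], "crash") == 0;
    size_t cleared = run_scenario(crash ? owner_of_instrumented : owner_of_exempt);
    printf("persistents cleared for terminating thread: %zu\n", cleared);
    return cleared == 2 ? 0 : 1;
}
```

The two lookups compile to the same load; the only difference is whether ASan checks it, which is why the fix could be a pure annotation in Persistent.h rather than a logic change. The exemption is defensible here only because the poisoned objects are still allocated when the walk runs; an exemption over memory that has actually been freed would silence a real use-after-free.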
Jun 22 2016

Jun 22 2016

Jun 23 2016
ClusterFuzz has detected this issue as fixed in range 401308:401390.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5130570338402304
Fuzzer: therealholden_worker
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Use-after-poison READ 8
Crash Address: 0x7ea1fb581b20
Crash State:
  blink::CrossThreadPersistentRegion::prepareForThreadStateTermination
  blink::ThreadState::runTerminationGC
  blink::ThreadHeap::detach
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=398867:398897
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=401308:401390
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96bC7dMCyQbM0zSHFEnPF1mSVyMn3-W11AWDshYUMnRFf-biDi-1pqFiUf-ik9IB-TYJJKMVuGZP0CFVNXTWz1_Ko5Btmac5bo9EEONoXoub8RY5usca1FqB0egPtUlJVVlo0fjxmFgh5_riPxtAi3D2-jHlw?testcase_id=5130570338402304
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 23 2016

Jul 6 2016
No reward for this one since it requires ASAN to be disabled.
Jul 26 2016
Removing ReleaseBlock-Beta since the fix is already in M53
Jul 27 2016

Sep 29 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
Comment 1 by infe...@chromium.org, Jun 16 2016
Owner: haraken@chromium.org
Status: Assigned (was: Available)