
Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Blocked on:
issue 613901




Issue 620766: Heap-use-after-free in cc::DrawPolygon::Split

Reported by ClusterFuzz, Jun 16 2016 Project Member

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5500578197405696

Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7d1800047160
Crash State:
  cc::DrawPolygon::Split
  cc::BspTree::BuildTree
  cc::BspTree::BuildTree
  

Minimized Testcase (4.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fx61TmB6jc1luWgy6CtBLRM3vnPD-aHV_x6jsmDZMwimC7CYI37ldRfH6VHr83aRboUurWQsFeanw95ZoX1ydFzsC7-IZeB0EDeom4pXCoBMOcGQQ5oZNUID12raI2nKvrzQ8_HIltFGpQAO59tqHX0u56w

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by mmoroz@chromium.org, Jun 16 2016

Blockedon: 613901
Looks very similar to bug 613901.

Comment 2 by mmoroz@chromium.org, Jun 16 2016

Cc: hirosh...@chromium.org
Components: Internals>Compositing>Rasterization
Labels: Pri-1
Owner: tobiasjs@chromium.org

Comment 3 by ClusterFuzz, Jun 16 2016

Project Member
Status: Assigned (was: Available)

Comment 4 by euge...@google.com, Jun 16 2016

Cc: dvyukov@chromium.org vitalyb...@chromium.org
Btw, the stack trace looks like we are missing inlined frames:
 #1 0x7fef76d28e29 in cc::DrawPolygon::Split(cc::DrawPolygon const&, std::__1::unique_ptr<cc::DrawPolygon, std::__1::default_delete<cc::DrawPolygon> >*, std::__1::unique_ptr<cc::DrawPolygon, std::__1::default_delete<cc::DrawPolygon> >*) buildtools/third_party/libc++/trunk/include/memory:1740:31

This is similar to b/29090668.
The MSan bug 613901 with the same stack trace does not have this problem.

Comment 5 by sheriffbot@chromium.org, Jun 17 2016

Project Member
Labels: M-51

Comment 6 by ClusterFuzz, Jun 23 2016

Project Member
ClusterFuzz has detected this issue as fixed in range 401416:401447.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5500578197405696

Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7d1800047160
Crash State:
  cc::DrawPolygon::Split
  cc::BspTree::BuildTree
  cc::BspTree::BuildTree
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=401416:401447

Minimized Testcase (4.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fx61TmB6jc1luWgy6CtBLRM3vnPD-aHV_x6jsmDZMwimC7CYI37ldRfH6VHr83aRboUurWQsFeanw95ZoX1ydFzsC7-IZeB0EDeom4pXCoBMOcGQQ5oZNUID12raI2nKvrzQ8_HIltFGpQAO59tqHX0u56w?testcase_id=5500578197405696

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz, Jun 23 2016

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by ClusterFuzz, Jun 23 2016

Project Member
Labels: Merge-Triage M-52
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 9 by sheriffbot@chromium.org, Jun 24 2016

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by sheriffbot@chromium.org, Jun 26 2016

Project Member
Labels: Merge-Request-52

Comment 11 by gov...@chromium.org, Jun 27 2016

Before we approve the merge to M52, could you please confirm whether this change is baked/verified in Canary and safe to merge?

Comment 12 by tin...@google.com, Jun 27 2016

Labels: -Merge-Request-52 Merge-Approved-52 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M52 (branch: 2743).

Comment 13 by sheriffbot@chromium.org, Jul 1 2016

Project Member
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by sheriffbot@chromium.org, Jul 5 2016

Project Member
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by awhalley@chromium.org, Jul 8 2016

Labels: -Merge-Triage

Comment 16 by awhalley@chromium.org, Jul 12 2016

Hello! Please merge to M52 by 5pm PDT today (Tuesday 12th) if at all possible. Cheers!

Comment 17 by tobiasjs@chromium.org, Jul 12 2016

It's been done. CL is https://codereview.chromium.org/2136493002/ - it just didn't have the right bug number attached.

Comment 18 by awhalley@chromium.org, Jul 12 2016

Ah, sorry. Many thanks!

Comment 19 by awhalley@chromium.org, Jul 13 2016

Labels: -Hotlist-Merge-Approved -Merge-Approved-52 merge-merged-2743

Comment 20 by gov...@chromium.org, Jul 14 2016

Reply to comment #17: could you please confirm that https://codereview.chromium.org/2136493002/ is merged to M52? I don't see that it has been merged to M52 yet.

Comment 22 by gov...@chromium.org, Jul 14 2016

OK, thank you.

Comment 23 by tobiasjs@chromium.org, Jul 14 2016

It looks like it didn't make it to m53, either. Should probably cherry-pick it there too.

Comment 24 by gov...@chromium.org, Jul 14 2016

Please request a merge to M53 by applying Merge-Request-53 label. Thank you.

Comment 25 by tobiasjs@chromium.org, Jul 14 2016

I've done that on the bug that the original CL references (crbug.com/606984).

Comment 26 by tobiasjs@chromium.org, Jul 14 2016

For tracking purposes, m53 merge CL is https://codereview.chromium.org/2151893002

Comment 27 by gov...@chromium.org, Jul 14 2016

Ok, thank you (M53 merge is also done - https://bugs.chromium.org/p/chromium/issues/detail?id=606984#c29).

Comment 28 by awhalley@chromium.org, Jul 29 2016

Labels: -ClusterFuzz Clusterfuzz Release-1-M52

Comment 29 by sheriffbot@chromium.org, Sep 30 2016

Project Member
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 30 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 31 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 32 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic
