Heap-use-after-free in device::MockBluetoothGattNotifySession::DoNotify
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6455297787035648
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2b422533
Crash State:
  device::MockBluetoothGattNotifySession::DoNotify
  base::internal::Invoker<base::IndexSequence<0,1,2,3>,base::internal::BindState<b
  base::Timer::RunScheduledTask
Recommended Security Severity: High
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv977kDcjey-wCfGoXoCxoLOkoldycs7IhPTUrc6SX0VYlU8QhZJOjrCHS97hxpuJB83YnPOq6UTygmlk1b94GmIAfBMjxcjN9VusVJV3gbriIoFEL6haxwaQo2SRv-0sFp6wcvguUKOC1DNZxYB2h5j6KWVv3blEfnWI9S45APXYZLEcGlE?testcase_id=6455297787035648
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 21 2016
Lowering the security severity since the use after free is happening in a Fake used only in Layout Tests. I'll investigate.
Jun 21 2016
Since this is fake only, no security impact.
Jun 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5985295438970880
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61f0000292a0
Crash State:
  device::MockBluetoothGattNotifySession::DoNotify
  base::Timer::RunScheduledTask
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=396347:396435
Minimized Testcase (25.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Ba9pnZLe_Gz1yofvUgPArvz-CQhL7o8D4wl7OYXyS8uzZvgKP2APieu8_EIdCvJGrPWdXnBcjG2d1mznl5b27ozZMgwqbSWbxQVxqfPdjoru1ZmRMdQ_vmjTmRHg0ijOr6dMR-LoayjgY4EhQwBhA3SMqogTQ0kbJ1v7QPXDNRivWm-4?testcase_id=5985295438970880
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 23 2016
After two days of debugging (yay!) I finally figured out what's going on. The version of the resources file that the fuzzer is using is outdated. The outdated version releases a reference to the adapter (through a test-only function); then, when the test is done, the device disconnects, releasing the last reference to the adapter and freeing it. When BluetoothGattNotifySession tries to use the adapter, it's no longer there. We removed the call that releases the first reference to the adapter from the resources files so this should no longer be a problem.
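The lifetime sequence described in the comment above, as an added illustration that is not Chromium code: std::shared_ptr and std::weak_ptr stand in for Chromium's reference counting, a tiny task queue stands in for base::Timer, and FakeAdapter, NotifySession, TaskQueue and ReplayEarlyRelease are hypothetical names. The session holds only a weak reference so that the scheduled DoNotify can detect a destroyed adapter instead of reading freed memory; the comment's actual fix was to stop the early release in the resources file, which the replay also models.

```cpp
// Added example, not Chromium code. Models the bug: a test-only hook drops one
// reference to the adapter early, the device disconnect drops the last one,
// and a scheduled DoNotify then runs against an adapter that no longer exists.
#include <functional>
#include <iostream>
#include <memory>
#include <queue>
#include <string>
#include <vector>

// Stand-in for the Bluetooth adapter (hypothetical). The destructor records
// that it ran so the event order can be checked.
struct FakeAdapter {
  std::vector<std::string>* log;
  explicit FakeAdapter(std::vector<std::string>* l) : log(l) {}
  ~FakeAdapter() { log->push_back("adapter freed"); }
  void Notify() { log->push_back("notify delivered"); }
};

// Minimal single-threaded task queue standing in for base::Timer: posted tasks
// run later, possibly after the objects they refer to have been destroyed.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push(std::move(task)); }
  void RunAll() {
    while (!tasks_.empty()) {
      auto task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }
 private:
  std::queue<std::function<void()>> tasks_;
};

// The notify session does not own the adapter. A raw pointer here would be the
// use-after-free; a weak_ptr lets DoNotify notice the adapter is gone.
class NotifySession {
 public:
  NotifySession(std::weak_ptr<FakeAdapter> adapter, std::vector<std::string>* log)
      : adapter_(std::move(adapter)), log_(log) {}
  void DoNotify() {
    if (auto adapter = adapter_.lock()) {
      adapter->Notify();
    } else {
      log_->push_back("notify skipped: adapter gone");
    }
  }
 private:
  std::weak_ptr<FakeAdapter> adapter_;
  std::vector<std::string>* log_;
};

// Replays the ordering from the bug report and returns the event log.
// test_hook_releases_early=true models the outdated resources file.
std::vector<std::string> ReplayEarlyRelease(bool test_hook_releases_early) {
  std::vector<std::string> log;
  TaskQueue timer;
  auto device_ref = std::make_shared<FakeAdapter>(&log);  // held by the device
  auto extra_ref = device_ref;                            // the reference the test hook may drop
  auto session = std::make_shared<NotifySession>(device_ref, &log);
  timer.Post([session] { session->DoNotify(); });         // the scheduled DoNotify

  if (test_hook_releases_early) extra_ref.reset();        // premature release
  device_ref.reset();                                     // device disconnects at test end
  timer.RunAll();                                         // DoNotify fires
  extra_ref.reset();                                      // normal teardown drops the last reference
  return log;
}

int main() {
  for (bool early : {true, false}) {
    std::cout << (early ? "early release:" : "fixed ordering:") << '\n';
    for (const auto& event : ReplayEarlyRelease(early)) std::cout << "  " << event << '\n';
  }
  return 0;
}
```

With the early release the adapter is freed before the timer fires and the session skips the notification; with the release removed, as in the fix, the notification is delivered and the adapter is freed afterwards. Under ASan, the raw-pointer variant of NotifySession would report exactly the heap-use-after-free READ shown in the crash state above.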
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6511004850847744
Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2a7cc053
Crash State:
  device::MockBluetoothGattNotifySession::DoNotify
  base::internal::Invoker<base::internal::BindState<void
  base::Timer::RunScheduledTask
Recommended Security Severity: High
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97s3rK7eFo3Ri1SGLGxjW8TpFYf1i4_lOwxvJNlMIn7IA_Zsdt9yDXhs4E_TEDJpTebeGB_IzL-ierM1HYfTqYAuslUtn54dXdNDkf6fZoZLk1sIwQYppxjDN5I8dUDoB5qkQnjrINm0neKiqeK1x2J2mENsZY77NB5KdedEyTtyJ2TuD8?testcase_id=6511004850847744
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 19 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6411328390692864
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  device::MockBluetoothGattNotifySession::DoNotify
  base::Timer::RunScheduledTask
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97LieA_z8PNIVYa41-e8n1Gzzq3SJM5M4QsF1PYDwUka3ZdoSDCDpmJsVWIxS4deig9YeQiElpYF2BXPNFUcBELPaDRv-BpYBtDNSQse4PgcphKVdGD3kmOpe0M8hw3mNTL0j3508ojQ6rwGR0pVJVXmGHdmqE1kwZA6BnuwSIrTo7viKc?testcase_id=6411328390692864
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 25 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 24 2016
Issue 668502 has been merged into this issue.
Comment 1 by mmoroz@chromium.org, Jun 21 2016
Labels: Pri-1
Owner: ortuno@chromium.org