Heap-use-after-free in content::FilteringNetworkManager::CheckPermission
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5791156067893248
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x7d500000dd44
Crash State:
  content::FilteringNetworkManager::CheckPermission
  base::internal::Invoker<base::internal::BindState<base::internal::RunnableAdapte
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High
Minimized Testcase (0.09 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96lFHP3fScUpgirJ1gYOsooAbJpO2AUuVgrpG3-Mpg7IAiV_loX61QZ9PnaovscgzrIemMGrpElmzY98LM6bkJO_LdFuZymi7ypxn3HP4FFOmQTr1wYUWP828vdTQHvmxFs_C1nPU1TWl-1mveKUmqlM61G6g?testcase_id=5791156067893248
<script> var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]}); </script>
Filer: mbarbella
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 30 2016

Jun 30 2016
PeerConnectionDependencyFactory::CreatePeerConnection() posts a task for FilteringNetworkManager::CheckPermission() using base::Unretained with the assumption that the NetworkManager is going to be deleted on the worker thread (see https://codesearch.chromium.org/chromium/src/content/renderer/media/webrtc/peer_connection_dependency_factory.cc?rcl=1467300303&l=393). That assumption is broken after crrev.com/397785. Taylor, can you please take a look?
Jun 30 2016
It's actually still deleted on the worker thread. The issue is it's initialized with a "Post", but used (and potentially deleted) with a "Send". And there's no guarantee on the order between Posts and Sends. Rather than try to change the mechanics of rtc::Thread, I'm just initializing it in a "Send" in PeerConnection along with other initialization that needs to happen on the network thread. It's in this CL; I'm just waiting on your review: https://codereview.chromium.org/2113523003/
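An added illustration, not code from the thread or from Chromium/WebRTC: a deliberately simplified single-threaded model (an assumption, not rtc::Thread's real implementation) in which a worker services pending Send() requests before queued Post() tasks, which is one of the orderings the comment above says is not ruled out. It shows why Posting the initialization with a raw (Unretained-style) pointer can run after the Send that deletes the object, and how doing the initialization with a Send restores FIFO ordering.

```cpp
#include <deque>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical worker: Sends and Posts live in separate queues, and a
// scheduling turn drains the Send queue before touching the Post queue.
class Worker {
 public:
  void Post(std::function<void()> task) { posts_.push_back(std::move(task)); }
  void Send(std::function<void()> task) { sends_.push_back(std::move(task)); }
  void RunAll() {
    while (!sends_.empty() || !posts_.empty()) {
      std::deque<std::function<void()>>& q = sends_.empty() ? posts_ : sends_;
      std::function<void()> task = std::move(q.front());
      q.pop_front();
      task();
    }
  }

 private:
  std::deque<std::function<void()>> sends_;
  std::deque<std::function<void()>> posts_;
};

// Stand-in for the network manager; lifecycle is recorded in a log and the
// pointer is never dereferenced after deletion, so nothing here touches freed memory.
struct NetworkManager { bool initialized = false; };

// Returns the order of lifecycle events. use_send_for_init=false mirrors the
// reported pattern (init Posted, teardown Sent); true mirrors the fix (init Sent).
std::vector<std::string> Simulate(bool use_send_for_init) {
  std::vector<std::string> log;
  Worker worker;
  NetworkManager* nm = new NetworkManager;  // raw pointer, like base::Unretained
  bool alive = true;
  auto init = [&] {
    log.push_back(alive ? "CheckPermission" : "CheckPermission-after-free");
    if (alive) nm->initialized = true;
  };
  if (use_send_for_init) worker.Send(init); else worker.Post(init);
  // Later, the owner tears the manager down synchronously via a Send.
  worker.Send([&] { delete nm; alive = false; log.push_back("delete"); });
  worker.RunAll();
  return log;
}
```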
Jul 9 2016
ClusterFuzz has detected this issue as fixed in range 404363:404422.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5791156067893248
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x7d500000dd44
Crash State:
  content::FilteringNetworkManager::CheckPermission
  base::internal::Invoker<base::internal::BindState<base::internal::RunnableAdapte
  base::debug::TaskAnnotator::RunTask
Recommended Security Severity: High
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=404363:404422
Minimized Testcase (0.09 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96lFHP3fScUpgirJ1gYOsooAbJpO2AUuVgrpG3-Mpg7IAiV_loX61QZ9PnaovscgzrIemMGrpElmzY98LM6bkJO_LdFuZymi7ypxn3HP4FFOmQTr1wYUWP828vdTQHvmxFs_C1nPU1TWl-1mveKUmqlM61G6g?testcase_id=5791156067893248
<script> var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]}); </script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 9 2016
ClusterFuzz has detected this issue as fixed in range 404363:404454.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5257761327939584
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x615000002c44
Crash State:
  content::FilteringNetworkManager::CheckPermission
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=397755:397878
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=404363:404454
Minimized Testcase (0.09 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94lGsAk3RgRMHetaTj4vWCwBNBoiaaNIjZkaRAxEp_vHREAfDaUk-cHSf6cAO2bgfjRDCzEPPlkg8Go4mR-Iwqow4CQuLwxdxgW1H-F5czDX-qrD5z1-kjwJ0Ow-hZR4TlcCxygyZrai3ZBxQ62j8O6KVFkVQ?testcase_id=5257761327939584
<script> var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]}); </script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 30 2016