
Issue 626187

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 617648
Owner:
Last visit > 30 days ago
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


Heap-use-after-free in content::FilteringNetworkManager::CheckPermission

Project Member Reported by ClusterFuzz, Jul 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6365070569504768

Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x7d500000dd44
Crash State:
  content::FilteringNetworkManager::CheckPermission
  base::internal::Invoker<base::internal::BindState<void
  base::debug::TaskAnnotator::RunTask
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=397755:397878

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96qNComMSxu49sSBrU1PrcknqCtVjRHgG3gO9tVj8PMgjRl1q0fyiB5T7_OOqYf-VP2UsJFfQmerKXNYV5bMZ9wGohy_xde3fDa2erER4yCTgwPizqjqqPzmy4lVayRJafTqqasmZ76ZLBSy9UnZIRfJfwZGQ?testcase_id=6365070569504768
&#x6585;		<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>


Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: deadbeef@chromium.org
Might be the same as bug 617648. Please mark as a dupe if that's the case.
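The crash state above (a `BindState` invoked from `TaskAnnotator::RunTask` landing in `CheckPermission` as a heap-use-after-free WRITE) is the signature of a callback bound to an object that was freed before the message loop ran the task. The following is an added illustration of that bug class and of the weak-handle idiom used to close it; it is plain C++ written for this page, not Chromium code, and not the fix in the linked CL. `TaskQueue`, `Checker` and the method names are hypothetical. To keep the harness free of undefined behaviour, the "destroyed" object's storage is deliberately kept allocated so the late write can be counted; in the real browser the same write is what TSan/ASan reports.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <utility>

// Stand-in for the message loop that ran the crashing task
// (base::debug::TaskAnnotator::RunTask in the crash state). Illustration only.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  // Drains the queue in FIFO order; returns how many tasks ran.
  int RunAll() {
    int ran = 0;
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop_front();
      task();
      ++ran;
    }
    return ran;
  }
 private:
  std::deque<std::function<void()>> tasks_;
};

// Hypothetical permission-checking object (not content::FilteringNetworkManager).
// Destroy() stands in for the destructor; the storage stays allocated so a
// write-after-destroy is counted here instead of being undefined behaviour.
class Checker {
 public:
  Checker() : alive_(std::make_shared<int>(0)) {}

  // "Destructor": marks the object dead and invalidates outstanding weak handles.
  void Destroy() { destroyed_ = true; alive_.reset(); }

  // Vulnerable pattern: the posted task captures a raw `this` and writes
  // through it whenever the loop eventually runs it.
  void RequestCheckUnsafe(TaskQueue& q) {
    q.Post([this] { OnPermissionResult(true); });
  }

  // Fixed pattern (the base::WeakPtr idiom): the task carries a weak handle
  // and turns into a no-op once the target is gone.
  void RequestCheckSafe(TaskQueue& q) {
    std::weak_ptr<int> weak = alive_;
    q.Post([this, weak] {
      if (weak.expired()) return;  // target destroyed: skip, never touch it
      OnPermissionResult(true);
    });
  }

  int results() const { return results_; }
  int writes_after_destroy() const { return writes_after_destroy_; }

 private:
  void OnPermissionResult(bool granted) {
    if (destroyed_) { ++writes_after_destroy_; return; }  // the UAF write
    if (granted) ++results_;
  }
  std::shared_ptr<int> alive_;  // liveness token, held only while alive
  bool destroyed_ = false;
  int results_ = 0;
  int writes_after_destroy_ = 0;
};

struct Outcome { int tasks_ran; int results; int writes_after_destroy; };

// Reproduces the race ordering from the report: post the check, destroy the
// target, then let the loop run the stale task.
Outcome DestroyBeforeRun(bool use_weak) {
  TaskQueue q;
  Checker c;
  if (use_weak) c.RequestCheckSafe(q); else c.RequestCheckUnsafe(q);
  c.Destroy();
  int ran = q.RunAll();
  return {ran, c.results(), c.writes_after_destroy()};
}

// Control: target still alive when the task runs; both variants deliver.
Outcome RunWhileAlive(bool use_weak) {
  TaskQueue q;
  Checker c;
  if (use_weak) c.RequestCheckSafe(q); else c.RequestCheckUnsafe(q);
  int ran = q.RunAll();
  return {ran, c.results(), c.writes_after_destroy()};
}
```

`DestroyBeforeRun(false)` records one write after destruction, which is the access a sanitizer flags; `DestroyBeforeRun(true)` runs the same task but it exits early, so nothing is written and no result is delivered. The weak handle is invalidated in the "destructor" itself, so the protection does not depend on every caller remembering to cancel its pending tasks.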
Comment 2 by sheriffbot@chromium.org (Project Member), Jul 7 2016

Labels: M-53
Comment 3 by sheriffbot@chromium.org (Project Member), Jul 7 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org (Project Member), Jul 7 2016

Labels: Pri-1
Comment 5 by sheriffbot@chromium.org (Project Member), Jul 7 2016

Status: Assigned (was: Available)
Mergedinto: 617648
Status: Duplicate (was: Assigned)
It is a duplicate. The method just got renamed.

I have a CL to fix this, I'm just waiting on review: https://codereview.chromium.org/2113523003/
Comment 7 by ClusterFuzz (Project Member), Jul 8 2016

ClusterFuzz has detected this issue as fixed in range 404363:404422.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6365070569504768

Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x7d500000dd44
Crash State:
  content::FilteringNetworkManager::CheckPermission
  base::internal::Invoker<base::internal::BindState<void
  base::debug::TaskAnnotator::RunTask
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=397755:397878
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=404363:404422

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96qNComMSxu49sSBrU1PrcknqCtVjRHgG3gO9tVj8PMgjRl1q0fyiB5T7_OOqYf-VP2UsJFfQmerKXNYV5bMZ9wGohy_xde3fDa2erER4yCTgwPizqjqqPzmy4lVayRJafTqqasmZ76ZLBSy9UnZIRfJfwZGQ?testcase_id=6365070569504768
&#x6585;		<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by sheriffbot@chromium.org (Project Member), Oct 16 2016

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot