New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 626792 link

Starred by 2 users
Status: Verified
Owner:
sheriffbot@chromium.org
User never visited
Closed: Jul 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in GURL::GURL

Project Member Reported by ClusterFuzz, Jul 8 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5624318482710528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7d500000db68
Crash State:
  GURL::GURL
  content::MediaPermissionDispatcher::HasPermission
  content::FilteringNetworkManager::CheckPermission
  
Recommended Security Severity: High


Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv953PDiiu82aiEVA_ryBPTd2eoyu1ryGAm8rpOW1-fHXOT513eoAT5qiXyviKCf7iAt4hDRD6J9fszAQV8ZxpSJy1o0wCgrGtqrtz_9hLZNnf9gpEoSBABk1_Root3mZ7BA7gbSWdvFrtDxzFIadHbpPKHeBSA?testcase_id=5624318482710528
<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>


Filer: ochang

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by ClusterFuzz, Jul 9 2016 

ClusterFuzz has detected this issue as fixed in range 404363:404422.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5624318482710528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7d500000db68
Crash State:
  GURL::GURL
  content::MediaPermissionDispatcher::HasPermission
  content::FilteringNetworkManager::CheckPermission
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=404363:404422

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv953PDiiu82aiEVA_ryBPTd2eoyu1ryGAm8rpOW1-fHXOT513eoAT5qiXyviKCf7iAt4hDRD6J9fszAQV8ZxpSJy1o0wCgrGtqrtz_9hLZNnf9gpEoSBABk1_Root3mZ7BA7gbSWdvFrtDxzFIadHbpPKHeBSA?testcase_id=5624318482710528
<script>
var a = new window.webkitRTCPeerConnection({"iceServers":[{"url":"turns:"}]});
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 2 by ClusterFuzz, Jul 9 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 9 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 4 by awhalley@chromium.org, Sep 16 2016

Labels: -ClusterFuzz Clusterfuzz M-54
Project Member

Comment 5 by sheriffbot@chromium.org, Sep 16 2016

Labels: Merge-Request-54

Comment 6 by dimu@chromium.org, Sep 17 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Owner: sheriffbot@chromium.org
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 20 2016 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by sheriffbot@chromium.org, Sep 23 2016 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by awhalley@chromium.org, Oct 7 2016

Labels: -Hotlist-Merge-Approved -Merge-Approved-54
Nothing to merge here.

Comment 10 by awhalley@chromium.org, Oct 10 2016

Labels: Release-0-M54
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 15 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 12 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1

Sign in to add a comment