Negative-size-param in content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5363874417344512
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404506:404552
Minimized Testcase (17.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97xsfcIEwgKaFS08hxBYhm-EG97MhQO0wIEaaLNppT8YuPsLQNDXHpKY7QRbVNsCr0g5DvJrLm8PI9c2kYBDQ1kyz2wASlYB23SAxDJtoihmL4IBsh2xAx7qO1qazMXEU9gZCfb3C3I8PgSeurdQ-_Um9JMQqKSgB-zat38hDHfB_K331M?testcase_id=5363874417344512
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6049708216942592
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404552:404561
Minimized Testcase (348.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96qJtTnN0Hl0iAoxyO5TuOvD-D9FHKUkG7wPXJfInJkcbT4yAWrQB8zdVfXsNr5210yDFD7fVnzc7i78Ukl1vH_e8QQXhifb-OHGzDUJ7_Sj_sCisHQgD4rCIf9BjGSWqPOOT_2p9-Hx5_2cGdqTvp0VRIIY9rQPs5xQmcgPcF_tBKl1Xs?testcase_id=6049708216942592
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5141307064582144
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404363:404454
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95XoqpQ_L4Ou4J-proDGp16d_5hlJTlBGnh7ZJP-tdOP0tF9USx69wdSbErvViplnISOVtKhFTbpP6LY2ZevEyjsoLqSoxn7V_kOwbik4ERDIAkp50KF1ZdOwZ38Nio62-fo92hjeeI_v0DzyBxKcCV8E5mwgvmW1ynajy2kFxnKTphFYE?testcase_id=5141307064582144
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5760632087642112
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404191:404223
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95dh43pfyy2jr0sPIyP487r1berUpGw7uJxMIFk3pftoTCGOBPHx-ebTCcDn0d2YR-tVL8W1gRct92hzY_clHlFpNNz8OJHUUSJTG1K2f0__kzA_MDj_ODep84yEtS7AtEyD81cQMRA2eMgPsxwRHjejr4an8DBPEtnZ8b9B2ISkziURv4?testcase_id=5760632087642112
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016

Jul 12 2016

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 12 2016

Jul 12 2016

Jul 13 2016

Jul 13 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6068258180694016
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404565:404631
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97m8zcI2peAp9M9nhv2LczeR7OgRfJ8VqV39skP0f1HqZXmOg5nV0ci9UUEZYR3LBcAsCZ3vmIHVpt3wquDPFLl0DnScXDEuYGqS7Ka93Pr6o_Bku5rIvW0NPUx-Yne3kKA-1bxDeEOSxmHjNySzurKWsyNN8pcq9_liOMHbIq0mKdjFo0?testcase_id=6068258180694016
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 13 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6424270569996288
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404810:404813
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94LS8Dw4BSHc4zmtQoH7fsK7UO4IluYaZ3fBUVEawSt9L5b2BMMyumqZ_Hw-YDg7jmJFIbUehoZ41sPetMHqmk5sWw6C_YTwvlOYFmiL-S9XGCD_lTbc6ofZ0j32dABUXKTVW1HdcQZCq0o6doCePgIFLODOWPU22g2kQfknqW3Tggn4k4?testcase_id=6424270569996288
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 13 2016

Guido - can you take a look?
Jul 13 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6512224655114240
Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows
Crash Type: Negative-size-param
Crash Address:
Crash State:
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple
  content::MediaStreamDispatcherHost::OnMessageReceived
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404506:404552
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97BnUElQpfPwuVn0TiaT9FKwQFErbfOANBPRYYg9q8UJgJb5wimqgYmITYRC00imevHjgE3z5eghRI-l5rtszcg4Qf0dPgrV4-WkWM4L3eC30z-488ShP2o3NQ_hVLqT626LkkNCfIFzEToGCgbhbTmqLS3Z-CS8HRWmzoX2sXkf3EMa7A?testcase_id=6512224655114240
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 13 2016

Jul 13 2016

inferno, mbarbella: I am not familiar with ipc_fuzzer_gen. Is this test a malicious renderer sending bad IPC messages to the browser? If so, aren't the crashes the correct browser behavior?

Jul 13 2016
It does simulate a malicious renderer sending bad messages to the browser, but crashes specifically aren't the correct behavior. Any data sent by the renderer should be considered untrusted. See https://www.chromium.org/Home/chromium-security/education/security-tips-for-ipc
Jul 14 2016
M53 beta launch is coming soon. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.
Jul 15 2016

Jul 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d

commit a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d
Author: guidou <guidou@chromium.org>
Date: Fri Jul 15 01:23:51 2016

Improve handling of invalid frame ID in MSDH::OnCancelDeviceChangeNotifications

Use bad_message::ReceivedBadMessage() to handle an invalid frame ID passed via IPC.

BUG=624447, 627436
Review-Url: https://codereview.chromium.org/2149943002
Cr-Commit-Position: refs/heads/master@{#405663}

[modify] https://crrev.com/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d/content/browser/bad_message.h
[modify] https://crrev.com/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
[modify] https://crrev.com/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d/tools/metrics/histograms/histograms.xml
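The pattern the fix commit above describes, and the point made earlier in the thread that renderer-supplied data is untrusted, as an added illustration that is not Chromium's code: the frame ID carried by the IPC is validated before any browser-side state is touched, and an invalid one is reported through a ReceivedBadMessage-style sink instead of being acted on. DeviceChangeHost, BadMessageSink and BadMessageReason are hypothetical stand-ins for the real content/browser types.

```cpp
// Added example, not Chromium's code. Names are hypothetical stand-ins.
#include <set>
#include <vector>

// Mirrors the idea of bad_message::ReceivedBadMessage(): the browser records
// a reason (a real sink would log it to UMA and terminate the renderer)
// rather than trusting the value and crashing in the browser process.
enum class BadMessageReason { kNone, kInvalidRenderFrameId };

struct BadMessageSink {
  std::vector<BadMessageReason> reasons;
  void ReceivedBadMessage(BadMessageReason r) { reasons.push_back(r); }
};

class DeviceChangeHost {
 public:
  explicit DeviceChangeHost(BadMessageSink* sink) : sink_(sink) {}

  // Browser-side bookkeeping of which render frames asked for device-change
  // notifications. Only the browser populates this set.
  void SubscribeDeviceChangeNotifications(int render_frame_id) {
    subscribed_frames_.insert(render_frame_id);
  }

  // IPC handler. |render_frame_id| comes straight from the renderer and is
  // untrusted: a negative or unknown id must never reach an operation that
  // assumes it is valid. Returns false when the message was rejected.
  bool OnCancelDeviceChangeNotifications(int render_frame_id) {
    if (render_frame_id < 0 ||
        subscribed_frames_.count(render_frame_id) == 0) {
      sink_->ReceivedBadMessage(BadMessageReason::kInvalidRenderFrameId);
      return false;  // message dropped; browser state left untouched
    }
    subscribed_frames_.erase(render_frame_id);
    return true;
  }

  bool IsSubscribed(int render_frame_id) const {
    return subscribed_frames_.count(render_frame_id) != 0;
  }

 private:
  BadMessageSink* sink_;
  std::set<int> subscribed_frames_;
};
```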
Jul 15 2016
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 16 2016

Jul 18 2016
Before we approve merge to M53, could you please confirm whether this change is baked/verified in Canary and safe to merge? +awhalley@, whether it is ok to take this merge in for M53 or not based on reply to above question.

Jul 18 2016
The change has been in Canary for a couple of days. I think it's safe to merge.
Jul 18 2016

I agree.

Jul 18 2016

Approving merge to M53 branch 2785 based on comment #23 and #24. Please merge ASAP or latest by 5:00 PM PST today so we can take it for M53 dev release tomorrow. Thank you.

Jul 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c75a1fcd1aa65d58972dcc321a37e0083d682358

commit c75a1fcd1aa65d58972dcc321a37e0083d682358
Author: Guido Urdaneta <guidou@chromium.org>
Date: Mon Jul 18 21:42:55 2016

Improve handling of invalid frame ID in MSDH::OnCancelDeviceChangeNotifications

Use bad_message::ReceivedBadMessage() to handle an invalid frame ID passed via IPC.

BUG=624447, 627436
Review-Url: https://codereview.chromium.org/2149943002
Cr-Commit-Position: refs/heads/master@{#405663}
(cherry picked from commit a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d)

Review URL: https://codereview.chromium.org/2157933004 .
Cr-Commit-Position: refs/branch-heads/2785@{#201}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/c75a1fcd1aa65d58972dcc321a37e0083d682358/content/browser/bad_message.h
[modify] https://crrev.com/c75a1fcd1aa65d58972dcc321a37e0083d682358/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
[modify] https://crrev.com/c75a1fcd1aa65d58972dcc321a37e0083d682358/tools/metrics/histograms/histograms.xml
Jul 27 2016

Oct 21 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jul 12 2016. Owner: tommi@chromium.org