Issue metadata
Sign in to add a comment
|
Crash in blink::Geolocation::onGeolocationPermissionUpdated |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6039713928708096 Fuzzer: inferno_layout_test_unmodified Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x7eb740d312b0 Crash State: blink::Geolocation::onGeolocationPermissionUpdated mojo::internal::Router::OnConnectionError mojo::Connector::HandleError Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=393440:393453 Minimized Testcase (6.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Cc8ttx9XsCxFFMPp28iNKAQRZCFEEgS_sE1_dvjAuTOqvWxm9QypRWD827l4Cbm46nd-8qEOvmkhtNMeWbEBGS4XhzqW0lA9rz3Og-yclfCGWQKtssK6LMVyoyEUFDjEXEEIXX-IAeB4qhf1CUX0AH9CfLg?testcase_id=6039713928708096 Additional requirements: Requires Gestures Filer: mmoroz See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 18 2016
,
Jul 18 2016
,
Jul 18 2016
,
Jul 20 2016
,
Jul 21 2016
,
Jul 27 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5752702881759232 Fuzzer: inferno_layout_test_unmodified Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7eb37bececc8 Crash State: mojo::InterfacePtr<blink::mojom::blink::PermissionService>::reset mojo::internal::Router::OnConnectionError mojo::Connector::HandleError Recommended Security Severity: Low Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=407005:407057 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96eyN_YT7IFOfSUlZ7D7ey2uDaQLHN8uREHi8imYftfTVP1N-vhC_RjZLPbYfkUME5Csy4i10NauSUQPRzfIEc4u_B_0CpyhWzlmffU39LEOXfuSPap33bQol92uWLpUpDPmr3FkwwjZ6V_IFmp8z_ZzdJCFQ?testcase_id=5752702881759232 Additional requirements: Requires Gestures Filer: tanin See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 3 2016
sammc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 3 2016
M53 Stable launch is coming soon.Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix asap so it gets chance to bake in beta before stable promotion. Thank you.
,
Aug 10 2016
Hi sammc@ - are you the right person to look at this?
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/29010a784ba04202699665087996cdbc1143c21c commit 29010a784ba04202699665087996cdbc1143c21c Author: sammc <sammc@chromium.org> Date: Fri Aug 12 05:10:26 2016 Ignore mojo connection errors during shutdown in Geolocation. BUG= 628999 Review-Url: https://codereview.chromium.org/2163683004 Cr-Commit-Position: refs/heads/master@{#411555} [modify] https://crrev.com/29010a784ba04202699665087996cdbc1143c21c/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Aug 14 2016
ClusterFuzz has detected this issue as fixed in range 411529:411875. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6039713928708096 Fuzzer: inferno_layout_test_unmodified Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x7eb740d312b0 Crash State: blink::Geolocation::onGeolocationPermissionUpdated mojo::internal::Router::OnConnectionError mojo::Connector::HandleError Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=393440:393453 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=411529:411875 Minimized Testcase (6.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Cc8ttx9XsCxFFMPp28iNKAQRZCFEEgS_sE1_dvjAuTOqvWxm9QypRWD827l4Cbm46nd-8qEOvmkhtNMeWbEBGS4XhzqW0lA9rz3Og-yclfCGWQKtssK6LMVyoyEUFDjEXEEIXX-IAeB4qhf1CUX0AH9CfLg?testcase_id=6039713928708096 Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 14 2016
,
Aug 15 2016
,
Aug 15 2016
Looks like fix is landed and verified by clusterfuzz. Please request a merge to M53 by applying "Merge-Request-53" label. Thank you.
,
Aug 15 2016
,
Aug 15 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
,
Aug 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5c2705e030a1ef2097faf77e40a14fa43583c124 commit 5c2705e030a1ef2097faf77e40a14fa43583c124 Author: Sam McNally <sammc@chromium.org> Date: Tue Aug 16 00:10:31 2016 Ignore mojo connection errors during shutdown in Geolocation. BUG= 628999 Review-Url: https://codereview.chromium.org/2163683004 Cr-Commit-Position: refs/heads/master@{#411555} (cherry picked from commit 29010a784ba04202699665087996cdbc1143c21c) Review URL: https://codereview.chromium.org/2241273005 . Cr-Commit-Position: refs/branch-heads/2785@{#618} Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382} [modify] https://crrev.com/5c2705e030a1ef2097faf77e40a14fa43583c124/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Aug 16 2016
,
Aug 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8435863a81be1eee4c28131a341f8a4bce04a7b4 commit 8435863a81be1eee4c28131a341f8a4bce04a7b4 Author: haraken <haraken@chromium.org> Date: Thu Aug 25 00:50:57 2016 Remove Platform::current checks from Mojo's error handlers in geolocation The checks were added in https://codereview.chromium.org/2163683004/ but are no longer needed because I already removed blink::shutdown from the renderer's shutdown sequence. BUG= 628999 Review-Url: https://codereview.chromium.org/2271953002 Cr-Commit-Position: refs/heads/master@{#414232} [modify] https://crrev.com/8435863a81be1eee4c28131a341f8a4bce04a7b4/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Sep 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/556b4223eeea55a338bf38ca87b004ba23e1039a commit 556b4223eeea55a338bf38ca87b004ba23e1039a Author: haraken <haraken@chromium.org> Date: Mon Sep 05 00:32:02 2016 Revert of Remove Platform::current checks from Mojo's error handlers in geolocation (patchset #1 id:1 of https://codereview.chromium.org/2271953002/ ) Reason for revert: I'll revert r413430 and its dependent CLs because r413430 caused issue 642072. The problem is that we cannot simply remove blink::shutdown because the following scenario can happen: 1) blink::shutdown is not called. Workers are still running. 2) RenderThreadImpl gets destructed. MessageLoop gets destructed. 3) The workers may access the RenderThreadImpl and MessageLoop. To fix the problem, we need to call ProcessDied() and forcibly kill the renderer process at the end of RenderThreadImpl::Shutdown(). Original issue's description: > Remove Platform::current checks from Mojo's error handlers in geolocation > > The checks were added in https://codereview.chromium.org/2163683004/ > but are no longer needed because I already removed blink::shutdown > from the renderer's shutdown sequence. > > BUG= 628999 ,639244 > > Committed: https://crrev.com/8435863a81be1eee4c28131a341f8a4bce04a7b4 > Cr-Commit-Position: refs/heads/master@{#414232} TBR=sammc@chromium.org BUG= 628999 ,639244 NOTRY=true Review-Url: https://codereview.chromium.org/2312553003 Cr-Commit-Position: refs/heads/master@{#416480} [modify] https://crrev.com/556b4223eeea55a338bf38ca87b004ba23e1039a/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Sep 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/556b4223eeea55a338bf38ca87b004ba23e1039a commit 556b4223eeea55a338bf38ca87b004ba23e1039a Author: haraken <haraken@chromium.org> Date: Mon Sep 05 00:32:02 2016 Revert of Remove Platform::current checks from Mojo's error handlers in geolocation (patchset #1 id:1 of https://codereview.chromium.org/2271953002/ ) Reason for revert: I'll revert r413430 and its dependent CLs because r413430 caused issue 642072. The problem is that we cannot simply remove blink::shutdown because the following scenario can happen: 1) blink::shutdown is not called. Workers are still running. 2) RenderThreadImpl gets destructed. MessageLoop gets destructed. 3) The workers may access the RenderThreadImpl and MessageLoop. To fix the problem, we need to call ProcessDied() and forcibly kill the renderer process at the end of RenderThreadImpl::Shutdown(). Original issue's description: > Remove Platform::current checks from Mojo's error handlers in geolocation > > The checks were added in https://codereview.chromium.org/2163683004/ > but are no longer needed because I already removed blink::shutdown > from the renderer's shutdown sequence. > > BUG= 628999 ,639244 > > Committed: https://crrev.com/8435863a81be1eee4c28131a341f8a4bce04a7b4 > Cr-Commit-Position: refs/heads/master@{#414232} TBR=sammc@chromium.org BUG= 628999 ,639244 NOTRY=true Review-Url: https://codereview.chromium.org/2312553003 Cr-Commit-Position: refs/heads/master@{#416480} [modify] https://crrev.com/556b4223eeea55a338bf38ca87b004ba23e1039a/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Sep 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/556b4223eeea55a338bf38ca87b004ba23e1039a commit 556b4223eeea55a338bf38ca87b004ba23e1039a Author: haraken <haraken@chromium.org> Date: Mon Sep 05 00:32:02 2016 Revert of Remove Platform::current checks from Mojo's error handlers in geolocation (patchset #1 id:1 of https://codereview.chromium.org/2271953002/ ) Reason for revert: I'll revert r413430 and its dependent CLs because r413430 caused issue 642072. The problem is that we cannot simply remove blink::shutdown because the following scenario can happen: 1) blink::shutdown is not called. Workers are still running. 2) RenderThreadImpl gets destructed. MessageLoop gets destructed. 3) The workers may access the RenderThreadImpl and MessageLoop. To fix the problem, we need to call ProcessDied() and forcibly kill the renderer process at the end of RenderThreadImpl::Shutdown(). Original issue's description: > Remove Platform::current checks from Mojo's error handlers in geolocation > > The checks were added in https://codereview.chromium.org/2163683004/ > but are no longer needed because I already removed blink::shutdown > from the renderer's shutdown sequence. > > BUG= 628999 ,639244 > > Committed: https://crrev.com/8435863a81be1eee4c28131a341f8a4bce04a7b4 > Cr-Commit-Position: refs/heads/master@{#414232} TBR=sammc@chromium.org BUG= 628999 ,639244 NOTRY=true Review-Url: https://codereview.chromium.org/2312553003 Cr-Commit-Position: refs/heads/master@{#416480} [modify] https://crrev.com/556b4223eeea55a338bf38ca87b004ba23e1039a/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Sep 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/85a5be3cfe186fee3d41fd4883e600988da6f110 commit 85a5be3cfe186fee3d41fd4883e600988da6f110 Author: Kentaro Hara <haraken@chromium.org> Date: Tue Sep 06 05:11:33 2016 Revert of Remove Platform::current checks from Mojo's error handlers in geolocation (patchset #1 id:1 of https://codereview.chromium.org/2271953002/ ) Reason for revert: I'll revert r413430 and its dependent CLs because r413430 caused issue 642072. The problem is that we cannot simply remove blink::shutdown because the following scenario can happen: 1) blink::shutdown is not called. Workers are still running. 2) RenderThreadImpl gets destructed. MessageLoop gets destructed. 3) The workers may access the RenderThreadImpl and MessageLoop. To fix the problem, we need to call ProcessDied() and forcibly kill the renderer process at the end of RenderThreadImpl::Shutdown(). Original issue's description: > Remove Platform::current checks from Mojo's error handlers in geolocation > > The checks were added in https://codereview.chromium.org/2163683004/ > but are no longer needed because I already removed blink::shutdown > from the renderer's shutdown sequence. > > BUG= 628999 ,639244 > > Committed: https://crrev.com/8435863a81be1eee4c28131a341f8a4bce04a7b4 > Cr-Commit-Position: refs/heads/master@{#414232} TBR=sammc@chromium.org BUG= 628999 ,639244 NOTRY=true Review-Url: https://codereview.chromium.org/2312553003 Cr-Commit-Position: refs/heads/master@{#416480} (cherry picked from commit 556b4223eeea55a338bf38ca87b004ba23e1039a) Review URL: https://codereview.chromium.org/2312833002 . Cr-Commit-Position: refs/branch-heads/2840@{#160} Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607} [modify] https://crrev.com/85a5be3cfe186fee3d41fd4883e600988da6f110/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/85a5be3cfe186fee3d41fd4883e600988da6f110 commit 85a5be3cfe186fee3d41fd4883e600988da6f110 Author: Kentaro Hara <haraken@chromium.org> Date: Tue Sep 06 05:11:33 2016 Revert of Remove Platform::current checks from Mojo's error handlers in geolocation (patchset #1 id:1 of https://codereview.chromium.org/2271953002/ ) Reason for revert: I'll revert r413430 and its dependent CLs because r413430 caused issue 642072. The problem is that we cannot simply remove blink::shutdown because the following scenario can happen: 1) blink::shutdown is not called. Workers are still running. 2) RenderThreadImpl gets destructed. MessageLoop gets destructed. 3) The workers may access the RenderThreadImpl and MessageLoop. To fix the problem, we need to call ProcessDied() and forcibly kill the renderer process at the end of RenderThreadImpl::Shutdown(). Original issue's description: > Remove Platform::current checks from Mojo's error handlers in geolocation > > The checks were added in https://codereview.chromium.org/2163683004/ > but are no longer needed because I already removed blink::shutdown > from the renderer's shutdown sequence. > > BUG= 628999 ,639244 > > Committed: https://crrev.com/8435863a81be1eee4c28131a341f8a4bce04a7b4 > Cr-Commit-Position: refs/heads/master@{#414232} TBR=sammc@chromium.org BUG= 628999 ,639244 NOTRY=true Review-Url: https://codereview.chromium.org/2312553003 Cr-Commit-Position: refs/heads/master@{#416480} (cherry picked from commit 556b4223eeea55a338bf38ca87b004ba23e1039a) Review URL: https://codereview.chromium.org/2312833002 . Cr-Commit-Position: refs/branch-heads/2840@{#160} Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607} [modify] https://crrev.com/85a5be3cfe186fee3d41fd4883e600988da6f110/third_party/WebKit/Source/modules/geolocation/Geolocation.cpp
,
Nov 21 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 22 2017
,
Sep 22 2017
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmoroz@chromium.org
, Jul 18 2016Labels: -Security_Severity-High Security_Severity-Medium
Owner: sa...@chromium.org