Crash in base::PendingTask::PendingTask
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6601400088002560
Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00edf91f
Crash State:
  base::PendingTask::PendingTask
  base::MessageLoop::DoWork
  base::MessagePumpDefault::Run
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=404895:404947
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97ejfrrtoJPgJ7yphIzuBeW-Jbdk1BkkmyaxPriDlB9AEy-ZQF6Edf5N-VbOY8KGtMSkUCj8b6q1s68dTuyS0aBnZrL64V4HNV1bG2D-IdSYWPxJwXQHu_jd7taNpifFQFIh2jTQt5_u2QST9hbnjmXDX-Zk6KmagecOJIvsoOpDXGuE0Q?testcase_id=6601400088002560
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
Jul 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 18 2016
Jul 18 2016
Jul 19 2016
M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.
Jul 20 2016
Removing RB-B since it's not a new crash. https://crash.corp.google.com/browse?q=stable_signature%20CONTAINS%20%27base%3A%3APendingTask%3A%3APendingTask%27
Jul 20 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 21 2016
Jul 21 2016
Jul 21 2016
Jul 21 2016
Jul 22 2016
Aug 3 2016
tzik: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 3 2016
M53 Stable launch is coming soon. Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix asap so it gets a chance to bake in beta before stable promotion. Thank you.
Aug 10 2016
Hi tzik@. Though it might not be new, it's still a security issue - could you possibly prioritise taking a look? Cheers!
Aug 12 2016
Hmm... The crash looks so confusing to me. E.g. on http://crash/4e995dfc00000000, std::deque<>::push_back calls to base::PendingTask::PendingTask at 07FEEE5DCF50h. The disasm of the point is `48 89 5c 24 08`, which is `mov qword ptr [rsp+8h],rbx`. It doesn't make sense to me to read `rbx` at the beginning of a function. Isn't this a compiler bug or caused by a broken binary?
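The instruction bytes quoted above, `48 89 5c 24 08`, can be checked by hand against the x86-64 encoding rules (REX prefix, ModRM, SIB, displacement). The decoder below is an added example written for this page, not Chromium or Syzygy code; it handles only the two MOV r/m,r opcodes (0x89 and 0x8B) and is enough to confirm that the bytes encode a store of rbx to [rsp+8] (opcode 0x89 moves from the register operand into r/m), which is the usual shape of a non-volatile register spill at function entry. The five-byte input is the sequence from the comment; the helper names are my own.

```python
"""Decode the x86-64 MOV r/m,r (0x89) and MOV r,r/m (0x8B) encodings.

Added example, not Chromium or Syzygy code: it maps the bytes quoted in the
thread, 48 89 5c 24 08, back to Intel syntax and reports the data direction.
Only the two MOV opcodes above are handled; anything else raises ValueError.
"""
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
          "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]


def decode_mov(code: bytes) -> dict:
    """Decode the MOV at the start of `code`.

    Returns {'text': Intel syntax, 'length': bytes consumed,
             'direction': 'store' | 'load' | 'reg-to-reg'}.
    """
    pos = 0
    rex_w = rex_r = rex_x = rex_b = 0
    # Optional REX prefix 0x40..0x4F: bit 3 = W (64-bit operand size),
    # bits 2/1/0 extend ModRM.reg, SIB.index and ModRM.rm/SIB.base.
    if 0x40 <= code[pos] <= 0x4F:
        rex = code[pos]
        rex_w, rex_r, rex_x, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, (rex >> 1) & 1, rex & 1
        pos += 1
    opcode = code[pos]
    pos += 1
    if opcode not in (0x89, 0x8B):
        raise ValueError("only MOV r/m,r (0x89) and MOV r,r/m (0x8B) are supported")
    regs = REGS64 if rex_w else REGS32
    width = "qword ptr" if rex_w else "dword ptr"

    modrm = code[pos]
    pos += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg_name = regs[reg | (rex_r << 3)]

    if mod == 3:
        # Register-direct form: no memory operand.
        rm_text = regs[rm | (rex_b << 3)]
    else:
        base = index = None
        scale, disp = 1, 0
        if rm == 4:
            # rm=100 means a SIB byte follows (required to use rsp/r12 as base).
            sib = code[pos]
            pos += 1
            scale = 1 << (sib >> 6)
            idx = ((sib >> 3) & 7) | (rex_x << 3)
            bse = (sib & 7) | (rex_b << 3)
            if idx != 4:  # index=100 with REX.X=0 means "no index register"
                index = REGS64[idx]
            if mod == 0 and (bse & 7) == 5:
                # base=101 with mod=00: no base register, disp32 follows.
                disp = struct.unpack_from("<i", code, pos)[0]
                pos += 4
            else:
                base = REGS64[bse]
        elif mod == 0 and rm == 5:
            # mod=00 rm=101 is RIP-relative addressing with disp32.
            base = "rip"
            disp = struct.unpack_from("<i", code, pos)[0]
            pos += 4
        else:
            base = REGS64[rm | (rex_b << 3)]

        if mod == 1:    # disp8 follows
            disp = struct.unpack_from("<b", code, pos)[0]
            pos += 1
        elif mod == 2:  # disp32 follows
            disp = struct.unpack_from("<i", code, pos)[0]
            pos += 4

        parts = [p for p in (base, None if index is None else
                             (index if scale == 1 else f"{index}*{scale}")) if p]
        addr = "+".join(parts)
        if disp or not parts:
            addr += f"{disp:+#x}" if parts else f"{disp:#x}"
        rm_text = f"{width} [{addr}]"

    if opcode == 0x89:   # r/m <- reg: a store when r/m is memory
        return {"text": f"mov {rm_text},{reg_name}", "length": pos,
                "direction": "store" if mod != 3 else "reg-to-reg"}
    return {"text": f"mov {reg_name},{rm_text}", "length": pos,
            "direction": "load" if mod != 3 else "reg-to-reg"}


# The five bytes quoted in the comment above.
PROLOGUE_BYTES = bytes.fromhex("48895c2408")

if __name__ == "__main__":
    print(decode_mov(PROLOGUE_BYTES))
```

Running it prints the decoded form `mov qword ptr [rsp+0x8],rbx` with direction `store` and length 5: the REX.W byte selects 64-bit operands, ModRM 0x5c gives mod=01 (disp8), reg=rbx, rm=100 (SIB), and SIB 0x24 selects rsp as base with no index.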
Aug 15 2016
M53 Stable launch is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix asap so it gets a chance to bake in beta before stable promotion later this month. Thank you.
Aug 16 2016
Chris, Sebastien, could this be a syzyasan bug? Can you please take a look.
Aug 17 2016
Aug 17 2016
chrisha: Uh oh! This issue is still open and hasn't been updated in the last 30 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 18 2016
Please try to resolve this ASAP as we're very close to M53 Stable promotion. Please request a merge to M53 branch 2785 once change is landed/baked/verified in Canary. Thank you.
Aug 22 2016
A friendly reminder that M53 Stable is launching VERY soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP (before 5:00 PM PT, Tuesday) so we can take it for this week's LAST Beta release for Desktop. Thank you! Note: Merge has to happen by Friday, August 26th, 5:00 PM PST in order to make it into the desktop Stable final build cut.
Aug 22 2016
Aug 22 2016
Was traveling last week and just seeing this now. Am traveling again this week, and Seb is OOO as well. tzik: Why were you looking at that minidump on go/crash? This is an ASAN bug and has a repro as well as stack trace information available on cluster-fuzz. aarya: I'm confused regarding the stack trace provided by CF. It looks like we're starting in ReportCrashWithProtobufAndMemoryRanges, before entering message loop machinery in chrome_child? This to me looks like something has gone wrong much sooner, either in Crashpad or Kasko.
Aug 23 2016
chrisha: Because the failure didn't repro on my machine, and the minidump in the CF report didn't work for me on MSVC. It didn't show meaningful call stack, and the symbol server probably doesn't know the binary.
Aug 23 2016
Aug 23 2016
Aug 26 2016
Removing ReleaseBlock after discussion with inferno.
Aug 28 2016
Aug 29 2016
Aug 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fd76103704c54eec019f2e7cb56aab8c71681aa3
commit fd76103704c54eec019f2e7cb56aab8c71681aa3
Author: sebmarchand <sebmarchand@chromium.org>
Date: Wed Aug 31 22:34:01 2016

Roll Syzygy deps to v0.8.20.6

BUG=629006,630372

Review-Url: https://codereview.chromium.org/2298273003
Cr-Commit-Position: refs/heads/master@{#415785}
[modify] https://crrev.com/fd76103704c54eec019f2e7cb56aab8c71681aa3/DEPS
Sep 9 2016
Sep 27 2016
Anything more needed for this bug or can it be marked fixed?
Sep 28 2016
ClusterFuzz cannot reproduce it, let's mark as Fixed.
Sep 29 2016
Oct 7 2016
Jan 5 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jul 18 2016
Components: Content>Core
Labels: M-53 Pri-2
Owner: tzik@chromium.org