Crash in base::debug::StackDumpExceptionFilter
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5465827537321984
Fuzzer: marty_html_twiddler
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x2483e533
Crash State: base::debug::StackDumpExceptionFilter
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=406639:406657
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96P8VchtCJaDe5PiWhq7-w9FZ2FKypcgFIqDXhCe6MfRBfYhPFuH5q_TRCdMLVvdwkN_ZOuY-SNRO_DFb8sEBsypzcTEhFwoDnbpxTY6LOKR-jmpQVRMpRrjMcgqEJDCaunLrHswU27QsGFp6kVa1tTpSy7V9thzg00xCfLK0xOpMEK5c?testcase_id=5465827537321984
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 22 2016
Moving component to Internals, please change if not appropriate.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6362885597167616
Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x005cde33
Crash State: base::debug::StackDumpExceptionFilter
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=408381:408405
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94Oq6rtxPi_IiLzQ0iKbVgiQV83GzfRwc2X8efRSgFgI9lfIYcLwFYXPeVs5rVQchqaHphhuGVtb7esROBPtXcsLvJgxkPshnwbxJNs0nH8F8IuHg7wKGbkpftk9AcObWMk9VuEpapLNCJRj9H_yobtEBkh_HRkfhzB98mwsJJ-XaG4PKA?testcase_id=6362885597167616
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
sebmarchand: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 9 2016
I can repro this, it looks like a simple OOM:

01 0499eeb4 100c7845 chrome_child!base::`anonymous namespace'::OnNoMemory+0x11 [c:\b\c\b\win_syzyasan_lkgr\src\base\process\memory_win.cc @ 41]
02 0499eec0 100c77cd chrome_child!base::allocator::WinCallNewHandler+0x15 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\winheap_stubs_win.cc @ 66]
03 0499eed0 12904a72 chrome_child!malloc+0x17 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim_win.cc @ 72]
04 0499eedc 1017e7b6 chrome_child!operator new+0x2c [f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp @ 19]
05 0499eef4 1017e697 chrome_child!cc::ListContainerHelper::CharAllocator::AllocateNewList+0x59 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 247]
06 (Inline) -------- chrome_child!cc::ListContainerHelper::CharAllocator::Allocate+0x64 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 131]
07 0499ef00 113de76c chrome_child!cc::ListContainerHelper::Allocate+0x2b [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 461]
08 (Inline) -------- chrome_child!cc::ListContainer<cc::DrawQuad>::AllocateAndConstruct+0x813fe6e0 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container.h @ 118]
09 (Inline) -------- chrome_child!cc::RenderPass::CreateAndAppendDrawQuad+0x813fe6e0 [c:\b\c\b\win_syzyasan_lkgr\src\cc\quads\render_pass.h @ 95]
0a 0499ef40 1134ecc9 chrome_child!cc::SolidColorLayerImpl::AppendSolidQuads+0xbb [c:\b\c\b\win_syzyasan_lkgr\src\cc\layers\solid_color_layer_impl.cc @ 58]
0b 0499f78c 11340797 chrome_child!cc::PictureLayerImpl::AppendQuads+0xb5 [c:\b\c\b\win_syzyasan_lkgr\src\cc\layers\picture_layer_impl.cc @ 166]
0c 0499f91c 113471ba chrome_child!cc::LayerTreeHostImpl::CalculateRenderPasses+0x77f [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\layer_tree_host_impl.cc @ 922]
0d 0499f9cc 1140eebd chrome_child!cc::LayerTreeHostImpl::PrepareToDraw+0x3db [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\layer_tree_host_impl.cc @ 1112]
0e 0499fa34 114104ec chrome_child!cc::ProxyImpl::DrawAndSwapInternal+0x64 [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\proxy_impl.cc @ 630]
0f 0499fa70 1141549c chrome_child!cc::ProxyImpl::ScheduledActionDrawAndSwapIfPossible+0xa8 [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\proxy_impl.cc @ 521]
10 0499fa88 11416467 chrome_child!cc::Scheduler::DrawAndSwapIfPossible+0x39 [c:\b\c\b\win_syzyasan_lkgr\src\cc\scheduler\scheduler.cc @ 615]
11 0499fb2c 11415e3e chrome_child!cc::Scheduler::ProcessScheduledActions+0x21c [c:\b\c\b\win_syzyasan_lkgr\src\cc\scheduler\scheduler.cc @ 691]
12 0499fb8c 1140d378 chrome_child!cc::Scheduler::OnBeginImplFrameDeadline+0x107 [c:\b\c\b\win_syzyasan_lkgr\src\cc\scheduler\scheduler.cc @ 604]
13 (Inline) -------- chrome_child!base::internal::FunctorTraits<void (__thiscall cc::ProxyMain::*)(void),void>::Invoke+0x8142d378 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 214]
14 (Inline) -------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x42 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 303]
15 (Inline) -------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall cc::ProxyMain::*)(void),base::WeakPtr<cc::ProxyMain> >,void __cdecl(void)>::RunImpl+0x4f [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 346]
16 0499fba0 10197f7f chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall cc::ProxyMain::*)(void),base::WeakPtr<cc::ProxyMain> >,void __cdecl(void)>::Run+0x37 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 324]
17 (Inline) -------- chrome_child!base::Callback<void __cdecl(void),1>::Run+0x1a [c:\b\c\b\win_syzyasan_lkgr\src\base\callback.h @ 389]
18 0499fba8 12b6f088 chrome_child!base::CancelableCallback<void __cdecl(void)>::Forward+0x6 [c:\b\c\b\win_syzyasan_lkgr\src\base\cancelable_callback.h @ 107]
19 (Inline) -------- chrome_child!base::internal::FunctorTraits<void (__thiscall gpu::GpuChannelManager::*)(void),void>::Invoke+0x82b8f071 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 214]
1a 0499fbb4 12b6fc30 chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo<void (__thiscall gpu::GpuChannelManager::*const &)(void),base::WeakPtr<gpu::GpuChannelManager> const &>+0x21 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 303]
1b (Inline) -------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall gpu::GpuChannelManager::*)(void),base::WeakPtr<gpu::GpuChannelManager> >,void __cdecl(void)>::RunImpl+0x82b8fc1c [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 346]
1c 0499fbc4 10e2d29d chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall gpu::GpuChannelManager::*)(void),base::WeakPtr<gpu::GpuChannelManager> >,void __cdecl(void)>::Run+0x13 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 324]
1d (Inline) -------- chrome_child!base::Callback<void __cdecl(void),1>::Run+0x1c [c:\b\c\b\win_syzyasan_lkgr\src\base\callback.h @ 389]
1e 0499fc24 10dcc32e chrome_child!base::debug::TaskAnnotator::RunTask+0x100 [c:\b\c\b\win_syzyasan_lkgr\src\base\debug\task_annotator.cc @ 54]
1f 0499fd6c 10dcb752 chrome_child!base::MessageLoop::RunTask+0x2fb [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 497]
20 (Inline) -------- chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x80deb741 [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 505]
21 0499fe2c 10e2fe6d chrome_child!base::MessageLoop::DoWork+0x25e [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 629]
22 0499fe60 10dcbef0 chrome_child!base::MessagePumpDefault::Run+0x140 [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_pump_default.cc @ 36]
23 0499fe6c 10e1a59d chrome_child!base::MessageLoop::RunHandler+0x11 [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 459]
24 0499fe90 10e08660 chrome_child!base::RunLoop::Run+0x65 [c:\b\c\b\win_syzyasan_lkgr\src\base\run_loop.cc @ 36]
25 0499fe98 10e08bba chrome_child!base::Thread::Run+0xb [c:\b\c\b\win_syzyasan_lkgr\src\base\threading\thread.cc @ 229]
26 0499fee8 10de5953 chrome_child!base::Thread::ThreadMain+0x12c [c:\b\c\b\win_syzyasan_lkgr\src\base\threading\thread.cc @ 304]
27 0499ff04 742738f4 chrome_child!base::`anonymous namespace'::ThreadFunc+0x82 [c:\b\c\b\win_syzyasan_lkgr\src\base\threading\platform_thread_win.cc @ 86]
28 0499ff18 77295de3 KERNEL32!BaseThreadInitThunk+0x24
29 0499ff60 77295dae ntdll!__RtlUserThreadStart+0x2f
2a 0499ff70 00000000 ntdll!_RtlUserThreadStart+0x1b

We should do something to handle this in a better way in SyzyAsan, we should probably look for the win::kOomExceptionCode exception code.
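A triage helper for traces like the one above, added here as an example and not code from ClusterFuzz, SyzyAsan or Chromium: it parses WinDbg-style frames and, when the allocator's out-of-memory handler is on the stack, reports the first frame outside the allocator plumbing as the allocation that failed, so a crash reported as UNKNOWN can be tagged as an OOM instead of being worked as a memory-safety bug. The marker symbols, the allocator names and the \src\base\ path check are assumptions drawn from this trace, not a Chromium API.

```python
import re
from typing import Dict, List, Optional

# One WinDbg "k" frame: index, child-SP, return address, module!symbol+offset [file @ line].
# Inline frames carry "(Inline) --------" in place of the two address columns.
FRAME_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{2})\s+(?:[0-9a-f]{8}\s+[0-9a-f]{8}|\(Inline\)\s+-+)\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>.+?)(?:\+0x[0-9a-f]+)?"
    r"(?:\s+\[(?P<file>[^\]@]+?)\s+@\s+(?P<line>\d+)\])?\s*$"
)

# Assumed markers taken from the trace in this bug: these frames mean the allocator gave up,
# i.e. an OOM rather than a memory-safety bug. Not a Chromium or ClusterFuzz API.
OOM_MARKERS = ("base::`anonymous namespace'::OnNoMemory", "base::allocator::WinCallNewHandler")
ALLOCATOR_SYMBOLS = {"malloc", "operator new"}
BASE_DIR = "\\src\\base\\"  # frames under Chromium's base/ are allocator plumbing; skip them


def parse_frames(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict (idx, module, symbol, file, line) per frame line; other lines are ignored."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames


def triage(text: str) -> Dict[str, Optional[str]]:
    """Classify a trace as 'oom' or 'unknown' and name the allocation site that failed."""
    seen_oom = False
    for f in parse_frames(text):
        sym = f["symbol"]
        if sym.startswith(OOM_MARKERS):
            seen_oom = True
            continue
        if not seen_oom:
            continue
        in_base = f["file"] is not None and BASE_DIR in f["file"]
        if sym in ALLOCATOR_SYMBOLS or in_base:
            continue  # still inside malloc/new or base/ plumbing; keep walking up the stack
        return {"kind": "oom", "alloc_site": sym}
    return {"kind": "oom" if seen_oom else "unknown", "alloc_site": None}


# Constructed sample: the top of the stack quoted in this bug, cut down to five frames.
SAMPLE = r"""
01 0499eeb4 100c7845 chrome_child!base::`anonymous namespace'::OnNoMemory+0x11 [c:\b\c\b\win_syzyasan_lkgr\src\base\process\memory_win.cc @ 41]
02 0499eec0 100c77cd chrome_child!base::allocator::WinCallNewHandler+0x15 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\winheap_stubs_win.cc @ 66]
03 0499eed0 12904a72 chrome_child!malloc+0x17 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim_win.cc @ 72]
04 0499eedc 1017e7b6 chrome_child!operator new+0x2c [f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp @ 19]
05 0499eef4 1017e697 chrome_child!cc::ListContainerHelper::CharAllocator::AllocateNewList+0x59 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 247]
"""
```

Running `triage(SAMPLE)` yields kind `oom` with `cc::ListContainerHelper::CharAllocator::AllocateNewList` as the allocation site; a trace with no OOM marker on the stack comes back as `unknown` and is left for a human to look at.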
Aug 24 2016
sebmarchand: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fd76103704c54eec019f2e7cb56aab8c71681aa3

commit fd76103704c54eec019f2e7cb56aab8c71681aa3
Author: sebmarchand <sebmarchand@chromium.org>
Date: Wed Aug 31 22:34:01 2016

Roll Syzygy deps to v0.8.20.6

BUG=629006,630372

Review-Url: https://codereview.chromium.org/2298273003
Cr-Commit-Position: refs/heads/master@{#415785}

[modify] https://crrev.com/fd76103704c54eec019f2e7cb56aab8c71681aa3/DEPS
Sep 2 2016
I've rescheduled the fuzzer run to see if the commit in #8 has fixed this issue.
Sep 8 2016
Any update on this?
Sep 27 2016
Clusterfuzz reported: Known crash revision 406657 did not crash. Test case appears to be flaky. :-\
Oct 4 2016
I wonder if it's worth moving this to WontFix?
Oct 11 2016
Both crashes are not reproducible anymore. Thanks!
Jan 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jul 21 2016
Labels: -Security_Impact-Head Security_Impact-Stable Pri-1
Owner: sebmarchand@chromium.org
Status: Assigned (was: Untriaged)