Heap-use-after-free in device::MockBluetoothGattNotifySession::DoNotify
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6128744733605888

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2b7225d3
Crash State:
  device::MockBluetoothGattNotifySession::DoNotify
  base::internal::Invoker<base::internal::BindState<void
  base::Timer::RunScheduledTask

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=406472:406477

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97Y8i81K1fw4B7ruRyb_oDgJjiZFz7i-yuK_x17Oe8xuwqa3rkLvP5sfjneJl2wa83L5HRO5VcWqJrfKbulQpC4rSBxRb_nIoslvDQj3wcihep8RYSE2tnrQeJjrhV8iSny06mWI78Ex0-gnSJK8_gVU5wSnQ?testcase_id=6128744733605888

```html
<script src=../../resources/testharness.js></script>
<script src=../../resources/testharnessreport.js></script>
<script src=../../resources/bluetooth/bluetooth-helpers.js></script>
<script>
// Layout test: connect to the fake heart-rate adapter, locate the
// heart_rate_measurement characteristic and subscribe to notifications.
promise_test(() => {
  return setBluetoothFakeAdapter('HeartRateAdapter')
    .then(() => requestDeviceWithKeyDown({
      filters: [{services: ['heart_rate']}]}))
    .then(device => device.gatt.connect())
    .then(gattServer => gattServer.getPrimaryService('heart_rate'))
    .then(service => service.getCharacteristic('heart_rate_measurement'))
    .then(characteristic => {
      return characteristic.startNotifications();
    });
});
</script>
```

Additional requirements: Requires HTTP

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 21 2016
How can I see the data bundle that the test uses? Last time this error was showing up because LayoutTests/resources was out of date.
Jul 21 2016
Sorry, it is a hack atm, download testcase from https://cluster-fuzz.appspot.com/testcase?key=6416462406746112 to see data bundle and then overlay this on top.
Jul 21 2016
The LayoutTests/resources folder is out of date so it's calling a test-only function that causes the browser to clean up all bluetooth state and that causes a crash when the test finishes and the browser is cleaning up. I think the fix would be to update LayoutTests/resources.
Jul 22 2016
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4668130859417600

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61f00008c0a0
Crash State:
  device::MockBluetoothGattNotifySession::DoNotify
  base::Timer::RunScheduledTask
  base::debug::TaskAnnotator::RunTask

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=402790:402831

Minimized Testcase (25.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94bO1a0GRgp9Kbsc1UYxz-9-J5Bt5KXS7FEdXp5fS8_FaCZbsqQuIJ__VDHttDaHFSF8zadaop2vbqCYK7zOZrQELBJfL4zvswWBcnsWPddlPIkewQVHqMn25JuJ4amOgz4Da1A5uy8tVJbJekzigkj6RZ7xR86r9M66YvYofeOUnpoD0g?testcase_id=4668130859417600

Issue manually filed by: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 26 2016
Mar 4 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jul 21 2016
Owner: ortuno@chromium.org
Status: Assigned (was: Untriaged)