Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4825426925191168
Fuzzer: inferno_webbot
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60d00015d520
Crash State:
  mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding
  ChromeRenderMessageFilter::BindNetworkHints
  base::internal::Invoker<base::internal::BindState<void
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=407005:407057
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94bWiu7DPffdKUNvGoLdT6H0-ORQiLffRspj0n4_xwxcSFRb5c5ZHB4_ImSmrqPYFf4OF0vtoMhv52zaKeO-HFDo6U5gTbpBYI8gj6VEVbcsDFPfggAaOlsxotFgM8THjx6H_8kR60I0tBK4l1bpD023R1d5w?testcase_id=4825426925191168
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Author: tibell
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/1efd0ad3153587609220eeec1be6c1b2bbf9964b
Time: Fri Jul 22 03:35:53 2016
Lines 127-131 of file chrome_render_message_filter.cc, which potentially caused the crash, are changed in this CL (frame #2, "ChromeRenderMessageFilter::BindNetworkHints"). Minimum distance from crash line to modified line: 0 (file: chrome_render_message_filter.cc, crashed on: 128, modified: 128).
Suspected Project: chromium
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0773f761ce9ed103aa297808ac89771bc010d70c

commit 0773f761ce9ed103aa297808ac89771bc010d70c
Author: tibell <tibell@chromium.org>
Date: Mon Jul 25 01:00:43 2016

Revert of Convert network hints to Mojo (patchset #16 id:300001 of https://codereview.chromium.org/2144533002/ )

BUG= 630749
NOPRESUBMIT=true
Skipping presubmit as I'm removing OWNERS files I added.

Reason for revert:
Use-after-free issue: https://bugs.chromium.org/p/chromium/issues/detail?id=630749

Original issue's description:
> Convert network hints to Mojo
>
> Previously landed as: refs/heads/master@{#406780}
>
> Committed: https://crrev.com/1efd0ad3153587609220eeec1be6c1b2bbf9964b
> Cr-Commit-Position: refs/heads/master@{#407030}

TBR=sammc@chromium.org,dcheng@chromium.org,juliatuttle@chromium.org,halliwell@chromium.org,sky@chromium.org,mbarbella@chromium.org,blundell@chromium.org,mbarbella@google.com
# Not skipping CQ checks because original CL landed more than 1 day ago.
Review-Url: https://codereview.chromium.org/2179693002
Cr-Commit-Position: refs/heads/master@{#407395}

[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/browser/BUILD.gn
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/browser/extensions/BUILD.gn
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/browser/renderer_host/chrome_render_message_filter.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/browser/renderer_host/chrome_render_message_filter.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/chrome_browser.gypi
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/renderer/chrome_content_renderer_client.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/renderer/chrome_content_renderer_client.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/renderer/chrome_render_thread_observer.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chrome/renderer/chrome_render_thread_observer.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chromecast/browser/cast_content_browser_client.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/chromecast/browser/cast_content_browser_client.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints.gypi
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/browser/BUILD.gn
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/browser/DEPS
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/browser/network_hints_impl.h
[rename] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/browser/network_hints_message_filter.cc
[add] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/browser/network_hints_message_filter.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/common/BUILD.gn
[add] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/common/network_hints_message_generator.cc
[add] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/common/network_hints_message_generator.h
[rename] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/common/network_hints_messages.cc
[add] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/common/network_hints_messages.h
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/cpp/BUILD.gn
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/cpp/OWNERS
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/cpp/network_hints.typemap
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/cpp/network_hints_param_traits.h
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/interfaces/BUILD.gn
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/interfaces/OWNERS
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/components/network_hints/public/interfaces/network_hints.mojom
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/renderer/BUILD.gn
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/renderer/DEPS
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/renderer/renderer_dns_prefetch.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/renderer/renderer_dns_prefetch.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/renderer/renderer_preconnect.cc
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/network_hints/renderer/renderer_preconnect.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/components/typemaps.gni
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/ipc/ipc_message_start.h
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/tools/ipc_fuzzer/fuzzer/fuzzer.cc
[delete] https://crrev.com/9756dcab651b7c31a1bc029d68800e71bc6dae16/tools/ipc_fuzzer/message_lib/OWNERS
[modify] https://crrev.com/0773f761ce9ed103aa297808ac89771bc010d70c/tools/ipc_fuzzer/message_lib/all_messages.h
ClusterFuzz has detected this issue as fixed in range 407394:407396.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4825426925191168
Fuzzer: inferno_webbot
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60d00015d520
Crash State:
  mojo::BindingSet<network_hints::mojom::NetworkHints>::AddBinding
  ChromeRenderMessageFilter::BindNetworkHints
  base::internal::Invoker<base::internal::BindState<void
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=407005:407057
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=407394:407396
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94bWiu7DPffdKUNvGoLdT6H0-ORQiLffRspj0n4_xwxcSFRb5c5ZHB4_ImSmrqPYFf4OF0vtoMhv52zaKeO-HFDo6U5gTbpBYI8gj6VEVbcsDFPfggAaOlsxotFgM8THjx6H_8kR60I0tBK4l1bpD023R1d5w?testcase_id=4825426925191168
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Issue 630994 has been merged into this issue.
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jul 22 2016
Owner: tibell@chromium.org
Status: Assigned (was: Untriaged)