Corrupt-block in SkMallocPixelRef::~SkMallocPixelRef
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5775640899092480
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fff9030
Crash State:
  base::allocator::WinHeapFree
  sk_free_releaseproc
  SkMallocPixelRef::~SkMallocPixelRef
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=408661:408692
Minimized Testcase (13.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9659_YMScWGpgOloEk5ZiGVEKbK9ir2E8OynD67_7sBkloXQswTmC3_FYt8RrvBaYqIe0V7Dc11aA4P6PiWj8IU72Hf3tog7RsUk3axqBV7n2HOyDQjw-h1zRQ9EmdMwx3BtsTWJdr0HFc0cH1R6x_aR3HLhQ?testcase_id=5775640899092480
Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 2 2016

Aug 2 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 2 2016

Aug 2 2016

Aug 2 2016

Aug 15 2016
Any updates? M54's branch point is next Thursday (8/25)

Aug 16 2016
reed: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Aug 30 2016
reed: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sep 1 2016

Sep 7 2016
Moving to ReleaseBlock-Stable to keep track of this for M54

Sep 7 2016

Sep 28 2016
Friendly ping, this is a stable blocker for M54, please try to have a fix in by the first week of October so it can be fixed in time for the release.

Oct 1 2016
We commit ourselves to a 60 day deadline for fixing high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 7 2016
Hi again reed@ - anybody else who could take a look if you're not going to get to this soon? Cheers!

Oct 10 2016

Oct 11 2016

Oct 11 2016
Per #16 moving to M55, sheriffbot will always add RBS back for medium/high security issues with Security_Impact-Beta.

Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Nov 7 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also, due to the Thanksgiving holidays in the US, please make sure all fixes are ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest.

Nov 7 2016

Nov 7 2016
This looks very much like bug 656554 - assigning to Seb to investigate whether this is the same issue (allocator bug).

Nov 14 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also, due to the Thanksgiving holidays in the US, please make sure the fix is ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest (the sooner the better).

Nov 18 2016
Very likely a tools issue. Removing ReleaseBlock-Stable

Nov 18 2016

Nov 18 2016
Removing "ReleaseBlock-Stable" per comment #25.

Nov 19 2016

Nov 19 2016

Nov 28 2016
sebmarchand: friendly ping :) Any update on this?

Nov 28 2016
Yes, sorry for the delay. This has been fixed in SyzyAsan and I'll roll deps soon in Chrome.

Nov 29 2016
Thanks for the update! Since this is a syzyasan issue, I'm flipping labels.

Dec 7 2016
This should be fixed now.

Dec 12 2016
Comment 1 by raymes@chromium.org, Aug 2 2016
Components: Infra>Client>Skia
Labels: Pri-1
Owner: halcanary@chromium.org
Status: Assigned (was: Untriaged)