Issue 633470

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Corrupt-block in SkMallocPixelRef::~SkMallocPixelRef

Reported by ClusterFuzz (Project Member), Aug 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5775640899092480

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Corrupt-block
Crash Address: 0x7fff9030
Crash State:
  base::allocator::WinHeapFree
  sk_free_releaseproc
  SkMallocPixelRef::~SkMallocPixelRef
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=408661:408692

Minimized Testcase (13.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9659_YMScWGpgOloEk5ZiGVEKbK9ir2E8OynD67_7sBkloXQswTmC3_FYt8RrvBaYqIe0V7Dc11aA4P6PiWj8IU72Hf3tog7RsUk3axqBV7n2HOyDQjw-h1zRQ9EmdMwx3BtsTWJdr0HFc0cH1R6x_aR3HLhQ?testcase_id=5775640899092480

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: reed@chromium.org
Components: Infra>Client>Skia
Labels: Pri-1
Owner: halcanary@chromium.org
Status: Assigned (was: Untriaged)
Another one that looks like skia. halcanary/reed could you help triage? Thanks

Comment 2 by sheriffbot@chromium.org (Project Member), Aug 2 2016

Labels: M-54

Comment 3 by sheriffbot@chromium.org (Project Member), Aug 2 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -reed@chromium.org halcanary@chromium.org
Owner: reed@chromium.org

Comment 5 by reed@chromium.org, Aug 2 2016

Owner: reed@google.com
Components: -Infra>Client>Skia Internals>Skia
Any updates? M54's branch point is next Thursday (8/25)

Comment 8 by sheriffbot@chromium.org (Project Member), Aug 16 2016

reed: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by sheriffbot@chromium.org (Project Member), Aug 30 2016

reed: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Moving to ReleaseBlock-Stable to keep track of this for M54

Comment 12 by wfh@chromium.org, Sep 7 2016

Summary: Corrupt-block in SkMallocPixelRef::~SkMallocPixelRef (was: Corrupt-block in base::allocator::WinHeapFree)
Friendly ping, this is a stable blocker for M54, please try to have a fix in by the first week of October so it can be fixed in time for the release.

Comment 14 by sheriffbot@chromium.org (Project Member), Oct 1 2016

Labels: Deadline-Exceeded
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Hi again reed@ - anybody else who could take a look if you're not going to get to this soon?  Cheers!
Labels: -ReleaseBlock-Stable

Comment 17 by sheriffbot@chromium.org (Project Member), Oct 11 2016

Labels: ReleaseBlock-Stable
Labels: -M-54 M-55
Per #16 moving to M55, sheriffbot will always add RBS back for medium/high security issues with Security_Impact-Beta.
**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also, due to the Thanksgiving holidays in the US, please make sure all fixes are ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest.
Cc: siggi@google.com hcm@google.com reed@google.com robertph...@google.com
Owner: sebmarchand@chromium.org
This looks very much like bug 656554 - assigning to Seb to investigate whether this is the same issue (allocator bug).
**** Bulk edit -  please ignore if not applicable ****

A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also, due to the Thanksgiving holidays in the US, please make sure the fix is ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest (the sooner the better).
Labels: -ReleaseBlock-Stable
Very likely a tools issue.  Removing ReleaseBlock-Stable

Comment 26 by sheriffbot@chromium.org (Project Member), Nov 18 2016

Labels: ReleaseBlock-Stable
Labels: -ReleaseBlock-Stable
Removing "ReleaseBlock-Stable" per comment #25.

Comment 28 by sheriffbot@chromium.org (Project Member), Nov 19 2016

Labels: ReleaseBlock-Stable
Labels: -M-55 -ReleaseBlock-Stable M-56
sebmarchand: friendly ping :) Any update on this?
Yes, sorry for the delay. This has been fixed in SyzyAsan and I'll roll deps soon in Chrome.
Components: -Internals>Skia
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-High -Security_Impact-Beta Type-Bug
Thanks for the update! Since this is a syzyasan issue, I'm flipping labels.
This should be fixed now.
Status: Fixed (was: Assigned)