Issue metadata
Sign in to add a comment
|
Heap-use-after-free in base::WaitableEvent::Signal |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5854749121576960 Fuzzer: ochang_search_index_mutator Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Heap-use-after-free READ 1 Crash Address: 0x6070000876d1 Crash State: base::WaitableEvent::Signal content::AudioMessageFilter::OnChannelClosing IPC::ChannelProxy::Context::OnRemoveFilter Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=413455:413506 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95XqSfkvfVPPOxuIu0FpSwsHswkhuBtj5D5NVELaQCzIzvW-wF-lyGq_SlU8SI5mYOkTEKQ2otopq8a0wXI3Sc5vNLkY-XQnNoovKJWHkFBTpeUleuwj2r9Qsk5fMNVeg6_MM77MPdG5-NXtFspvktKEVlj2w?testcase_id=5854749121576960 Additional requirements: Requires Gestures Issue manually filed by: mmoroz See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 24 2016
,
Aug 24 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 24 2016
,
Aug 24 2016
Looks like it's crashing here https://cs.chromium.org/chromium/src/media/audio/audio_output_device.cc?l=428 => grunell, guidou, olka
,
Aug 25 2016
AOD is accessed on IO thread after deleted on main thread. Could happen if Stop() is never called on it. When moving to Mojo we'll get rid of living on two threads, that will solve it properly. Meanwhile, seems like the solution is to make sure Stop() is always called. Assigning to Olga to look at the new mixing code.
,
Aug 25 2016
,
Aug 25 2016
CL under review https://codereview.chromium.org/2275343002/
,
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 415049:415582. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5854749121576960 Fuzzer: ochang_search_index_mutator Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Heap-use-after-free READ 1 Crash Address: 0x6070000876d1 Crash State: base::WaitableEvent::Signal content::AudioMessageFilter::OnChannelClosing IPC::ChannelProxy::Context::OnRemoveFilter Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=413455:413506 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=415049:415582 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95XqSfkvfVPPOxuIu0FpSwsHswkhuBtj5D5NVELaQCzIzvW-wF-lyGq_SlU8SI5mYOkTEKQ2otopq8a0wXI3Sc5vNLkY-XQnNoovKJWHkFBTpeUleuwj2r9Qsk5fMNVeg6_MM77MPdG5-NXtFspvktKEVlj2w?testcase_id=5854749121576960 Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 1 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Sep 1 2016
,
Sep 5 2016
,
Sep 6 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
,
Sep 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4048f667b58d4a55da76ebea5d3aae61d30c8f53 commit 4048f667b58d4a55da76ebea5d3aae61d30c8f53 Author: olka <olka@chromium.org> Date: Thu Sep 08 11:01:15 2016 Stopping cached AudioOutputDevices on AudioRendererSinkCache destruction. BUG= 640576 Review-Url: https://codereview.chromium.org/2275343002 Cr-Commit-Position: refs/heads/master@{#415296} (cherry picked from commit 7c54ad8cf953810135f3684e4eada4c5625efe1c) TBR=dalecurtis@chromium.org NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2323463003 Cr-Commit-Position: refs/branch-heads/2840@{#232} Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607} [modify] https://crrev.com/4048f667b58d4a55da76ebea5d3aae61d30c8f53/content/renderer/media/audio_renderer_sink_cache_impl.cc
,
Oct 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4048f667b58d4a55da76ebea5d3aae61d30c8f53 commit 4048f667b58d4a55da76ebea5d3aae61d30c8f53 Author: olka <olka@chromium.org> Date: Thu Sep 08 11:01:15 2016 Stopping cached AudioOutputDevices on AudioRendererSinkCache destruction. BUG= 640576 Review-Url: https://codereview.chromium.org/2275343002 Cr-Commit-Position: refs/heads/master@{#415296} (cherry picked from commit 7c54ad8cf953810135f3684e4eada4c5625efe1c) TBR=dalecurtis@chromium.org NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2323463003 Cr-Commit-Position: refs/branch-heads/2840@{#232} Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607} [modify] https://crrev.com/4048f667b58d4a55da76ebea5d3aae61d30c8f53/content/renderer/media/audio_renderer_sink_cache_impl.cc
,
Dec 8 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmoroz@chromium.org
, Aug 24 2016Components: Blink>GetUserMedia
Labels: Pri-1
Owner: dalecur...@chromium.org