Heap-use-after-free in base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6293441862696960
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000057340
Crash State:
  base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver
  content::ImageDownloaderImpl::~ImageDownloaderImpl
  content::ImageDownloaderImpl::~ImageDownloaderImpl
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=413791:414128
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95aE9kzr7xMzOK7aCbPIFE5nUlEaFVHwI3tEQYtWo95cHMq82jXNRFvyFQ3_wrsXj3Gvu-RAkuYSS8QBgvpXY2UL3k2msJcrUg4ADsI8U3ZYsUDtC9BFVXZ7z3gC5StBS43jhK4n1CpxMrl43Ps62QCASxSLA?testcase_id=6293441862696960
Additional requirements: Requires HTTP
Issue manually filed by: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 25 2016

Aug 25 2016
Hi, Oliver. Would you please give me access to the detailed report? Thanks!
Aug 25 2016
Try clicking on https://cluster-fuzz.appspot.com/testcase?key=6293441862696960; it should give you access. If not, clear your issue tracker token at https://cluster-fuzz.appspot.com/clearissuetrackertokens and retry.
Aug 25 2016
It works now. Thanks!
Aug 25 2016
Hi, Leon. Would you please take a look? I think the problem is:
- the message loop is shutdown.
- during its destructor it calls connection error on ImageDownloaderImpl.
- the strong binding of ImageDownloaderImpl causes it to be destructed.
- the destructor calls RenderThread::Get()->RemoveObserver(this), which is not valid any more.
Aug 25 2016

Aug 26 2016

Aug 26 2016

Aug 26 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 26 2016

Aug 27 2016
ClusterFuzz has detected this issue as fixed in range 414742:414800.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6293441862696960
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000057340
Crash State:
  base::ObserverListBase<content::RenderThreadObserver>::RemoveObserver
  content::ImageDownloaderImpl::~ImageDownloaderImpl
  content::ImageDownloaderImpl::~ImageDownloaderImpl
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=413791:414128
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=414742:414800
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95aE9kzr7xMzOK7aCbPIFE5nUlEaFVHwI3tEQYtWo95cHMq82jXNRFvyFQ3_wrsXj3Gvu-RAkuYSS8QBgvpXY2UL3k2msJcrUg4ADsI8U3ZYsUDtC9BFVXZ7z3gC5StBS43jhK4n1CpxMrl43Ps62QCASxSLA?testcase_id=6293441862696960
Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d2ac649bc631233f4355860a011d3d30f985bb67

commit d2ac649bc631233f4355860a011d3d30f985bb67
Author: leon.han <leon.han@intel.com>
Date: Mon Aug 29 09:06:13 2016

Forbid ImageDownloaderImpl from accessing RenderThread instance after message loop shutdown.

This CL fixes the crash caused by following possible scenario:
- the message loop is shutdown.
- during its destructor it calls connection error on ImageDownloaderImpl.
- the strong binding of ImageDownloaderImpl causes it to be destructed.
- the destructor calls RenderThread::Get()->RemoveObserver(this), which is not valid any more.

BUG=640999
TBR=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2286603002
Cr-Commit-Position: refs/heads/master@{#414985}

[modify] https://crrev.com/d2ac649bc631233f4355860a011d3d30f985bb67/content/renderer/image_downloader/image_downloader_impl.cc
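The four-step teardown order described in comment #5 and in the commit message above, reduced to a runnable model. This is an added example written for this page, not Chromium code: RenderThreadSim, ObserverSim, ShutdownRenderThread and RunScenario are invented stand-ins for RenderThread, ImageDownloaderImpl and message-loop teardown; the strong binding's connection error is modelled as a plain callback, and a "freed" flag plus a counter stand in for the memory that ASan would have poisoned, so the program demonstrates the ordering without actually reading freed memory. The guarded destructor shows one general way to break the cycle (remember the thread's shutdown notification and skip RemoveObserver afterwards); it is not a claim about what the CL above actually changed.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

struct ObserverSim;

// Stand-in for the renderer's RenderThread singleton: owns the observer list
// and the Mojo binding whose connection-error handler fires during teardown.
struct RenderThreadSim {
  static RenderThreadSim* current;            // what RenderThread::Get() hands out
  std::vector<ObserverSim*> observers;
  std::function<void()> on_connection_error;  // models the strong binding's error handler
  bool freed = false;                         // set once the object is logically destroyed
  int touches_after_free = 0;                 // accesses ASan would report as heap-use-after-free

  static RenderThreadSim* Get() { return current; }
  void AddObserver(ObserverSim* o) { observers.push_back(o); }
  void RemoveObserver(ObserverSim* o) {
    if (freed) {  // real code would read freed memory here; we only count it
      ++touches_after_free;
      return;
    }
    observers.erase(std::remove(observers.begin(), observers.end(), o),
                    observers.end());
  }
};
RenderThreadSim* RenderThreadSim::current = nullptr;

// Stand-in for ImageDownloaderImpl: registers as an observer on construction
// and unregisters in its destructor, exactly the pattern that crashed.
struct ObserverSim {
  const bool guarded;        // false: original pattern; true: shutdown-aware pattern
  bool thread_alive = true;  // cleared when the thread announces its shutdown

  explicit ObserverSim(bool guard) : guarded(guard) {
    RenderThreadSim::Get()->AddObserver(this);
  }
  void OnRenderProcessShutdown() { thread_alive = false; }
  ~ObserverSim() {
    // Guarded pattern: after shutdown the observer list dies together with
    // the thread, so there is nothing left to unregister from.
    if (guarded && !thread_alive)
      return;
    // Original pattern: unconditionally dereference Get(), which by now
    // points at an object that is already being torn down.
    RenderThreadSim::Get()->RemoveObserver(this);
  }
};

// Models message-loop teardown in the order the thread describes: observers
// are told the thread is going away, the thread is logically freed, and only
// then does the pending connection error run, destroying the strongly bound
// observer. Get() keeps returning the stale pointer throughout.
void ShutdownRenderThread(RenderThreadSim& thread) {
  for (ObserverSim* o : thread.observers)
    o->OnRenderProcessShutdown();
  thread.freed = true;
  if (thread.on_connection_error)
    thread.on_connection_error();
}

// Runs the scenario and returns how many times the freed thread was touched
// (0 is what a correct shutdown sequence must produce).
int RunScenario(bool guarded) {
  RenderThreadSim thread;
  RenderThreadSim::current = &thread;
  auto downloader = std::make_unique<ObserverSim>(guarded);
  // The strong binding's error handler deletes the object it owns.
  thread.on_connection_error = [&downloader]() { downloader.reset(); };
  ShutdownRenderThread(thread);
  RenderThreadSim::current = nullptr;
  return thread.touches_after_free;
}

int main() {
  std::printf("original pattern: %d use-after-free access(es)\n", RunScenario(false));
  std::printf("guarded pattern:  %d use-after-free access(es)\n", RunScenario(true));
  return 0;
}
```

The point the model makes is that unregistering in a destructor is only safe while the object you unregister from outlives you; once teardown can destroy the observer from inside the thread's own shutdown path, the destructor needs an explicit signal (here the shutdown notification) that the observer list is already gone.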
Sep 1 2016

Sep 6 2016
Per #12 it sounds like this is fixed, removing the ReleaseBlock-Beta label
Sep 6 2016

Sep 6 2016

Sep 9 2016

Sep 9 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 12 2016
Will pick commit d2ac649bc631233f4355860a011d3d30f985bb67 into M54 branch soon.
Sep 12 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a64d2294bbe77cf839715bfefa407d61147e79d6

commit a64d2294bbe77cf839715bfefa407d61147e79d6
Author: Vaclav Brozek <vabr@chromium.org>
Date: Tue Sep 13 10:15:30 2016

Forbid ImageDownloaderImpl from accessing RenderThread instance after message loop shutdown.

This CL fixes the crash caused by following possible scenario:
- the message loop is shutdown.
- during its destructor it calls connection error on ImageDownloaderImpl.
- the strong binding of ImageDownloaderImpl causes it to be destructed.
- the destructor calls RenderThread::Get()->RemoveObserver(this), which is not valid any more.

BUG=640999
TBR=jochen@chromium.org

Review-Url: https://codereview.chromium.org/2286603002
Cr-Commit-Position: refs/heads/master@{#414985}
(cherry picked from commit d2ac649bc631233f4355860a011d3d30f985bb67)

Review URL: https://codereview.chromium.org/2335173002 .

Cr-Commit-Position: refs/branch-heads/2840@{#324}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/a64d2294bbe77cf839715bfefa407d61147e79d6/content/renderer/image_downloader/image_downloader_impl.cc
Oct 12 2016
Issue 642067 has been merged into this issue.
Dec 13 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 25 2016: Status: Assigned (was: Untriaged)