Issue metadata
use-after-poison in WTF::TraceInCollectionTrait<WTF::WeakHandlingFlag::NoWeakHandlingInCollections,WTF::ShouldWeakPointersBeMarkedStrongly::WeakPointersActWeak,blink::HeapVectorBacking<blink::Member<blink::ScrollableArea>,WTF::VectorTraits<blink::Member<blink::ScrollableArea> > >,void>::trace<blink::Visitor *>
Reported by 0in.em...@gmail.com, Aug 31 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2837.0 Safari/537.36

Steps to reproduce the problem:
1. Run chromium ASAN with --js-flags="--expose-gc"
2. Open attached file
3.

What is the expected behavior? crash.

What went wrong? Asan detects use-after-poison. I've tried to implement gc() as heap-spray and run it on beta build, but no crash observed.

Did this work before? N/A

Chrome version: 55.0.2845.0 Channel: dev
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 22.0 r0
Comment, Sep 1 2016

Comment by ClusterFuzz, Sep 1 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5641109307129856
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x291a3524
Crash State:
  blink::ThreadHeap::popAndInvokeTraceCallback
  blink::ThreadHeap::processMarkingStack
  blink::ThreadHeap::collectGarbage
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=415042:415049
Minimized Testcase (1.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97vddo7kF8pJdlH0dgj-FcSJI5ZPFXwfp8YQ5L-C25DWiRRlgJWcSorL2VXLdkOrzzv1q5TVkqtz29fr4orzYU7GkIA_s6uOATykxUC5WXw8aOdEwpJqJvwPLVsSiHHNoB6R0xehUU2CDl8VmwwKWOgBcbaNA?testcase_id=5641109307129856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Comment, Sep 1 2016

Comment, Sep 1 2016

sigbjornf@opera.com: Assigning it to you since I think this is the culprit CL: https://chromium.googlesource.com/chromium/src/+/174054b089b91ea41c4baa09bcc7b6762fe42005 Feel free to assign it back if you think that's not what caused it.

haraken@chromium.org: CC'ing you for https://chromium.googlesource.com/chromium/src/+/2b383e44008c0d30d7c73f71c028e30934823955 since that looks like the other possible culprit.
Comment, Sep 1 2016

Comment, Sep 1 2016

I'm sorry, but I've been diverted to non-Blink work, so hoping either haraken@ or keishi@ can take a look. Issue 638228 might be related (I didn't understand why it was marked as fixed by the clusterfuzz, but perhaps I missed a fix.)
Comment, Sep 1 2016

Comment, Sep 2 2016

Comment, Sep 2 2016

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Sep 3 2016

Comment, Sep 6 2016

Friendly ping, this is currently a Beta-blocker and needs to get fixed and merged as soon as feasible, as M54 is going to beta this Thursday 9/8
Comment, Sep 7 2016

Moving to ReleaseBlock-Stable to keep track of this for M54
Comment, Sep 14 2016

keishi: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Sep 28 2016

keishi: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Sep 28 2016

Friendly ping, this is a stable blocker for M54, please try to have a fix in by the first week of October so it can be fixed in time for the release.
Comment, Oct 10 2016

Comment, Oct 11 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5641109307129856
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x291a3524
Crash State:
  blink::ThreadHeap::popAndInvokeTraceCallback
  blink::ThreadHeap::processMarkingStack
  blink::ThreadHeap::collectGarbage
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=415042:415049
Minimized Testcase (1.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97vddo7kF8pJdlH0dgj-FcSJI5ZPFXwfp8YQ5L-C25DWiRRlgJWcSorL2VXLdkOrzzv1q5TVkqtz29fr4orzYU7GkIA_s6uOATykxUC5WXw8aOdEwpJqJvwPLVsSiHHNoB6R0xehUU2CDl8VmwwKWOgBcbaNA?testcase_id=5641109307129856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Oct 11 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5641109307129856
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x0bd03524
Crash State:
  blink::ThreadHeap::popAndInvokeTraceCallback
  blink::ThreadHeap::processMarkingStack
  blink::ThreadHeap::collectGarbage
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=415042:415049
Minimized Testcase (1.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956AulD9rG8YnnO0YV0_0R52xKBFGWPl8jlgVaVR99Sdoqp-jhH_LkIvvPG_iL7hfaPpXmGKCbRqffMQ1e4gSvdZHN2K-OFF816eb1G2qOICWlkqx5p5O3EZ-GpM6QOJsh24CBDf4rqV0TziBa6fAmy9ewubA?testcase_id=5641109307129856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Oct 11 2016

Friendly ping. keishi@, maybe you can re-assign this if you don't have cycles?
Comment, Oct 11 2016

Comment, Oct 11 2016

Sorry, I haven't had any luck yet, but I am working on fixing this and crbug.com/644097 now.
Comment, Oct 11 2016

Per #17 moving to M55, Sheriffbot will always flag medium/high severity issues with the Security_Impact-Beta label.
Comment, Oct 21 2016

Comment, Oct 26 2016

**** Bulk edit - please ignore if not applicable ****

A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Comment, Oct 30 2016

We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Oct 31 2016

Cannot reproduce locally nor on bots.
Comment, Nov 4 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5641109307129856
Platform Id: windows
Crash Type: Use-after-poison READ 4
Crash Address: 0x0bd03524
Crash State:
  blink::ThreadHeap::popAndInvokeTraceCallback
  blink::ThreadHeap::processMarkingStack
  blink::ThreadHeap::collectGarbage
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=415042:415049
Minimized Testcase (1.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956AulD9rG8YnnO0YV0_0R52xKBFGWPl8jlgVaVR99Sdoqp-jhH_LkIvvPG_iL7hfaPpXmGKCbRqffMQ1e4gSvdZHN2K-OFF816eb1G2qOICWlkqx5p5O3EZ-GpM6QOJsh24CBDf4rqV0TziBa6fAmy9ewubA?testcase_id=5641109307129856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Feb 6 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot