Heap-use-after-free in base::subtle::RefCountedThreadSafeBase::Release
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5612038875512832
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x062826b0
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::WeakPtrBase::~WeakPtrBase
  blink::MainThreadTaskRunner::postTaskInternal
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=415902:416283
Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZLGsQjqddYzjTzbRTFDZTyU_EOyA_peJWwRHuIcisdEdBD1h0qCw9jPJxWJibEfgyxjx5hsaL1IWlvZZEkS35SkoH6pcKMPDdbIcTT4BYBiFskbctGiUHAPww13u25rI2mVX5g4EOwbV943Z1bT7Yheb7qA?testcase_id=5612038875512832
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Sep 4 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 4 2016
Sep 5 2016
I think haraken@'s shutdown revert CLs should fix this and clusterfuzz should autoclose these in a day or two.
Sep 5 2016
Sep 7 2016
Any updates? If this is fixed, do you mind closing the bug?
Sep 7 2016
Moving to ReleaseBlock-Stable to keep track of this for M54.
Sep 8 2016
Sep 18 2016
haraken: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 28 2016
Friendly ping, this is a stable blocker for M54, please update the bug if it's been fixed (it looks like auto-close from clusterfuzz hasn't happened).
Oct 2 2016
haraken: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 5 2016
This should have been fixed by me reverting the blink::shutdown CL (r416494).
Oct 5 2016
Oct 7 2016
Oct 21 2016
Oct 24 2016
[Automated comment] There appears to be on-going work (i.e. bugroid changes), needs manual review.
Oct 24 2016
The revert r416494 is already in M55, removing merge request.
Jan 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot