New issue
Advanced search Search tips

Issue 643982 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in base::subtle::RefCountedThreadSafeBase::Release

Project Member Reported by ClusterFuzz, Sep 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5612038875512832

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x062826b0
Crash State:
  base::subtle::RefCountedThreadSafeBase::Release
  base::internal::WeakPtrBase::~WeakPtrBase
  blink::MainThreadTaskRunner::postTaskInternal
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=415902:416283

Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZLGsQjqddYzjTzbRTFDZTyU_EOyA_peJWwRHuIcisdEdBD1h0qCw9jPJxWJibEfgyxjx5hsaL1IWlvZZEkS35SkoH6pcKMPDdbIcTT4BYBiFskbctGiUHAPww13u25rI2mVX5g4EOwbV943Z1bT7Yheb7qA?testcase_id=5612038875512832

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 4 2016

Labels: M-54
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 4 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 4 2016

Labels: Pri-1
Owner: haraken@chromium.org
Status: Assigned (was: Untriaged)
I think haraken@'s shutdown revert cls should fix this and clusterfuzz should autoclose these in a day or two.
Project Member

Comment 5 by sheriffbot@chromium.org, Sep 5 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Any updates?  If this is fixed, do you mind closing the bug.
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Moving to ReleaseBlock-Stable to keep track of this for M54
Components: Blink>DOM
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 18 2016

haraken: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Friendly ping, this a stable blocker for M54, please update the bug if it's been fixed (it looks like auto-close from clusterfuzz hasn't happened).
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 2 2016

haraken: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Fixed (was: Assigned)
This should have been fixed by me reverting the blink::shutdown CL (r416494).

Project Member

Comment 13 by sheriffbot@chromium.org, Oct 5 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Project Member

Comment 15 by sheriffbot@chromium.org, Oct 21 2016

Labels: Merge-Request-55

Comment 16 by dimu@google.com, Oct 24 2016

Labels: -Merge-Request-55 Merge-Review-55 Hotlist-Merge-Review
[Automated comment] There appears to be on-going work (i.e. bugroid changes), needs manual review.
Labels: -Hotlist-Merge-review -Merge-Review-55
the revert r416494 is already in M55, removing merge request.
Project Member

Comment 18 by sheriffbot@chromium.org, Jan 11 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment