Issue metadata
Sign in to add a comment
|
Heap-use-after-free in blink::PaintController::commitNewDisplayItems |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5952312755617792 Fuzzer: inferno_webbot Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: Heap-use-after-free READ 4 Crash Address: 0xcd7806c0 Crash State: blink::PaintController::commitNewDisplayItems blink::GraphicsLayer::paint blink::FrameView::synchronizedPaintRecursively Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=395786:395857 Minimized Testcase (0.10 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95mIFXWHLM1VSel-Uixuc-4OJstZeLcCez8Rx9jzLW4iUKE5JdxhzUiSnYrzwlBL6UPo4PcLM7htgDlYHtkgoGZThxKAVRumjBE3Df3VwEJ9ovdW4Imgq3maET_8eB4niQ_3EFpQH-PRBm6reMZCsxWPvGWZg?testcase_id=5952312755617792 <script> window.open("http://instacarro.com"); window.location = "http://hariduskeskus.ee";</script> Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 17 2016
,
Sep 19 2016
,
Sep 22 2016
Can't reproduce with local asan build or following the reproducing instructions (https://docs.google.com/document/d/15ZqPDlz3a8Ac08uWWBc-tM4IZzhP-kYEuQAXiJRiH24/edit#heading=h.uoltawkpum5p).
,
Sep 22 2016
on clusterfuzz this is still reproducing. Maybe only reproduces in xvfb ? Marty, can you please add the Xvfb command from startup script, i have trouble reaching it (ooo).
,
Sep 22 2016
These are the commands we're using to set up xvfb and blackbox: Xvfb :1 -screen 0 1280x1024x24 -ac -nolisten tcp DISPLAY=:1 blackbox
,
Sep 22 2016
Using xvfb and blackbox, still can't reproduce locally. Also the run_gestures_on_device_local.py seems to already start xvfb and blackbox.
,
Oct 7 2016
wangxianzhu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 7 2016
Closing according to the latest result on clusterfuzz bot: [2016-10-06 21:14:28] wangxianzhu@google.com: Redo task(s): blame, progression, regression [2016-10-06 14:15:45] clusterfuzz-linux-0332: Blame task started. [2016-10-06 14:15:59] clusterfuzz-linux-0332: Blame task finished. [2016-10-06 14:16:14] clusterfuzz-linux-0258: Regression task started. [2016-10-06 14:16:23] clusterfuzz-linux-0332: Progression task started: r423512. [2016-10-06 14:24:36] clusterfuzz-linux-0258: Regression task errored out: Known crash revision 419238 did not crash. [2016-10-06 14:24:44] clusterfuzz-linux-0332: Progression task in-progress: Testing r419238:r423512. [2016-10-06 14:25:59] clusterfuzz-linux-0223: Regression task started. [2016-10-06 14:32:53] clusterfuzz-linux-0332: Progression task errored out: Known crash revision 419238 did not crash. [2016-10-06 14:32:53] clusterfuzz-linux-0332: Progression task errored out: Test case appears to be flaky. [2016-10-06 14:34:14] clusterfuzz-linux-0223: Regression task errored out: Known crash revision 419238 did not crash. [2016-10-06 14:34:14] clusterfuzz-linux-0223: Regression task errored out: Test case appears to be flaky. [2016-10-06 14:34:23] clusterfuzz-linux-high-end-0071: Blame task started. [2016-10-06 14:34:26] clusterfuzz-linux-0362: Blame task started. [2016-10-06 14:34:35] clusterfuzz-linux-high-end-0071: Blame task finished. [2016-10-06 14:34:39] clusterfuzz-linux-0362: Blame task finished.
,
Jan 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Sep 17 2016