New issue
Advanced search Search tips

Issue 647926 link

Starred by 1 user
Status: WontFix
Owner:
wangxianzhu@chromium.org
Closed: Oct 2016
Cc:
mbarbe...@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in blink::PaintController::commitNewDisplayItems

Project Member Reported by ClusterFuzz, Sep 17 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5952312755617792

Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free READ 4
Crash Address: 0xcd7806c0
Crash State:
  blink::PaintController::commitNewDisplayItems
  blink::GraphicsLayer::paint
  blink::FrameView::synchronizedPaintRecursively
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=395786:395857

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95mIFXWHLM1VSel-Uixuc-4OJstZeLcCez8Rx9jzLW4iUKE5JdxhzUiSnYrzwlBL6UPo4PcLM7htgDlYHtkgoGZThxKAVRumjBE3Df3VwEJ9ovdW4Imgq3maET_8eB4niQ_3EFpQH-PRBm6reMZCsxWPvGWZg?testcase_id=5952312755617792
<script>
window.open("http://instacarro.com");
window.location = "http://hariduskeskus.ee";</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 17 2016

Labels: M-53
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 17 2016

Labels: Pri-1

Comment 3 by penny...@chromium.org, Sep 19 2016

Components: Blink>Paint
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)

Comment 4 by wangxianzhu@chromium.org, Sep 22 2016 

Can't reproduce with local asan build or following the reproducing instructions (https://docs.google.com/document/d/15ZqPDlz3a8Ac08uWWBc-tM4IZzhP-kYEuQAXiJRiH24/edit#heading=h.uoltawkpum5p).

Comment 5 by aarya@google.com, Sep 22 2016

Cc: mbarbe...@chromium.org
on clusterfuzz this is still reproducing. Maybe only reproduces in xvfb ? Marty, can you please add the Xvfb command from startup script, i have trouble reaching it (ooo).

Comment 6 by mbarbe...@chromium.org, Sep 22 2016 

These are the commands we're using to set up xvfb and blackbox:

Xvfb :1 -screen 0 1280x1024x24 -ac -nolisten tcp
DISPLAY=:1 blackbox

Comment 7 by wangxianzhu@chromium.org, Sep 22 2016 

Using xvfb and blackbox, still can't reproduce locally.

Also the run_gestures_on_device_local.py seems to already start xvfb and blackbox.
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 7 2016 

wangxianzhu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by wangxianzhu@chromium.org, Oct 7 2016

Status: WontFix (was: Assigned)
Closing according to the latest result on clusterfuzz bot:

[2016-10-06 21:14:28] wangxianzhu@google.com: Redo task(s): blame, progression, regression
[2016-10-06 14:15:45] clusterfuzz-linux-0332: Blame task started.
[2016-10-06 14:15:59] clusterfuzz-linux-0332: Blame task finished.
[2016-10-06 14:16:14] clusterfuzz-linux-0258: Regression task started.
[2016-10-06 14:16:23] clusterfuzz-linux-0332: Progression task started: r423512.
[2016-10-06 14:24:36] clusterfuzz-linux-0258: Regression task errored out: Known crash revision 419238 did not crash.
[2016-10-06 14:24:44] clusterfuzz-linux-0332: Progression task in-progress: Testing r419238:r423512.
[2016-10-06 14:25:59] clusterfuzz-linux-0223: Regression task started.
[2016-10-06 14:32:53] clusterfuzz-linux-0332: Progression task errored out: Known crash revision 419238 did not crash.
[2016-10-06 14:32:53] clusterfuzz-linux-0332: Progression task errored out: Test case appears to be flaky.
[2016-10-06 14:34:14] clusterfuzz-linux-0223: Regression task errored out: Known crash revision 419238 did not crash.
[2016-10-06 14:34:14] clusterfuzz-linux-0223: Regression task errored out: Test case appears to be flaky.
[2016-10-06 14:34:23] clusterfuzz-linux-high-end-0071: Blame task started.
[2016-10-06 14:34:26] clusterfuzz-linux-0362: Blame task started.
[2016-10-06 14:34:35] clusterfuzz-linux-high-end-0071: Blame task finished.
[2016-10-06 14:34:39] clusterfuzz-linux-0362: Blame task finished.
Project Member

Comment 10 by sheriffbot@chromium.org, Jan 14 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment