New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 651702 link

Starred by 1 user
Status: Verified
Owner:
keishi@chromium.org
Closed: Oct 2016
Cc:
therealh...@gmail.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Use-after-poison in blink::LocalFileSystem::from

Project Member Reported by ClusterFuzz, Sep 30 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5433359633481728

Fuzzer: therealholden_worker
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x7ec9137a5600
Crash State:
  blink::LocalFileSystem::from
  blink::WorkerGlobalScopeFileSystem::webkitRequestFileSystemSync
  blink::SharedWorkerGlobalScopePartialV8Internal::webkitRequestFileSystemSyncMeth
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=421705:421761

Minimized Testcase (3.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95WCBp0uo82KatDtsIYhdHNBQaEbJLmnNOnjzrRD9dcL0l1-thPMSSKYLCKTuZryTBybp1nEk-m-CJk0h4aYcobrCmei-W6mmDrAXpJy8e2htn-c-cmu06ByrH2xw5WbVxIHuISFp001FtsxmeY2ciwjuQxgg?testcase_id=5433359633481728

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 30 2016

Labels: M-55
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 30 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 30 2016

Labels: Pri-1

Comment 4 by kenrb@chromium.org, Sep 30 2016

Components: Blink>MemoryAllocator>GarbageCollection
Owner: keishi@chromium.org
Status: Assigned (was: Untriaged)
keishi@: There is a use-after-poison regression, possibly related to one of your CLs that falls in the regression range: https://chromium.googlesource.com/chromium/src/+/62d4e2e8f5ca66516854cbdbd1402d344410ec75

Can you please have a look at this?

Comment 5 by kenrb@chromium.org, Oct 3 2016 

 Issue 652091  has been merged into this issue.

Comment 6 by awhalley@chromium.org, Oct 3 2016 

Note that we're imminently promoting M55 to Beta and this bug is marked as a blocker for that.  Please prioritize accordingly.  Thanks!

Comment 7 by gov...@chromium.org, Oct 4 2016 

A friendly reminder that M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.
Project Member

Comment 8 by ClusterFuzz, Oct 6 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by therealh...@gmail.com, Oct 6 2016 

This was fixed @ 423122 ( issue 591606  c#48) and is a revert of c#45 421731.
Project Member

Comment 10 by sheriffbot@chromium.org, Oct 6 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 11 by awhalley@chromium.org, Oct 16 2016

Labels: -reward-topanel reward-0
No reward for this one I'm afraid as it was discovered internally before the report.

Comment 12 by awhalley@chromium.org, Oct 25 2016

Labels: -ReleaseBlock-Beta
Project Member

Comment 13 by sheriffbot@chromium.org, Jan 12 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment