Issue metadata
Heap-use-after-free in v8_inspector::V8ConsoleMessage::reportToFrontend
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5896548854792192

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61100003a690
Crash State:
  v8_inspector::V8ConsoleMessage::reportToFrontend
  v8_inspector::V8RuntimeAgentImpl::enable
  v8_inspector::protocol::Runtime::DispatcherImpl::enable

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=417794:417842

Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96w9xkOcXIKSPyZOlzJ1tMMDnUKp2gTMBO5MLIGnTmUkV1AV7GmioMz4PQ2mFOaCQn4TzIqdNuqX-5eRpIpOwNXB2VhuilSdlR3a8Q1V1ZVEs6iTaJaVbQIe6obpLZQlDkQ03ViJSlUKtyrDfNbRgQc7f_WXQ?testcase_id=5896548854792192

<script>
function navigate() {
  anchor = document.createElement("a");
  anchor.href = "about:blank";
  anchor.click();
}
var a = new Date();
a.toString = () => navigate();
console.log(42, a);
</script>

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 18 2016
Oct 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 18 2016
Oct 18 2016
Oct 19 2016
Aleksey, didn't we fix this already?
Oct 19 2016
I'm able to reproduce it with asan. Will take a look.
Oct 19 2016
Oct 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/820811f5820377c7f9ab677959a8059e2656803e

commit 820811f5820377c7f9ab677959a8059e2656803e
Author: kozyatinskiy <kozyatinskiy@chromium.org>
Date: Thu Oct 20 21:35:34 2016

[inspector] fix UAF in another part of console code

BUG= chromium:656823
R=dgozman@chromium.org

Review-Url: https://chromiumcodereview.appspot.com/2436783003
Cr-Commit-Position: refs/heads/master@{#40484}

[modify] https://crrev.com/820811f5820377c7f9ab677959a8059e2656803e/src/inspector/v8-console-message.cc
Oct 22 2016
Oct 22 2016
ClusterFuzz has detected this issue as fixed in range 426782:426801.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5896548854792192

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61100003a690
Crash State:
  v8_inspector::V8ConsoleMessage::reportToFrontend
  v8_inspector::V8RuntimeAgentImpl::enable
  v8_inspector::protocol::Runtime::DispatcherImpl::enable

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=417794:417842
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=426782:426801

Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96w9xkOcXIKSPyZOlzJ1tMMDnUKp2gTMBO5MLIGnTmUkV1AV7GmioMz4PQ2mFOaCQn4TzIqdNuqX-5eRpIpOwNXB2VhuilSdlR3a8Q1V1ZVEs6iTaJaVbQIe6obpLZQlDkQ03ViJSlUKtyrDfNbRgQc7f_WXQ?testcase_id=5896548854792192

<script>
function navigate() {
  anchor = document.createElement("a");
  anchor.href = "about:blank";
  anchor.click();
}
var a = new Date();
a.toString = () => navigate();
console.log(42, a);
</script>

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 22 2016
Oct 24 2016
[Automated comment] There appears to be on-going work (i.e. bugroid changes), needs manual review.
Oct 24 2016
Oct 24 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 24 2016
We need to merge it into V8 since inspector is in V8 in M55. Michael, please take a look.
Oct 25 2016
Oct 25 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/eccd4149ffe865370e976d3a8f6ae358ad28c531

commit eccd4149ffe865370e976d3a8f6ae358ad28c531
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Tue Oct 25 15:06:25 2016

Merged: [inspector] fix UAF in another part of console code

Revision: 820811f5820377c7f9ab677959a8059e2656803e

BUG= chromium:656823
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=kozyatinskiy@chromium.org

Review URL: https://codereview.chromium.org/2449003003 .

Cr-Commit-Position: refs/branch-heads/5.5@{#26}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/eccd4149ffe865370e976d3a8f6ae358ad28c531/src/inspector/v8-console-message.cc
Oct 25 2016
Per comment #19, this is already merged to M55. If nothing is pending for M55, please remove "merge-approved-5.5" and "merge-approved-55" labels. Thank you.
Oct 25 2016
Oct 28 2016
Jan 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Oct 18 2016
Labels: Pri-1
Owner: dgozman@chromium.org
Status: Available (was: Untriaged)