New issue
Advanced search Search tips

Issue 657919 link

Starred by 2 users
Status: Duplicate
Merged: issue 657862
Owner: ----
Closed: Oct 2016
Cc:
reillyg@chromium.org
awhalley@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 0
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in instance

Project Member Reported by ClusterFuzz, Oct 20 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5698760040775680

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60600046ce48
Crash State:
  instance
  get
  content::IndexedDBCallbacks::IOThreadHelper::SendSuccessInteger
  
Recommended Security Severity: Critical

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=426410:426422

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv965FY3w1eysB9BPpDYVIHxBhedU5YPXTojcn4DvVp192_JwewcAR3gN4VHf2F3h-FNN4F5RhFV5oo9_QdyzTuPyudbwfn22RX5D6DD5jVt_j3u6XRU85kVAWFabz8Sdz4pOB3JXSpUGVKRI5kcZCYXUQD7zY5pYzKmsvegrfcrQqynZdcY?testcase_id=5698760040775680


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by ClusterFuzz, Oct 21 2016 

ClusterFuzz has detected this issue as fixed in range 426561:426648.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5698760040775680

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60600046ce48
Crash State:
  instance
  get
  content::IndexedDBCallbacks::IOThreadHelper::SendSuccessInteger
  
Recommended Security Severity: Critical

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=426410:426422
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=426561:426648

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv965FY3w1eysB9BPpDYVIHxBhedU5YPXTojcn4DvVp192_JwewcAR3gN4VHf2F3h-FNN4F5RhFV5oo9_QdyzTuPyudbwfn22RX5D6DD5jVt_j3u6XRU85kVAWFabz8Sdz4pOB3JXSpUGVKRI5kcZCYXUQD7zY5pYzKmsvegrfcrQqynZdcY?testcase_id=5698760040775680


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 2 by sheriffbot@chromium.org, Oct 21 2016

Labels: M-55
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 21 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 21 2016

Labels: Pri-0

Comment 5 by gov...@chromium.org, Oct 22 2016

Cc: awhalley@chromium.org
+ awhalley@, could you ptal as this is blocking Next week beta release on Wednesday, 10/26/16. Thank you.
Project Member

Comment 6 by sheriffbot@chromium.org, Oct 22 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 22 2016

Labels: -ReleaseBlock-Beta ReleaseBlock-Stable

Comment 8 by mbarbe...@chromium.org, Oct 23 2016

Mergedinto: 657862
Status: Duplicate (was: Untriaged)

Comment 9 by gov...@chromium.org, Oct 27 2016

Cc: reillyg@chromium.org
Project Member

Comment 10 by sheriffbot@chromium.org, Jan 29 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment