Issue 665779

Issue metadata

Status: Duplicate
Closed: Jan 2017
OS: Mac
Pri: 1
Type: Bug-Security

Heap-use-after-free in disk_cache::BackendImpl::SyncOpenNextEntry

Reported by ClusterFuzz (Project Member), Nov 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5198168703893504

Fuzzer: ipc_fuzzer_gen
Job Type: mac_asan_chrome_ipc
Platform Id: mac

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x6060008940a8
Crash State:
  disk_cache::BackendImpl::SyncOpenNextEntry
  disk_cache::BackendIO::ExecuteBackendOperation
  base::debug::TaskAnnotator::RunTask
  
Recommended Security Severity: Critical

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome_ipc&range=432166:432259

Minimized Testcase (323.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ELlJEMlk1g028IZn9gj-L39s_zG6FfBhaLjUWu42KMx4Su1fbYfdiPEdmTsGTI1EKSQCwtLv6bwM7iixTASY29CnrlDn7jkfxmKz3L5az8_pnMjBVIRGHHRhAXnpstXFZegADsPQDn2T1pHk8Fxh7a_kBnmzNIeBZfsuDiJATssrj1DY?testcase_id=5198168703893504

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
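The report above gives only the ASan crash type ("Heap-use-after-free WRITE 8") and the top of the stack; nothing in this thread says which object in the disk cache went stale. The following is an added illustration, not Chromium code and not the actual cause of this bug: it shows the general shape of a use-after-free in an OpenNextEntry-style iterator, where the iterator keeps a raw pointer to the entry it last handed out, another operation frees that entry, and the next call writes an 8-byte field through the dangling pointer. All names (backend_t, entry_t, open_next_entry_buggy, open_next_entry_safe, backend_doom) are hypothetical, and the generation-counter check in the safe variant is one common fix, not necessarily the one the disk cache landed.

```c
/* Added illustration, not Chromium code: the bug class ASan labels
 * "heap-use-after-free WRITE of size 8". An iterator keeps a raw pointer to
 * the entry it last returned, another call frees ("dooms") that entry, and
 * the next open-next-entry call writes an 8-byte field through the stale
 * pointer. All names are hypothetical. Build: clang -g -fsanitize=address */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 4

typedef struct {
    char key[16];
    uint64_t last_used;   /* the 8-byte field whose write ASan flags */
} entry_t;

typedef struct {
    entry_t *entries[MAX_ENTRIES];
    uint32_t generation;  /* bumped on every free; checked by the safe iterator */
} backend_t;

/* Returns the slot index of the new entry, or -1 if the backend is full. */
static int backend_add(backend_t *b, const char *key) {
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (b->entries[i]) continue;
        entry_t *e = calloc(1, sizeof *e);
        if (!e) return -1;
        snprintf(e->key, sizeof e->key, "%s", key);
        b->entries[i] = e;
        return i;
    }
    return -1;
}

/* Frees one entry. Any iterator still holding its address now dangles. */
static void backend_doom(backend_t *b, int idx) {
    if (idx < 0 || idx >= MAX_ENTRIES || !b->entries[idx]) return;
    free(b->entries[idx]);
    b->entries[idx] = NULL;
    b->generation++;
}

static void backend_destroy(backend_t *b) {
    for (int i = 0; i < MAX_ENTRIES; i++) backend_doom(b, i);
}

/* Buggy iterator: caches a raw entry pointer that nothing invalidates. */
typedef struct { entry_t *current; int next; } iter_buggy_t;
static entry_t *open_next_entry_buggy(backend_t *b, iter_buggy_t *it, uint64_t now) {
    if (it->current) it->current->last_used = now;   /* UAF WRITE 8 if doomed meanwhile */
    it->current = NULL;
    while (it->next < MAX_ENTRIES && !b->entries[it->next]) it->next++;
    if (it->next < MAX_ENTRIES) it->current = b->entries[it->next++];
    return it->current;
}

/* Safe iterator: a position plus the backend generation it was created under. */
typedef struct { int next; uint32_t generation; } iter_safe_t;
static void iter_safe_init(const backend_t *b, iter_safe_t *it) { it->next = 0; it->generation = b->generation; }

/* 1: entry in *out; 0: iteration finished; -1: an entry was freed since
 * iter_safe_init, so the iterator is stale and must be recreated. */
static int open_next_entry_safe(backend_t *b, iter_safe_t *it, entry_t **out, uint64_t now) {
    *out = NULL;
    if (it->generation != b->generation) return -1;
    while (it->next < MAX_ENTRIES && !b->entries[it->next]) it->next++;
    if (it->next >= MAX_ENTRIES) return 0;
    *out = b->entries[it->next++];
    (*out)->last_used = now;   /* written only while the entry is known live */
    return 1;
}

/* Dooms an entry mid-iteration; 0 means the safe iterator refused to continue. */
static int doom_mid_iteration_safe(void) {
    backend_t b = {0};
    int a = backend_add(&b, "a"); backend_add(&b, "b");
    iter_safe_t it; iter_safe_init(&b, &it);
    entry_t *e; int first = open_next_entry_safe(&b, &it, &e, 1);
    int first_ok = first == 1 && e && strcmp(e->key, "a") == 0 && e->last_used == 1;
    backend_doom(&b, a);
    int second = open_next_entry_safe(&b, &it, &e, 2);
    backend_destroy(&b);
    if (a != 0) return 1;
    if (!first_ok) return 2;
    if (second != -1 || e != NULL) return 3;
    return 0;
}

/* Same sequence with the buggy iterator; under ASan the third call reports
 * "heap-use-after-free WRITE of size 8" at the last_used store. */
int main(void) {
    backend_t b = {0};
    backend_add(&b, "a"); backend_add(&b, "b");
    iter_buggy_t it = {0};
    open_next_entry_buggy(&b, &it, 1);   /* returns "a" and remembers its address */
    backend_doom(&b, 0);                 /* frees "a" */
    open_next_entry_buggy(&b, &it, 2);   /* stamps the freed "a" */
    backend_destroy(&b);
    return 0;
}
```

Compiled with `-fsanitize=address`, the ASan report for main() names the store in open_next_entry_buggy as the bad access, the free in backend_doom as the freeing stack, and the calloc in backend_add as the allocation stack, which is the same three-part shape ClusterFuzz condenses into the "Crash State" frames above. The safe variant refuses to continue once any entry has been freed under it; a real cache would more likely re-validate the position, but the property to preserve is the same: never write through a pointer the backend no longer guarantees is live.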

Comment 1 by sheriffbot@chromium.org, Nov 16 2016

Labels: M-56

Comment 2 by sheriffbot@chromium.org, Nov 16 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org, Nov 16 2016

Labels: Pri-0

Comment 4 by mea...@chromium.org, Nov 17 2016

Components: Internals>Network>Cache
Owner: gavinp@chromium.org
Status: Assigned (was: Untriaged)
This is a UAF in the browser process, so I'm keeping the severity level suggested by clusterfuzz (critical).

gavinp: Can you please take a look and reassign if appropriate?

Comment 5 by gavinp@chromium.org, Nov 17 2016

Status: Started (was: Assigned)
On it. TY.

Comment 6 by gavinp@chromium.org, Nov 18 2016

Cc: cbentzel@chromium.org

Comment 7 by och...@chromium.org, Nov 29 2016

Labels: -Pri-0 -Security_Severity-Critical Security_Severity-High Pri-1
Oops, wrong severity. IPC fuzzers assume a compromised renderer, so this is only high.

Comment 8 by sheriffbot@chromium.org, Dec 2 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Moving to ReleaseBlock-Stable so this still gets tracked in the milestone

Comment 10 by siggi@chromium.org, Dec 21 2016

Cc: chrisha@chromium.org
This has been dogging SyzyASAN canaries since Nov 9. See bug 663589.
Cc: sadrul@chromium.org
Note: since this hasn't been updated in a while, also see https://bugs.chromium.org/p/chromium/issues/detail?id=663589#c14

Comment 13 by sheriffbot@chromium.org, Jan 15 2017

Labels: Deadline-Exceeded
We commit ourselves to a 60-day deadline for fixing high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue?

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 Deleted

Labels: -M-57 ReleaseBlock-Stable M-56
Mergedinto: 663589
Status: Duplicate (was: Started)
Closing this as a dup; merging it into the existing issue for the shader cache
Labels: -ReleaseBlock-Stable

Comment 18 by siggi@chromium.org, Feb 22 2017

Cc: w...@chromium.org
Owner: cbentzel@chromium.org
Reassigning to myself, along with the dup.
Owner: jkarlin@chromium.org

Comment 21 by ClusterFuzz, Mar 2 2017

ClusterFuzz has detected this issue as fixed in range 454233:454289.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5198168703893504

Fuzzer: ipc_fuzzer_gen
Job Type: mac_asan_chrome_ipc
Platform Id: mac

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x6060008940a8
Crash State:
  disk_cache::BackendImpl::SyncOpenNextEntry
  disk_cache::BackendIO::ExecuteBackendOperation
  base::debug::TaskAnnotator::RunTask
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome_ipc&range=432166:432259
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome_ipc&range=454233:454289

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94ELlJEMlk1g028IZn9gj-L39s_zG6FfBhaLjUWu42KMx4Su1fbYfdiPEdmTsGTI1EKSQCwtLv6bwM7iixTASY29CnrlDn7jkfxmKz3L5az8_pnMjBVIRGHHRhAXnpstXFZegADsPQDn2T1pHk8Fxh7a_kBnmzNIeBZfsuDiJATssrj1DY?testcase_id=5198168703893504


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 22 by sheriffbot@chromium.org, Jun 10 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot