Issue metadata
Sign in to add a comment
|
Heap-use-after-free in data_use_measurement::ChromeDataUseAscriber::ReadyToCommitMainFrameNavigation |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6002597715771392 Fuzzer: inferno_canvas_wrecker Job Type: linux_asan_chrome_gpu Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61300016d5a8 Crash State: data_use_measurement::ChromeDataUseAscriber::ReadyToCommitMainFrameNavigation base::internal::Invoker<base::internal::BindState<void base::debug::TaskAnnotator::RunTask Recommended Security Severity: Critical Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_gpu&range=435487:435551 Minimized Testcase (0.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94hGCqavjXizqC_7O7cLqDM5uhOw977guge1jRuRmpt2GQ4RFOgjrWvztMEbqHPd2gWXG4Xm1RUdsf-mOB24jVLo7FqGO7W7mbElnl4OhgsAHgVlMD0cdny5jyPj8lOAy-w1Z8O6SJoCEA1FBvn04_S9ql2pg?testcase_id=6002597715771392 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Dec 1 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 1 2016
,
Dec 1 2016
kundaji, could you please take a look? Might be caused by https://chromium.googlesource.com/chromium/src/+/f1a0d5d8b91d0168d3a978f006758bfe2c9888b9
,
Dec 1 2016
,
Dec 1 2016
Confirming that this was caused by the cl mentioned in comment 4. Sending fix for review soon.
,
Dec 1 2016
,
Dec 1 2016
Closed https://bugs.chromium.org/p/chromium/issues/detail?id=670257 as duplicate
,
Dec 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c6d437f401a1b5053d7d1bf3aa2b13c99d854e70 commit c6d437f401a1b5053d7d1bf3aa2b13c99d854e70 Author: kundaji <kundaji@chromium.org> Date: Fri Dec 02 00:46:45 2016 Set main frame id on DataUseRecorder created for render frame. Without this id, there is no way to look this instance up in the render frame map. BUG=670257, 670240 , 670438 Review-Url: https://codereview.chromium.org/2545963002 Cr-Commit-Position: refs/heads/master@{#435797} [modify] https://crrev.com/c6d437f401a1b5053d7d1bf3aa2b13c99d854e70/chrome/browser/data_use_measurement/chrome_data_use_ascriber.cc
,
Dec 2 2016
,
Dec 2 2016
,
Dec 3 2016
ClusterFuzz has detected this issue as fixed in range 435745:435840. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6002597715771392 Fuzzer: inferno_canvas_wrecker Job Type: linux_asan_chrome_gpu Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x61300016d5a8 Crash State: data_use_measurement::ChromeDataUseAscriber::ReadyToCommitMainFrameNavigation base::internal::Invoker<base::internal::BindState<void base::debug::TaskAnnotator::RunTask Recommended Security Severity: Critical Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_gpu&range=435487:435551 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_gpu&range=435745:435840 Minimized Testcase (0.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94hGCqavjXizqC_7O7cLqDM5uhOw977guge1jRuRmpt2GQ4RFOgjrWvztMEbqHPd2gWXG4Xm1RUdsf-mOB24jVLo7FqGO7W7mbElnl4OhgsAHgVlMD0cdny5jyPj8lOAy-w1Z8O6SJoCEA1FBvn04_S9ql2pg?testcase_id=6002597715771392 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 3 2016
,
Dec 9 2016
,
Dec 9 2016
Your change meets the bar and is auto-approved for M56 (branch: 2924)
,
Dec 9 2016
According to the fuzzer report in comment 12, this wasn't regressed until M57 (regressed in https://chromium.googlesource.com/chromium/src/+/f1a0d5d8b91d0168d3a978f006758bfe2c9888b9). I just looked at the code from M56, and this fix can't be merged as the code it fixes doesn't exist. Can I get more context on why this was marked as Merge-Request-56? I'm not sure if there is a problem in M56 and what the fix would be as the ownership of the objects is more clear and a Use-After-Free seems unlikely as far as I could tell in looking at the code.
,
Dec 12 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 12 2016
Removing Merge-request based on Comment 16. There is nothing to merge back, and I don't know of a case where this is broken in M56. The fuzzer reported this broken as of 57.0.2938 and fixed 57.0.2939. I'm not sure why comment 14 added the merge request.
,
Dec 16 2016
,
Dec 16 2016
This bug requires manual review: No test file found in commits. Please contact the milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 16 2016
This bug requires manual review: No test file found in commits. Please contact the milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 16 2016
[Automated comment] removing mislabelled Merge-Review-56, Hotlist-Merge-Review
,
Dec 17 2016
Issue 671036 has been merged into this issue.
,
Jan 27 2017
,
Mar 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Dec 1 2016