Container-overflow in void blink::TraceTrait<blink::HeapVectorBacking<blink::MediaKeySystemConfigurati
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4626526349033472

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Container-overflow READ 8
Crash Address: 0x7ebcdf767930
Crash State:
  void blink::TraceTrait<blink::HeapVectorBacking<blink::MediaKeySystemConfigurati
  blink::ThreadHeap::processMarkingStack
  blink::ThreadState::collectGarbage

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97xJW_tjqfMEPxwEG9LQF7DHhITLMdaWyUI0lyEnDtmmZJX2ZTPuOEJH6GuS7Za1CNyb3-zU0vREgu0J4QaTCg5NAYPZ3Qjj70iSLO51E47nBQxPM4RhNl-dYvyvWv6SUA4umSxX3_AaxH66SFhJvOXpN-8MEwIhrvShYm6zQsAuf4jf382e-ntbBv8iGbF19IGU-5Sf_3g1RlI1hSyJMAuyGjfOkjtZqTg5S1s4LIcd5O_B6Y4-uBJhsoxea_-qOFgwFHlaSwlk0wPPUmsYTjCjBdsTw05dn32RimhHC3yk9oQLxzy_yj12wkHE4ejkJrhY9CPQ3skaRcMzTQ8sHK08drSmASNkd99rby21K2XHfpbnFY?testcase_id=4626526349033472

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jan 2 2017

Jan 2 2017
This looks like it is related to Oilpan. haraken@, can you please take a look, and re-assign if I am wrong?

Jan 3 2017
This is crashing when vTableInitialized is accessing an uninitialized payload.

==1==ERROR: AddressSanitizer: container-overflow on address 0x7ebb869686b8 at pc 0x7fb03a6c5869 bp 0x7ffd1aeb4010 sp 0x7ffd1aeb4008
READ of size 8 at 0x7ebb869686b8 thread T0 (chrome)
SCARINESS: 23 (8-byte-read-container-overflow)
    #0 0x7fb03a6c5868 in vTableInitialized third_party/WebKit/Source/platform/heap/HeapPage.h:346:13
    #1 0x7fb03a6c5868 in trace<blink::Visitor *> third_party/WebKit/Source/platform/heap/TraceTraits.h:541
    #2 0x7fb03a6c5868 in void blink::TraceTrait<blink::HeapVectorBacking<blink::MediaKeySystemConfiguration, WTF::VectorTraits<blink::MediaKeySystemConfiguration> > >::trace<blink::Visitor*>(blink::Visitor*, void*) third_party/WebKit/Source/platform/heap/TraceTraits.h:281
    #3 0x7fb02ad7729c in call third_party/WebKit/Source/platform/heap/CallbackStack.h:35:35
    #4 0x7fb02ad7729c in popAndInvokeTraceCallback third_party/WebKit/Source/platform/heap/Heap.cpp:338
    #5 0x7fb02ad7729c in blink::ThreadHeap::processMarkingStack(blink::Visitor*) third_party/WebKit/Source/platform/heap/Heap.cpp:461
    #6 0x7fb02ada7e60 in blink::ThreadState::collectGarbage(blink::BlinkGC::StackState, blink::BlinkGC::GCType, blink::BlinkGC::GCReason) third_party/WebKit/Source/platform/heap/ThreadState.cpp:1780:12

HeapPage::markPointer is intentionally calling vTableInitialized for a maybe-uninitialized payload to check if the vtable has been initialized or not. So I don't think this is a real problem. Is there any way to suppress the crash (or a way to reorganize code to circumvent the crash)?

Jan 3 2017
I think lifting out the #ifdef from the "else" just below would take care of it.

Jan 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/765e5dbf71e1b44b314694bc1935c30503fa0f35

commit 765e5dbf71e1b44b314694bc1935c30503fa0f35
Author: sigbjornf <sigbjornf@opera.com>
Date: Tue Jan 03 10:51:10 2017

Always adjust container size when tracing HeapVectorBacking contents.

R=haraken
BUG=677738

Review-Url: https://codereview.chromium.org/2602363002
Cr-Commit-Position: refs/heads/master@{#441107}

[modify] https://crrev.com/765e5dbf71e1b44b314694bc1935c30503fa0f35/third_party/WebKit/Source/platform/heap/TraceTraits.h
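The following is an added, self-contained model of what the ASan report and the fix above are about; it is example code written for this page, not Chromium or Oilpan source, and the class and function names in it are invented. It assumes the shape of the problem as the thread describes it: a vector backing store annotates its unconstructed tail as poisoned (via __sanitizer_annotate_contiguous_container, the compiler-rt entry point behind container annotations), while a GC-style tracer only knows the allocation size, not the logical length, and so probes every slot's "vtable" word to decide whether to trace it. Probing the poisoned tail is the container-overflow READ 8; widening the annotation to the full capacity before the scan, regardless of which branch the tracer takes, is what "always adjust container size" achieves.

```cpp
// Added example (not Chromium code): ASan container-overflow vs. a tracer that
// scans a whole backing store. Builds with or without -fsanitize=address.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
// Real ASan API; only referenced when ASan is actually enabled.
extern "C" void __sanitizer_annotate_contiguous_container(const void* beg,
                                                          const void* end,
                                                          const void* old_mid,
                                                          const void* new_mid);
constexpr bool kAsanEnabled = true;
#else
constexpr bool kAsanEnabled = false;
#endif

// [beg, old_mid) readable and [old_mid, end) poisoned; move the boundary to
// new_mid. A no-op in a plain build so the example still runs there.
static void annotateContainerSize(const void* beg, const void* end,
                                  const void* old_mid, const void* new_mid) {
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
  __sanitizer_annotate_contiguous_container(beg, end, old_mid, new_mid);
#else
  (void)beg; (void)end; (void)old_mid; (void)new_mid;
#endif
}

// Traced element: the first word stands in for a vtable pointer. It is null in
// a slot that has not been constructed, which is what the tracer tests
// (the analogue of vTableInitialized).
struct Element {
  const void* vtable;
  uint64_t value;
};
static const int kFakeVtable = 0;  // any non-null address serves as "initialized"

// Backing store with `capacity` slots of which only `size` are constructed.
class Backing {
 public:
  explicit Backing(size_t capacity)
      : slots_(static_cast<Element*>(::operator new(capacity * sizeof(Element)))),
        capacity_(capacity), size_(0) {
    std::memset(slots_, 0, capacity * sizeof(Element));  // unconstructed slots read as vtable == nullptr
    annotateContainerSize(slots_, slots_ + capacity_, slots_ + capacity_, slots_);  // poison all
  }
  ~Backing() {
    annotateContainerSize(slots_, slots_ + capacity_, slots_ + size_, slots_ + capacity_);  // unpoison before free
    ::operator delete(slots_);
  }
  Backing(const Backing&) = delete;
  Backing& operator=(const Backing&) = delete;

  bool push(uint64_t v) {
    if (size_ == capacity_) return false;
    // Grow the readable prefix by one slot, then construct into it.
    annotateContainerSize(slots_, slots_ + capacity_, slots_ + size_, slots_ + size_ + 1);
    new (&slots_[size_]) Element{&kFakeVtable, v};
    ++size_;
    return true;
  }

  Element* slots() { return slots_; }
  size_t capacity() const { return capacity_; }
  size_t size() const { return size_; }

 private:
  Element* slots_;
  size_t capacity_;
  size_t size_;
};

// What a GC tracer does: it knows the allocation size, not the logical length,
// so it probes every slot's vtable word and traces only the constructed ones.
static uint64_t scanAll(Backing& b) {
  uint64_t sum = 0;
  for (size_t i = 0; i < b.capacity(); ++i) {
    Element& e = b.slots()[i];
    if (e.vtable != nullptr) sum += e.value;  // the vTableInitialized-style check
  }
  return sum;
}

// Before the fix: reads the poisoned tail. Under ASan that is the
// "container-overflow READ 8"; in a plain build it simply works.
uint64_t traceNaive(Backing& b) { return scanAll(b); }

// After the fix: make the whole capacity readable for the duration of the
// scan, then restore the annotation, so probing unconstructed slots is legal.
uint64_t traceAdjusted(Backing& b) {
  Element* beg = b.slots();
  Element* end = beg + b.capacity();
  annotateContainerSize(beg, end, beg + b.size(), end);
  uint64_t sum = scanAll(b);
  annotateContainerSize(beg, end, end, beg + b.size());
  return sum;
}

int main() {
  Backing b(4);
  b.push(10);
  b.push(32);
  assert(traceAdjusted(b) == 42);
  if (!kAsanEnabled) assert(traceNaive(b) == 42);  // aborts with container-overflow under ASan
  return 0;
}
```

Build it twice to see the difference: a plain build runs both tracers; a build with -fsanitize=address (container overflow detection is on by default) reports a container-overflow from traceNaive and accepts traceAdjusted. The restore step after the scan matters: leaving the tail unpoisoned would silently disable the check for every later access.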

Jan 3 2017

Jan 17 2017
haraken: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 17 2017
Does it still reproduce with #6 in scope?

Jan 17 2017
I don't know when the fuzzer will show up here and verify, but it would be okay to mark this as fixed.

Jan 17 2017
Agreed, the container size should now be correctly in place for that overflow not to trigger.

Jan 18 2017

Mar 6 2017

Mar 17 2017

Mar 17 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.

Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 17 2017
#6 is part of M58 already (cf. https://chromium.googlesource.com/chromium/src/+log/58.0.3029.25/third_party/WebKit/Source/platform/heap/TraceTraits.h).

Mar 20 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 20 2017
See #16

Apr 26 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by sheriffbot@chromium.org, Jan 2 2017