New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 677961 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in base::ObserverListBase<content::MediaSessionObserver>::begin

Project Member Reported by ClusterFuzz, Jan 3 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4699768359223296

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2c910f2f
Crash State:
  base::ObserverListBase<content::MediaSessionObserver>::begin
  device::MockBluetoothGattNotifySession::DoNotify
  base::internal::Invoker<base::internal::BindState<void
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=441084:441086

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Ev1UcLaVbdGuCdYTsfj-sVVxxaxNoA9DyPqeNMMWBr_5l9-ogGbmClq-IhFcvBl_01fzr3WCf4Mg2ApPtcHsqvDIZaMReLtRD4ksIgkJyKLKqtvMB6tynI5Ymz8lzudyy1ySXyN7t7rfzn1KrtcZi7YTG6TOdT0A2keR-qVUr_JvkzjHtXn0BMADYeL7uGdrQ018doAokCquNVeNsFHYh3aY03lJzwbYF3K74yHmiHyM46aHcrGCU8uSSXA6OFdtYAAL_CGh6PvXeE9S9AJGe40s7xfcZeAzITX5Ei-dxHsca5DihURorMjgEtG-kU8tygLB1t_74U-Vqj9bkq8otyThVZNA7KOasNWUTiwq5WyVUzEM?testcase_id=4699768359223296
<script src=../../resources/testharness.js></script>
<script src=../../resources/testharnessreport.js></script>
<script src=../../resources/bluetooth/bluetooth-helpers.js></script>
<script>
promise_test(() => {
  return setBluetoothFakeAdapter('HeartRateAdapter')
    .then(() => requestDeviceWithKeyDown({
      filters: [{services: ['heart_rate']}]}))
    .then(device => device.gatt.connect())
    .then(gattServer => gattServer.getPrimaryService('heart_rate'))
    .then(service => service.getCharacteristic('heart_rate_measurement'))
    .then(characteristic => {
      return characteristic.startNotifications()
    });
});
</script>


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Internals
Labels: Pri-1
Owner: tzik@chromium.org
Status: Available (was: Untriaged)
Not sure whether the issue is in bind_internal or on a higher level.

tzik@, would you mind taking a look and helping to triage this?
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 4 2017

Labels: M-57
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 4 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 4 2017

Status: Assigned (was: Available)

Comment 5 by tzik@chromium.org, Jan 5 2017

Cc: tzik@chromium.org
Owner: ortuno@chromium.org
Rerouting to ortuno@.

Comment 6 by ortuno@chromium.org, Jan 17 2017

Hmm, this seems similar to  Issue 604671  and  Issue 621850 . Is there a way to see what resources are being used? Last time the resources were out of date and causing this problem.
Project Member

Comment 7 by ClusterFuzz, Jan 20 2017

ClusterFuzz has detected this issue as fixed in range 444601:444637.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4699768359223296

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2c910f2f
Crash State:
  base::ObserverListBase<content::MediaSessionObserver>::begin
  device::MockBluetoothGattNotifySession::DoNotify
  base::internal::Invoker<base::internal::BindState<void
  
Memory Tool: SYZYASAN

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=441084:441086
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=444601:444637

Minimized Testcase (0.64 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Ev1UcLaVbdGuCdYTsfj-sVVxxaxNoA9DyPqeNMMWBr_5l9-ogGbmClq-IhFcvBl_01fzr3WCf4Mg2ApPtcHsqvDIZaMReLtRD4ksIgkJyKLKqtvMB6tynI5Ymz8lzudyy1ySXyN7t7rfzn1KrtcZi7YTG6TOdT0A2keR-qVUr_JvkzjHtXn0BMADYeL7uGdrQ018doAokCquNVeNsFHYh3aY03lJzwbYF3K74yHmiHyM46aHcrGCU8uSSXA6OFdtYAAL_CGh6PvXeE9S9AJGe40s7xfcZeAzITX5Ei-dxHsca5DihURorMjgEtG-kU8tygLB1t_74U-Vqj9bkq8otyThVZNA7KOasNWUTiwq5WyVUzEM?testcase_id=4699768359223296
<script src=../../resources/testharness.js></script>
<script src=../../resources/testharnessreport.js></script>
<script src=../../resources/bluetooth/bluetooth-helpers.js></script>
<script>
promise_test(() => {
  return setBluetoothFakeAdapter('HeartRateAdapter')
    .then(() => requestDeviceWithKeyDown({
      filters: [{services: ['heart_rate']}]}))
    .then(device => device.gatt.connect())
    .then(gattServer => gattServer.getPrimaryService('heart_rate'))
    .then(service => service.getCharacteristic('heart_rate_measurement'))
    .then(characteristic => {
      return characteristic.startNotifications()
    });
});
</script>


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Jan 20 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4699768359223296 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Jan 20 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: scheib@chromium.org
Labels: -ReleaseBlock-Beta
Project Member

Comment 12 by sheriffbot@chromium.org, Apr 28 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment