New issue
Advanced search Search tips

Issue 698593 link

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in _gdk_window_process_updates_recurse

Project Member Reported by ClusterFuzz, Mar 5 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6124862495260672

Fuzzer: attekett_dom_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7b080010db58
Crash State:
  _gdk_window_process_updates_recurse
  base::MessageLoop::RunHandler
  base::RunLoop::Run
  
Sanitizer: thread (TSAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=330349:330355

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94x4ahUtP_y30tVhdauRJvNS2ShF_1HbU5RpFLK143ETa094rDHgQpM_oEVvJ0_Fcxd7T7WY1CN702dQpVdGnq4joKwegJCXAd858G7FqrTiDHPDSF_PBo25AIuEptW5bOJryFDFQvw-nW0gL64buqo5oGVZ5SO0lTB8U_O7gT-oioJ5eMMqmGFzLERSCgpcHM1NeV5bATpuZFDt8SY7t7kUwGLZO2IWUO7Ivlk47KXRguozWAq1dTgtVrXoWUsgrqW04OTmH1znifY70Ggq8xGBZ2l6geo2xL6S3wC-q96LCfdH0CGgXm6SFwKt-7jvPui7BBTeXJHYppsQOrjdSi9tEVXQUhsKXsEGf1aJLupPV3yMHY?testcase_id=6124862495260672


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Mar 6 2017

Labels: M-58
Project Member

Comment 2 by sheriffbot@chromium.org, Mar 6 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 6 2017

Labels: Pri-1

Comment 4 by vakh@chromium.org, Mar 6 2017

Cc: kinuko@chromium.org mbarbe...@chromium.org
Components: UI>Browser>Core
mbarbella@ -- not sure how to triage this.
The regression range for this is 5 CLs from 2015: https://chromium.googlesource.com/chromium/src/+log/f7ff218fef8a0cb4d1d972e09ac60f4dcd6a74ea..46439ad2021110ab9cbed34a8d7e04fe41008ae9

One of those CLs looks suspicious but is a revert: https://codereview.chromium.org/1129953004
I didn't look too closely, but since this has gestures I'm guessing it might be a somewhat flaky crash. If it is, the regression range won't necessarily be accurate.
We're close to promoting M58 to Beta (next week March 16th). This bug is listed as RB-Beta-blocker. Can you please take a look at this bug and resolve before Beta promotion?
Project Member

Comment 7 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455565:455674.

Detailed report: https://clusterfuzz.com/testcase?key=6124862495260672

Fuzzer: attekett_dom_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7b080010db58
Crash State:
  _gdk_window_process_updates_recurse
  base::MessageLoop::RunHandler
  base::RunLoop::Run
  
Sanitizer: thread (TSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=330349:330355
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=455565:455674

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94x4ahUtP_y30tVhdauRJvNS2ShF_1HbU5RpFLK143ETa094rDHgQpM_oEVvJ0_Fcxd7T7WY1CN702dQpVdGnq4joKwegJCXAd858G7FqrTiDHPDSF_PBo25AIuEptW5bOJryFDFQvw-nW0gL64buqo5oGVZ5SO0lTB8U_O7gT-oioJ5eMMqmGFzLERSCgpcHM1NeV5bATpuZFDt8SY7t7kUwGLZO2IWUO7Ivlk47KXRguozWAq1dTgtVrXoWUsgrqW04OTmH1znifY70Ggq8xGBZ2l6geo2xL6S3wC-q96LCfdH0CGgXm6SFwKt-7jvPui7BBTeXJHYppsQOrjdSi9tEVXQUhsKXsEGf1aJLupPV3yMHY?testcase_id=6124862495260672


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 6124862495260672 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 9 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Beta -reward-topanel -M-58 reward-0 M-59
Project Member

Comment 11 by sheriffbot@chromium.org, Jun 15 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment