Issue 715018


Issue metadata

Status: Verified
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug-Security


Heap-use-after-free in views::View::RemoveObserver

Reported by ClusterFuzz (Project Member), Apr 25 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5101195938234368

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x602000409950
Crash State:
  views::View::RemoveObserver
  views::ThemedSolidBackground::~ThemedSolidBackground
  views::View::~View
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=466837:466857

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5101195938234368


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by sheriffbot@chromium.org (Project Member), Apr 25 2017

Labels: M-59

Comment 2 by sheriffbot@chromium.org (Project Member), Apr 25 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), Apr 25 2017

Labels: Pri-1

Comment 4 by gov...@chromium.org, Apr 25 2017

A friendly reminder that the M59 Beta launch is coming soon! Your bug is labelled as Release Block Beta. All fixes need to be merged into the release branch (3071) by tomorrow, 04/26 4:00 PM PT at the latest, in order to make it into the desktop Beta final build cut. Thank you!

Comment 5 by palmer@chromium.org, Apr 25 2017

Cc: sadrul@chromium.org sky@chromium.org
Components: Internals>Views
Labels: OS-Chrome OS-Mac OS-Windows
Owner: msw@chromium.org
Status: Assigned (was: Untriaged)
msw: Can I give you this to resolve or reassign? Thanks. :)

Comment 6 by msw@chromium.org, Apr 25 2017

Owner: est...@chromium.org
ThemedSolidBackground -> estade
Labels: -ReleaseBlock-Beta ReleaseBlock-Stable
Won't block Beta for this, pushing to ReleaseBlock-Stable.

Comment 8 by est...@chromium.org, Apr 25 2017

I do not understand how this could be present in M59. Why do we believe it's in 59? It landed well after the branch point and it has been reverted (the fix is simple and I will re-land soon).

Comment 9 by ClusterFuzz (Project Member), Apr 26 2017

ClusterFuzz has detected this issue as fixed in range 466945:466956.

Detailed report: https://clusterfuzz.com/testcase?key=5101195938234368

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x602000409950
Crash State:
  views::View::RemoveObserver
  views::ThemedSolidBackground::~ThemedSolidBackground
  views::View::~View
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=466837:466857
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=466945:466956

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5101195938234368


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz (Project Member), Apr 26 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5101195938234368 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 11 by sheriffbot@chromium.org (Project Member), Apr 26 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: mbarbe...@chromium.org
Labels: -ReleaseBlock-Stable -M-59 M-60
Re #8, very true, the regression range is in M60. Not sure why sheriff bot got that wrong, will have a poke.

Comment 13 by sheriffbot@chromium.org (Project Member), Aug 2 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot