Issue metadata
Sign in to add a comment
|
Use-of-uninitialized-value in ui::XVisualManager::XVisualManager |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5850676679933952 Fuzzer: libfuzzer_gpu_angle_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: ui::XVisualManager::XVisualManager base::DefaultSingletonTraits<ui::XVisualManager>::New base::Singleton<ui::XVisualManager, base::DefaultSingletonTraits<ui::XVisualMana Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=474161:474211 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5850676679933952 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 24 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 24 2017
,
May 26 2017
thomasanderson@: Would you mind having a look at this regression report? ClusterFuzz is reporting use of uninitialized memory from the XVisualManager allocation. I don't see any recent changes that might be related, though. Are you a good person to look into this, or can you recommend a different owner?
,
May 26 2017
,
May 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6a5692489564312b0ef27ad53e81289f8d3092d6 commit 6a5692489564312b0ef27ad53e81289f8d3092d6 Author: thomasanderson <thomasanderson@chromium.org> Date: Fri May 26 22:16:03 2017 X11: Fix use-of-uninitialized-variable Some failure paths in XGetVisualInfo don't set |nitems_return| to 0, and instead just return nullptr directly. This CL initializes that variable to 0 manually to handle those cases. BUG= 725884 R=derat@chromium.org Review-Url: https://codereview.chromium.org/2910753002 Cr-Commit-Position: refs/heads/master@{#475159} [modify] https://crrev.com/6a5692489564312b0ef27ad53e81289f8d3092d6/ui/base/x/x11_util.cc
,
May 27 2017
,
May 27 2017
This bug requires manual review: We are only 9 days from stable. Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 27 2017
,
May 27 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 27 2017
Your change meets the bar and is auto-approved for M60. Please go ahead and merge the CL to branch 3112 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 28 2017
,
May 29 2017
+awhalley for chrome security review.
,
May 30 2017
No need to get this out with this week's 59 release.
,
May 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/00b8c5e102551cff803b67ca26678c0f1b0348e8 commit 00b8c5e102551cff803b67ca26678c0f1b0348e8 Author: thomasanderson <thomasanderson@chromium.org> Date: Tue May 30 18:20:27 2017 [Merge to M60] X11: Fix use-of-uninitialized-variable > Some failure paths in XGetVisualInfo don't set |nitems_return| to 0, > and instead just return nullptr directly. This CL initializes that > variable to 0 manually to handle those cases. > > BUG= 725884 > R=derat@chromium.org > > Review-Url: https://codereview.chromium.org/2910753002 > Cr-Commit-Position: refs/heads/master@{#475159} BUG= 725884 TBR=derat@chromium.org NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2912123002 Cr-Commit-Position: refs/branch-heads/3112@{#34} Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897} [modify] https://crrev.com/00b8c5e102551cff803b67ca26678c0f1b0348e8/ui/base/x/x11_util.cc
,
Jun 1 2017
ClusterFuzz has detected this issue as fixed in range 475922:475964. Detailed report: https://clusterfuzz.com/testcase?key=5850676679933952 Fuzzer: libFuzzer_gpu_angle_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: ui::XVisualManager::XVisualManager base::DefaultSingletonTraits<ui::XVisualManager>::New base::Singleton<ui::XVisualManager, base::DefaultSingletonTraits<ui::XVisualMana Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=474161:474211 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=475922:475964 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5850676679933952 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 6 2017
,
Jun 6 2017
,
Sep 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, May 24 2017