Issue metadata
Sign in to add a comment
|
Use-after-poison in base::internal::FunctorTraits<void |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5804727341416448 Fuzzer: inferno_twister Job Type: windows_asan_chrome_no_sandbox Platform Id: windows Crash Type: Use-after-poison READ 4 Crash Address: 0x2d4a6148 Crash State: base::internal::FunctorTraits<void base::internal::Invoker<struct base::internal::BindState<void base::debug::TaskAnnotator::RunTask Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=479114:479249 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5804727341416448 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 15 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 15 2017
,
Jun 16 2017
Another ResourceFinishObserver bug
,
Jun 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e14c046442157236626bd0a8c8bf4d5128e6fd8e commit e14c046442157236626bd0a8c8bf4d5128e6fd8e Author: Yutaka Hirano <yhirano@chromium.org> Date: Fri Jun 16 10:01:30 2017 Trace ResourceFinishObservers appropriately when notifying Previously a posted task from Resource::TriggerNotificationForFinishObservers lacks a trace, which resulted in use-after-poison. This CL fixes that by using Persistent. Bug: 733581, 733507 , 733283 Change-Id: Id6593e8bdc3abf5e41242c50561e97f8258f4258 Reviewed-on: https://chromium-review.googlesource.com/538512 Reviewed-by: Keishi Hattori <keishi@chromium.org> Reviewed-by: Taiju Tsuiki <tzik@chromium.org> Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Cr-Commit-Position: refs/heads/master@{#480006} [modify] https://crrev.com/e14c046442157236626bd0a8c8bf4d5128e6fd8e/third_party/WebKit/Source/platform/loader/fetch/Resource.cpp
,
Jun 17 2017
ClusterFuzz has detected this issue as fixed in range 479999:480013. Detailed report: https://clusterfuzz.com/testcase?key=5804727341416448 Fuzzer: inferno_twister Job Type: windows_asan_chrome_no_sandbox Platform Id: windows Crash Type: Use-after-poison READ 4 Crash Address: 0x2d4a6148 Crash State: base::internal::FunctorTraits<void base::internal::Invoker<struct base::internal::BindState<void base::debug::TaskAnnotator::RunTask Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=479114:479249 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=479999:480013 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5804727341416448 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 17 2017
ClusterFuzz testcase 5804727341416448 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 17 2017
,
Jul 26 2017
,
Sep 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Jun 15 2017