Heap-use-after-free in mojo::edk::Channel::Message::TakeHandles
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4834289136173056
Fuzzer: miaubiz_svg_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free WRITE 2
Crash Address: 0x62100462e512
Crash State:
  mojo::edk::Channel::Message::TakeHandles
  mojo::edk::NodeChannel::RelayEventMessage
  mojo::edk::NodeController::SendPeerEvent
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=489314:489341
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4834289136173056

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by sheriffbot@chromium.org, Jul 26 2017

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 26 2017

(Security Sheriff Triage) rockot@ -- this seems to have been caused by https://chromium-review.googlesource.com/584038 because that's the only mojo related CL in the regression range. If you aren't the right owner, please help find them or mark the bug as Untriaged. [Could be a dupe of issue 748856]
Jul 27 2017

ClusterFuzz has detected this issue as fixed in range 489609:489657.

Detailed report: https://clusterfuzz.com/testcase?key=4834289136173056
Fuzzer: miaubiz_svg_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free WRITE 2
Crash Address: 0x62100462e512
Crash State:
  mojo::edk::Channel::Message::TakeHandles
  mojo::edk::NodeChannel::RelayEventMessage
  mojo::edk::NodeController::SendPeerEvent
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=489314:489341
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=489609:489657
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4834289136173056

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 3 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 3 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b

commit 8ba0f617bf443e32d1ae3c8f2a80062b0865e15b
Author: Ashley Enstad <ashleymarie@chromium.org>
Date: Fri Nov 03 19:48:15 2017

Adding and using a very basic merge script.

Only using this script for the One Buildbot Step Test Builder while we iterate on it until it actually has the proper functionality. Adding the basic empty script now to make sure it's called with the arguments I'm expecting and to make sure we know how to tell bots to use it.

BUG= chromium:748889
Change-Id: I6a274748ded461c34b81818a1957662096f90502
Reviewed-on: https://chromium-review.googlesource.com/751142
Commit-Queue: Ashley Enstad <ashleymarie@chromium.org>
Reviewed-by: Emily Hanley <eyaich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513878}

[modify] https://crrev.com/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b/testing/buildbot/chromium.perf.fyi.json
[modify] https://crrev.com/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b/tools/perf/chromium.perf.fyi.extras.json
[add] https://crrev.com/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b/tools/perf/core/merge_script.py
[add] https://crrev.com/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b/tools/perf/core/merge_script_unittest.py
[add] https://crrev.com/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b/tools/perf/core/test_data/merge_1.json
[add] https://crrev.com/8ba0f617bf443e32d1ae3c8f2a80062b0865e15b/tools/perf/core/test_data/merge_2.json
Nov 16 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/tools/build/+/3e84ee8e15a80f69becdbf43aa9dc5d2a0130786

commit 3e84ee8e15a80f69becdbf43aa9dc5d2a0130786
Author: Ashley Enstad <ashleymarie@chromium.org>
Date: Thu Nov 16 19:53:23 2017

Adding the One Buildbot Step Test Builder as an optional trybot.

Adding a trybot for folks working on the chromium perf refactor to reduce buildbot steps.

BUG= chromium:748889
Change-Id: I04348d3019185ec55e546a10a7a77c8c4d8dcc42
Reviewed-on: https://chromium-review.googlesource.com/749449
Reviewed-by: David Tu <dtu@chromium.org>
Commit-Queue: Ashley Enstad <ashleymarie@chromium.org>

[modify] https://crrev.com/3e84ee8e15a80f69becdbf43aa9dc5d2a0130786/masters/master.tryserver.chromium.perf/master.cfg
[modify] https://crrev.com/3e84ee8e15a80f69becdbf43aa9dc5d2a0130786/masters/master.tryserver.chromium.perf/slaves.cfg
[modify] https://crrev.com/3e84ee8e15a80f69becdbf43aa9dc5d2a0130786/scripts/slave/recipe_modules/chromium_tests/trybots.py