Null-dereference READ in midi::MidiService::DispatchSendMidiData
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5086352982147072
Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  midi::MidiService::DispatchSendMidiData
  bool IPC::MessageT<MidiHostMsg_SendData_Meta, std::__1::tuple<unsigned int, std:
  content::MidiHost::OnMessageReceived
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=488146:488166
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5086352982147072

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jul 31 2017
This happens only on receiving an IPC in an unexpected order, e.g., receiving MidiHostMsg_SendData after MidiHostMsg_EndSession. So, let me reprioritize this. Also note that this should not be platform specific.
Aug 8 2017

Aug 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/78f5e86e47e0d85ff9a2d8fd097767f6be8b7997

commit 78f5e86e47e0d85ff9a2d8fd097767f6be8b7997
Author: Takashi Toyoshima <toyoshim@google.com>
Date: Fri Aug 18 12:58:48 2017

Web MIDI: make the MidiService robust against illegal ipc sequences

Now the MidiService raises a check failure when an illegal ipc sequence is detected. But to run with ipc fuzzer, it should be robust against such illegal ipc sequences rather than raising a check failure.

BUG=746969, 750011, 747662
Change-Id: Ica788bd5371b2352a011a5d40037ef7e0da3ee48
Reviewed-on: https://chromium-review.googlesource.com/605156
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495533}

[modify] https://crrev.com/78f5e86e47e0d85ff9a2d8fd097767f6be8b7997/media/midi/midi_service.cc
Aug 21 2017
ClusterFuzz has detected this issue as fixed in range 495531:495551.

Detailed report: https://clusterfuzz.com/testcase?key=5086352982147072
Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  midi::MidiService::DispatchSendMidiData
  bool IPC::MessageT<MidiHostMsg_SendData_Meta, std::__1::tuple<unsigned int, std:
  content::MidiHost::OnMessageReceived
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=488146:488166
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=495531:495551
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5086352982147072

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 21 2017
Aug 21 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b5985781e77b51eab38ef967c0f4466401fd80fd

commit b5985781e77b51eab38ef967c0f4466401fd80fd
Author: Takashi Toyoshima <toyoshim@google.com>
Date: Mon Aug 21 12:08:09 2017

Web MIDI: Check valid clients in MidiManager

MidiService had a |active_clients_| to detect when it destructs MidiManager instance, but since MidiManager has a complete set of active clients, it would be simple and safe to ask MidiManager to check if there is at least one active client.

Bug: 746969, 750011, 747662
Change-Id: I1491df4bc4b20c2605c979babb11e813d25702e4
Reviewed-on: https://chromium-review.googlesource.com/622294
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/master@{#495918}

[modify] https://crrev.com/b5985781e77b51eab38ef967c0f4466401fd80fd/media/midi/midi_manager.cc
[modify] https://crrev.com/b5985781e77b51eab38ef967c0f4466401fd80fd/media/midi/midi_manager.h
[modify] https://crrev.com/b5985781e77b51eab38ef967c0f4466401fd80fd/media/midi/midi_service.cc
[modify] https://crrev.com/b5985781e77b51eab38ef967c0f4466401fd80fd/media/midi/midi_service.h
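The Jul 31 comment and the two commits above together describe the defensive pattern behind the fix: a browser-side IPC handler must tolerate messages that arrive in an illegal order (SendData after EndSession) by dropping them, rather than dereferencing a manager that was already torn down or tripping a check failure, and the decision of whether the manager may be destroyed should rest on the manager's own complete set of active clients. The C++ sketch below is an added illustration of that shape on a toy model; it is not Chromium's code, and every name in it (ToyMidiManager, ToyMidiService, Dispatch, CountDropped, OutOfOrderSequence, the MsgKind enum) and the replayed message sequence are constructed for this example.

```cpp
// Added illustration, not Chromium's code: a toy MIDI host that drops
// out-of-sequence IPC messages instead of dereferencing a null manager.
// All names below are hypothetical stand-ins for the real classes.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <set>
#include <vector>

// Constructed message kinds standing in for MidiHostMsg_StartSession,
// MidiHostMsg_EndSession and MidiHostMsg_SendData.
enum class MsgKind { kStartSession, kEndSession, kSendData };

struct IpcMessage {
  MsgKind kind;
  uint32_t client_id;
  std::vector<uint8_t> data;  // payload for kSendData, empty otherwise
};

// The manager owns the complete set of active clients; the service asks it
// whether anyone is still active instead of keeping its own counter.
class ToyMidiManager {
 public:
  void AddClient(uint32_t id) { clients_.insert(id); }
  void RemoveClient(uint32_t id) { clients_.erase(id); }
  bool HasClient(uint32_t id) const { return clients_.count(id) != 0; }
  bool HasActiveClients() const { return !clients_.empty(); }
  void SendData(const std::vector<uint8_t>& data) { bytes_sent_ += data.size(); }
  std::size_t bytes_sent() const { return bytes_sent_; }

 private:
  std::set<uint32_t> clients_;
  std::size_t bytes_sent_ = 0;
};

class ToyMidiService {
 public:
  // Returns true if the message was acted on, false if it was dropped as
  // out of sequence. manager_ is only dereferenced after a null check.
  bool Dispatch(const IpcMessage& msg) {
    switch (msg.kind) {
      case MsgKind::kStartSession:
        if (!manager_) manager_ = std::make_unique<ToyMidiManager>();
        manager_->AddClient(msg.client_id);
        return true;
      case MsgKind::kEndSession:
        if (!manager_ || !manager_->HasClient(msg.client_id)) return false;
        manager_->RemoveClient(msg.client_id);
        // Tear the manager down only when the manager itself reports that
        // no client remains, mirroring the "check valid clients" commit.
        if (!manager_->HasActiveClients()) manager_.reset();
        return true;
      case MsgKind::kSendData:
        // The crashing shape was an unconditional manager_->SendData(...)
        // reached after EndSession had already reset manager_.
        if (!manager_ || !manager_->HasClient(msg.client_id)) return false;
        manager_->SendData(msg.data);
        return true;
    }
    return false;
  }
  bool has_manager() const { return manager_ != nullptr; }
  std::size_t bytes_sent() const { return manager_ ? manager_->bytes_sent() : 0; }

 private:
  std::unique_ptr<ToyMidiManager> manager_;
};

// Replays a message sequence and returns how many messages were dropped.
int CountDropped(ToyMidiService& service, const std::vector<IpcMessage>& msgs) {
  int dropped = 0;
  for (const auto& m : msgs)
    if (!service.Dispatch(m)) ++dropped;
  return dropped;
}

// Constructed sequence mirroring the fuzzer finding: SendData after EndSession.
std::vector<IpcMessage> OutOfOrderSequence() {
  return {
      {MsgKind::kStartSession, 1, {}},
      {MsgKind::kSendData, 1, {0x90, 0x3c, 0x7f}},
      {MsgKind::kEndSession, 1, {}},
      {MsgKind::kSendData, 1, {0x80, 0x3c, 0x00}},  // illegal: session already ended
  };
}

int main() {
  ToyMidiService service;
  // Exactly one message (the trailing SendData) is dropped; nothing crashes.
  return CountDropped(service, OutOfOrderSequence()) == 1 ? 0 : 1;
}
```

The point of the early-return shape is that the handler's result on an illegal sequence is a dropped message, which a fuzzer can drive all day without finding a crash, whereas a CHECK turns every out-of-order message into a renderer-triggerable browser abort.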
Comment 1 by msrchandra@chromium.org, Jul 28 2017
Labels: M-62 Test-Predator-Wrong
Owner: toyoshim@chromium.org
Status: Assigned (was: Untriaged)