Wild-access in blink::EventTarget::TraceWrappers
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6723998762401792
Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Wild-access READ 4
Crash Address: 0x20646973
Crash State:
  blink::EventTarget::TraceWrappers
  blink::ScriptWrappableVisitor::DispatchTraceWrappers
  blink::TraceTrait<blink::PushEvent>::TraceMarkedWrapper
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=491650:491661
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6723998762401792

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
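The fields in the report above are what a triager reads first. The block below is an added example written for this page, not ClusterFuzz's or Chromium's own tooling. It parses a flattened report like this one into fields and applies two first-pass checks: which C++ namespace the top frames belong to (the reasoning used later in this thread to rule out V8), and whether the faulting address is a small offset from null or decodes to printable ASCII when read as a little-endian pointer. The ASCII check is a heuristic of this example, not a finding recorded in the issue; the field names are taken from the report text, `SAMPLE_REPORT` is the description above copied verbatim, and the 4-byte pointer size is assumed from the "READ 4" in the report.

```python
"""Added triage helper for a ClusterFuzz crash report.

Example code written for this page, not ClusterFuzz's or Chromium's own
tooling. It parses the flattened "Key: value" report into fields and applies
two first-pass checks a triager does by eye: which component the top frames
belong to, and what the faulting address looks like.
"""
import re

# Field names exactly as they appear in the ClusterFuzz report text above.
FIELDS = [
    "Detailed report", "Fuzzer", "Job Type", "Platform Id", "Crash Type",
    "Crash Address", "Crash State", "Memory Tool", "Regressed", "Fixed",
    "Reproducer Testcase",
]
_KEY_RE = re.compile("(" + "|".join(re.escape(f) for f in FIELDS) + "):")

# The issue description from this page, copied as extracted (one long line).
SAMPLE_REPORT = (
    "Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6723998762401792 "
    "Fuzzer: inferno_twister Job Type: windows_syzyasan_content_shell Platform Id: windows "
    "Crash Type: Wild-access READ 4 Crash Address: 0x20646973 "
    "Crash State: blink::EventTarget::TraceWrappers "
    "blink::ScriptWrappableVisitor::DispatchTraceWrappers "
    "blink::TraceTrait<blink::PushEvent>::TraceMarkedWrapper "
    "Memory Tool: SYZYASAN "
    "Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=491650:491661 "
    "Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6723998762401792 "
    "Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information."
)


def parse_report(text):
    """Split a report (flattened or line-separated) into a field -> value dict."""
    parts = _KEY_RE.split(text)  # [prefix, key1, value1, key2, value2, ...]
    fields = {}
    for i in range(1, len(parts) - 1, 2):
        value = parts[i + 1].strip()
        if value.startswith("http"):
            # URL fields hold a single token; drop any trailing boilerplate sentence.
            value = value.split()[0]
        fields[parts[i]] = value
    if "Crash State" in fields:
        # Crash State is a whitespace-separated list of the top stack frames.
        fields["Crash State"] = fields["Crash State"].split()
    return fields


def frame_namespaces(frames):
    """Outermost C++ namespace of each frame, e.g. 'blink' or 'v8'."""
    return [frame.split("::", 1)[0] for frame in frames]


def classify_address(addr_hex, pointer_size=4):
    """Heuristic classification of a faulting address (assumption of this example).

    Returns (category, decoded) where category is:
      "null-page" - below 0x10000, typical of a null pointer plus an offset;
      "ascii"     - every byte is printable ASCII when read as a little-endian
                    pointer, which often means a pointer slot was overwritten
                    by, or freed memory was reused for, string data;
      "other"     - anything else.
    decoded is the ASCII text for the "ascii" case, otherwise None.
    pointer_size defaults to 4 to match "READ 4" in the report; use 8 for 64-bit builds.
    """
    addr = int(addr_hex, 16)
    if addr < 0x10000:
        return "null-page", None
    raw = addr.to_bytes(pointer_size, "little")
    if all(0x20 <= b <= 0x7E for b in raw):
        return "ascii", raw.decode("ascii")
    return "other", None


def triage(text):
    """Run both checks over a report and return a summary dict."""
    fields = parse_report(text)
    frames = fields.get("Crash State", [])
    category, decoded = classify_address(fields["Crash Address"])
    return {
        "crash_type": fields.get("Crash Type"),
        "top_frame_namespaces": frame_namespaces(frames),
        "address_category": category,
        "address_as_text": decoded,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On this report the three top frames all resolve to the `blink` namespace and the address 0x20646973 reads as the bytes "sid " in little-endian order. Neither result is a root cause; they are the two observations that steer where to look next, and the thread below records what the engineers actually found.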
Comment 1 by sheriffbot@chromium.org, Aug 8 2017

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 8 2017
Aug 8 2017
I'm guessing this is the v8 roll in the regression range, since there didn't seem to be any other suspicious changes. Feel free to assign back to me if that is not the case. Thanks!!!
Aug 9 2017
The V8 roll doesn't contain anything suspicious either: https://chromium.googlesource.com/v8/v8/+log/45ad6a02..43bd6d3f Also, while there is V8 further down on the stack, the top handful of frames is not in V8, which makes it unlikely that this is a V8 issue.
Aug 9 2017
mlippautz, you've been in the scriptwrappable code recently (cd39e5b0ea), could you take a look?
Aug 10 2017
Presumably this is related to issue 753293 which showed up at the same time. I will check back and see if it also fixes this issue.
Aug 10 2017
Kicked off another task on CF after fixing issue 753293 to check whether it also fixed this one.
Aug 11 2017
ClusterFuzz has detected this issue as fixed in range 493198:493237.

Detailed report: https://clusterfuzz.com/testcase?key=6723998762401792
Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Wild-access READ 4
Crash Address: 0x20646973
Crash State:
  blink::EventTarget::TraceWrappers
  blink::ScriptWrappableVisitor::DispatchTraceWrappers
  blink::TraceTrait<blink::PushEvent>::TraceMarkedWrapper
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=491650:491661
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=493198:493237
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6723998762401792

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 11 2017
Oct 5 2017
Nov 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot