Issue 753782

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: Nov 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug

Direct-leak in PartitionAllocGenericFlags

Project Member Reported by ClusterFuzz, Aug 9 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6673136803381248

Fuzzer: afl_content_security_policy_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  PartitionAllocGenericFlags
  PartitionAllocGeneric
  BufferMalloc

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=430251:430593

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6673136803381248


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Cc: etienneb@chromium.org
Cc: msrchandra@chromium.org sandeepkumars@chromium.org
Labels: M-60 Test-Predator-Wrong-CLs
Owner: palmer@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file "partition_alloc.h", assigning to the concerned owner who might be related.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/6a6836143aac1e1ad32aae278e0e9f9e2488d322

@palmer -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank you.

Comment 3 by palmer@chromium.org, Aug 29 2017

Cc: jbroman@chromium.org andypaicu@chromium.org lukasza@chromium.org
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Mac OS-Windows
I don't think there is likely to be a leak inside Partition Alloc itself; it may be a side-effect of the Content Security Policy parsing code accepting the repro test case for much longer than it should (the test case is total insanity, and I'd hope the parser would reject it almost immediately).

(+jbroman and lukasza, authors of the fuzzer, and andypaicu, third_party/WebKit/Source/core/frame/csp OWNER)

Comment 4 by palmer@chromium.org, Aug 29 2017

Cc: -andypaicu@chromium.org
Owner: andypaicu@chromium.org
Oh, also, in ASan builds, MEMORY_TOOL_REPLACES_ALLOCATOR is true, which means Partition Alloc is not even in use. So I'll pass this on to andypaicu to decide if it's a CSP parser/handler bug.

Comment 5 by mmoroz@chromium.org, Oct 24 2017

For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md.

The link referenced in the description is no longer valid.

(bulk edit)

Comment 6 by ClusterFuzz, Nov 14 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 6673136803381248 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
