New issue
Advanced search Search tips

Issue 759754 link

Starred by 1 user
Status: WontFix
Owner:
tguilbert@chromium.org
Closed: Sep 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in base::internal::Invoker<base::internal::BindState<long

Project Member Reported by ClusterFuzz, Aug 28 2017 
Detailed report: https://clusterfuzz.com/testcase?key=6173899116249088

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6110000ac700
Crash State:
  base::internal::Invoker<base::internal::BindState<long
  void base::internal::ReturnAsParamAdapter<long>
  base::internal::Invoker<base::internal::BindState<void
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=493893:493928

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6173899116249088

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ta...@google.com, Aug 28 2017

Components: Blink>Media
Owner: tguilbert@chromium.org
Status: Assigned (was: Untriaged)
tguilbert@, this seems to come from https://chromium.googlesource.com/chromium/src/+/2e591393c960659617b4907c5142f691b3578cce

Could you take a look? Thank you.
Project Member

Comment 2 by sheriffbot@chromium.org, Aug 29 2017

Labels: M-62
Project Member

Comment 3 by sheriffbot@chromium.org, Aug 29 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 29 2017

Labels: Pri-1

Comment 5 by tguilbert@chromium.org, Aug 29 2017 

It seems like this is the same issues as 754997.

That bug was incorrectly marked as verified by clusterfuzz. This is due to the fact that it seems hard to repro the issue.

I was never able to reproduce the issue myself, I will give it another shot.
Project Member

Comment 6 by sheriffbot@chromium.org, Sep 6 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 7 by sheriffbot@chromium.org, Sep 13 2017 

tguilbert: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by ClusterFuzz, Sep 14 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 6173899116249088 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Dec 21 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment