Heap-use-after-free in content::RenderFrameImpl::OnFailedNavigation
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6139676628090880

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x0874ae5e
Crash State:
  content::RenderFrameImpl::OnFailedNavigation
  IPC::MessageT<struct FrameMsg_FailedNavigation_Meta,class std::tuple<struct cont
  content::RenderFrameImpl::OnMessageReceived

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=502241:502259

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6139676628090880

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Sep 18 2017
CC'ing Camille here too, given that RFI::OnFailedNavigation is PlzNavigate-specific.

Sep 19 2017

Sep 19 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Sep 19 2017

Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Oct 3 2017
engedy: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Oct 4 2017
@Nasko, given that you reviewed the fix from clamy@, could you please take a quick look and confirm that this is a duplicate of Issue 766208? Looks like everyone who'd be able to confirm is OOO.

Oct 12 2017
It does look like this is a dupe of issue 766208. (This bug is about Windows and that one is about Android.) However, neither bug is actually fixed, since the CL that landed for issue 766208 apparently wasn't sufficient. I'll mark this as a dupe, but there's useful info in both ClusterFuzz reports.

Oct 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/45d4e94f5b511114536b8445e2327b838642ba20

commit 45d4e94f5b511114536b8445e2327b838642ba20
Author: Nasko Oskov <nasko@chromium.org>
Date: Fri Oct 13 01:01:43 2017

Check weak_this after calling DidFailProvisionalLoad.

This CL fixes an UaF bug in RenderFrameImpl::OnFailedNavigation. It is a followup to r503419 since DidFailProvisionalLoad calls LoadNavigationErrorPage internally and it should also be guarded by a check of weak_this.

Bug: 766208, 766250
Change-Id: Ia359607ce35ce282330a30f5f5b9c79a2656c5f3
Reviewed-on: https://chromium-review.googlesource.com/717460
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508575}

[modify] https://crrev.com/45d4e94f5b511114536b8445e2327b838642ba20/content/renderer/render_frame_impl.cc

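The commit above describes the fix as a single rule: once a method has called something that may synchronously destroy the frame (here DidFailProvisionalLoad, which loads the error page internally), it must re-check its weak pointer before touching any member. The following is an added, self-contained C++ illustration of that pattern; it is constructed for this page and is not Chromium's code. Frame, FrameHost, NavResult, RunFailedNavigation and the detach flag are stand-ins chosen here, and std::weak_ptr plays the role of base::WeakPtr. The "detach" path models the re-entrant deletion the fuzzer triggered; without the expired() check the assignment to the member would be exactly the heap-use-after-free WRITE that ASan reported.

```cpp
// Constructed example (not Chromium code): guarding member access after a call
// that may delete *this, the pattern the commit "Check weak_this after calling
// DidFailProvisionalLoad" applies. All class and function names are stand-ins.
#include <cstdio>
#include <memory>
#include <string>

class Frame;

// Owner of the frame. In the browser, loading an error page can detach and
// delete the frame; Detach() models that re-entrant destruction.
struct FrameHost {
  std::unique_ptr<Frame> frame;
  void Detach();  // defined below, once Frame is complete
};

enum class NavResult { kErrorPageLoaded, kFrameDestroyed };

class Frame {
 public:
  Frame(FrameHost* host, bool detach_during_error_page)
      : host_(host),
        detach_during_error_page_(detach_during_error_page),
        alive_(std::make_shared<int>(0)) {}

  // Stand-in for base::WeakPtr: expires as soon as this Frame is destroyed.
  std::weak_ptr<int> GetWeakThis() const { return alive_; }

  // Hardened form of the failed-navigation handler.
  NavResult OnFailedNavigation(const std::string& url) {
    std::weak_ptr<int> weak_this = GetWeakThis();  // local copy survives *this
    DidFailProvisionalLoad(url);                   // may re-enter and delete *this
    if (weak_this.expired()) {
      // The frame is gone. Any member access from here on would be the
      // heap-use-after-free ASan reported, so return without touching *this.
      return NavResult::kFrameDestroyed;
    }
    failed_url_ = url;  // safe only because the check above passed
    return NavResult::kErrorPageLoaded;
  }

  const std::string& failed_url() const { return failed_url_; }

 private:
  // Stand-in for DidFailProvisionalLoad, which loads the error page internally.
  void DidFailProvisionalLoad(const std::string& url) { LoadNavigationErrorPage(url); }

  // Loading the error page can detach the frame, which deletes *this.
  void LoadNavigationErrorPage(const std::string& /*url*/) {
    if (detach_during_error_page_) host_->Detach();
  }

  FrameHost* host_;
  bool detach_during_error_page_;
  std::shared_ptr<int> alive_;
  std::string failed_url_;
};

void FrameHost::Detach() { frame.reset(); }

struct Outcome {
  NavResult result;
  bool frame_alive;
  std::string failed_url;  // empty when the frame was destroyed
};

// Drives one failed navigation. detach=true models the fuzzer's scenario where
// the frame is torn down while the error page is being loaded.
Outcome RunFailedNavigation(bool detach) {
  FrameHost host;
  host.frame = std::make_unique<Frame>(&host, detach);
  // Constructed sample input: the URL whose provisional load failed.
  NavResult r = host.frame->OnFailedNavigation("https://example.invalid/page");
  Outcome out{r, host.frame != nullptr, host.frame ? host.frame->failed_url() : ""};
  return out;
}

int main() {
  Outcome a = RunFailedNavigation(true);
  Outcome b = RunFailedNavigation(false);
  std::printf("detach during error page: frame_alive=%d result=%d\n",
              a.frame_alive, static_cast<int>(a.result));
  std::printf("normal error page:        frame_alive=%d url=%s\n",
              b.frame_alive, b.failed_url.c_str());
  return 0;
}
```

The important detail is that weak_this is a stack local, so it remains valid even when the object it came from has been freed; the test is therefore a read of the local's state, not of the (possibly freed) object.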
Oct 13 2017
ClusterFuzz has detected this issue as fixed in range 508529:508578.

Detailed report: https://clusterfuzz.com/testcase?key=6139676628090880

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free WRITE 1
Crash Address: 0x0894545e
Crash State:
  content::RenderFrameImpl::OnFailedNavigation
  IPC::MessageT<struct FrameMsg_FailedNavigation_Meta,class std::tuple<struct cont
  content::RenderFrameImpl::OnMessageReceived

Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=502241:502259
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=508529:508578

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6139676628090880

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/070183e8410ae7e89f6edca883132348c5a433a7

commit 070183e8410ae7e89f6edca883132348c5a433a7
Author: Nasko Oskov <nasko@chromium.org>
Date: Wed Oct 25 18:55:37 2017

Check weak_this after calling DidFailProvisionalLoad.

This CL fixes an UaF bug in RenderFrameImpl::OnFailedNavigation. It is a followup to r503419 since DidFailProvisionalLoad calls LoadNavigationErrorPage internally and it should also be guarded by a check of weak_this.

Bug: 766208, 766250
Change-Id: Ia359607ce35ce282330a30f5f5b9c79a2656c5f3
Reviewed-on: https://chromium-review.googlesource.com/717460
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Nasko Oskov <nasko@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#508575}
(cherry picked from commit 45d4e94f5b511114536b8445e2327b838642ba20)
Reviewed-on: https://chromium-review.googlesource.com/738272
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#748}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}

[modify] https://crrev.com/070183e8410ae7e89f6edca883132348c5a433a7/content/renderer/render_frame_impl.cc

Oct 31 2017
Both regressed and fixed in M63, removing ReleaseBlock-Stable.

Oct 31 2017

Nov 7 2017

Jan 20 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot

Comment 1 by mea...@chromium.org, Sep 18 2017
Owner: engedy@chromium.org
Status: Assigned (was: Untriaged)