Heap-use-after-free in blink::AXLayoutObject::GetDocument
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5788119696932864
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61100025afe0
Crash State:
  blink::AXLayoutObject::GetDocument
  blink::AXObjectCacheImpl::PostPlatformNotification
  blink::AXObjectCacheImpl::NotificationPostTimerFired
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=502229:502259
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5788119696932864
Additional requirements: Requires HTTP

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 24 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 24 2017
Sep 25 2017
nektar, could you please take a look at this, or pass it to someone better suited for it? Thanks!
Sep 29 2017
Issue 769581 has been merged into this issue.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 1 2017
Oct 8 2017
nektar: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 18 2017
Oct 23 2017
nektar: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 26 2017
ClusterFuzz testcase 5008410662928384 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 26 2017
Oct 27 2017
Oct 28 2017
Oct 28 2017
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@ (Android), cmasso@ (iOS), gkihumba@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 28 2017
I don't see any CL here to merge. + awhalley@ (Security TPM), could you ptal?
Oct 31 2017
Hi dougt@ - there's an AX CL in the fix list - not immediately obvious at quick glance if it's related, mind taking a quick look to see if it might be (if so if it's a candidate for an M63 merge?) Thanks!
Oct 31 2017
Where's the fix list? Based on the minimized testcase, my guess is that this has been a longstanding bug but it's very hard to repro, and quite likely the testcase is very sensitive to tiny code changes. So it's probably not really fixed, but it's going to require more work to figure out what's going on. Or I could be wrong and this is just a symptom of some other bug that was fixed.
Oct 31 2017
Could not repro on Windows this morning (although I do notice that the bug looks like it's only marked as Linux and Mac).
Nov 1 2017
Nov 1 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 3 2017
The (rather big) fix range is: https://chromium.googlesource.com/chromium/src/+log/6cb6e5c0e17babc4b68a2e4a2a628beff31b64d5..21c822a677b5424cba1219b3722c20f988208819?pretty=fuller&n=10000 which was from the duped issue 769581. I've just kicked off a few ClusterFuzz retries.
Nov 8 2017
ClusterFuzz testcase 5788119696932864 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Feb 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
Comment 1 by sheriffbot@chromium.org, Sep 24 2017