ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4956915062013952.

Unable to reproduce this locally with an asan build using ToT this morning.  Repro case has been running for about an hour.

Thanks for trying rtoy, assinging this to you to make sure the bug has an owner. 

Does the stack trace the reporter provided indicate any obvious bug?

Assuming this only impacts HEAD, but ClusterFuzz is not able to reproduce either.

I have another test case, which I could reduce and submit, if required. This is more reliable on Windows Dev/SXS.

6:100> r
rax=00000072f9722c60 rbx=00000072f9722c48 rcx=303372f972000000
rdx=0000000000000080 rsi=00000072f96cd208 rdi=0000000000000080
rip=00007ff9ef44849a rsp=000000c98c5ff640 rbp=0000000000000080
 r8=0000000000000080  r9=0000000000000001 r10=00000000ffff8000
r11=00000072f990d200 r12=000000c98c5ffae0 r13=0000000000000000
r14=0000000000000000 r15=0000000000000080
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_child!blink::AudioHandler::IsInitialized [inlined in chrome_child!blink::AudioHandler::ProcessIfNecessary+0xa]:
00007ff9`ef44849a 8a410c          mov     al,byte ptr [rcx+0Ch] ds:303372f9`7200000c=??
6:100> k
 # Child-SP          RetAddr           Call Site
00 (Inline Function) --------`-------- chrome_child!blink::AudioHandler::IsInitialized [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\webaudio\audionode.h @ 162] 
01 000000c9`8c5ff640 00007ff9`ef45b9b9 chrome_child!blink::AudioHandler::ProcessIfNecessary+0xa [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\webaudio\audionode.cpp @ 311] 
02 000000c9`8c5ff680 00007ff9`ef45a5e7 chrome_child!blink::AudioNodeOutput::Pull+0x61 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\webaudio\audionodeoutput.cpp @ 141] 
03 000000c9`8c5ff6b0 00007ff9`ef45a57d chrome_child!blink::AudioNodeInput::SumAllConnections+0x5f [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\webaudio\audionodeinput.cpp @ 194] 
04 000000c9`8c5ff6e0 00007ff9`ef4560ac chrome_child!blink::AudioNodeInput::Pull+0x4d [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\webaudio\audionodeinput.cpp @ 223] 
05 000000c9`8c5ff710 00007ff9`ef4d1842 chrome_child!blink::AudioDestinationHandler::Render+0x130 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\modules\webaudio\audiodestinationnode.cpp @ 94] 
06 000000c9`8c5ff7b0 00007ff9`ef4d16a2 chrome_child!blink::AudioDestination::RequestRender+0x186 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\audio\audiodestination.cpp @ 185] 
07 000000c9`8c5ff8b0 00007ff9`ee6c88e2 chrome_child!blink::AudioDestination::Render+0x1f6 [c:\b\c\b\win64_pgo\src\third_party\webkit\source\platform\audio\audiodestination.cpp @ 145] 
08 000000c9`8c5ff990 00007ff9`ed5b3bdc chrome_child!content::RendererWebAudioDeviceImpl::Render+0x106 [c:\b\c\b\win64_pgo\src\content\renderer\media\renderer_webaudiodevice_impl.cc @ 219] 
09 000000c9`8c5ffa00 00007ff9`ecaf44f5 chrome_child!media::SilentSinkSuspender::Render+0x104 [c:\b\c\b\win64_pgo\src\media\base\silent_sink_suspender.cc @ 86] 
0a 000000c9`8c5ffa90 00007ff9`ecaf425f chrome_child!media::AudioOutputDevice::AudioThreadCallback::Process+0x9d [c:\b\c\b\win64_pgo\src\media\audio\audio_output_device.cc @ 507] 
0b 000000c9`8c5ffb30 00007ff9`ec9f5f90 chrome_child!media::AudioDeviceThread::ThreadMain+0x93 [c:\b\c\b\win64_pgo\src\media\audio\audio_device_thread.cc @ 113] 
0c 000000c9`8c5ffb90 00007ffa`4c202774 chrome_child!base::`anonymous namespace'::ThreadFunc+0xb8 [c:\b\c\b\win64_pgo\src\base\threading\platform_thread_win.cc @ 91] 
0d 000000c9`8c5ffc00 00007ffa`4e510d51 KERNEL32!BaseThreadInitThunk+0x14
0e 000000c9`8c5ffc30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
6:100> !lmi chrome_child
Loaded Module Info: [chrome_child] 
         Module: chrome_child
   Base Address: 00007ff9ec7d0000
     Image Name: C:\Program Files (x86)\Google\Chrome Dev\Application\63.0.3230.0\chrome_child.dll
   Machine Type: 34404 (X64)
     Time Stamp: 59d21d8c Mon Oct  2 04:05:48 2017
           Size: 3f33000
       CheckSum: 3d5bf60
Characteristics: 2022  
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    54, 38c4080, 38c2280 RSDS - GUID: {86E5C60D-B51D-4327-82F0-E3930B77339F}
               Age: 1, Pdb: C:\b\c\b\win64_pgo\src\out\Release_x64\chrome_child.dll.pdb
                   ??   5d4, 38c40d4, 38c22d4 [Data not mapped]
     Image Type: FILE     - Image read successfully from debugger.
                 C:\Program Files (x86)\Google\Chrome Dev\Application\63.0.3230.0\chrome_child.dll
    Symbol Type: PDB      - Symbols loaded successfully from image path.
                 c:\symbols\chrome_child.dll.pdb\86E5C60DB51D432782F0E3930B77339F1\chrome_child.dll.pdb
       Compiler: MASM - front end [0.0 bld 0] - back end [14.11 bld 25507]
    Load Report: private symbols & lines, source indexed 
                 c:\symbols\chrome_child.dll.pdb\86E5C60DB51D432782F0E3930B77339F1\chrome_child.dll.pdb

				 

Please do upload the new testcase if it is more reliable, thanks!

Your gn config would also be useful if you have anything special set.

I had to google what a gn config is, so I guess mine is default. I download asan builds from commondatastorage, if that helps.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I kind of figured out why this must not be triggering on your end. Some part of the original testcase gets cached in the browser and hence the reduced version (i.e. AudioNode_Pull.html) only triggers on my end. 
So at the moment reduction/minimisation is hard. But I am working on it, hopefully will have a better PoC soon.

I am attaching a new PoC. This should work on Windows only and Chrome Stable 61.0.3163.100

Deleted: 33breakpoint.html 6.6 KB

33breakpoint.html 6.6 KB View Download

This new test doesn't reproduce on linux?

Only on Windows. Primarily because this test case crashes on Windows much more reliably than the earlier PoC for linux.

rtoy: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[Bulk Edit]
URGENT - PTAL.
M63 Stable promotion is coming soon and your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP. Thank you.

I have been unable to reproduce this locally on my windows machine using any of the supplied repro cases.  Cannot reproduce using the pre-built asan builds either.

inferno@ can't reproduce either. Recommended WontFix.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot