New issue
Advanced search Search tips

Issue 827039 link

Starred by 1 user
Status: Fixed
Owner:
emir...@chromium.org
Closed: Apr 2018
Cc:
dcasta...@chromium.org
piman@chromium.org
metzman@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in gpu::CommandBufferProxyImpl::DisconnectChannel

Project Member Reported by ClusterFuzz, Mar 29 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5429305388302336

Fuzzer: ochang_media2
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x12bdff3c0108
Crash State:
  gpu::CommandBufferProxyImpl::DisconnectChannel
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5429305388302336

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Project Member

Comment 1 by ClusterFuzz, Mar 29 2018

Labels: OS-Linux
Project Member

Comment 2 by ClusterFuzz, Mar 29 2018

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by sheriffbot@chromium.org, Mar 29 2018

Labels: Pri-1

Comment 4 by mmoroz@chromium.org, Mar 30 2018

Labels: Security_Impact-Head M-67
Owner: piman@chromium.org
Status: Assigned (was: Untriaged)
Looks similar to  issue 827046 , but stacktrace is slightly different.

Unfortunately, this also doesn't have a reliable reproducer, but we could try a speculative fix and then evaluate crash stats to see whether it helped.

Comment 5 by mmoroz@chromium.org, Mar 30 2018

Cc: metzman@chromium.org
metzman@ has been looking into GPU fuzzing, CC'ing him just FYI.

Comment 6 by piman@chromium.org, Apr 2 2018

Cc: piman@chromium.org
Owner: emir...@chromium.org
This is the media context, deleted on the wrong thread. Looks like  crbug.com/826539  , which should be fixed with https://chromium-review.googlesource.com/c/chromium/src/+/984438

->emircan to confirm/close.

Comment 7 by emir...@chromium.org, Apr 2 2018

Cc: dcasta...@chromium.org
Status: Fixed (was: Assigned)
Project Member

Comment 8 by sheriffbot@chromium.org, Apr 3 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 9 by sheriffbot@chromium.org, Jul 10

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment