New issue
Advanced search Search tips

Issue 827046 link

Starred by 1 user
Status: Fixed
Owner:
emir...@chromium.org
Closed: Apr 2018
Cc:
dcasta...@chromium.org
piman@chromium.org
metzman@chromium.org
dsinclair@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

Heap-use-after-free in gpu::CommandBufferProxyImpl::DisconnectChannel

Project Member Reported by ClusterFuzz, Mar 29 2018 
Detailed report: https://clusterfuzz.com/testcase?key=6302443248549888

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7b5c0004fe28
Crash State:
  gpu::CommandBufferProxyImpl::DisconnectChannel
  gpu::CommandBufferProxyImpl::LockAndDisconnectChannel
  base::internal::Invoker<base::internal::BindState<void
  
Sanitizer: thread (TSAN)

Recommended Security Severity: High

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6302443248549888

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Project Member

Comment 1 by ClusterFuzz, Mar 29 2018

Components: Internals>Core Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by sheriffbot@chromium.org, Mar 29 2018

Labels: Pri-1

Comment 3 by mmoroz@chromium.org, Mar 30 2018

Cc: piman@chromium.org
Labels: Security_Impact-Head M-67
Owner: danakj@chromium.org
Status: Assigned (was: Untriaged)
Dana, could you please take a look? Unfortunately, CF can't find a reliable reproducer, but this crash occurs several times every day. Maybe it is possible to land a speculative fix based on the stacktrace.

Comment 4 by mmoroz@chromium.org, Mar 30 2018

Cc: -piman@chromium.org
Owner: piman@chromium.org
Oh, Dana seems to be OOO for a little while. Antoine, could you take a look or help to find an owner please?

Comment 5 by mmoroz@chromium.org, Mar 30 2018

Cc: metzman@chromium.org
metzman@ has been looking into GPU fuzzing, CC'ing him just FYI.

Comment 6 by piman@chromium.org, Apr 2 2018

Cc: piman@chromium.org
Owner: emir...@chromium.org
This is the media context, deleted on the wrong thread. Looks like  crbug.com/826539  , which should be fixed with https://chromium-review.googlesource.com/c/chromium/src/+/984438

->emircan to confirm/close.

Comment 7 by emir...@chromium.org, Apr 2 2018

Cc: dcasta...@chromium.org
Status: Fixed (was: Assigned)
Project Member

Comment 8 by sheriffbot@chromium.org, Apr 3 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 9 by sheriffbot@chromium.org, Jul 10

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment