New issue
Advanced search Search tips

Issue 828524 link

Starred by 1 user
Status: Fixed
Owner:
jam@chromium.org
Closed: Apr 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome , Mac
Pri: 0
Type: Bug-Security
Proj-Servicification



Sign in to add a comment

Heap-use-after-free in safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderF

Project Member Reported by ClusterFuzz, Apr 3 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5550078149001216

Fuzzer: ksakamoto_woff2_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0xd712fa74
Crash State:
  safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::GetURLLoaderF
  safe_browsing::SafeBrowsingNetworkContext::SharedURLLoaderFactory::CreateLoaderA
  network::SimpleURLLoaderImpl::StartRequest
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=547620:547621

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5550078149001216

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Apr 3 2018

Labels: OS-Chrome
Project Member

Comment 2 by ClusterFuzz, Apr 3 2018

Labels: Fuzz-Blocker M-67 ReleaseBlock-Beta
This crash occurs very frequently on linux platform and is likely preventing the fuzzer ksakamoto_woff2_fuzzer from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.

Comment 3 by jialiul@chromium.org, Apr 3 2018

Components: Internals>Services>Network
Owner: jam@chromium.org
Status: Assigned (was: Untriaged)
Hi jam@,
Seems to be related your change https://chromium-review.googlesource.com/c/chromium/src/+/989835.
Could you take a look? 

Thanks!

Comment 4 by jam@chromium.org, Apr 3 2018

Status: Fixed (was: Assigned)
Thanks, this is fixed in https://chromium.googlesource.com/chromium/src/+/b1de19fafd15eca9ab03ce0a190050d2eae9782e
Project Member

Comment 5 by ClusterFuzz, Apr 3 2018

Labels: OS-Mac
Project Member

Comment 6 by sheriffbot@chromium.org, Apr 4 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 7 by jam@chromium.org, Apr 9 2018 

 Issue 829989  has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Apr 9 2018

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 9 by awhalley@google.com, Apr 30 2018

Labels: -ReleaseBlock-Beta
Project Member

Comment 10 by sheriffbot@chromium.org, Jul 11

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 11 by sheriffbot@chromium.org, Jul 28

Labels: Pri-0

Sign in to add a comment