Issue metadata
Sign in to add a comment
|
Heap-use-after-free in PermissionRequestManager::AddRequest |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5712831153176576 Fuzzer: mojo_fuzzer Job Type: linux_asan_chrome_mojo Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e0000ef380 Crash State: PermissionRequestManager::AddRequest PermissionContextBase::DecidePermission PermissionContextBase::RequestPermission Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=555295:555297 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5712831153176576 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 3 2018
To reproduce: Build chrome with these GN flags: enable_ipc_fuzzer = true is_asan = true is_component_build = false is_debug = false is_lsan = true sanitizer_coverage_flags = "trace-pc-guard" strip_absolute_paths_from_debug_symbols = true v8_enable_verify_heap = true Copy (or link) the "gen" directory from the build output to the directory containing the testcase html (replacing the existing "gen" dir). Run: out/Build/chrome --enable-blink-features=MojoJS --allow-file-access-from-files /path/to/testcase.html
,
May 3 2018
,
May 3 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 3 2018
,
May 3 2018
The regression range in the original report only contains a one-line modification to a JS file in the Developer Tools, which seems implausible as a culprit.
,
May 3 2018
Right, ignore the regression range for this testcase -- unfortunately support for mojo fuzzing has only very recently been added and older builds that we have don't work for regression testing.
,
May 3 2018
Right, so issue could go back a ways. Assigning per owners file.
,
May 7 2018
,
May 7 2018
Issue 839220 has been merged into this issue.
,
May 7 2018
,
May 10 2018
ClusterFuzz has detected this issue as fixed in range 557449:557450. Detailed report: https://clusterfuzz.com/testcase?key=5712831153176576 Fuzzer: mojo_fuzzer Job Type: linux_asan_chrome_mojo Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e0000ef380 Crash State: PermissionRequestManager::AddRequest PermissionContextBase::DecidePermission PermissionContextBase::RequestPermission Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=554953:554956 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=557449:557450 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5712831153176576 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 10 2018
ClusterFuzz testcase 4762597086461952 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
May 10 2018
,
May 10 2018
I think the fix hasn't been committed yet -- the testcase in question likely no longer reproduces because there are other messages in it which are now invalid after https://chromium.googlesource.com/chromium/src/+log/8f65f7ab322420c82e41a04a8a9180cda3d01c5f..47df4b2c0b9dd21416767c0b31a824435a75e9b1?pretty=fuller&n=10000 Also, given the age of the code here this probably affects stable.
,
May 14 2018
Detailed report: https://clusterfuzz.com/testcase?key=5158328192466944 Fuzzer: mojo_fuzzer Job Type: linux_asan_chrome_mojo Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e000130060 Crash State: PermissionRequestManager::AddRequest PermissionContextBase::DecidePermission NotificationPermissionContext::DecidePermission Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=554953:554956 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5158328192466944 See https://github.com/google/clusterfuzz-tools for more information.
,
May 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2a246a6063194fa95755942eb1bd1d18f3d67fcb commit 2a246a6063194fa95755942eb1bd1d18f3d67fcb Author: Raymes Khoury <raymes@chromium.org> Date: Tue May 15 01:09:25 2018 Fix a use-after-free in PermissionContextBase Currently we assume that there will only be at most one of each PermissionType in a call to PermissionServiceImpl::RequestPermissions. However we never actually verify this and if it turns out to be true, it triggers a use-after-free in PermissionContextBase. Verify that this is the case otherwise call ReceivedBadMessage. Bug: 839197 Change-Id: I1270486ed942f20422a068c686c46d02e5f10da2 Reviewed-on: https://chromium-review.googlesource.com/1053333 Reviewed-by: Timothy Loh <timloh@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Raymes Khoury <raymes@chromium.org> Cr-Commit-Position: refs/heads/master@{#558569} [modify] https://crrev.com/2a246a6063194fa95755942eb1bd1d18f3d67fcb/content/browser/permissions/permission_service_impl.cc
,
May 15 2018
ClusterFuzz has detected this issue as fixed in range 558567:558577. Detailed report: https://clusterfuzz.com/testcase?key=5158328192466944 Fuzzer: mojo_fuzzer Job Type: linux_asan_chrome_mojo Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e000130060 Crash State: PermissionRequestManager::AddRequest PermissionContextBase::DecidePermission NotificationPermissionContext::DecidePermission Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=554953:554956 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=558567:558577 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5158328192466944 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 15 2018
,
Jun 5 2018
,
Jun 8 2018
,
Jun 8 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 8 2018
No merge needed
,
Jul 23
,
Aug 22
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by ClusterFuzz
, May 3 2018Labels: Test-Predator-Auto-Components