Issue metadata
Sign in to add a comment
|
Heap-use-after-free in ash::UnifiedSystemTrayBubble::ActivateBubble |
||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5923640609341440 Fuzzer: inferno_flicker Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e0003f0f88 Crash State: ash::UnifiedSystemTrayBubble::ActivateBubble ash::AcceleratorController::PerformAction ash::AcceleratorController::AcceleratorPressed Sanitizer: address (ASAN) Recommended Security Severity: High Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5923640609341440 Additional requirements: Requires Gestures Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 16 2018
,
Jun 16 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 16 2018
,
Jun 19 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/68da3cf8d8b28f325bbb79fff94f5fdd52d5c02b (Enable UnifiedSystemTray by default.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jun 20 2018
It's interesting we have such path
freed by thread T0 (chrome) here:
#0 0x5639bbae0ad2 in operator delete(void*) _asan_rtl_:3
#1 0x5639cdecbeea in operator() buildtools/third_party/libc++/trunk/include/memory:2321:5
#2 0x5639cdecbeea in reset buildtools/third_party/libc++/trunk/include/memory:2634
#3 0x5639cdecbeea in HideBubbleInternal ash/system/unified/unified_system_tray.cc:265
#4 0x5639cdecbeea in ash::UnifiedSystemTray::UiDelegate::HideMessageCenter() ash/system/unified/unified_system_tray.cc:101
#5 0x5639d5434001 in message_center::UiController::HideMessageCenterBubble() ui/message_center/ui_controller.cc:54:14
#6 0x5639d5417a47 in message_center::MessageCenterImpl::OnBlockingStateChanged(message_center::NotificationBlocker*) ui/message_center/message_center_impl.cc:86:14
#7 0x5639d5429a81 in message_center::NotificationBlocker::NotifyBlockingStateChanged() ui/message_center/notification_blocker.cc:38:14
#8 0x5639cdda6de7 in ash::Shell::NotifyFullscreenStateChanged(bool, aura::Window*) ash/shell.cc:635:14
#9 0x5639ce00abc4 in UpdateFullscreenState ash/wm/workspace/workspace_layout_manager.cc:382:19
#10 0x5639ce00abc4 in OnWindowActivated ash/wm/workspace/workspace_layout_manager.cc:269
#11 0x5639ce00abc4 in non-virtual thunk to ash::WorkspaceLayoutManager::OnWindowActivated(wm::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ash/wm/workspace/workspace_layout_manager.cc:0
#12 0x5639d4b276b2 in wm::FocusController::SetActiveWindow(wm::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ui/wm/core/focus_controller.cc:329:14
#13 0x5639d4b22f84 in wm::FocusController::FocusAndActivateWindow(wm::ActivationChangeObserver::ActivationReason, aura::Window*) ui/wm/core/focus_controller.cc:215:5
#14 0x5639cb689887 in views::NativeWidgetAura::Activate() ui/views/widget/native_widget_aura.cc:600:56
#15 0x5639cb5db819 in views::FocusManager::SetFocusedViewWithReason(views::View*, views::FocusManager::FocusChangeReason) ui/views/focus/focus_manager.cc:342:14
#16 0x5639cdecf2b1 in ash::UnifiedSystemTrayBubble::ActivateBubble() ash/system/unified/unified_system_tray_bubble.cc:93:18
#17 0x5639cdc1f2de in HandleToggleSystemTrayBubble ash/accelerators/accelerator_controller.cc:445:13
#18 0x5639cdc1f2de in ash::AcceleratorController::PerformAction(ash::AcceleratorAction, ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1654
#19 0x5639cdc2147f in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1115:3
,
Jun 20 2018
,
Jun 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9485d7c4b123ec95fbbfeee361f47580a62eb610 commit 9485d7c4b123ec95fbbfeee361f47580a62eb610 Author: Tetsui Ohkubo <tetsui@chromium.org> Date: Fri Jun 22 01:37:02 2018 Fix ActivateBubble asan failure. Changing focus of a view may cause UnifiedSystemTrayBubble to destruct. (See stack trace of https://crbug.com/853434#c6 ) At the point UnifiedSystemTrayBubble is deleted, the widget is still not deleted, so we should explicitly check if the widget is closing. TEST=manual BUG= 853434 Change-Id: I2d4a146393ad6d0a39d5c8b78ea3c3623d04b91e Reviewed-on: https://chromium-review.googlesource.com/1107036 Reviewed-by: Yoshiki Iguchi <yoshiki@chromium.org> Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org> Cr-Commit-Position: refs/heads/master@{#569499} [modify] https://crrev.com/9485d7c4b123ec95fbbfeee361f47580a62eb610/ash/system/unified/unified_system_tray_bubble.cc
,
Jun 22 2018
,
Jun 22 2018
ClusterFuzz has detected this issue as fixed in range 569497:569506. Detailed report: https://clusterfuzz.com/testcase?key=5923640609341440 Fuzzer: inferno_flicker Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Heap-use-after-free READ 8 Crash Address: 0x60e0003f0f88 Crash State: ash::UnifiedSystemTrayBubble::ActivateBubble ash::AcceleratorController::PerformAction ash::AcceleratorController::AcceleratorPressed Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=566724:566725 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=569497:569506 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5923640609341440 Additional requirements: Requires Gestures See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 22 2018
ClusterFuzz testcase 5923640609341440 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 22 2018
,
Aug 15
,
Sep 28
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by ClusterFuzz
, Jun 16 2018Labels: Test-Predator-Auto-Components