New issue
Advanced search Search tips

Issue 856588 link

Starred by 1 user
Status: Duplicate
Merged: issue 853520
Owner:
rtoy@chromium.org
Closed: Jul 10
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

heap use after free in libc++/trunk/include/memory

Reported by cdsrc2...@gmail.com, Jun 26 2018 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
1. Build source code 
    config args.gn file as below:
		use_sanitizer_coverage = true
		is_asan = true
		is_debug = false
		enable_nacl = false
		treat_warnings_as_errors = false
	ninja -j4 -C out/chrome_asan chrome
2. Build a mini web server.
	I used python twisted module to build the webserver.
	1) run python web.py

3. ./chrome http://127.0.0.1:8605/poc.html

What is the expected behavior?

What went wrong?
Got Use after free crash.
In two different version of chromium,both can get UAF crash.But the stacktraces are little different.

In chromium 69.0.03452.0,stacktrace see 69.0.03452.0_crash.txt
In chromium 69.0.03451.0,stacktrace see 69.0.03451.0_crash.txt

Did this work before? N/A 

Chrome version: 69.0.3452.0  Channel: n/a
OS Version: 16.04
Flash Version:
69.0.3451.0_crash.txt
24.3 KB View Download
69.0.3452.0_crash.txt
17.1 KB View Download
poc.html
1.5 KB View Download
webserver.tar.gz
4.9 KB Download

Comment 1 by infe...@chromium.org, Jun 26 2018

Components: Blink>WebAudio
Labels: Security_Impact-Stable Security_Severity-High
Owner: rtoy@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 2 by infe...@chromium.org, Jun 26 2018

Labels: M-67

Comment 3 by cdsrc2...@gmail.com, Jun 27 2018 

Sorry to submit the wrong 69.0.3451.0_crash_txt file.
The correct one is here.
69.0.3451.0_crash.txt
29.0 KB View Download

Comment 4 by cdsrc2...@gmail.com, Jun 27 2018 

Oh,I'm soory.
I reconfirmed,and sure this issue and my previous issue(https://bugs.chromium.org/p/chromium/issues/detail?id=853520) are duplicated. Please set duplicate state.
thank you~
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 27 2018

Labels: -Pri-2 Pri-1
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 10 

rtoy: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by rtoy@chromium.org, Jul 10

Mergedinto: 853520
Status: Duplicate (was: Assigned)
Per c#4, duping to  issue 853520
Project Member

Comment 8 by sheriffbot@chromium.org, Dec 5

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment