Issue metadata
Sign in to add a comment
|
Heap-use-after-free in message_center::NotificationList::GetNotification |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5315975902396416 Fuzzer: inferno_flicker Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Heap-use-after-free READ 1 Crash Address: 0x6190003469a8 Crash State: message_center::NotificationList::GetNotification message_center::NotificationList::GetNotificationDelegate message_center::MessageCenterImpl::ClickOnNotification Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=579348:579349 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5315975902396416 Additional requirements: Requires Gestures Additional requirements: Requires HTTP Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 1
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/d540c125c10e32575ff60069ee0ca91fa9979898 (New implementation of MessagePopupCollection). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Aug 1
,
Aug 1
,
Aug 1
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 1
,
Aug 2
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/de64e7eb67b9acd46ad60cea2df2631e25285ed0 commit de64e7eb67b9acd46ad60cea2df2631e25285ed0 Author: Tetsui Ohkubo <tetsui@chromium.org> Date: Thu Aug 02 06:06:52 2018 Fix MessagePopupCollection asan failure. Rather than closing popups immediately, we should close the popups with animation and let MessagePopupCollection::Update() close them eventually. Ideally MarkAllPopupsShown is problematic and this should be cleaned up along with UiController, but for now the fix should be acceptable as it just replicates the behavior of old MessagePopupCollection. Steps to repro: 1. Create a notification 2. Click on a notification TEST=manual(asan build) BUG= 869593 , 869716 Change-Id: Ifdfc7c2a362727740401e6e16845d8d770877730 Reviewed-on: https://chromium-review.googlesource.com/1158118 Reviewed-by: Yoshiki Iguchi <yoshiki@chromium.org> Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org> Cr-Commit-Position: refs/heads/master@{#580087} [modify] https://crrev.com/de64e7eb67b9acd46ad60cea2df2631e25285ed0/chrome/browser/notifications/message_center_notification_manager.cc [modify] https://crrev.com/de64e7eb67b9acd46ad60cea2df2631e25285ed0/ui/message_center/views/message_popup_collection.cc [modify] https://crrev.com/de64e7eb67b9acd46ad60cea2df2631e25285ed0/ui/message_center/views/message_popup_collection_unittest.cc
,
Aug 2
,
Aug 2
ClusterFuzz has detected this issue as fixed in range 580086:580087. Detailed report: https://clusterfuzz.com/testcase?key=5315975902396416 Fuzzer: inferno_flicker Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Heap-use-after-free READ 1 Crash Address: 0x6190003469a8 Crash State: message_center::NotificationList::GetNotification message_center::NotificationList::GetNotificationDelegate message_center::MessageCenterImpl::ClickOnNotification Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=579348:579349 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=580086:580087 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5315975902396416 Additional requirements: Requires Gestures Additional requirements: Requires HTTP See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 2
ClusterFuzz testcase 5315975902396416 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 2
,
Aug 15
,
Nov 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Aug 1Labels: Test-Predator-Auto-Components