Heap-use-after-free in base::debug::TaskAnnotator::RunTask |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4823965235937280
Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61300016a9d8
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  base::MessageLoop::DoWork
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4823965235937280

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Sep 5
toyoshim: Any idea what might be going on here? We're seeing a lot of non-reproducible crashes with this stack. Feel free to pass it back to me for re-triage if you don't think it's related to midi.
Sep 19
toyoshim: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 21
Uh oh! Sorry I didn't notice this issue was assigned to me. I just checked the code around it, and noticed there could be a race between the main and IO threads. I can have a fix soon. But, as far as I understand, there is only one chance to cause this crash per browser session, on shutdown. The Windows code has correct thread-safe code and should not cause this issue. cc:yhirano in advance for code review.
Sep 27
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/01567e2e304544d17f45a97ca374ee97df2edf9a

commit 01567e2e304544d17f45a97ca374ee97df2edf9a
Author: Takashi Toyoshima <toyoshim@chromium.org>
Date: Thu Sep 27 11:20:52 2018

MidiManager: Fix a potential race on macOS

CompleteInitialization can be posted at a place after DeleteSoon's task, and it can potentially cause a UAF crash. This happens only on browser's shutdown sequence, and it won't practically. But just in case and to make ASAN bots happy:)

Bug: 880665, 672793
Change-Id: I8435290b4df7068d456368624935d3007a2c52d7
Reviewed-on: https://chromium-review.googlesource.com/1238297
Commit-Queue: Takashi Toyoshima <toyoshim@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#594667}

[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager.h
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_android.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_mac.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_mac.h
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_usb.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_usb.h
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_manager_winrt.cc
[modify] https://crrev.com/01567e2e304544d17f45a97ca374ee97df2edf9a/media/midi/midi_service.cc
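The task-ordering hazard the commit message describes, a CompleteInitialization task landing behind the DeleteSoon task on the same sequence, is modelled below in an added example that is not Chromium's code. It uses a toy FIFO task runner, an unguarded ordering that only records where the freed object would have been used, and a guarded variant in which the later task holds a std::weak_ptr and becomes a no-op once the object is gone. The class names, trace strings and the weak-pointer guard are the example's own assumptions; the guard illustrates one general mitigation for this class of bug and is not a claim about what the commit above changed.

```cpp
#include <deque>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Minimal FIFO task runner standing in for a single-threaded message loop.
class TaskRunner {
 public:
  void PostTask(std::function<void()> task) { queue_.push_back(std::move(task)); }

  // Runs every queued task in posting order and returns how many ran.
  size_t RunUntilIdle() {
    size_t ran = 0;
    while (!queue_.empty()) {
      std::function<void()> task = std::move(queue_.front());
      queue_.pop_front();
      task();
      ++ran;
    }
    return ran;
  }

 private:
  std::deque<std::function<void()>> queue_;
};

// Hypothetical manager object whose deletion is itself a posted task. Every
// event is appended to a trace so the ordering is observable without ever
// touching freed memory.
class Manager {
 public:
  explicit Manager(std::vector<std::string>* trace) : trace_(trace) {}
  ~Manager() { trace_->push_back("deleted"); }

  void CompleteInitialization() {
    initialized_ = true;
    trace_->push_back("initialized");
  }
  bool initialized() const { return initialized_; }

 private:
  std::vector<std::string>* trace_;
  bool initialized_ = false;
};

// Unguarded ordering: a deletion task is posted first, then a task that was
// written against a raw pointer to the same object. The second task only
// records that it would have used the pointer; calling a method through it at
// this point would be the use-after-free the sanitizer reported.
std::vector<std::string> UnguardedTaskOrder() {
  std::vector<std::string> trace;
  TaskRunner runner;
  Manager* raw = new Manager(&trace);
  runner.PostTask([raw] { delete raw; });  // DeleteSoon-style task
  runner.PostTask([&trace] {
    trace.push_back("CompleteInitialization posted after deletion: would use freed object");
  });
  runner.RunUntilIdle();
  return trace;
}

// Guarded ordering: ownership sits in a shared_ptr that the deletion task
// resets; the initialization task captures only a weak_ptr and skips its work
// if the object has already been destroyed, whichever order the tasks run in.
std::vector<std::string> GuardedTaskOrder(bool delete_first) {
  std::vector<std::string> trace;
  TaskRunner runner;
  std::shared_ptr<Manager> owner = std::make_shared<Manager>(&trace);
  std::weak_ptr<Manager> weak = owner;

  std::function<void()> init_task = [weak, &trace] {
    if (std::shared_ptr<Manager> self = weak.lock()) {
      self->CompleteInitialization();
    } else {
      trace.push_back("initialization skipped: object already deleted");
    }
  };
  std::function<void()> delete_task = [&owner] { owner.reset(); };

  if (delete_first) {
    runner.PostTask(delete_task);
    runner.PostTask(init_task);
  } else {
    runner.PostTask(init_task);
    runner.PostTask(delete_task);
  }
  runner.RunUntilIdle();
  return trace;
}

int main() {
  for (const std::string& e : UnguardedTaskOrder()) std::cout << "unguarded: " << e << '\n';
  for (const std::string& e : GuardedTaskOrder(true)) std::cout << "guarded:   " << e << '\n';
  for (const std::string& e : GuardedTaskOrder(false)) std::cout << "guarded:   " << e << '\n';
  return 0;
}
```

The trace makes the shutdown-only nature of the bug concrete: with the deletion task queued first, the unguarded variant reaches its "would use freed object" step, while the guarded variant logs "initialization skipped" and is otherwise harmless; with the tasks in the intended order both variants initialize and then delete.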
Sep 27
Should be fixed now. I triggered a REDO TASK to check if the issue still reproduces.
Sep 27
ClusterFuzz has detected this issue as fixed in range 568548:568568.

Detailed report: https://clusterfuzz.com/testcase?key=4823965235937280
Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61300016a9d8
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  base::MessageLoop::DoWork
Sanitizer: address (ASAN)
Recommended Security Severity: High
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=568548:568568
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4823965235937280

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 27
ClusterFuzz testcase 4823965235937280 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 26
This bug requires manual review: M71 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: benmason@ (Android), kariahda@ (iOS), kbleicher@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 26
(Already in 71)
Jan 4
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot