Status: Fixed
Closed: May 2015
OS: All
Pri: 1
Type: Bug-Security
Use-of-uninitialized-value in ucnv_io_getConverterName_52
Project Member Reported by clusterf...@chromium.org, Dec 22 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5273829290016768

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ucnv_io_getConverterName_52
  ucnv_loadSharedData_52
  ucnv_createConverter_52
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=284099:284275

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Pbord3ACRAEqkN1OVf-IKuX1kLPRG_WG5XOSd-QC3-sPCEMCFAwRlz28Ta92U_CAsRcVhXEuJHWPCrQgn9pdUH7PL7G4YmEMukF-Z8oSxZmi7wx2tFIbhH70T2BRmJrkZvH8LV6O7QmkM_TFo0IK9S-2rcw
<?xml encoding="x"


Filer: inferno
Cc: attek...@gmail.com
Owner: js...@chromium.org
Status: Assigned
Project Member Comment 2 by clusterf...@chromium.org, Dec 22 2014
Labels: Pri-1
Comment 3 by rsesek@chromium.org, Dec 23 2014
Labels: M-40
Project Member Comment 4 by clusterf...@chromium.org, Jan 13 2015
Labels: Nag
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 5 by clusterf...@chromium.org, Feb 3 2015
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 42 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 6 by clusterf...@chromium.org, Feb 20 2015
Labels: -M-40 M-41
Project Member Comment 7 by clusterf...@chromium.org, Feb 24 2015
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 63 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 8 by clusterf...@chromium.org, Mar 6 2015
ClusterFuzz has detected this issue as fixed in range 317790:319224.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5273829290016768

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ucnv_io_getConverterName_52
  ucnv_loadSharedData_52
  ucnv_createConverter_52
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=284099:284275
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=317790:319224

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Pbord3ACRAEqkN1OVf-IKuX1kLPRG_WG5XOSd-QC3-sPCEMCFAwRlz28Ta92U_CAsRcVhXEuJHWPCrQgn9pdUH7PL7G4YmEMukF-Z8oSxZmi7wx2tFIbhH70T2BRmJrkZvH8LV6O7QmkM_TFo0IK9S-2rcw
<?xml encoding="x"

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Project Member Comment 10 by clusterf...@chromium.org, Mar 18 2015
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 85 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 11 by clusterf...@chromium.org, Apr 3 2015
Labels: -M-41 M-42
Project Member Comment 12 by clusterf...@chromium.org, Apr 8 2015
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 106 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Project Member Comment 13 by clusterf...@chromium.org, Apr 30 2015
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 128 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!)

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -M-42 M-43
@jshin - CF believes that this is fixed - is there an associated change?
Comment 15 by js...@chromium.org, May 18 2015
Comment #8 (detecting this as fixed) is perhaps false. clusterfuzz is likely to regard this as fixed because it does not see any ucnv_foo_52 in the stack (as opposed to ucnv_foo_54 due to an ICU version upgrade from ICU 52 to 54). 

There's a change that ICU 54 fixed this problem, but the change window given in comment #8 does not include the ICU version upgrade. 

I can't identify any uninitialized variable following through the stack trace in ICU 52. I'll build a msan build and see what's going on. 

It is not fixed. Jorge did a redo and it says Fixed:No. CF understands changes in stack frames and won't say fixed based on that. I think the repro is just flaky, so try stuff manually to see how to fix.

Redo: jorgelo@chromium.org
Clusterfuzz-linux-high-end-0043: Fixed testing started in r330355 [2015-05-18 11:09:31]
Clusterfuzz-linux-high-end-0043: Fixed testing completed [0:01:58]
Yeah, we agree this is not fixed. Jungshik will try to repro manually.
From icu/source/common/ucnv_io.cpp:742:

            /*
             * After the first unsuccess converter lookup, check to see if
             * the name begins with 'x-'. If it does, strip it off and try
             * again.  This behaviour is similar to how ICU4J does it.
             */
            if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') { // <-- Shouldn't that be &&?
                aliasTmp = aliasTmp+2;
            } else {
                break;
            }

Verified locally that this fixes the issue.
Jungshik, what do you think?
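As an added example (not code from this page, from ICU, or from mbarbella's patch): a small C model of the "try the name, then strip a leading x- and retry" lookup that the snippet above sits in, with the predicate switchable between the shipped `||` and the proposed `&&`. The surrounding loop and the toy alias table are assumptions standing in for ICU's real structure and alias data; the model replaces raw pointer reads with bounds-checked ones so it can report, rather than trigger, the read past the terminator that MSan flagged. The minimized testcase declares encoding="x", a one-character name, which is exactly the input where the two operators diverge: with `||` the first character alone fires the strip, the pointer advances two bytes past a one-byte string, and the retry lookup reads beyond the NUL. The model also shows two side effects of `||` that the report does not mention: an empty name reads index 1 before there is one, and a name like "a-b" has two characters stripped that are not an x- prefix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one "strip a leading x- and retry" step. */
typedef struct {
    bool stripped;  /* the predicate fired and the pointer moved forward by 2 */
    bool overrun;   /* a read touched memory beyond the NUL terminator */
    size_t offset;  /* where the retry lookup would start, relative to the alias */
} strip_result;

/* Bounds-checked read: index len is the terminator and is legal; anything beyond is an overrun. */
static char read_at(const char *alias, size_t len, size_t i, bool *overrun) {
    if (i > len) { *overrun = true; return 0; }
    return alias[i];
}

/* Models the predicate quoted from ucnv_io.cpp with the operator selectable.
   The loop around it is an assumption about ICU's structure, not a copy of its code. */
static strip_result simulate_strip(const char *alias, bool use_and) {
    size_t len = strlen(alias);
    strip_result r = { false, false, 0 };
    bool fire;
    if (use_and) {
        /* && short-circuits: alias[1] is read only when alias[0] == 'x', so index 1 is at worst the NUL */
        fire = read_at(alias, len, 0, &r.overrun) == 'x' &&
               read_at(alias, len, 1, &r.overrun) == '-';
    } else {
        /* || reads alias[1] whenever alias[0] != 'x', and fires on a bare "x" */
        fire = read_at(alias, len, 0, &r.overrun) == 'x' ||
               read_at(alias, len, 1, &r.overrun) == '-';
    }
    if (fire) {
        r.stripped = true;
        r.offset = 2;
        (void)read_at(alias, len, 2, &r.overrun);  /* the retry lookup starts reading at alias + 2 */
    }
    return r;
}

/* Constructed toy alias table standing in for ICU's converter alias data. */
static const char *const k_known[] = { "utf-8", "latin-1" };

static const char *lookup(const char *name) {
    for (size_t i = 0; i < sizeof k_known / sizeof k_known[0]; i++)
        if (strcmp(name, k_known[i]) == 0) return k_known[i];
    return NULL;
}

/* Two-attempt resolution: try the name as given, then strip "x-" and retry.
   Returns the canonical name or NULL; *overrun reports whether the chosen predicate
   would have read past the end (the model never actually dereferences there). */
static const char *resolve(const char *alias, bool use_and, bool *overrun) {
    const char *hit = lookup(alias);
    *overrun = false;
    if (hit) return hit;
    strip_result r = simulate_strip(alias, use_and);
    *overrun = r.overrun;
    if (!r.stripped || r.overrun) return NULL;
    return lookup(alias + r.offset);
}

/* Scalar wrappers so each behaviour can be checked on its own. */
bool overruns(const char *alias, bool use_and) {
    bool o; (void)resolve(alias, use_and, &o); return o;
}
bool resolves_to(const char *alias, bool use_and, const char *expect) {
    bool o; const char *got = resolve(alias, use_and, &o);
    return !o && got != NULL && strcmp(got, expect) == 0;
}
bool strips(const char *alias, bool use_and) {
    return simulate_strip(alias, use_and).stripped;
}

int main(void) {
    /* "x" is the name from the minimized testcase; the others are constructed comparison inputs */
    const char *inputs[] = { "x-utf-8", "x", "", "a-b", "latin-1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-8s ||: overrun=%d strip=%d   &&: overrun=%d strip=%d\n", inputs[i],
               overruns(inputs[i], false), strips(inputs[i], false),
               overruns(inputs[i], true), strips(inputs[i], true));
    }
    return 0;
}
```

The model only changes the operator between the two runs, so any difference in the output table is attributable to `||` versus `&&`; "x-utf-8" resolves identically under both, which is why the bug survived normal use and needed a fuzzer to find.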
Labels: Cr-UI-Internationalization
Comment 21 by js...@chromium.org, May 26 2015
re comment 15:

"There's a change that ICU 54 fixed this problem" ; s/change/chance/  

The lines in question have NOT changed for 4 years, so it's more than certain that this issue has not been fixed by ICU 54.

Thanks, mbarbella@. 
Just filed http://bugs.icu-project.org/trac/ticket/11696 (inaccessible because it's marked as sensitive. I added mbarbella's patch to the bug.)

jorgelo@ : I got back my Linux box late last week and have built a msan build. I'll verify mbarbella's change.
Comment 22 by js...@chromium.org, May 26 2015
Just verified that mbarbella's change fixed the issue. 

I'll make a patch. 

Comment 23 by js...@chromium.org, May 26 2015
Status: Started
https://codereview.chromium.org/1145963004 : CL up. 

Will start with ToT and then make a merge request to 44 and 43 branches. 

Thanks!
Status: Fixed
Project Member Comment 27 by bugdroid1@chromium.org, May 26 2015
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/886e691e17018818b7fc0978bcbe9a85436b506c

commit 886e691e17018818b7fc0978bcbe9a85436b506c
Author: jshin <jshin@chromium.org>
Date: Tue May 26 21:16:07 2015

Roll ICU from 5788e2736b3bc to f1ad7f9ba957

Summary of changes available at:
 https://chromium.googlesource.com/chromium/deps/icu/+log/5788e27..f1ad7f9

BUG= 444573 
TEST=See the bug
TBR=inferno

Review URL: https://codereview.chromium.org/1157143002

Cr-Commit-Position: refs/heads/master@{#331437}

[modify] http://crrev.com/886e691e17018818b7fc0978bcbe9a85436b506c/DEPS

Comment 28 by js...@chromium.org, May 26 2015
Cc: infe...@chromium.org
Labels: -Nag
I'll ask for merge to 44 once we have a nightly build with this change. After that, I'll ask for merge to 43. 

Project Member Comment 29 by clusterf...@chromium.org, May 26 2015
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify M-44
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Project Member Comment 30 by clusterf...@chromium.org, May 27 2015
ClusterFuzz has detected this issue as fixed in range 331388:331444.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5273829290016768

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ucnv_io_getConverterName_52
  ucnv_loadSharedData_52
  ucnv_createConverter_52
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=284099:284275
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=331388:331444

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Pbord3ACRAEqkN1OVf-IKuX1kLPRG_WG5XOSd-QC3-sPCEMCFAwRlz28Ta92U_CAsRcVhXEuJHWPCrQgn9pdUH7PL7G4YmEMukF-Z8oSxZmi7wx2tFIbhH70T2BRmJrkZvH8LV6O7QmkM_TFo0IK9S-2rcw
<?xml encoding="x"

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Comment 31 by js...@chromium.org, May 28 2015
Labels: -Merge-Triage Merge-Request-44
Requesting for merge to 44. 

What's to merge is https://codereview.chromium.org/1145963004 (note that the actual change is a one-liner replacing "||" with "&&").

At least four canary builds went out (45.0.2414.[0-2], 45.0.2415.0 ) without a known issue reported attributed to this change (afaict). 


Labels: -Merge-Request-44 Merge-Approved-44 Hotlist-Merge-Approved
Approved for M44 (branch: 2403)
Project Member Comment 33 by bugdroid1@chromium.org, May 28 2015
Labels: -Merge-Approved-44 merge-merged-2403
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=74127

------------------------------------------------------------------
r74127 | jungshik@google.com | 2015-05-28T20:35:13.355615Z

-----------------------------------------------------------------
Comment 34 by js...@chromium.org, May 29 2015
Labels: Merge-Request-43
Requesting merge to M43 branch. 

Comment 35 by js...@chromium.org, May 29 2015
Again: 
what's to merge is https://codereview.chromium.org/1145963004 (note that the actual change is a one-liner replacing "||" with "&&").

It'll be done by making an M43 branch of third_party/icu and merging the above change to that branch. [1] After that, third_party/icu will be rolled to that revision in the buildspec for M43 (DEPS roll).

[1] https://codereview.chromium.org/1162053002
Since this is medium severity, this does not need merging to m43.
Comment 37 by js...@chromium.org, May 29 2015
Labels: -M-43 -Merge-Request-43
Ok. Then, I'm removing M43 label as well as M43-Merge-Request.  
Labels: Release-0-M44
Labels: CVE-2015-1270
Labels: -reward-topanel reward-1000 reward-unpaid
Congrats: $500 for the bug + $500 for CF.
Labels: -reward-unpaid reward-inprocess
Project Member Comment 42 by clusterf...@chromium.org, Sep 1 2015
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess
Processing via our e-payment system takes ~7 days, but the reward should be on its way to you. Thanks again for your help!
Project Member Comment 44 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic