
Issue 444573


Issue metadata

Status: Fixed
Closed: May 2015
OS: All
Pri: 1
Type: Bug-Security




Use-of-uninitialized-value in ucnv_io_getConverterName_52

Reported by ClusterFuzz, Dec 22 2014

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5273829290016768

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ucnv_io_getConverterName_52
  ucnv_loadSharedData_52
  ucnv_createConverter_52
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=284099:284275

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Pbord3ACRAEqkN1OVf-IKuX1kLPRG_WG5XOSd-QC3-sPCEMCFAwRlz28Ta92U_CAsRcVhXEuJHWPCrQgn9pdUH7PL7G4YmEMukF-Z8oSxZmi7wx2tFIbhH70T2BRmJrkZvH8LV6O7QmkM_TFo0IK9S-2rcw
<?xml encoding="x"


Filer: inferno
 
Cc: attek...@gmail.com
Owner: js...@chromium.org
Status: Assigned

Comment 2 by ClusterFuzz, Dec 22 2014

Labels: Pri-1

Comment 3 by rsesek@chromium.org, Dec 23 2014

Labels: M-40

Comment 4 by ClusterFuzz, Jan 13 2015

Labels: Nag
jshin@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 5 by ClusterFuzz, Feb 3 2015

jshin@: Uh oh! This issue is still open and hasn't been updated in the last 42 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 6 by ClusterFuzz, Feb 20 2015

Labels: -M-40 M-41

Comment 7 by ClusterFuzz, Feb 24 2015

jshin@: Uh oh! This issue is still open and hasn't been updated in the last 63 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 8 by ClusterFuzz, Mar 6 2015

ClusterFuzz has detected this issue as fixed in range 317790:319224.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5273829290016768

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ucnv_io_getConverterName_52
  ucnv_loadSharedData_52
  ucnv_createConverter_52
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=284099:284275
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=317790:319224

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Pbord3ACRAEqkN1OVf-IKuX1kLPRG_WG5XOSd-QC3-sPCEMCFAwRlz28Ta92U_CAsRcVhXEuJHWPCrQgn9pdUH7PL7G4YmEMukF-Z8oSxZmi7wx2tFIbhH70T2BRmJrkZvH8LV6O7QmkM_TFo0IK9S-2rcw
<?xml encoding="x"

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.


Comment 10 by ClusterFuzz, Mar 18 2015

jshin@: Uh oh! This issue is still open and hasn't been updated in the last 85 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 11 by ClusterFuzz, Apr 3 2015

Labels: -M-41 M-42

Comment 12 by ClusterFuzz, Apr 8 2015

jshin@: Uh oh! This issue is still open and hasn't been updated in the last 106 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz

Comment 13 by ClusterFuzz, Apr 30 2015

jshin@: Uh oh! This issue is still open and hasn't been updated in the last 128 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking?

If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner.

If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!).

These nags can be disabled by adding a 'WIP' label and an optional codereview link.

- Your friendly ClusterFuzz
Cc: timwillis@chromium.org
Labels: -M-42 M-43
@jshin - CF believes that this is fixed - is there an associated change?

Comment 15 by js...@chromium.org, May 18 2015

Comment #8 (detecting this as fixed) is perhaps false. clusterfuzz is likely to regard this as fixed because it does not see any ucnv_foo_52 in the stack (as opposed to ucnv_foo_54 due to an ICU version upgrade from ICU 52 to 54). 

There's a change that ICU 54 fixed this problem, but the change window given in comment #8 does not include the ICU version upgrade. 

I can't identify any uninitialized variable following through the stack trace in ICU 52. I'll build an MSan build and see what's going on. 

It is not fixed. Jorge did a redo and it says Fixed:No. CF understands changes in stack frames and won't say fixed based on that. I think repro is just flaky, so try stuff manually to see how to fix.

Redo: jorgelo@chromium.org
Clusterfuzz-linux-high-end-0043: Fixed testing started in r330355 [2015-05-18 11:09:31]
Clusterfuzz-linux-high-end-0043: Fixed testing completed [0:01:58]
Yeah, we agree this is not fixed. Jungshik will try to repro manually.
From icu/source/common/ucnv_io.cpp:742:

            /*
             * After the first unsuccess converter lookup, check to see if
             * the name begins with 'x-'. If it does, strip it off and try
             * again.  This behaviour is similar to how ICU4J does it.
             */
            if (aliasTmp[0] == 'x' || aliasTmp[1] == '-') { // <-- Shouldn't that be &&?
                aliasTmp = aliasTmp+2;
            } else {
                break;
            }

Verified locally that this fixes the issue.
Jungshik, what do you think?
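As an added illustration (not code from this bug, from ICU, or from mbarbella's patch), the following C program reimplements the "x-" prefix-stripping loop quoted above with both predicates side by side. It substitutes a hypothetical three-entry converter table for ICU's alias table, and rather than actually reading past the terminator it records when the original `||` form would step or read past the NUL. That is exactly what happens for the one-character name `x` from the minimized testcase (`<?xml encoding="x"`): `aliasTmp[0] == 'x'` is true on its own, so the pointer is advanced two bytes past a one-byte string and the next lookup reads whatever follows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ICU code: a reimplementation of the "x-" prefix
 * stripping loop in ucnv_io_getConverterName with both predicates.
 * kKnownConverters is a hypothetical stand-in for ICU's alias table. */
static const char *const kKnownConverters[] = { "utf-8", "latin1", "ascii" };

static bool lookup(const char *name) {
    for (size_t i = 0; i < sizeof kKnownConverters / sizeof kKnownConverters[0]; i++) {
        if (strcmp(name, kKnownConverters[i]) == 0) {
            return true;
        }
    }
    return false;
}

typedef struct {
    bool found;       /* a converter matched, possibly after stripping "x-" */
    bool overran;     /* the loop would have read or stepped past the NUL */
    ptrdiff_t offset; /* how far into `alias` the lookup stopped */
} lookup_result;

/* `fixed` selects the && predicate from the patch instead of the || one. */
static lookup_result find_converter(const char *alias, bool fixed) {
    const size_t len = strlen(alias);
    const char *aliasTmp = alias;
    lookup_result r = { false, false, 0 };

    for (;;) {
        if (lookup(aliasTmp)) {
            r.found = true;
            break;
        }
        bool strip;
        if (fixed) {
            /* && short-circuits on anything but 'x' and only advances when
             * aliasTmp[1] is '-', so aliasTmp + 2 never passes the NUL. */
            strip = aliasTmp[0] == 'x' && aliasTmp[1] == '-';
        } else {
            /* || as in ICU 52: a leading 'x' alone strips two bytes, and a
             * leading NUL still evaluates aliasTmp[1], one past the end. */
            if (aliasTmp[0] == 'x') {
                strip = true;
            } else if (aliasTmp[0] == '\0') {
                r.overran = true; /* would read aliasTmp[1] past the terminator */
                break;
            } else {
                strip = aliasTmp[1] == '-';
            }
        }
        if (!strip) {
            break;
        }
        if ((size_t)(aliasTmp - alias) + 2 > len) {
            r.overran = true;     /* aliasTmp += 2 would land past the NUL */
            break;
        }
        aliasTmp += 2;
    }
    r.offset = aliasTmp - alias;
    return r;
}

int main(void) {
    /* Constructed sample names; "x" is the one from the minimized testcase. */
    const char *inputs[] = { "x", "xx", "x-utf-8", "xml", "utf-8" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        lookup_result buggy = find_converter(inputs[i], false);
        lookup_result good = find_converter(inputs[i], true);
        printf("%-8s ||: found=%d overran=%d   &&: found=%d overran=%d\n",
               inputs[i], buggy.found, buggy.overran, good.found, good.overran);
    }
    return 0;
}
```

The "xx" input shows the second way the `||` form misbehaves: stripping lands on the terminating NUL, and the next pass then compares `aliasTmp[1]`, one byte beyond the string, which is the read MSan flags in the stack above.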
Labels: Cr-UI-Internationalization

Comment 21 by js...@chromium.org, May 26 2015

re comment 15:

"There's a change that ICU 54 fixed this problem" ; s/change/chance/  

The lines in question have NOT changed for 4 years, so it's more than certain that this issue has not been fixed by ICU 54. 

Thanks, mbarbella@. 
Just filed http://bugs.icu-project.org/trac/ticket/11696 (inaccessible because it's marked as sensitive. I added mbarbella's patch to the bug.) 

jorgelo@ : I got back my Linux box late last week and have built an MSan build. I'll verify mbarbella's change.

Comment 22 by js...@chromium.org, May 26 2015

Just verified that mbarbella's change fixed the issue. 

I'll make a patch. 

Comment 23 by js...@chromium.org, May 26 2015

Status: Started
https://codereview.chromium.org/1145963004 : CL up. 

Will start with ToT and then make a merge request to 44 and 43 branches. 

Thanks!
Status: Fixed

Comment 27 by bugdroid1@chromium.org, May 26 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/886e691e17018818b7fc0978bcbe9a85436b506c

commit 886e691e17018818b7fc0978bcbe9a85436b506c
Author: jshin <jshin@chromium.org>
Date: Tue May 26 21:16:07 2015

Roll ICU from 5788e2736b3bc to f1ad7f9ba957

Summary of changes available at:
 https://chromium.googlesource.com/chromium/deps/icu/+log/5788e27..f1ad7f9

BUG= 444573 
TEST=See the bug
TBR=inferno

Review URL: https://codereview.chromium.org/1157143002

Cr-Commit-Position: refs/heads/master@{#331437}

[modify] http://crrev.com/886e691e17018818b7fc0978bcbe9a85436b506c/DEPS

Comment 28 by js...@chromium.org, May 26 2015

Cc: infe...@chromium.org
Labels: -Nag
I'll ask for merge to 44 once we have a nightly build with this change. After that, I'll ask for merge to 43. 


Comment 29 by ClusterFuzz, May 26 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify M-44
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Comment 30 by ClusterFuzz, May 27 2015

ClusterFuzz has detected this issue as fixed in range 331388:331444.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5273829290016768

Fuzzer: Attekett_surku_fuzzer
Job Type: Linux_msan_chrome

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  ucnv_io_getConverterName_52
  ucnv_loadSharedData_52
  ucnv_createConverter_52
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=284099:284275
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=331388:331444

Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Pbord3ACRAEqkN1OVf-IKuX1kLPRG_WG5XOSd-QC3-sPCEMCFAwRlz28Ta92U_CAsRcVhXEuJHWPCrQgn9pdUH7PL7G4YmEMukF-Z8oSxZmi7wx2tFIbhH70T2BRmJrkZvH8LV6O7QmkM_TFo0IK9S-2rcw
<?xml encoding="x"

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.

Comment 31 by js...@chromium.org, May 28 2015

Labels: -Merge-Triage Merge-Request-44
Requesting merge to 44. 

What's to merge is https://codereview.chromium.org/1145963004 (note that the actual change is a one-liner replacing "||" with "&&"). 

At least four canary builds went out (45.0.2414.[0-2], 45.0.2415.0) without a known issue reported as attributed to this change (afaict). 


Labels: -Merge-Request-44 Merge-Approved-44 Hotlist-Merge-Approved
Approved for M44 (branch: 2403)

Comment 33 by bugdroid1@chromium.org, May 28 2015

Labels: -Merge-Approved-44 merge-merged-2403
The following revision refers to this bug:
  http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=74127

------------------------------------------------------------------
r74127 | jungshik@google.com | 2015-05-28T20:35:13.355615Z

-----------------------------------------------------------------

Comment 34 by js...@chromium.org, May 29 2015

Labels: Merge-Request-43
Requesting merge to M43 branch. 

Comment 35 by js...@chromium.org, May 29 2015

Again: 
what's to merge is https://codereview.chromium.org/1145963004 (note that the actual change is a one-liner replacing "||" with "&&").

It'll be done by making an M43 branch of third_party/icu and merging the above change to that branch. [1] After that, third_party/icu will be rolled to that revision in the buildspec for M43 (DEPS roll). 

[1] https://codereview.chromium.org/1162053002
Since this is medium severity, this does not need merging to m43.

Comment 37 by js...@chromium.org, May 29 2015

Labels: -M-43 -Merge-Request-43
Ok. Then I'm removing the M43 label as well as M43-Merge-Request.  
Labels: Release-0-M44
Labels: CVE-2015-1270
Labels: -reward-topanel reward-1000 reward-unpaid
Congrats: $500 for the bug + $500 for CF.
Labels: -reward-unpaid reward-inprocess

Comment 42 by ClusterFuzz, Sep 1 2015

Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Labels: -reward-inprocess
Processing via our e-payment system takes ~7 days, but the reward should be on its way to you. Thanks again for your help!

Comment 44 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 45 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
