Use-of-uninitialized-value in xmlParseEndTag2
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6683930786267136
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseContent
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv978apGMMcBS0H-Q2LBFl9Ur3HzdoNQA5sQ-doBwC5gPeFjNCYHH4S9CzeB8veP14uGKWuxUxAM_jLIGUal2adBujNW4ssU2Fyn_csiyr2MCYGCgYic31D_hM4foYke2-SUDec4wNFjI1oZDwDYKg9gvunoVJA
<n><n:n><L</n
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 10 2016
,
Mar 11 2016
[Environment] MSAN_OPTIONS = print_stats=1:symbolize=1:coverage=0
Running command: <...>/libxml_xml_read_memory_fuzzer -runs=65536 /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-3-libxml_xml_read_memory_fuzzer
Seed: 3065005559
<...>/libxml_xml_read_memory_fuzzer: Running 1 inputs 65536 time(s) each.
==26103==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x77d575 in xmlParseEndTag2 third_party/libxml/src/parser.c:9829:13
#1 0x75f287 in xmlParseElement third_party/libxml/src/parser.c:10239:2
#2 0x759e17 in xmlParseContent third_party/libxml/src/parser.c:10043:6
#3 0x75e90d in xmlParseElement third_party/libxml/src/parser.c:10216:5
#4 0x78af55 in xmlParseDocument third_party/libxml/src/parser.c:10913:2
#5 0x79bcf4 in xmlDoRead third_party/libxml/src/parser.c:15391:5
#6 0x79c769 in xmlReadMemory third_party/libxml/src/parser.c:15477:13
#7 0x49b72b in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#8 0x6127bc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:306:13
#9 0x5f20a7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:240:3
#10 0x5f6cac in FuzzerDriver third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:350:9
#11 0x5f6cac in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:387
#12 0x5f1bc8 in main third_party/llvm/lib/Fuzzer/FuzzerMain.cpp:25:10
#13 0x7f2610a7cec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#14 0x41df74 in _start (<...>/libxml_xml_read_memory_fuzzer+0x41df74)
Uninitialized value was created by a heap allocation
#0 0x43e4e9 in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:1003
#1 0x9aec23 in xmlBufCreateSize third_party/libxml/src/buf.c:172:36
#2 0x900844 in xmlAllocParserInputBuffer third_party/libxml/src/xmlIO.c:2432:19
#3 0x9030bf in xmlParserInputBufferCreateMem third_party/libxml/src/xmlIO.c:3033:11
#4 0x795f37 in xmlCreateMemoryParserCtxt third_party/libxml/src/parser.c:14579:11
#5 0x79c6a0 in xmlReadMemory third_party/libxml/src/parser.c:15474:12
#6 0x49b72b in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#7 0x6127bc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:306:13
#8 0x5f20a7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:240:3
#9 0x5f6cac in FuzzerDriver third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:350:9
#10 0x5f6cac in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:387
#11 0x5f1bc8 in main third_party/llvm/lib/Fuzzer/FuzzerMain.cpp:25:10
#12 0x7f2610a7cec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/libxml/src/parser.c:9829:13 in xmlParseEndTag2
Unique heap origins: 125
Stack depot allocated bytes: 15792
Unique origin histories: 7
History depot allocated bytes: 168
Exiting
DEATH:
0x3c,0x6e,0x3e,0x3c,0x6e,0x3a,0x6e,0x3e,0x3c,0x4c,0x3c,0x2f,0x6e,
<n><n:n><L</n
artifact_prefix=./; Test unit written to ./crash-2ccfd71e37dcc1bae5b274025593a9fb2d91cfd7
Base64: PG4+PG46bj48TDwvbg==
,
Mar 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4960965380014080
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96bEtD23C80SHClDLJ1nY2kxnVi_nL_Jx5EdJp1KPjxYjsyjtpTo2VUuEEvsC1rI1cFodIybwiIyyXY_U2EjzUZnM0bcvq7z-EKVMnF2EUogY39bQit7CfG5Qum0abNl_jaGyhYVOAkdpyqd-tdgmUIwQLDJg
<n:n><L</n
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 24 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6683930786267136
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseContent
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv978apGMMcBS0H-Q2LBFl9Ur3HzdoNQA5sQ-doBwC5gPeFjNCYHH4S9CzeB8veP14uGKWuxUxAM_jLIGUal2adBujNW4ssU2Fyn_csiyr2MCYGCgYic31D_hM4foYke2-SUDec4wNFjI1oZDwDYKg9gvunoVJA
<n><n:n><L</n
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4960965380014080
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96bEtD23C80SHClDLJ1nY2kxnVi_nL_Jx5EdJp1KPjxYjsyjtpTo2VUuEEvsC1rI1cFodIybwiIyyXY_U2EjzUZnM0bcvq7z-EKVMnF2EUogY39bQit7CfG5Qum0abNl_jaGyhYVOAkdpyqd-tdgmUIwQLDJg
<n:n><L</n
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6163240853176320
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61600000fbe2
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseContent
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=378984:379001
Minimized Testcase (0.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95mNuvdxTmAaTZDl2jnUeYD6fpZBFnzgDoUBFBS6S9z4t1hQFwPpKENou1ZfOWQ6XY1H3pYogIAvtqVYU-rvnCIb8wNjfonhKdB21DcfZxso8PzYeyx4P8YC7cIZpW_bhqfrLyslX19LVjKJpd4sI6iRd3Ddw
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 6 2016
,
Apr 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4596495705178112
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94ucjupucRaJCaq3c9_GWEBnu7VWfmNI8cCOIzD34YFVGTeIkuHAAsDKfy3KzSNGGlwDwNZSIYNaCY74Zba1AScmXCK86_-TYiTXrd4CPNj40NGyMn20YnVfTa5gTphtZpaUpaa_sNHU0ZPRIilHl-PX0uYqg
<IDREFS:f:>*ove</f:
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 7 2016
I'll take a look at this too. At first glance, is this a dup of Issue 595262?
,
Apr 7 2016
,
Apr 7 2016
Should be reproducible:
$ libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer ./593690
INFO: Seed: 1648041152
libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer: Running 1 inputs 1 time(s) each.
==37056==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x6c1dae in xmlParseEndTag2 third_party/libxml/src/parser.c:9829:13
#1 0x6a8446 in xmlParseElement third_party/libxml/src/parser.c:10239:2
#2 0x6cc300 in xmlParseDocument third_party/libxml/src/parser.c:10913:2
#3 0x6d8f32 in xmlDoRead third_party/libxml/src/parser.c:15391:5
#4 0x6d9621 in xmlReadMemory third_party/libxml/src/parser.c:15477:13
#5 0x4859f4 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#6 0x4a37cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:322:13
#7 0x486cd6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/libFuzzer/src/FuzzerDriver.cpp:240:3
#8 0x48b8dc in FuzzerDriver third_party/libFuzzer/src/FuzzerDriver.cpp:351:9
#9 0x48b8dc in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:396
#10 0x4be618 in main third_party/libFuzzer/src/FuzzerMain.cpp:25:10
#11 0x7f3820f85ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
#12 0x41deb8 in _start (/tmp/msan/libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer+0x41deb8)
Uninitialized value was created by a heap allocation
#0 0x4429b2 in __interceptor_malloc (/tmp/msan/libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer+0x4429b2)
#1 0x85a2e1 in xmlBufCreateSize third_party/libxml/src/buf.c:172:36
#2 0x7dc208 in xmlAllocParserInputBuffer third_party/libxml/src/xmlIO.c:2432:19
#3 0x7ddfa8 in xmlParserInputBufferCreateMem third_party/libxml/src/xmlIO.c:3033:11
#4 0x6d452f in xmlCreateMemoryParserCtxt third_party/libxml/src/parser.c:14579:11
#5 0x6d9555 in xmlReadMemory third_party/libxml/src/parser.c:15474:12
#6 0x4859f4 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#7 0x4a37cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:322:13
#8 0x486cd6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/libFuzzer/src/FuzzerDriver.cpp:240:3
#9 0x48b8dc in FuzzerDriver third_party/libFuzzer/src/FuzzerDriver.cpp:351:9
#10 0x48b8dc in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:396
#11 0x4be618 in main third_party/libFuzzer/src/FuzzerMain.cpp:25:10
#12 0x7f3820f85ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/libxml/src/parser.c:9829:13 in xmlParseEndTag2
Exiting
DEATH:
0x3c,0x49,0x44,0x52,0x45,0x46,0x53,0x3a,0x66,0x3a,0x3e,0x2a,0x6f,0x76,0x65,0x3c,0x2f,0x66,0x3a,
<IDREFS:f:>*ove</f:
,
Apr 7 2016
These look similar to Issue 595262 which I was debugging today; see comments on that bug for more. I had no problem reproducing the ASAN failure over there. I can provide a bandaid immediately, because xmlParseEndTag2 is effectively making an assumption that if strncmp(foo, bar, n) == 0, then strlen(foo) >= n, which isn't valid. But if it is OK I want to poke at this a bit more; it looks like a regression and something about the end tag we're looking for and its length have gotten out of sync. I want to understand that a bit better.
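The strncmp()/strlen() assumption called out in the comment above, modelled as an added example. This is constructed code, not libxml2's or Chromium's: `cur` stands in for the input position just past `</`, `name` for the element name the parser expects to close, and `tlen` for the length the parser believes that name has. The scenario where `name` is shorter than `tlen` (here, a two-byte name with a nine-byte length) is a hypothetical illustration of the "out of sync" situation the comment describes, not a claim about the actual parser state in the testcases.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the end-tag comparison discussed above; this is not
 * libxml2's or Chromium's code. `cur` points just past "</" in a
 * NUL-terminated input buffer, `name` is the element name the parser expects
 * to close, and `tlen` is the length the parser believes that name has. Each
 * function returns the number of bytes `cur` would be advanced by, or -1 for
 * "no match". Nothing here dereferences past the input, so the model runs
 * safely even in the buggy case. */

/* Bounded length scan used instead of strnlen() to stay portable. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Flawed idiom: treats strncmp(cur, name, tlen) == 0 as proof that `cur`
 * holds at least tlen bytes. strncmp() stops at the first NUL in either
 * operand, so two identical short strings compare equal for any larger
 * tlen, and advancing by tlen then steps past the terminator. */
long end_tag_advance_unchecked(const char *cur, const char *name, size_t tlen)
{
    if (tlen > 0 && strncmp(cur, name, tlen) == 0)
        return (long)tlen;      /* may be larger than strlen(cur) */
    return -1;
}

/* Hardened form: establish that `cur` really holds tlen bytes before
 * comparing, then require the '>' that closes the end tag. Index tlen is
 * in bounds because the bounded scan proved bytes 0..tlen-1 are non-NUL. */
long end_tag_advance_checked(const char *cur, const char *name, size_t tlen)
{
    if (tlen == 0 || bounded_len(cur, tlen) < tlen)
        return -1;              /* input shorter than the expected name */
    if (strncmp(cur, name, tlen) != 0)
        return -1;
    if (cur[tlen] != '>')
        return -1;
    return (long)tlen + 1;      /* consume the name and the '>' */
}

/* 1 if the unchecked variant would advance past the end of `cur` (the
 * over-read the comment describes), 0 otherwise. */
int unchecked_overruns(const char *cur, const char *name, size_t tlen)
{
    long adv = end_tag_advance_unchecked(cur, name, tlen);
    return adv > 0 && (size_t)adv > strlen(cur);
}

int main(void)
{
    /* Constructed input (hypothetical parser state): the buffer ends right
     * after "f:", but the parser believes the name is 9 bytes long. */
    const char *cur = "f:";
    printf("unchecked advance: %ld (input length %zu)\n",
           end_tag_advance_unchecked(cur, "f:", 9), strlen(cur));
    printf("checked advance:   %ld\n", end_tag_advance_checked(cur, "f:", 9));
    printf("well-formed </n>:  %ld\n", end_tag_advance_checked("n>", "n", 1));
    return 0;
}
```

The unchecked variant reports a 9-byte advance over a 2-byte input, which is exactly the kind of pointer that the ASAN job above flags as a heap-buffer-overflow read; the checked variant refuses the match instead of trusting strncmp() as a length proof.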
,
Apr 13 2016
,
Apr 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/27a27edb43e42023db7d154dcd9f66a500296cc1
commit 27a27edb43e42023db7d154dcd9f66a500296cc1
Author: dominicc <dominicc@chromium.org>
Date: Tue Apr 19 04:46:41 2016
Do not advance beyond the closing tag length in xmlParseEndTag2
BUG=593690,595262
TEST=libxml_xml_read_memory_fuzzer
Review URL: https://codereview.chromium.org/1873693002
Cr-Commit-Position: refs/heads/master@{#388137}
[modify] https://crrev.com/27a27edb43e42023db7d154dcd9f66a500296cc1/third_party/libxml/README.chromium
[modify] https://crrev.com/27a27edb43e42023db7d154dcd9f66a500296cc1/third_party/libxml/src/parser.c
,
Apr 19 2016
,
Apr 19 2016
,
Apr 20 2016
ClusterFuzz has detected this issue as fixed in range 387014:388388.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4596495705178112
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlParseEndTag2
  xmlParseElement
  xmlParseDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=387014:388388
Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94ucjupucRaJCaq3c9_GWEBnu7VWfmNI8cCOIzD34YFVGTeIkuHAAsDKfy3KzSNGGlwDwNZSIYNaCY74Zba1AScmXCK86_-TYiTXrd4CPNj40NGyMn20YnVfTa5gTphtZpaUpaa_sNHU0ZPRIilHl-PX0uYqg
<IDREFS:f:>*ove</f:
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6efc7f88ba163d2a6dcc1cb50fc2a34f42584bd4
commit 6efc7f88ba163d2a6dcc1cb50fc2a34f42584bd4
Author: Dominic Cooney <dominicc@chromium.org>
Date: Thu May 12 00:13:41 2016
Do not advance beyond the closing tag length in xmlParseEndTag2
BUG=593690,595262
TEST=libxml_xml_read_memory_fuzzer
Review URL: https://codereview.chromium.org/1873693002
Cr-Commit-Position: refs/heads/master@{#388137}
(cherry picked from commit 27a27edb43e42023db7d154dcd9f66a500296cc1)
Review URL: https://codereview.chromium.org/1975593002 .
Cr-Commit-Position: refs/branch-heads/2704@{#511}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}
[modify] https://crrev.com/6efc7f88ba163d2a6dcc1cb50fc2a34f42584bd4/third_party/libxml/README.chromium
[modify] https://crrev.com/6efc7f88ba163d2a6dcc1cb50fc2a34f42584bd4/third_party/libxml/src/parser.c
,
Jul 26 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Mar 10 2016
Components: Blink>XML
Owner: scottmg@chromium.org