Stack-overflow in printf_common
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6751166423105536

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffc92a99f78
Crash State:
  printf_common
  __xmlRaiseError
  xmlFatalErrMsg

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96N4Ygka8wN4JlLOFI78b_FP0f4VaZv5qw9COICxZCs4fYQdmEBp3q3PMmS63tGI6WY8HLsr9Kq1jOt3jfhyzdvuYHMVsjpeE9gnD-sobvy5jfAOCzzpC8xk1e-JLdH1LauNBt8TycMSTgDnr_B94ptZ4Y3gQ

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 14 2016
Testcase to reproduce.
,
Apr 14 2016
,
Apr 14 2016
,
Apr 25 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5781030870450176

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffeaf422f58
Crash State:
  printf_common
  __xmlRaiseError
  xmlFatalErr

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ja26iLOh7fT35B_zw5wukXqUWQrxSDXo0eoCfcrYxZ4tGMHzt50zGWehR48XyVbPU8cX7Odcs_qCx6GEB0-hL9UMEkE6Rayb3uUdwU9Hhhk6CvNSvUdY-hnrVUu_LAF56GT6vyDnp5SC1a1jbICnLLm59xQ

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5781030870450176

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffeaf422f58
Crash State:
  printf_common
  __xmlRaiseError
  xmlFatalErr

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ja26iLOh7fT35B_zw5wukXqUWQrxSDXo0eoCfcrYxZ4tGMHzt50zGWehR48XyVbPU8cX7Odcs_qCx6GEB0-hL9UMEkE6Rayb3uUdwU9Hhhk6CvNSvUdY-hnrVUu_LAF56GT6vyDnp5SC1a1jbICnLLm59xQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 28 2016
dominicc: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 12 2016
dominicc: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 23 2016
Yeah, this one doesn't look like a security vulnerability. I'm opening this up.
,
May 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6751166423105536

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffc92a99f78
Crash State:
  printf_common
  __xmlRaiseError
  xmlFatalErrMsg

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96N4Ygka8wN4JlLOFI78b_FP0f4VaZv5qw9COICxZCs4fYQdmEBp3q3PMmS63tGI6WY8HLsr9Kq1jOt3jfhyzdvuYHMVsjpeE9gnD-sobvy5jfAOCzzpC8xk1e-JLdH1LauNBt8TycMSTgDnr_B94ptZ4Y3gQ

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 29 2016
,
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6397362369200128

Fuzzer: libfuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffcb1779fb8
Crash State:
  printf_common
  __xmlRaiseError
  xmlFatalErrMsg

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=372859:372879

Minimized Testcase (0.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96EUQk8YHmIGID0s8kpZJTiTh7xQOCIQ-CyhXwsk9mbuznvtFBpVXeNFszwFsaTvszcMGcTk-RaGnSh4ZtUEtFvXC1lVmx40a2Ya3iHnu4tI8GxkpSOSrg7UwIztR-s8VHbSPzyxZEy9LVivoMkq27pWZ-SLw?testcase_id=6397362369200128

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Aug 25 2016
ClusterFuzz has detected this issue as fixed in range 414042:414068.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6397362369200128

Fuzzer: libfuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffc519d6f18
Crash State:
  printf_common
  __xmlRaiseError
  xmlFatalErrMsg

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=395675:395769
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=414042:414068

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97u1AeAVpFIsK3ZNhFCxQWfJu--Q5brGdFX4iZlTWACIJLDeS2vIXh2tvIFEGCMhXfYlZCwDT5vpHT4Yw4ZIKalLDW-HNfqtmfXYTDCEnz112hQYIxdhF8mP7OSQTXmOpV1-PU7lR7ck9_tBEfRi-6g-Ko1UQ?testcase_id=6397362369200128

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 7 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6590378738450432

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fffd334fff8
Crash State:
  __xmlRaiseError
  xmlNsErr
  xmlParseStartTag2

Minimized Testcase (1.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97KVamaveCRAy-X3f9KocRYxuh0BIhiAxFga2_iW_xXxT2Hna_oO8_CSDr5R0TqXWwCAs7ToXQIt9Nozg_6dfp_L0kkIfLhWNT_2MvWkLN2N3F2aD0Zivlg6sD52pyQnRMd51IMxvFJFcTV48J1OMfnSrPKOQ?testcase_id=6590378738450432

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Sep 7 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6435469279887360

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff56e83fe8
Crash State:
  printf_common
  __xmlRaiseError
  xmlErrValid

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804

Minimized Testcase (1.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ngpkr3lwG2VbpnT8htldb4ft9nMMa_G13LKowt7_5oahkGnjKGgUHJtHTUilc8S8Rjmej6lLi0_m9TvFM_1By1-Lq17sncpLKV0ws7L3rajNgbmf8qNKIv1aKmWuGYV-QmHWwIYr9PcucQNdrZhkDXZpYSQ?testcase_id=6435469279887360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Dec 8 2016
ClusterFuzz has detected this issue as fixed in range 436882:436912.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6435469279887360

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fff56e83fe8
Crash State:
  printf_common
  __xmlRaiseError
  xmlErrValid

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=395717:395804
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=436882:436912

Minimized Testcase (1.82 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ngpkr3lwG2VbpnT8htldb4ft9nMMa_G13LKowt7_5oahkGnjKGgUHJtHTUilc8S8Rjmej6lLi0_m9TvFM_1By1-Lq17sncpLKV0ws7L3rajNgbmf8qNKIv1aKmWuGYV-QmHWwIYr9PcucQNdrZhkDXZpYSQ?testcase_id=6435469279887360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 8 2016
ClusterFuzz has detected this issue as fixed in range 436882:436912.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6590378738450432

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7fffd334fff8
Crash State:
  __xmlRaiseError
  xmlNsErr
  xmlParseStartTag2

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=436882:436912

Minimized Testcase (1.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97KVamaveCRAy-X3f9KocRYxuh0BIhiAxFga2_iW_xXxT2Hna_oO8_CSDr5R0TqXWwCAs7ToXQIt9Nozg_6dfp_L0kkIfLhWNT_2MvWkLN2N3F2aD0Zivlg6sD52pyQnRMd51IMxvFJFcTV48J1OMfnSrPKOQ?testcase_id=6590378738450432

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 9 2016
Looking at the repro for https://cluster-fuzz.appspot.com/v2/testcase-detail/6435469279887360 it also uses recursive entities with lots of intermediate stuff, so some (all?) of these may be dups of Issue 628581. I'll wait to see if CF closes the rest. Incidentally Issue 628581 has some other ideas for mitigations which might be useful (for example if instead of recursive entities there are just large inputs with long chains of different entities. These would also defeat some of the per-element recursion guards.)
,
Jan 31 2017
I can still reproduce the first CF report. This is recursion between xmlParseConditionalSections and xmlParseMarkupDecl. It's not clear to me if this is recursive entity expansion (probably, that dafroot thing) or the parser getting wedged and not making any progress (xmlParseMarkupDecl has a switch statement which says errors will be detected "later" but I'm not sure when.)
,
Jan 31 2017
Here's a hand-minimized repro:

    <!DOCTYPE root [ <!ENTITY % a '<![INCLUDE[%a; <!DOCTYPE x [' > %a;

Sorry for not attaching this, I'm away from my desktop.
,
Feb 1 2017
I guess xmlInputPush or inputPush could record the reason for the input, and finding the entity already on the stack, report an error.
,
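The check proposed in the comment above (have the input stack record which entity each pushed input came from, and report an error when that entity is already on the stack) is illustrated by the following added example. It is editor-supplied code, not libxml2 code and not from anyone in this thread; xmlInputPush/inputPush are not modelled, and the names ent_stack_push, expand_entity, demo_recursive and demo_chain are hypothetical. The two sample entity tables are constructed: one is the self-referencing %a; from the hand-minimized repro, the other is a harmless chain a -> b -> c that the same check must let through.

```c
/* Added example (not libxml2 code): a toy parameter-entity expander whose
 * input stack records which entity each pushed input came from, and which
 * rejects a push when that entity is already on the stack. All names here
 * (ent_stack_push, expand_entity, demo_*) are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64   /* hard cap on nesting, for long non-recursive chains */

struct entity { const char *name; const char *value; };

/* Constructed sample: the hand-minimized repro from the thread, where %a;
 * appears inside its own replacement text. */
static const struct entity recursive_ents[] = {
    { "a", "<![INCLUDE[%a; <!DOCTYPE x [" },
};

/* Constructed sample: a legitimate chain a -> b -> c with no cycle. */
static const struct entity chain_ents[] = {
    { "a", "%b;" },
    { "b", "%c;" },
    { "c", "done" },
};

/* The "reason" each input was pushed: the name of the entity being expanded. */
static const char *ent_stack[MAX_DEPTH];
static int ent_depth = 0;

int ent_stack_depth(void) { return ent_depth; }

/* Returns 0 on success, -1 if `name` is already being expanded (a cycle)
 * or the nesting cap is reached. */
static int ent_stack_push(const char *name)
{
    for (int i = 0; i < ent_depth; i++)
        if (strcmp(ent_stack[i], name) == 0)
            return -1;              /* recursive entity reference */
    if (ent_depth >= MAX_DEPTH)
        return -1;                  /* too deeply nested */
    ent_stack[ent_depth++] = name;
    return 0;
}

static void ent_stack_pop(void)
{
    if (ent_depth > 0)
        ent_depth--;
}

static const struct entity *find_entity(const struct entity *ents, int n,
                                        const char *name, size_t len)
{
    for (int i = 0; i < n; i++)
        if (strlen(ents[i].name) == len && memcmp(ents[i].name, name, len) == 0)
            return &ents[i];
    return NULL;
}

/* Walk `text`, expanding each %name; reference. Counts expansions in *count.
 * Returns 0 on success, -1 once a recursive reference is detected. */
static int expand(const struct entity *ents, int n, const char *text, int *count)
{
    const char *p = text;
    while ((p = strchr(p, '%')) != NULL) {
        const char *end = strchr(p + 1, ';');
        if (end == NULL)
            break;
        const struct entity *e = find_entity(ents, n, p + 1, (size_t)(end - p - 1));
        p = end + 1;
        if (e == NULL)
            continue;               /* undeclared reference: ignored in this toy */
        if (ent_stack_push(e->name) != 0)
            return -1;
        (*count)++;
        int rc = expand(ents, n, e->value, count);
        ent_stack_pop();            /* always unwind, even on error */
        if (rc != 0)
            return -1;
    }
    return 0;
}

/* Expand a top-level %name; reference. Returns the number of expansions
 * performed, or -1 if the expansion would recurse. */
int expand_entity(const struct entity *ents, int n, const char *name)
{
    char ref[64];
    int count = 0;
    ent_depth = 0;
    snprintf(ref, sizeof ref, "%%%s;", name);
    return expand(ents, n, ref, &count) == 0 ? count : -1;
}

int demo_recursive(void) { return expand_entity(recursive_ents, 1, "a"); }
int demo_chain(void)     { return expand_entity(chain_ents, 3, "a"); }

int main(void)
{
    printf("recursive %%a; -> %d (expect -1)\n", demo_recursive());
    printf("chain a->b->c -> %d (expect 3)\n", demo_chain());
    return 0;
}
```

The stack-membership test catches both direct (%a; inside a) and indirect (a -> b -> a) cycles regardless of how much other markup sits between the references, which is what a per-element recursion counter misses. It does not by itself bound a long chain of distinct entities; that is what the separate MAX_DEPTH cap is for, and a real parser would also want a limit on total expanded size.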
May 2 2017
Bulk-WontFixing these bugs. This was a bug on ClusterFuzz side, see bug 717534. We will start seeing new testcases auto-filed in a day or two. We can't leave these open as ClusterFuzz won't autoverify them after ClusterFuzz-Wrong label.
,
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.