Use-of-uninitialized-value in DetermineTextLanguage
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5194958088175616
Fuzzer: libfuzzer_language_detection_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  DetermineTextLanguage
  translate::DeterminePageLanguage
  LLVMFuzzerTestOneInput
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=391220:391272
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jUpD6g_a1eIlFX_F1vf_uSJf_GfmVjDtlAH5XKDOR425T1W7y1VarzuNKyNG7u_oAA7tgfP3f4fayCnsIC_ycs87s4FIQli4-S2AIsbCFFALiGCLZc-IyKmmtcZ-GVGQlO_6xcWiIci1XXBELvLXfqHnYSA
Filer: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 4 2016
May 4 2016
May 6 2016
May 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 10 2016
Empirically, this code is safe. The array isn't filled with zeroes or anything, but the CLD code fills in the language values before the check of the contents at line 107. Since it's just an equality check, this shouldn't be capable of causing a crash; the worst thing that could happen is that we'd identify the wrong language for translation. The change that caused the regression is rkaplow@'s: https://chromium.googlesource.com/chromium/src/+/80f25b767e1a4b060f085b82e32f016ea4db881e I think we can just initialize the array and this should go away.
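The pattern discussed in the comment above, as an added illustration that is not Chromium's or CLD's code: a detector that fills only as many result slots as it found, a caller that compares every slot, and the two ways of making that comparison well-defined. `DetectLanguages`, the `Language` enum, `kNumLanguages` and the three `IsReliable*` functions are all constructed for this example; the real CLD API and the real check at line 107 of language_detection_util.cc are not reproduced here.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Constructed stand-in for the detector's result codes (not CLD's real enum).
enum Language { kUnknownLanguage = 0, kEnglish = 1, kFrench = 2, kGerman = 3 };
constexpr size_t kNumLanguages = 3;

// Constructed toy detector: writes at most kNumLanguages results, but only as
// many as it actually found, and returns that count. Trailing slots are left
// untouched, which is what makes the caller's declaration matter.
size_t DetectLanguages(const std::string& text, Language* languages, int* scores) {
  size_t found = 0;
  if (text.find("the ") != std::string::npos) { languages[found] = kEnglish; scores[found] = 80; ++found; }
  if (text.find("le ") != std::string::npos)  { languages[found] = kFrench;  scores[found] = 60; ++found; }
  if (text.find("der ") != std::string::npos) { languages[found] = kGerman;  scores[found] = 50; ++found; }
  return found;
}

// "Before": arrays declared without initializers. Any slot the detector did
// not write holds indeterminate memory, and the equality check reads it.
// MemorySanitizer reports that read as use-of-uninitialized-value; without
// MSan the result is merely unreliable, never a memory-safety crash.
bool IsReliableBefore(const std::string& text, Language wanted) {
  Language languages[kNumLanguages];
  int scores[kNumLanguages];
  DetectLanguages(text, languages, scores);
  for (size_t i = 0; i < kNumLanguages; ++i)
    if (languages[i] == wanted) return true;
  return false;
}

// "After" (the fix the comment proposes): value-initialised arrays, so every
// slot starts as kUnknownLanguage / 0 and the same loop is well-defined.
// Caveat: the sentinel value is now a legitimate array content, so a caller
// asking for kUnknownLanguage will match an empty slot.
bool IsReliableAfter(const std::string& text, Language wanted) {
  Language languages[kNumLanguages] = {};
  int scores[kNumLanguages] = {};
  DetectLanguages(text, languages, scores);
  for (size_t i = 0; i < kNumLanguages; ++i)
    if (languages[i] == wanted) return true;
  return false;
}

// Stricter variant: initialise and also honour the detector's count, so the
// loop never looks at a slot the detector did not fill.
bool IsReliableBounded(const std::string& text, Language wanted) {
  Language languages[kNumLanguages] = {};
  int scores[kNumLanguages] = {};
  const size_t found = DetectLanguages(text, languages, scores);
  for (size_t i = 0; i < found; ++i)
    if (languages[i] == wanted) return true;
  return false;
}

int main() {
  // Constructed sample input; "the " triggers exactly one filled slot.
  const std::string text = "the cat sat";
  std::cout << "after:   " << IsReliableAfter(text, kGerman) << "\n";
  std::cout << "bounded: " << IsReliableBounded(text, kGerman) << "\n";
  // Under an MSan build this call is the one that produces the report.
  std::cout << "before:  " << IsReliableBefore(text, kGerman) << "\n";
  return 0;
}
```

Build with `clang++ -fsanitize=memory -g` to see the report land in `IsReliableBefore`; the other two functions stay silent under the same build. The bounded variant is the one to prefer when the API reports how many slots it filled, because zero-initialisation alone turns an uninitialized read into a silent sentinel match.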
May 10 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5843696548839424
Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  ==8==WARNING:
  translate::DeterminePageLanguage
  translate::TranslateHelper::PageCapturedImpl
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=391244:391280
Minimized Testcase (48.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96gbQD2KPGOy7jrGUu59mdG6iS-EQxaBGQWOadqZ4IQjW1xPdVKQXQCoG8HcE2dNwrm4r2g42ItXlWJdD6Dbpv-NWbsD0fqcuLvhxXJrCjfTPxh6-pG01HQjnWOFlZYfwjhbaUt2UsyUg3_4vce8-GlqI9c5FPGqPjtzJjzGuwGAM522L4
Additional requirements: Requires HTTP
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 10 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5843696548839424
Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  ==8==WARNING:
  translate::DeterminePageLanguage
  translate::TranslateHelper::PageCapturedImpl
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=391244:391280
Minimized Testcase (48.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96gbQD2KPGOy7jrGUu59mdG6iS-EQxaBGQWOadqZ4IQjW1xPdVKQXQCoG8HcE2dNwrm4r2g42ItXlWJdD6Dbpv-NWbsD0fqcuLvhxXJrCjfTPxh6-pG01HQjnWOFlZYfwjhbaUt2UsyUg3_4vce8-GlqI9c5FPGqPjtzJjzGuwGAM522L4
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 10 2016
May 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/875061e4f515021649992139a8eb0a85104b13ad
commit 875061e4f515021649992139a8eb0a85104b13ad
Author: andrewhayden <andrewhayden@chromium.org>
Date: Wed May 11 07:26:48 2016
Initialize CLD score/language arrays prior to use, for pedantic safety.
BUG=609097
Review-Url: https://codereview.chromium.org/1964823003
Cr-Commit-Position: refs/heads/master@{#392872}
[modify] https://crrev.com/875061e4f515021649992139a8eb0a85104b13ad/components/translate/core/language_detection/language_detection_util.cc
May 11 2016
This should now be fixed.
May 11 2016
May 11 2016
May 13 2016
ClusterFuzz has detected this issue as fixed in range 392626:393388.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5194958088175616
Fuzzer: libfuzzer_language_detection_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  DetermineTextLanguage
  translate::DeterminePageLanguage
  LLVMFuzzerTestOneInput
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=391220:391272
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=392626:393388
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jUpD6g_a1eIlFX_F1vf_uSJf_GfmVjDtlAH5XKDOR425T1W7y1VarzuNKyNG7u_oAA7tgfP3f4fayCnsIC_ycs87s4FIQli4-S2AIsbCFFALiGCLZc-IyKmmtcZ-GVGQlO_6xcWiIci1XXBELvLXfqHnYSA
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 17 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Apr 27 2017
Comment 1 by mmoroz@chromium.org, May 4 2016
Owner: andrewhayden@chromium.org