
Issue 616698

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Blocked on:
issue 616040

Blocking:
issue 620679




Use-of-uninitialized-value in xmlDictLookup

Project Member Reported by ClusterFuzz, Jun 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5493011496828928

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  xmlDictLookup
  xmlParseNameComplex
  xmlParseName
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97cBK9uB3dlnFB9n1ohNyzUBklXa3l5TWCrTWD5aBBdCqjw72fiXlqgQ2AbQNefG0KL9lzn2g__zurk3SLHftr1G6Rcy4byVt97kFIiCfVnoLVPXwtlnwBQTP-ynjm-1alnz9tuOmfS0XrOLS0ZWz5XlpbcUw
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
<!ENTent ref="b�:b>r.B"/>				
e		</


Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Blockedon: 616040
Cc: mmoroz@chromium.org kcc@chromium.org ail@google.com aizatsky@chromium.org ddkil...@apple.com mruhstaller@google.com
Components: Blink>XML
Labels: Pri-2
Owner: dominicc@chromium.org
Reproducer attached.


fuzz-2-libxml_xml_read_memory_fuzzer
624 bytes
Cc: dan...@veillard.com
I've tried to file the same bug at https://bugzilla.gnome.org/enter_bug.cgi?product=libxml2, but haven't found how to file a non-public bug.

Source code to reproduce: https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc

Should be built with MSan: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md#Reproducing-MSan-bugs

Project Member

Comment 3 by ClusterFuzz, Jun 2 2016

Status: Assigned (was: Available)
Project Member

Comment 4 by sheriffbot@chromium.org, Jun 2 2016

Labels: -Pri-2 Pri-1

Comment 5 by f...@chromium.org, Jun 3 2016

Labels: M-51
Project Member

Comment 6 by sheriffbot@chromium.org, Jun 16 2016

dominicc: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by ddkil...@apple.com, Jun 16 2016

I filed a protected bug on bugzilla.gnome.org:

Bug 767734: Use-of-uninitialized-value in xmlDictLookup
<https://bugzilla.gnome.org/show_bug.cgi?id=767734>

Status: Started (was: Assigned)
Taking a look.

Comment 9 by ddkil...@apple.com, Jun 24 2016

> Reproducer attached.

Max, I don't think this attachment in Comment #1 is the same test case from Comment #0.

I can't get an MSan crash to reproduce on libxml2 v2.9.4 from upstream master with the attachment from Comment #1, but I can when I copy-paste the text above to create crbug-616698-MSan-fuzz-2-libxml_xml_read_memory_fuzzer.xml (attached).

crbug-616698-MSan-fuzz-2-libxml_xml_read_memory_fuzzer.xml
349 bytes

Comment 10 by ddkil...@apple.com, Jun 24 2016

After reproducing with the attachment from Comment #9, I discovered that applying the patch for GNOME Bug 766956 also fixes this issue.

Bug 766956: Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=766956>

I've duped GNOME Bug 767734 (which was filed for this issue) to Bug 766956.

Project Member

Comment 11 by ClusterFuzz, Jun 27 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5493011496828928

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  xmlDictLookup
  xmlParseNameComplex
  xmlParseName
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95LJ4k9ZK8jxosjbc8zeGsaXLdQHuz_1Efy6v3UGmqYx39OOWPtE76YeCaWo17TG3L9-baC3DSbLl-vPnP6vuX6LifObRZeX5SOzFzKPiD-rv4QBYt9sQaZosfm1wZfrmR0kW-nJzDkIBQHfSvlqEVWkV3Jgg?testcase_id=5493011496828928
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
<!ENTent ref="b�:b>r.B"/>				
e		</


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
David, you are right, I've downloaded the wrong file (looks like I've mixed them up due to a collision of names), sorry about that.

Attaching the correct reproducer, though it probably doesn't matter since you've got it from the issue description.
fuzz-2-libxml_xml_read_memory_fuzzer
349 bytes
Project Member

Comment 13 by ClusterFuzz, Jun 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5409264688693248

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  xmlDictLookup
  xmlParseNameComplex
  xmlParseName
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95jDzKaP_97R12Bazf7KwKwrx5SnfjD09dzRqJe2PUFcz25TaBZ1QD_A-OnfifjkauKTsLdXIYzRajbyEkdLHCLB_yKjIk5AYkt62IeO3YAWzrJRO9H1jolSoWATvbK3w-oJvoQ6KKK64DFPLw_6ZNMNAXRtA?testcase_id=5409264688693248
 <?h?><!DOCTYPEt[<!ELEMENT : (A)><!ENTITY % xx '&#09;<![INCLUDE[<?xml??;
<!DOCTYPE:[<?xm?><!ATTLIST
:
xmljs:schema
ID	"i"	xmlnsNO&#3000;000&#37;z;'><!ENTITYz>%xx;TANNITO:: ID


Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 14 by sheriffbot@chromium.org, Jul 21 2016

Labels: -M-51 M-52
Project Member

Comment 15 by ClusterFuzz, Jul 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4556820375142400

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  xmlDictLookup
  xmlParseNameComplex
  xmlParseName
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794

Minimized Testcase (2.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97hlVk8Q9uy5cz20qvBibX12uutqgvsBSfEo8YUIsxC759wYlPM1uzhb-gsZKL3EyEqDbmsVY73eTtseRG1471sT2YV0HM2QDoHP4hR4aH0IQz47p3eaHl4NTKZAN2bzrKFojt2Wz7F-9c00aRvXA3Q01VqoQ?testcase_id=4556820375142400

Filer: tanin

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
dominicc: any updates here? Thanks!
Status: Available (was: Started)
I haven't got to this one yet, sorry. Next week.
Project Member

Comment 18 by sheriffbot@chromium.org, Aug 8 2016

Status: Assigned (was: Available)
Project Member

Comment 19 by ClusterFuzz, Aug 9 2016

ClusterFuzz has detected this issue as fixed in range 410288:410335.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4556820375142400

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  xmlDictLookup
  xmlParseNameComplex
  xmlParseName
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=395689:395794
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=410288:410335

Minimized Testcase (2.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97hlVk8Q9uy5cz20qvBibX12uutqgvsBSfEo8YUIsxC759wYlPM1uzhb-gsZKL3EyEqDbmsVY73eTtseRG1471sT2YV0HM2QDoHP4hR4aH0IQz47p3eaHl4NTKZAN2bzrKFojt2Wz7F-9c00aRvXA3Q01VqoQ?testcase_id=4556820375142400

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 20 by sheriffbot@chromium.org, Aug 22 2016

dominicc: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 21 by sheriffbot@chromium.org, Sep 1 2016

Labels: -M-52 M-53
Do we know if this is really fixed or not?  Thanks!
This issue is not fixed yet.  As mentioned in Comment #10, this issue will be fixed by:

Bug 766956: Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=766956>

I just posted a patch to the bug that fixes the issue.

Can we apply the patch in Chromium or should we wait? If we can, dominicc@, would you mind taking a look?

Comment 25 by ddkil...@apple.com, Oct 11 2016

> Can we apply the patch in Chromium or should we wait? If we can, dominicc@, would you mind taking a look?

You can apply the fix now.  The fix has already shipped to Apple OSes; I was unable to post a patch until recently, which is why I described the fix in English first.

Thanks David for keeping us posted!
Status: Started (was: Assigned)
I'll take a look Wednesday.
Blocking: 620679
Project Member

Comment 29 by sheriffbot@chromium.org, Oct 13 2016

Labels: -M-53 M-54
Friendly ping from the security sheriff. dominicc, do you have any updates on this? Thanks!
No update. I'm travelling next week, I will try to work on this though.
This is top of stack now, working on this.

Comment 33 by ddkil...@apple.com, Nov 30 2016

> This is top of stack now, working on this.

Reminder: Please review the patch attached to this upstream bug as I believe it fixes this issue:

Bug 766956: Heap Out-of-bound read and UAF in xmlDictComputeFastKey from xmlParseNameComplex
<https://bugzilla.gnome.org/show_bug.cgi?id=766956>

Thanks ddkilzer I will take a look.

Security ppl, halp? I'm having trouble building msan this morning:

[2234/25485] ACTION //third_party/instrumented_...ed_libraries(//build/toolchain/linux:clang_x64)
FAILED: obj/third_party/instrumented_libraries/msan-chained-origins.txt 
python ../../third_party/instrumented_libraries/scripts/unpack_binaries.py msan-chained-origins /usr/local/google/work/ca/src/third_party/instrumented_libraries/binaries /usr/local/google/work/ca/src/out/msan/instrumented_libraries_prebuilt obj/third_party/instrumented_libraries
tar (child): /usr/local/google/work/ca/src/third_party/instrumented_libraries/binaries/msan-chained-origins-trusty.tgz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
Traceback (most recent call last):
  File "../../third_party/instrumented_libraries/scripts/unpack_binaries.py", line 42, in <module>
    sys.exit(main(*sys.argv[1:]))
  File "../../third_party/instrumented_libraries/scripts/unpack_binaries.py", line 29, in main
    target_dir])
  File "/usr/lib/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['tar', '-zxf', '/usr/local/google/work/ca/src/third_party/instrumented_libraries/binaries/msan-chained-origins-trusty.tgz', '-C', '/usr/local/google/work/ca/src/out/msan/instrumented_libraries_prebuilt']' returned non-zero exit status 2
[2283/25485] CC obj/third_party/ffmpeg/ffmpeg_internal/h264qpel.o
ninja: build stopped: subcommand failed.

With these gn options:

is_debug=false
use_libfuzzer=true
is_msan=true
msan_track_origins=2
use_prebuilt_instrumented_libraries=true
enable_nacl=false
proprietary_codecs=true
ffmpeg_branding="ChromeOS"

Comment 35 by mmoroz@google.com, Dec 1 2016

The error doesn't seem to be libFuzzer-specific. Just to be sure, did you run gclient sync && gclient runhooks?

I've just used the gn options listed in c#34 and successfully built libxml_xml_read_memory_fuzzer. Which target are you trying to build?


Comment 36 by mmoroz@google.com, Dec 1 2016

I've tried to build chrome with those parameters and it worked as well. I think that gclient runhooks can be the issue, since third_party/instrumented_libraries/binaries/msan-chained-origins-trusty.tgz doesn't exist on your machine.
Thanks--working now!

It seems that runhooks is not enough. You have to do runhooks, *and then edit gn args even if you're not changing them* and then build. I guess there's some dependency problem here?
Hm! Editing 'gn args' invokes 'gn gen' then, maybe that's the last step...
Project Member

Comment 39 by sheriffbot@chromium.org, Dec 2 2016

Labels: -M-54 M-55
Status: WontFix (was: Started)
I can't reproduce any of these at r440736. Here's the history, if you can sanity check me:

 2113  [2016-12-28 11:34:41 +0900] GYP_DEFINES='msan=1 use_prebuilt_instrumented_libraries=1' gclient sync
 2114  [2016-12-28 11:35:03 +0900] git branch
 2115  [2016-12-28 11:36:20 +0900] gn gen out/libfuzzer '--args=is_debug=false use_libfuzzer=true is_msan=true msan_track_origins=2 use_prebuilt_instrumented_libraries=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"'
 2116  [2016-12-28 11:36:42 +0900] ninja -C out/libfuzzer libfuzzer_libxml_xml_read_memory_fuzzer
 2117  [2016-12-28 11:36:48 +0900] ninja -C out/libfuzzer libxml_xml_read_memory_fuzzer
 2118  [2016-12-28 11:37:54 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ../../repros/cr616698/fuzz-2-libxml_xml_read_memory_fuzzer 
 2119  [2016-12-28 11:38:56 +0900] mv ~/Downloads/fuzz-1-libxml_xml_read_memory_fuzzer ../../repros/cr616698
 2120  [2016-12-28 11:39:03 +0900] cat ../../repros/cr616698/fuzz-1-libxml_xml_read_memory_fuzzer 
 2121  [2016-12-28 11:39:13 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ../../repros/cr616698/fuzz-1-libxml_xml_read_memory_fuzzer 
 2122  [2016-12-28 11:39:37 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer (elided)/repros/cr616698/fuzz-1-libxml_xml_read_memory_fuzzer 
 2123  [2016-12-28 11:41:12 +0900] mv ~/Downloads/fuzz-3-libxml_xml_read_memory_fuzzer ../../repros/cr616698
 2124  [2016-12-28 11:41:21 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer (elided)/repros/cr616698/fuzz-3-libxml_xml_read_memory_fuzzer 

None of these repro; they just produce output like this:

INFO: Seed: 1998960503
INFO: Loaded 0 modules (0 guards): 
out/libfuzzer/libxml_xml_read_memory_fuzzer: Running 1 inputs 1 time(s) each.
Running: (elided)/repros/cr616698/fuzz-3-libxml_xml_read_memory_fuzzer
Executed (elided)/repros/cr616698/fuzz-3-libxml_xml_read_memory_fuzzer in 19 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

Status: Assigned (was: WontFix)
Hmmm, all reproducible CF reports linked here are marked as Fixed, but one report (https://cluster-fuzz.appspot.com/v2/testcase-detail/5493011496828928?noredirect=1) still looks unfixed.

When I'm trying to reproduce it the same way as you did, it is not reproducible. However, if I add the `-runs=2` argument (ClusterFuzz uses `-runs=100`), it crashes.

If you don't mind, I'm re-opening the issue for further investigation...


$ out/msan/libxml_xml_read_memory_fuzzer ./5493011496828928 -runs=1
INFO: Seed: 1507313532
INFO: Loaded 0 modules (0 guards): 
<...>/out/msan/libxml_xml_read_memory_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./5493011496828928
Executed ./5493011496828928 in 92 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***



$ out/msan/libxml_xml_read_memory_fuzzer ./5493011496828928 -runs=2
INFO: Seed: 3070330750
INFO: Loaded 0 modules (0 guards): 
<...>/out/msan/libxml_xml_read_memory_fuzzer: Running 1 inputs 2 time(s) each.
Running: ./5493011496828928
==63358==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x75dc2a in xmlDictLookup third_party/libxml/src/dict.c:853:25
    #1 0x547c66 in xmlParseNameComplex third_party/libxml/src/parser.c
    #2 0x5307a0 in xmlParseName third_party/libxml/src/parser.c:3493:12
    #3 0x59963c in xmlParsePEReference third_party/libxml/src/parser.c:8074:12
    #4 0x59df3f in xmlParseConditionalSections third_party/libxml/src/parser.c:6861:3
    #5 0x59dad3 in xmlParseConditionalSections third_party/libxml/src/parser.c:6857:3
    #6 0x598b6d in xmlParseMarkupDecl third_party/libxml/src/parser.c:7045:6
    #7 0x5e00b3 in xmlParseInternalSubset third_party/libxml/src/parser.c:8490:6
    #8 0x5dd13a in xmlParseDocument third_party/libxml/src/parser.c:10938:6
    #9 0x5e9dc7 in xmlDoRead third_party/libxml/src/parser.c:15449:5
    #10 0x5ea564 in xmlReadMemory third_party/libxml/src/parser.c:15535:13
    #11 0x48bd72 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
    #12 0x4badef in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:539:13
    #13 0x4bb5d7 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:490:3
    #14 0x48d595 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:267:6
    #15 0x4925ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:484:9
    #16 0x4c96f0 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #17 0x7f09eb4c3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #18 0x41f8dc in _start (/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/msan/libxml_xml_read_memory_fuzzer+0x41f8dc)

  Uninitialized value was created by a heap allocation
    #0 0x446256 in __interceptor_malloc (/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/msan/libxml_xml_read_memory_fuzzer+0x446256)
    #1 0x785fd3 in xmlHashCreate third_party/libxml/src/hash.c:180:13
    #2 0x78649f in xmlHashCreateDict third_party/libxml/src/hash.c:211:13
    #3 0x687a65 in xmlAddElementDecl third_party/libxml/src/valid.c:1453:17
    #4 0x7175a0 in xmlSAX2ElementDecl third_party/libxml/src/SAX2.c:819:16
    #5 0x596fd6 in xmlParseElementDecl third_party/libxml/src/parser.c:6791:10
    #6 0x598d82 in xmlParseMarkupDecl third_party/libxml/src/parser.c:7003:4
    #7 0x5e00b3 in xmlParseInternalSubset third_party/libxml/src/parser.c:8490:6
    #8 0x5dd13a in xmlParseDocument third_party/libxml/src/parser.c:10938:6
    #9 0x5e9dc7 in xmlDoRead third_party/libxml/src/parser.c:15449:5
    #10 0x5ea564 in xmlReadMemory third_party/libxml/src/parser.c:15535:13
    #11 0x48bd72 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
    #12 0x4badef in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:539:13
    #13 0x4bb5d7 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:490:3
    #14 0x48d595 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:267:6
    #15 0x4925ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:484:9
    #16 0x4c96f0 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #17 0x7f09eb4c3f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/libxml/src/dict.c:853:25 in xmlDictLookup
Exiting
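The point of the two runs above is that this finding only surfaces when the same input is executed more than once in one process, so a single `-runs=1` execution gives a false "no repro". The script below is an added example (not code from this thread, Chromium or libxml2) that sweeps `-runs=` values for a testcase and reports the smallest one that produces a sanitizer report; `fake_fuzzer` is a constructed stand-in for the real `libxml_xml_read_memory_fuzzer` binary so the script runs without a build.

```shell
#!/bin/sh
# Added example: find the smallest libFuzzer -runs= value that reproduces a
# testcase. Replace fake_fuzzer with the path of the MSan-built fuzzer binary
# and /dev/null with the testcase path to use it against a real build.

# Execute $1 on testcase $2 with -runs=$3; return 0 if a sanitizer report appears.
# The report text on stderr is the signal, not the exit status: libFuzzer can
# exit nonzero for unrelated reasons, and MSan may be told not to halt.
repro_with_runs() {
    fuzzer="$1"; testcase="$2"; runs="$3"
    out="$("$fuzzer" "$testcase" "-runs=$runs" 2>&1)" || true
    printf '%s\n' "$out" | grep -E -q \
        'MemorySanitizer: use-of-uninitialized-value|ERROR: (Address|Memory|Undefined)Sanitizer'
}

# Print the smallest value from the ladder 1, 2, 10, 100 that reproduces
# (100 is the value ClusterFuzz itself uses), or "none"; return 1 if none does.
min_runs_to_repro() {
    fuzzer="$1"; testcase="$2"
    for n in 1 2 10 100; do
        if repro_with_runs "$fuzzer" "$testcase" "$n"; then
            echo "$n"
            return 0
        fi
    done
    echo none
    return 1
}

# Constructed stand-in for the fuzzer binary: prints a libFuzzer-style banner
# and emits an MSan report only when asked to execute the input two or more
# times, mirroring what the real binary did in the comment above.
fake_fuzzer() {
    runs_arg=1
    for arg in "$@"; do
        case "$arg" in -runs=*) runs_arg="${arg#-runs=}" ;; esac
    done
    echo "INFO: Running 1 inputs $runs_arg time(s) each."
    if [ "$runs_arg" -ge 2 ]; then
        echo "SUMMARY: MemorySanitizer: use-of-uninitialized-value in xmlDictLookup" >&2
    fi
    return 0
}

# Stand-alone demo against the stand-in; expected output is "2".
echo "smallest reproducing -runs value: $(min_runs_to_repro fake_fuzzer /dev/null)"
```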

I cannot reproduce this at r443167.

Here's what I tried:

 2049  [2017-01-12 16:33:37 +0900] GYP_DEFINES='msan=1 use_prebuilt_instrumented_libraries=1' gclient sync
 2050  [2017-01-12 16:35:01 +0900] $ gn gen out/libfuzzer '--args=is_debug=false use_libfuzzer=true is_msan=true msan_track_origins=2 use_prebuilt_instrumented_libraries=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"'
 2051  [2017-01-12 16:35:06 +0900] gn gen out/libfuzzer '--args=is_debug=false use_libfuzzer=true is_msan=true msan_track_origins=2 use_prebuilt_instrumented_libraries=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"'
 2052  [2017-01-12 16:35:36 +0900] ninja -C out/libfuzzer libxml_xml_read_memory_fuzzer
 2053  [2017-01-12 16:36:27 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer --runs=1
 2054  [2017-01-12 16:36:33 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer --runs=2
 2055  [2017-01-12 16:36:39 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer -runs=2
 2056  [2017-01-12 16:36:57 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer -runs=100
 2057  [2017-01-12 16:37:24 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer\ \(1\) -runs=100
 2058  [2017-01-12 16:38:14 +0900] git log
 2059  [2017-01-12 16:38:49 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer\ \(1\) -runs=1
 2060  [2017-01-12 16:38:50 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer\ \(1\) -runs=2
 2061  [2017-01-12 16:38:52 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer\ \(1\) -runs=1000
 2062  [2017-01-12 16:38:54 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer\ \(1\) -runs=10000
 2063  [2017-01-12 16:39:05 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer -runs=10000
 2064  [2017-01-12 16:39:13 +0900] out/libfuzzer/libxml_xml_read_memory_fuzzer ~/Downloads/fuzz-2-libxml_xml_read_memory_fuzzer -runs=2

"... (1)" is the unminimized testcase from the bug.

Halp? Could you tell me which revision you're synced to, and/or try r443167?
To be honest, I don't know which revision I used, but it should be something from the 28th of Dec. I still have that build on my machine, so if you know how to determine the revision from the binaries or gn/ninja files, I can extract an exact number.

I've just tried r443167 and it doesn't reproduce anymore. Could any of the recent fixes resolve this problem also?

I've clicked "redo fixed" job on CF to force it to verify, but anyway I believe we can close it now.

Project Member

Comment 44 by ClusterFuzz, Jan 12 2017

ClusterFuzz has detected this issue as fixed in range 442469:442524.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5493011496828928

Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  xmlDictLookup
  xmlParseNameComplex
  xmlParseName
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=442469:442524

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95LJ4k9ZK8jxosjbc8zeGsaXLdQHuz_1Efy6v3UGmqYx39OOWPtE76YeCaWo17TG3L9-baC3DSbLl-vPnP6vuX6LifObRZeX5SOzFzKPiD-rv4QBYt9sQaZosfm1wZfrmR0kW-nJzDkIBQHfSvlqEVWkV3Jgg?testcase_id=5493011496828928
<?xmh ven="1.0"?>
<!DOCTYPE test [
<!ELEMENT test (#PCDATA) >
<!ENTITY % xx '&#37;zz;
<![INCLUDE[
&#37;zz;<![INCLUDE[&#37;MENT&#37;MENTD&#377;MENTD&#37;zNMT9KENSMYSYSTEM;MENT9&#37;zz;'>
<!ENTITY % zz '&#60;!ENTITY<?xDOCTYPEm~?>' >
%xx;�ggKENSMYNT&#35;MENTD&#372zz;'>
<!ENBITY % zz '&#60;!EN#3&##37;z ';!EY'#x;g
<!ENTent ref="b�:b>r.B"/>				
e		</


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
The only likely candidate is Issue 620679.
Status: Fixed (was: Assigned)
Project Member

Comment 47 by sheriffbot@chromium.org, Jan 13 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 48 by sheriffbot@chromium.org, Apr 21 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
