Issue metadata
Sign in to add a comment
|
SIGSEGV, RIP = 0x0 |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6010908929425408 Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000000 Crash State: NULL Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435 Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94kr3nDIpNuy5kcj62hBUmNeQoe9sl7yfCMrGWqYT9ll3sstc4444_GC1kkZJL13GHvOfAZNxcLaLTVZpcF5H76wPxWUzR0SuuKqX_hSNsJKPdVOqRECc-HFJd3kmbZVehcy5Ym6O1LHWju9WI-QCrnsaFCNQ Filer: mmoroz See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Jun 17 2016
,
Jun 17 2016
,
Jun 17 2016
,
Jun 17 2016
(over to libvpx team)
,
Jun 18 2016
,
Jun 18 2016
,
Jun 21 2016
,
Jun 21 2016
I've identified the root cause inside libvpx. Working on a fix upstream. Will update the details here when the upstream fix lands.
,
Jun 22 2016
,
Jun 23 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/aa1c813c43c6b2e43036d5573f361924195d65b7 commit aa1c813c43c6b2e43036d5573f361924195d65b7 Author: Vignesh Venkatasubramanian <vigneshv@google.com> Date: Wed Jun 22 17:24:27 2016 vp9: Fix potential SEGV in decoder_peek_si_internal decoder_peek_si_internal could potentially read more bytes than what actually exists in the input buffer. We check for the buffer size to be at least 8, but we try to read up to 10 bytes in the worst case. A well crafted file could thus cause a segfault. Likely change that introduced this bug was: https://chromium-review.googlesource.com/#/c/70439 (git hash: 7c43fb6) BUG= chromium:621095 Change-Id: Id74880cfdded44caaa45bbdbaac859c09d3db752 [modify] https://crrev.com/aa1c813c43c6b2e43036d5573f361924195d65b7/vp9/vp9_dx_iface.c [modify] https://crrev.com/aa1c813c43c6b2e43036d5573f361924195d65b7/test/decode_api_test.cc
,
Jun 23 2016
This has been fixed upstream and i've verified locally that this patch indeed fixes the underlying SEGV. The next libvpx roll should pick this up. Unless we want to roll just to pick this up. Dale, wdyt?
,
Jun 23 2016
It's sec-sev-high, so I think you should roll it and merge it as far back as possible.
,
Jun 23 2016
Ok, i will do a roll and will ping you if i need help with the merging back.
,
Jun 23 2016
How to cherry-pick for libvpx: https://docs.google.com/document/d/1BOvTg_JaXdTnk1kt2ywfKEuVQbaUzlh8s4FPkzZO9mA/edit let me know if you run into any issues. Would be good to see how clear that doc is though.
,
Jun 27 2016
The buildspec files look like they have finally moved to git which invalidates the procedure. I'll take care of rolling this to M52. Hopefully the change lands ~soon today and I'll set up a cherry pick later this week.
,
Jun 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a commit f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a Author: vigneshv <vigneshv@chromium.org> Date: Mon Jun 27 19:18:17 2016 https://chromium.googlesource.com/webm/libvpx.git/+log/243029faff45..1c0a9f36f15a $ git log 243029faf..1c0a9f36f --date=short --no-merges --format='%ad %ae %s' 2016-06-25 jzern vp9_pickmode: revert rd modeling change for hbd 2016-06-25 jzern Revert "Update vpx subpixel 1d filter ssse3 asm" 2016-06-24 jackychen vp9: Code clean, move low temp var logic out of choose_partitioning. 2016-06-24 jackychen vp9: Change the scheme for modeling rd for bsize 32x32. 2016-06-24 marpan vp9-svc: Remove some unneeded code/comment. 2016-06-22 yuryg cosmetics: Beautify whitespaces and line wrapping 2016-06-22 yuryg cosmetics: Change few types to their posix version 2016-06-24 yuryg cosmetics: Make few conditions clearer 2016-06-23 yaowu Rationalize type to avoid integer out of range 2016-06-23 jzern datarate_test,DatarateTestLarge: normalize bits type 2016-06-23 jzern Revert "vp9: Change the scheme for modeling rd for bsize 32x32." 2016-06-23 johannkoenig configure: clean up var style and set_all usage 2016-06-22 vigneshv vp9: Fix potential SEGV in decoder_peek_si_internal 2016-06-22 johannkoenig Fail early when android target does not include --sdk-path 2016-06-22 johannkoenig vp8 machine setup: mark unused variable 2016-06-22 johannkoenig vp8 realtime encoder: mark unused variable 2016-06-22 johannkoenig vp8 error concealment: remove unused variables 2016-06-22 aconverse vpx_lpf_horizontal_4_sse2: Remove dead load. 2016-06-21 angiebird set interp_filter to SWITCHABLE_FILTER for intra block 2016-06-22 johannkoenig Add default flags for arm64/armv8 builds (...) BUG= 621095 Review-Url: https://codereview.chromium.org/2091483005 Cr-Commit-Position: refs/heads/master@{#402252} [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/DEPS [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/README.chromium [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm-neon-cpu-detect/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm-neon-cpu-detect/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm-neon/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm-neon/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm64/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/arm64/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/generic/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/generic/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/ia32/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/ia32/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/mips64el/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/mipsel/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/x64/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/linux/x64/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/mac/ia32/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/mac/ia32/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/mac/x64/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/mac/x64/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/nacl/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/nacl/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/vpx_version.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/win/ia32/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/win/ia32/vpx_config.h [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/win/x64/vpx_config.asm [modify] https://crrev.com/f7a16f12bcfd7d079ae3b5a5deaeffad21b3740a/third_party/libvpx/source/config/win/x64/vpx_config.h
,
Jun 27 2016
** IMPORTANT change in M52 merge date due to first 2 weeks of July no release weeks ** M52 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on July 1 to make into the desktop Stable final build cut. Thank you!
,
Jun 28 2016
ClusterFuzz has detected this issue as fixed in range 402149:402292. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6010908929425408 Fuzzer: libfuzzer_media_vpx_video_decoder_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000000 Crash State: NULL Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=392685:393435 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=402149:402292 Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94kr3nDIpNuy5kcj62hBUmNeQoe9sl7yfCMrGWqYT9ll3sstc4444_GC1kkZJL13GHvOfAZNxcLaLTVZpcF5H76wPxWUzR0SuuKqX_hSNsJKPdVOqRECc-HFJd3kmbZVehcy5Ym6O1LHWju9WI-QCrnsaFCNQ?testcase_id=6010908929425408 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 28 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 28 2016
,
Jun 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/webm/libvpx/+/240f8e56e4039e7c3911bf7bfceef3e349190b55 commit 240f8e56e4039e7c3911bf7bfceef3e349190b55 Author: Johann <johannkoenig@google.com> Date: Tue Jun 28 23:40:03 2016 vp9: Fix potential SEGV in decoder_peek_si_internal decoder_peek_si_internal could potentially read more bytes than what actually exists in the input buffer. We check for the buffer size to be at least 8, but we try to read up to 10 bytes in the worst case. A well crafted file could thus cause a segfault. Likely change that introduced this bug was: https://chromium-review.googlesource.com/#/c/70439 (git hash: 7c43fb6) BUG= chromium:621095 (cherry picked from commit aa1c813c43c6b2e43036d5573f361924195d65b7) Change-Id: Id74880cfdded44caaa45bbdbaac859c09d3db752 [modify] https://crrev.com/240f8e56e4039e7c3911bf7bfceef3e349190b55/vp9/vp9_dx_iface.c [modify] https://crrev.com/240f8e56e4039e7c3911bf7bfceef3e349190b55/test/decode_api_test.cc
,
Jun 29 2016
This is tagged M52 but is it merge-approved? I can't upload a change for review to https://chrome-internal.googlesource.com/chrome/tools/buildspec buildspec$ git cl upload Using 50% similarity for rename/copy detection. Override with --similarity. Command "git config rietveld.server" failed. Could not find settings file. You must configure your review setup by running "git cl config". should I merge via SVN? svn://svn.chromium.org/chrome/branches/2743
,
Jun 29 2016
,
Jun 30 2016
Ping. Should I merge this?
,
Jun 30 2016
I think script is broken, ping tpm via go/chromeschedule
,
Jun 30 2016
CC'd tpm
,
Jun 30 2016
,
Jun 30 2016
Before we approve merge to M52, Could you please confirm whether this change is baked/verified in Canary and safe to merge?
,
Jun 30 2016
It landed in HEAD as part of https://bugs.chromium.org/p/chromium/issues/detail?id=621095#c18 and was verified by clusterfuzz in https://bugs.chromium.org/p/chromium/issues/detail?id=621095#c20 I made a cherry pick to the upstream branch in https://bugs.chromium.org/p/chromium/issues/detail?id=621095#c23 so that it doesn't have to take all the extra stuff that got rolled in c18.
,
Jun 30 2016
Approving merge to M52 branch 2743 based on comment #31.
,
Jun 30 2016
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/2176ce60c4924649318705ab53ad791b0055bfdc commit 2176ce60c4924649318705ab53ad791b0055bfdc Author: Johann <johannkoenig@google.com> Date: Thu Jun 30 18:34:32 2016
,
Jul 4 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 7 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 7 2016
It looks like Johann merged this change to M52 [1]. [1] https://chromereviews.googleplex.com/464647013/
,
Jul 7 2016
Monorail won't let me remove the 'merge-approved' label. Trying if taking over the bug works.
,
Jul 7 2016
I still am not able to remove the 'Merge-Approved' labels. Can someone help?
,
Jul 8 2016
Removing 'Merge-Approved' labels.
,
Oct 4 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmoroz@chromium.org
, Jun 17 2016Labels: Pri-1
Owner: dalecur...@chromium.org
Summary: SIGSEGV, RIP = 0x0 (was: NO STACK)