New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 624343 link

Starred by 1 user
Status: Verified
Owner:
groby@chromium.org
Last visit > 30 days ago
Closed: Dec 2016
Cc:
kcc@chromium.org
rouslan@chromium.org
mmoroz@chromium.org
infe...@chromium.org
och...@chromium.org
aizatsky@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in SuggestMgr::leftcommonsubstring

Project Member Reported by ClusterFuzz, Jun 29 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6645225435168768

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000091
Crash State:
  SuggestMgr::leftcommonsubstring
  SuggestMgr::ngsuggest
  Hunspell::suggest
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401846:401864

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DbYaxDUptpjqk3aYrHuR_7HtXSiWcEBAG5PbBVm7LZPB9hvPk5juMstAFwQIRyhFefvE-1z-Umj91iZttqlzKeeJvh5XdEfo9XS-u00S8unI1CkS_T-WnnZIR98d_bY28t-2leJtWA_seLhj6w_JvDNHtdg?testcase_id=6645225435168768

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by mmoroz@chromium.org, Jun 29 2016

Cc: mmoroz@chromium.org rouslan@chromium.org kcc@chromium.org aizatsky@chromium.org
Labels: Pri-1
Owner: groby@chromium.org
Looks like not a security issue (null-deref), but since we've just started to fuzz hunspell, I speculatively mark it as a Low Severity to keep it safe.

Looks like we are hitting this crash very quickly, would be nice to get it fixed and continue fuzzing with better coverage.
Project Member

Comment 2 by ClusterFuzz, Jun 29 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698042800537600

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000091
Crash State:
  SuggestMgr::leftcommonsubstring
  SuggestMgr::ngsuggest
  Hunspell::suggest
  

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94IzgJfuwDLUFDKESqvBjGWsaKnxlVWzFJQflAuzfqwB7dzqePKelmQukQeEMQdGksDHEVnrhC82S0QWteitSOM3sChUKH5rN3Cg9nSofcn2DK7kkGdkodi0MUYM2LbcbGQk9s9nnnQywTymX6P8GXUBmstmw?testcase_id=4698042800537600

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 3 by sheriffbot@chromium.org, Jun 29 2016

Labels: -Pri-1 Pri-2
Project Member

Comment 4 by sheriffbot@chromium.org, Jun 29 2016

Status: Assigned (was: Available)

Comment 5 by palmer@chromium.org, Jun 29 2016

Components: UI>Browser>Spellcheck
Labels: -OS-Linux M-53 OS-All
Project Member

Comment 6 by ClusterFuzz, Jun 30 2016 

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6645225435168768

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000091
Crash State:
  SuggestMgr::leftcommonsubstring
  SuggestMgr::ngsuggest
  Hunspell::suggest
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401846:401864

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94DbYaxDUptpjqk3aYrHuR_7HtXSiWcEBAG5PbBVm7LZPB9hvPk5juMstAFwQIRyhFefvE-1z-Umj91iZttqlzKeeJvh5XdEfo9XS-u00S8unI1CkS_T-WnnZIR98d_bY28t-2leJtWA_seLhj6w_JvDNHtdg?testcase_id=6645225435168768

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Jul 6 2016 

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698042800537600

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000091
Crash State:
  SuggestMgr::leftcommonsubstring
  SuggestMgr::ngsuggest
  Hunspell::suggest
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401846:401864

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94IzgJfuwDLUFDKESqvBjGWsaKnxlVWzFJQflAuzfqwB7dzqePKelmQukQeEMQdGksDHEVnrhC82S0QWteitSOM3sChUKH5rN3Cg9nSofcn2DK7kkGdkodi0MUYM2LbcbGQk9s9nnnQywTymX6P8GXUBmstmw?testcase_id=4698042800537600

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 21 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 9 by ClusterFuzz, Aug 27 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5849359910699008

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000091
Crash State:
  SuggestMgr::leftcommonsubstring
  SuggestMgr::ngsuggest
  Hunspell::suggest
  

Minimized Testcase (0.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ywQx0ZiiZoMc3GRJGX0f1E4a0fHr0y4I5WcMskmh5lsW7hsm6cDB6V11ZcURo37zB7j8y7JqtUJDJ_TvfliIZH68RnCsXZe6LLxhtvJvaekZB4UKlggqDUdMA6EM6vDzcfyqjNh5DmJcEPgQWgrG_ixxszA?testcase_id=5849359910699008

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Project Member

Comment 10 by sheriffbot@chromium.org, Sep 1 2016

Labels: -Security_Impact-Beta Security_Impact-Stable
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 13 2016

Labels: -M-53 M-54

Comment 12 by mmoroz@chromium.org, Nov 9 2016

Cc: och...@chromium.org infe...@chromium.org
Labels: -Pri-2 Pri-1
Any chance to fix this? Fuzzer almost always hits this crash and literally does nothing for the last 4 months.

Comment 13 by mmoroz@chromium.org, Nov 9 2016 

I'm not familiar with hunspell's codebase, but after a quick look it seems that global `csconv` pointer (https://cs.chromium.org/chromium/src/third_party/hunspell/src/hunspell/suggestmgr.hxx?sq=package:chromium&type=cs&rcl=1478665324&l=45)

is not initialized in some cases:

https://cs.chromium.org/chromium/src/third_party/hunspell/src/hunspell/suggestmgr.cxx?q=file:src/third_party/hunspell/src/hunspell/suggestmgr.cxx+csconv&sq=package:chromium&dr=C&l=128

but then it can be used anyway:

https://cs.chromium.org/chromium/src/third_party/hunspell/src/hunspell/suggestmgr.cxx?sq=package:chromium&type=cs&l=1998



Not sure if it is a bug or an incorrect usage (we do not initialize something?), but it shouldn't take much time for people familiar with hunspell.

I'd recommend to use some of recent CF reports (e.g. https://cluster-fuzz.appspot.com/v2/testcase-detail/5849359910699008) to reproduce.

Thanks in advance!
Project Member

Comment 14 by sheriffbot@chromium.org, Dec 2 2016

Labels: -M-54 M-55
Project Member

Comment 15 by ClusterFuzz, Dec 14 2016 

ClusterFuzz has detected this issue as fixed in range 438154:438196.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5849359910699008

Fuzzer: libfuzzer_hunspell_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000091
Crash State:
  SuggestMgr::leftcommonsubstring
  SuggestMgr::ngsuggest
  Hunspell::suggest
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=401846:401864
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=438154:438196

Minimized Testcase (0.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ywQx0ZiiZoMc3GRJGX0f1E4a0fHr0y4I5WcMskmh5lsW7hsm6cDB6V11ZcURo37zB7j8y7JqtUJDJ_TvfliIZH68RnCsXZe6LLxhtvJvaekZB4UKlggqDUdMA6EM6vDzcfyqjNh5DmJcEPgQWgrG_ixxszA?testcase_id=5849359910699008

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 16 by ClusterFuzz, Dec 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5849359910699008 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 17 by sheriffbot@chromium.org, Dec 15 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 18 by sheriffbot@chromium.org, Mar 23 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by lafo...@chromium.org, Apr 27 2017

Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck

Sign in to add a comment