New issue
Advanced search Search tips

Issue 627355 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in _platform_memmove$VARIANT$Nehalem

Project Member Reported by ClusterFuzz, Jul 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100230152126464

Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x61500020b500
Crash State:
  _platform_memmove$VARIANT$Nehalem
  safe_browsing::dmg::UDIFBlockChunkReadStream::Read
  safe_browsing::dmg::UDIFPartitionReadStream::Read
  
Recommended Security Severity: Medium


Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95_D4HOedfMljEmWke5VVJ-WS8aC2PhKA2TAFO4pwjnEqWS-0fNj17RdqsY0GLgX_0E75io43XhoR4pQ9oR2dxdX2mwVRobNjx2SRfSYsWZ08kD6YdAvK47vAlMMTn7hsS7zDSQC1D4xVUP8vRhmFt6apd_YA?testcase_id=6100230152126464


Filer: ochang

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by och...@chromium.org, Jul 12 2016

Cc: mmoroz@chromium.org
Labels: -Security_Severity-Medium Security_Severity-High
Owner: rsesek@chromium.org
Status: Assigned (was: Available)
rsesek, is this the bug you were expecting? 

Comment 2 by rsesek@chromium.org, Jul 12 2016

Status: Started (was: Assigned)
Yup. https://codereview.chromium.org/2141963002/
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 12 2016

Labels: Pri-1
Project Member

Comment 4 by bugdroid1@chromium.org, Jul 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c

commit 41b7abbdb0a34bc77373673dd1400dfdf8c4d84c
Author: rsesek <rsesek@chromium.org>
Date: Wed Jul 13 00:09:01 2016

Validate safe_browsing::dmg::UDIFBlock data before attempting to read at its offsets.

This change also validates that the blkx plist does not run past the end of the
file.

BUG= 627355 
TEST=Clusterfuzz coverage.
R=mark@chromium.org

Review-Url: https://codereview.chromium.org/2141963002
Cr-Commit-Position: refs/heads/master@{#404862}

[modify] https://crrev.com/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c/chrome/utility/safe_browsing/mac/hfs.cc
[modify] https://crrev.com/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c/chrome/utility/safe_browsing/mac/udif.cc
[modify] https://crrev.com/41b7abbdb0a34bc77373673dd1400dfdf8c4d84c/chrome/utility/safe_browsing/mac/udif.h

Components: Services>Safebrowsing
Labels: Security_Impact-Stable
Project Member

Comment 6 by sheriffbot@chromium.org, Jul 13 2016

Labels: M-51

Comment 7 by rsesek@chromium.org, Jul 14 2016

Status: Fixed (was: Started)
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 15 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ClusterFuzz Clusterfuzz
Status: Started (was: Fixed)
Clusterfuzz seems to have found a different variant with the same stack. Another fix coming.
Project Member

Comment 10 by bugdroid1@chromium.org, Aug 2 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e1a415e9785da06e836c9929ec764487a4abb80f

commit e1a415e9785da06e836c9929ec764487a4abb80f
Author: rsesek <rsesek@chromium.org>
Date: Tue Aug 02 21:26:31 2016

[Mac] Convert a DCHECK to a condition in safe_browsing::dmg::UDIFBlockChunkReadStream::Seek.

BUG= 627355 

Review-Url: https://codereview.chromium.org/2202343004
Cr-Commit-Position: refs/heads/master@{#409324}

[modify] https://crrev.com/e1a415e9785da06e836c9929ec764487a4abb80f/chrome/utility/safe_browsing/mac/udif.cc

Project Member

Comment 11 by ClusterFuzz, Aug 3 2016

ClusterFuzz has detected this issue as fixed in range 409316:409332.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6100230152126464

Fuzzer: libfuzzer_safe_browsing_dmg_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x61500020b500
Crash State:
  _platform_memmove$VARIANT$Nehalem
  safe_browsing::dmg::UDIFBlockChunkReadStream::Read
  safe_browsing::dmg::UDIFPartitionReadStream::Read
  
Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=409316:409332

Minimized Testcase (7.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Oj_kON-ertOXRK55sIEHzmluSYmqDrJxWqoIgUTLsS38csZdRQ3e1Rrt0VsfAmCATzVDcOnb4q1uULTDB950_pSPOmyuKQqeWArMGOB0QwFcPom6KUO5d22a4dIZBJDqznrODc3np56Z0laieVNO9bUlnmQ?testcase_id=6100230152126464

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by sheriffbot@chromium.org, Aug 3 2016

Labels: -M-51 M-52
Status: Fixed (was: Started)
Project Member

Comment 14 by sheriffbot@chromium.org, Aug 6 2016

Labels: Merge-Request-53

Comment 15 by dimu@chromium.org, Aug 6 2016

Labels: -Merge-Request-53 Merge-Approved-53 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Please merge your change to M53 branch 2785 today before 5:00 PM PT so we can take it in for this week Beta release. Thank you.
Project Member

Comment 17 by bugdroid1@chromium.org, Aug 8 2016

Labels: -merge-approved-53 merge-merged-2785
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9fa921f0231392e89c9bd2280bb18224591e7f13

commit 9fa921f0231392e89c9bd2280bb18224591e7f13
Author: Robert Sesek <rsesek@chromium.org>
Date: Mon Aug 08 19:00:39 2016

[Mac] Convert a DCHECK to a condition in safe_browsing::dmg::UDIFBlockChunkReadStream::Seek.

BUG= 627355 

Review-Url: https://codereview.chromium.org/2202343004
Cr-Commit-Position: refs/heads/master@{#409324}
(cherry picked from commit e1a415e9785da06e836c9929ec764487a4abb80f)

Review URL: https://codereview.chromium.org/2225123002 .

Cr-Commit-Position: refs/branch-heads/2785@{#530}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/9fa921f0231392e89c9bd2280bb18224591e7f13/chrome/utility/safe_browsing/mac/udif.cc

Labels: -Hotlist-Merge-Approved
Labels: -M-52 M-53 Release-0-M53
Labels: CVE-2016-5167
Project Member

Comment 21 by sheriffbot@chromium.org, Nov 10 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted

Sign in to add a comment