Use-of-uninitialized-value in sse41::blit_row_s32a_opaque
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5130952057815040
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=401651:401798
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yzmiY5Mp1gB6ysaOOhH2is1vZ8rg14z25Qin87Yg4dHfeptn5UhlCpujZWSKkrpySM2bmaKaJZ5T64XFXkBjNskABxsP5L0e5RFXe4zhquz0PabwOieaMqBG1PMT_PwhpBwz77QYzsWPT_ZX7phhsC8O8jA?testcase_id=5130952057815040
Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 23 2016

Jul 23 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 24 2016

Jul 25 2016
I don't see anything obvious in the regression range, and I have no commits there AFAICT. The only major thing I can see from the Chrome side is enne@'s switch to --enable-begin-frame-scheduling. Assigning to reed@ for delegation / triage.
Jul 25 2016

Jul 25 2016
The failure here (Uninitialized bytes in __msan_check_mem_is_initialized at offset 0 inside [0x7efa7f668000, 992)) is reminding us that sse41::blit_row_s32a_opaque() requires its src array to be initialized. Whatever image we're blitting here is not marked as fully initialized by MSAN. This is also harmless at this level of the stack... despite the panic from MSAN if it were to branch on them, blit_row_s32a_opaque() will never behave badly even when given uninitialized inputs. But it does perhaps indicate a problem with whatever's created that image.
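Added example, not Skia's or Chromium's code: a portable C model of the two frames at the top of the crash stack, a row blit of 32-bit premultiplied source pixels over an opaque destination and the rectangle loop that calls it, with the explicit MSan check the report names (`__msan_check_mem_is_initialized`) placed at the row entry. It assumes Skia's premultiplied ARGB8888 pixel layout (alpha in bits 24..31) and Skia's src-over arithmetic; the function and macro names (`blit_row_s32a_opaque_model`, `blit_rect_model`, `pm_src_over`, `MSAN_CHECK_INIT`) are hypothetical, and the pixel values are constructed. It shows why the blitter is the first thing to report an uninitialized sprite even though the blend itself is harmless on garbage input, and what the producer-side fix looks like (hand the blitter initialized pixels).

```c
/* Added example (not Skia's code): model of blit_row_s32a_opaque() and the
 * Sprite_D32_S32::blitRect loop above it, with the explicit MSan check.
 * Assumes Skia's premultiplied ARGB8888 layout; all names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define MSAN_CHECK_INIT(p, n) __msan_check_mem_is_initialized((p), (n))
#  endif
#endif
#ifndef MSAN_CHECK_INIT
#  define MSAN_CHECK_INIT(p, n) ((void)0)   /* no-op outside an MSan build */
#endif

typedef uint32_t pmcolor;                    /* premultiplied ARGB8888 */

static inline uint32_t pm_alpha(pmcolor c) { return c >> 24; }

/* Scale all four channels of c by scale in [0, 256] (exact at 0 and 256). */
static inline pmcolor pm_mul_q(pmcolor c, uint32_t scale) {
    uint32_t rb = (((c & 0x00ff00ffu) * scale) >> 8) & 0x00ff00ffu;
    uint32_t ag = (((c >> 8) & 0x00ff00ffu) * scale) & 0xff00ff00u;
    return rb | ag;
}

/* Porter-Duff src-over on premultiplied pixels: src + dst * (1 - src_alpha). */
static inline pmcolor pm_src_over(pmcolor src, pmcolor dst) {
    return src + pm_mul_q(dst, 256u - pm_alpha(src));
}

/* Blit one row of premultiplied src pixels over dst at full (0xFF) opacity. */
void blit_row_s32a_opaque_model(pmcolor *dst, const pmcolor *src, int len) {
    /* The fast-path decisions below branch on src pixel values. Checking the
     * whole row up front makes an uninitialized source fail right here, with
     * the blitter at the top of the MSan report, rather than at some
     * data-dependent branch further down. The arithmetic itself never goes
     * out of bounds on garbage input: the values only decide copy vs. blend. */
    MSAN_CHECK_INIT(src, (size_t)len * sizeof(*src));

    for (int i = 0; i < len; i++) {
        uint32_t a = pm_alpha(src[i]);
        if (a == 0xff) {
            dst[i] = src[i];                  /* opaque source: plain copy */
        } else if (a != 0) {
            dst[i] = pm_src_over(src[i], dst[i]);
        }                                     /* a == 0: leave dst untouched */
    }
}

/* blitRect analogue: paint a w x h sprite with its top-left at (x, y) in dst.
 * Strides are in pixels. Each row goes through the row blit above. */
void blit_rect_model(pmcolor *dst, int dst_stride, const pmcolor *sprite,
                     int sprite_stride, int x, int y, int w, int h) {
    for (int row = 0; row < h; row++) {
        blit_row_s32a_opaque_model(dst + (size_t)(y + row) * dst_stride + x,
                                   sprite + (size_t)row * sprite_stride, w);
    }
}

int main(void) {
    /* Constructed input. The producer-side fix is to give the blitter fully
     * initialized pixels: calloc() (or an explicit erase) does that, while a
     * bare malloc() leaves the sprite poisoned under MSan. Swap calloc for
     * malloc and build with `clang -fsanitize=memory -g` to get a report of
     * the same shape as the one in this bug. */
    pmcolor *sprite = calloc(4, sizeof *sprite);
    if (!sprite) return 1;
    sprite[0] = 0xffff0000u;                  /* opaque red */
    sprite[1] = 0x80400000u;                  /* half-transparent red */
    sprite[2] = 0x00000000u;                  /* fully transparent */
    sprite[3] = 0x40200000u;                  /* quarter-transparent red */
    pmcolor dst[4] = {0xff0000ffu, 0xff0000ffu, 0xff0000ffu, 0xff0000ffu};

    blit_row_s32a_opaque_model(dst, sprite, 4);
    for (int i = 0; i < 4; i++) printf("dst[%d] = %08x\n", i, dst[i]);
    free(sprite);
    return 0;
}
```

Under a plain build the check compiles away and the blend runs on whatever bytes it is given; under an MSan build the check fires before any pixel is examined, which is why the stack in the report ends in the blitter even though the defect is in whatever produced the sprite.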
Jul 31 2016
ClusterFuzz has detected this issue as fixed in range 408734:408781.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5130952057815040
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=401651:401798
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=408734:408781
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97yzmiY5Mp1gB6ysaOOhH2is1vZ8rg14z25Qin87Yg4dHfeptn5UhlCpujZWSKkrpySM2bmaKaJZ5T64XFXkBjNskABxsP5L0e5RFXe4zhquz0PabwOieaMqBG1PMT_PwhpBwz77QYzsWPT_ZX7phhsC8O8jA?testcase_id=5130952057815040

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 16 2016
Re-opening just for a minute.
Aug 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5667112511340544
Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=406944:407004
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UWz3MGBEq3vx7NMfKLgt4hpuTJK11V5N8o7w6Ul7HePx9uwpMIVHK3atkupeL2nEjP0h0GwNdEyv-ahDZcdyDSd8wzifTQR5pZQucZj0SO_OSsEIdMxubbaZbvqv04g4toi0ejXD9ggHx53Fe02y_BLKeLQ?testcase_id=5667112511340544
Issue manually filed by: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 16 2016

Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418377:418438.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5667112511340544
Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=406944:407004
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=418377:418438
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97UWz3MGBEq3vx7NMfKLgt4hpuTJK11V5N8o7w6Ul7HePx9uwpMIVHK3atkupeL2nEjP0h0GwNdEyv-ahDZcdyDSd8wzifTQR5pZQucZj0SO_OSsEIdMxubbaZbvqv04g4toi0ejXD9ggHx53Fe02y_BLKeLQ?testcase_id=5667112511340544

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jul 23 2016
Components: Internals>Skia
Labels: Pri-1
Owner: senorblanco@chromium.org
Status: Assigned (was: Untriaged)