Heap-buffer-overflow in big2_toUtf8
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5666251714330624
Fuzzer: afl_expat_xml_parse_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x625000737101
Crash State:
  big2_toUtf8
  doProlog
  prologInitProcessor
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97XziTk46Bt5apRIMdh9cwWT9F6cKGNMn7MX7B1gwU3GTihTlupCR5aF0Tg4q-eWlVWEt07hUECxKVuigMFX8A3cQjrtjrvb-WKd8_TgNpcTL6hOn6HG9X3-th-rEtu_U5hnSIUpg9gDaMCpbzD81tsMdgSag?testcase_id=5666251714330624
Issue manually filed by: metzman
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Aug 12 2016
Assigning to expat owners.
Aug 12 2016

Aug 12 2016
+CCing kcc
Kostya, this bug was found by AFL the same day it started using libFuzzer's corpus, but libFuzzer hasn't found it as of yet. I'll try to post an update if libFuzzer finds it later today.
Aug 12 2016
amazing!
Aug 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5039575921852416
Fuzzer: libfuzzer_expat_xml_parse_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  little2_entityValueTok
  storeEntityValue
  doProlog
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97xbwkoqdrJVlQF1UFULY3YjHp8YeDgExZ9iYq72Ea-cLhItjvWJTOX3YvbPdD6JdfnJq-7Elq8cW7jOD3EzUt4eiRzwOtRkMaMlPiTS7LLSe0Cd_8zkvxTAQS1QzrwHyC-DF_6SL58_WzzifI54V8DZPztaA?testcase_id=5039575921852416
Issue manually filed by: ochang
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 13 2016
ClusterFuzz has detected this issue as fixed in range 411446:411587.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5039575921852416
Fuzzer: libfuzzer_expat_xml_parse_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  little2_entityValueTok
  storeEntityValue
  doProlog
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=411312:411446
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=411446:411587
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96bv4r0uZoyEGThk3NbtKYsAgPVngGLqffZDm1TRMgsRYisLDxxd5gle_XJPI8hzH4uvuwmCg4RIDoOB1qXFFTXH3DzBBcOu-ki-o7f9wxK81hrYXlX4whLKJDnINV6ZJG-LATcsiOC2u7zmnov8u31nz63pA?testcase_id=5039575921852416
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 13 2016

Aug 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6573921312964608
Fuzzer: expat_xml_parse_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61d00001f281
Crash State:
  big2_toUtf8
  poolAppend
  poolStoreString
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=411420:411575
Minimized Testcase (0.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QVEAyaiZJIs4y1MduDXe474qyCDh4bmW1LA9vHvqEM-wIAcLyxB1QS0E-4GElVE0IEkKMaQ9DskXxH9QuJDBKEFP_y3eEe_MincYMQjJ-SQs_z3wPEsald2MEEp0ioHSvEyZj2W4ekcBSqlo-mq-7SP8AIA?testcase_id=6573921312964608
Issue manually filed by: ochang
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 26 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5133757977985024
Fuzzer: libfuzzer_expat_xml_parse_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61d00001f281
Crash State:
  little2_entityValueTok
  storeEntityValue
  doProlog
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=411420:411575
Minimized Testcase (0.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97gBb2d7cVqbX3Q6c4Uzdz4EY0c2IVYNuw2QOlIOCsxrjWWcN-0iimRD_r6cPRb3DqkvH4UqfD4xFiaLoW4szEU_xnJlE1ZkZkM7p3IGnHl0z4uH7no_x_GBl3IfrCunaFO_mlrvrx3NigtJa-vTs64aMaeFQ?testcase_id=5133757977985024
Issue manually filed by: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 26 2016
dominicc: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 10 2016
dominicc: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 11 2016
Friendly ping from Security Sheriff: this is a heap-buffer-overflow affecting Stable. Should we report the issue upstream? Looks like the maintainers are responsive to security issues: http://expat.sourceforge.net/
Oct 13 2016

Nov 28 2016
Friendly ping dominicc: This hasn't had activity for some time, do we have an idea on the course of action to take?
Dec 2 2016

Jan 26 2017

Jan 31 2017
Another friendly ping from the security sheriff: do we have an upstream fix yet?
Jan 31 2017
I have not got to this yet.
Mar 10 2017

Mar 16 2017

Mar 21 2017
Friendly ping from security sheriff. Any update?
Mar 22 2017
I have not got to this yet. There are some upstream changes we should roll, described in Issue 703537. After that someone needs to see if this reproduces and look at it in the debugger. This is in DTD processing, which we do include.
Mar 24 2017
qingchengl rolled expat in r459025. CF has closed a bunch of bugs as a result. We should look at this next.
Mar 24 2017
ClusterFuzz has detected this issue as fixed in range 459012:459027.
Detailed report: https://clusterfuzz.com/testcase?key=6573921312964608
Fuzzer: expat_xml_parse_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61d00001f281
Crash State:
  big2_toUtf8
  poolAppend
  poolStoreString
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=411420:411575
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=459012:459027
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv966pKjmWVCu5gUYTIsCBw82fLGiBytt1wIcrywK_HjLi72krhylrkrrcwyBAzevF5KRbkh1rkuWVKFk2pcJpdB_U2iTx491N8HN00DFtfdnZel6bg1vC_TlcVzDXNfeCf6V3ULfDXrLyVxybc_BkRzJOFixS7EqOIgv64Xwqgmw6t8bZhqJG3r_2MXLs44cPWbPOH95uNZzsGlGTU7ICaiH_VIggqU8CbTZyfWyca4LTqUbjjzqCupWBFJWtoVvKNkDsyS4K-5V4gN426MOljmxnfCu7_aXPwqd-4R6WHpT5Ik8BoWO1vlq9uo5MAQOupo0ySMsQLEmCXbWm7z96i1cTHq99d8jMv6_e6lB-WVNeK_aBgo?testcase_id=6573921312964608
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 24 2017
ClusterFuzz has detected this issue as fixed in range 459012:459027.
Detailed report: https://clusterfuzz.com/testcase?key=5133757977985024
Fuzzer: libfuzzer_expat_xml_parse_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x61d00001f281
Crash State:
  little2_entityValueTok
  storeEntityValue
  doProlog
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=411420:411575
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=459012:459027
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97hgfdkYl8PN9KKGzRaMB0s8oJjEgh74GERBJtRDnuhbxpUC9nwzVlRmtQCWugqXVsGuqr1c1eWnfSjJxeO5DtEaxo09UMHrklQGZEKT7_9PNxBOtdlA3SSiFKXWwsYTPGRZ1MH5eeHoIB3mRI8XpGDP5_AY2Ken50K9b6-gkWg7178qqiqtjDLAiG7y1_ZYjPTdlhNS8GbnHBxKJVIAJsqHiaDmy1gTP7NK4V8captJZ2VTXqVSrNa2MscGwPUEti2WPyBs2Wfo77JafNezd3CXVh-crA2Nu9yPxN2uiC69Fvt_1HFYsvc2gL_EnUVJ84ehldiQt7USsQakGrQFYoolTDlzLx9oFvew0Hr50amWAhKrvU?testcase_id=5133757977985024
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 24 2017

Mar 24 2017

Jun 30 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot