The EDID is untrusted data and may be badly formed. See this paper for some attacks using EDID: https://media.blackhat.com/bh-eu-12/Davis/bh-eu-12-Davis-HDMI-WP.pdf We should ensure Chromium's EDID parser (used on X11 & ChromeOS) is robust.
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1e7c1a2f73e24fd7cbe6de2dd53bba6ab7b5f05c

commit 1e7c1a2f73e24fd7cbe6de2dd53bba6ab7b5f05c
Author: robert.bradford <robert.bradford@intel.com>
Date: Thu Aug 18 18:42:03 2016

ui: Fix potential out-of-bounds array access in EDID parser

When checking that the size of the array is sufficient for all accesses, including the value in the third byte, the header byte was not taken into consideration.

This bug was found with the fuzzer in: https://crrev.com/2252643003

BUG=638273
TEST=No ASan issues with fuzzer after change; existing unittest passes.

Review-Url: https://codereview.chromium.org/2249973006
Cr-Commit-Position: refs/heads/master@{#412899}

[modify] https://crrev.com/1e7c1a2f73e24fd7cbe6de2dd53bba6ab7b5f05c/ui/display/util/edid_parser.cc
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/386b95802b6b54a5b07a8fd6aed7348cf846edac

commit 386b95802b6b54a5b07a8fd6aed7348cf846edac
Author: robert.bradford <robert.bradford@intel.com>
Date: Thu Aug 18 23:51:50 2016

ui: Add a libfuzzer based fuzzer for EDID parser

The seed data comes from the unittest.

TEST=Run built fuzzer and then observe that ASan finds a heap-buffer-overflow
BUG=638273

Review-Url: https://codereview.chromium.org/2252643003
Cr-Commit-Position: refs/heads/master@{#412974}

[modify] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/BUILD.gn
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/edid_parser_fuzzer.cc
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/fuzz_corpus/internal
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/fuzz_corpus/lp2565a
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/fuzz_corpus/lp2565b
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/fuzz_corpus/misdetected
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/fuzz_corpus/normal
[add] https://crrev.com/386b95802b6b54a5b07a8fd6aed7348cf846edac/ui/display/util/fuzz_corpus/overscan
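The two commits above describe the defect pattern (a size check that forgets the block's header byte before the parser reads the third byte of the block) and the libFuzzer harness that found it. The following is an added illustration, not Chromium's edid_parser.cc or its fuzzer: it walks a CEA-861-style data block collection (header byte with tag in bits 7..5 and payload length in bits 4..0, length excluding the header byte) and places the flawed bounds check next to the corrected one. The function and constant names, the simplified block layout and the sample bytes are constructed for this example; the `LLVMFuzzerTestOneInput` signature is the real libFuzzer entry point.

```cpp
// Added example (not Chromium's code): bounds checking a CEA-861-style data
// block collection taken from an untrusted EDID extension block.
// Each block starts with a header byte (tag code in bits 7..5, payload length
// in bits 4..0) followed by that many payload bytes; the length byte does NOT
// count the header byte itself.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace edid_example {

constexpr uint8_t kExtendedTag = 7;      // tag 7: payload[0] is an extended tag
constexpr uint8_t kVideoCapability = 0;  // extended tag 0: video capability block

// The flawed check of the kind the fix describes: it tests only the payload
// bytes against the buffer size and forgets the header byte, so a block at
// the very end of the buffer passes yet its third byte lies at data[size].
bool BlockFitsUnsafe(size_t offset, size_t length, size_t size) {
  return offset + length <= size;  // BUG: header byte not counted
}

// Corrected check: header byte plus `length` payload bytes must all lie
// inside `size`. Written with a subtraction so a huge offset cannot overflow.
bool BlockFitsSafe(size_t offset, size_t length, size_t size) {
  return offset < size && length <= size - offset - 1;
}

// Walks the block collection in [data, data + size) and returns the byte
// carrying the overscan flags of the first video capability block (the third
// byte of that block, 0..255), or -1 if it is absent or the input is
// malformed. Every read is guarded by BlockFitsSafe and the length test.
int FindVideoCapabilityByte(const uint8_t* data, size_t size) {
  size_t offset = 0;
  while (offset < size) {
    const uint8_t header = data[offset];
    const size_t tag = header >> 5;
    const size_t length = header & 0x1f;
    if (!BlockFitsSafe(offset, length, size)) return -1;  // truncated block
    // data[offset + 1] and data[offset + 2] exist only if the payload has >= 2 bytes.
    if (tag == kExtendedTag && length >= 2 && data[offset + 1] == kVideoCapability) {
      return data[offset + 2];
    }
    offset += 1 + length;  // skip header byte and payload
  }
  return -1;
}

// Constructed sample: a block with tag 1 and a 3-byte payload, then a video
// capability block (tag 7, length 2, extended tag 0, flags byte 0x63).
const std::vector<uint8_t> kSampleCollection = {
    0x23, 0x09, 0x07, 0x07,  // header 0x23: tag 1, len 3; arbitrary payload
    0xe2, 0x00, 0x63,        // header 0xe2: tag 7, len 2; ext tag 0; flags
};

// Constructed truncated input: the header promises 2 payload bytes but only
// one follows. BlockFitsUnsafe accepts it (offset 0 + length 2 <= size 2),
// and the third-byte read would then touch data[2] == data[size].
const std::vector<uint8_t> kTruncated = {0xe2, 0x00};

}  // namespace edid_example

// libFuzzer entry point of the shape used by the fuzzer commit above; feeding
// the parser arbitrary bytes under ASan is what exposes a missing header byte.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  edid_example::FindVideoCapabilityByte(data, size);
  return 0;
}
```

The corrected check is the one worth copying: whenever a length field excludes its own header, the bound is `offset + 1 + length <= size`, and any access to a fixed payload index additionally needs `length` to be at least that index.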
Hi Robert! This is great to see your fuzzer running, but there is a problem: it writes too many ERROR messages into stderr. I wonder if it's possible to disable error reporting in the source code of the fuzzer?
I've uploaded a CL to disable excessive logging: https://codereview.chromium.org/2294733002/
Comment 1 by bugdroid1@chromium.org, Aug 18 2016