New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 640856 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: ----
Type: Bug



Sign in to add a comment

Use-of-uninitialized-value in Parser::AssignComments

Project Member Reported by ClusterFuzz, Aug 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4926244569481216

Fuzzer: libfuzzer_gn_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Parser::AssignComments
  Parser::ParseFile
  Parser::Parse
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=413827:414117

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94DLNRJSicgd4RVTStrukzzoZwXwKefez8jwzPAF5jRtxE2FIDt2ZOl708Rmo4Vugc8FfY0ApccR3OM1FUqTnsNFjNz12CWfx5Zrw1bimBckHw3qJ1JA_BgsDhYv_MJs1NYMt10wZl4NprWSDKQyBx1QP8jnQ?testcase_id=4926244569481216

#(t!((


Issue manually filed by: inferno

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: dpranke@chromium.org
Labels: -Security_Severity-Low -Security_Impact-Head Security_Impact-None
Owner: thakis@chromium.org
Status: Assigned (was: Untriaged)
Thanks for adding this Nico. Please reassign as needed. Removing security impact labels.

Comment 2 by thakis@chromium.org, Aug 25 2016

Labels: Build-Tools-GN
Probably doesn't have to be restricted either, right? Or is cluster-fuzz secret?

I'll take a look, since I added the fuzzer.
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-None Type-Bug
Removing security restrictions.

Comment 4 by thakis@chromium.org, Aug 25 2016

Cc: brettw@chromium.org scottmg@chromium.org
$ cat  ~/Downloads/fuzz-3-gn_parser_fuzzer 

#(t!((


What's happening here is that there are no non-comment tokens. So Parser::ParseFile() creates a new BlockNode but doesn't insert anything, and then AssignComments() calls GetRange().begin() on that BlockNode. BlockNode::GetRange() just returns LocationRange() if it doesn't have begin and end tokens and contains no statements, and the default constructor of LocationRange calls the default constructor of Location(), and that doesn't initialize byte_.

An easy fix would be to initialize byte_ to something (0?) but that might paper over other problems. But since there are no tokens, there's no token we could call BlockNode::set_begin_token with. Another possible fix would be to set byte_ to 0 in BlockNode::GetRange() at the bottom, then we'd still find other uninit locations.

But I think just initializing byte_ to 0 might be fine. Opinions?
byte_ should probably be initialized in the default Location() constructor for completeness. But I think AssignComments() should probably check that it's getting a valid range? I'm not totally sure though.

diff --git a/tools/gn/parser.cc b/tools/gn/parser.cc
index 57a398e..ab92071 100644
--- a/tools/gn/parser.cc
+++ b/tools/gn/parser.cc
@@ -819,6 +819,8 @@ void Parser::AssignComments(ParseNode* file) {
   // Assign line comments to syntax immediately following.
   int cur_comment = 0;
   for (auto* node : pre) {
+    if (node->GetRange().is_null())
+      continue;
     const Location& start = node->GetRange().begin();
     while (cur_comment < static_cast<int>(line_comment_tokens_.size())) {
       if (start.byte() >= line_comment_tokens_[cur_comment].location().byte()) {

?

Comment 6 by thakis@chromium.org, Aug 25 2016

Status: Started (was: Assigned)
https://codereview.chromium.org/2271383003/
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c3b455922b7ddb748e9a7b351cac7a4586c7e374

commit c3b455922b7ddb748e9a7b351cac7a4586c7e374
Author: thakis <thakis@chromium.org>
Date: Thu Aug 25 20:21:35 2016

gn: Don't read unitialized memory on files containing just a comment.

The BlockNode::GetRange() of a block containing nothing doesn't have
an initialized bytes_ member.  Skip empty nodes, they'll be assinged
to the file block further down.

Patch sketch by scottmg.

BUG= 640856 

Review-Url: https://codereview.chromium.org/2271383003
Cr-Commit-Position: refs/heads/master@{#414522}

[modify] https://crrev.com/c3b455922b7ddb748e9a7b351cac7a4586c7e374/tools/gn/parser.cc

Comment 8 by thakis@chromium.org, Aug 25 2016

Status: Fixed (was: Started)
Project Member

Comment 9 by ClusterFuzz, Aug 26 2016

ClusterFuzz has detected this issue as fixed in range 414520:414607.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4926244569481216

Fuzzer: libfuzzer_gn_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  Parser::AssignComments
  Parser::ParseFile
  Parser::Parse
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=413827:414117
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=414520:414607

Minimized Testcase (0.01 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94DLNRJSicgd4RVTStrukzzoZwXwKefez8jwzPAF5jRtxE2FIDt2ZOl708Rmo4Vugc8FfY0ApccR3OM1FUqTnsNFjNz12CWfx5Zrw1bimBckHw3qJ1JA_BgsDhYv_MJs1NYMt10wZl4NprWSDKQyBx1QP8jnQ?testcase_id=4926244569481216

#(t!((


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org

Sign in to add a comment