Use-of-uninitialized-value in pr_UnlockedFindLibrary
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6549406281367552
Fuzzer: libfuzzer_net_host_resolver_impl_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  pr_UnlockedFindLibrary
  pr_LoadLibraryByPathname
  PR_LoadLibraryWithFlags
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_DoaNXu-E4xPjKOA4Evpnp0dLswtxhRjSCh4vGtj_phhFZLctDWublU7HbNesIYLikezNFqkahL9Tu6W6IFTeTunLjnoxW-QKkRbbIalMqnqpMX8S9FBZPjhO1FR07prNT4yT8CJIqaZn90nMC-uJ1MfBSA?testcase_id=6549406281367552

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 6 2016
sleevi, undoubtedly an upstream issue, can you route this to the appropriate people? Thanks.
Oct 6 2016
inferno: This is using NSPR 4.10.10, while the current NSPR release is 4.13. Do you know of a way to see if this test reproduces in current stable? From the clusterfuzz documentation, it wasn't clear how to build an instrumented_libraries version of NSPR so that it would be picked up. I could LD_PRELOAD it in, I suppose, but I wanted to sanity check first.
Oct 6 2016
That version is probably the default for trusty, so the instrumented lib scripts are building on that. https://www.chromium.org/developers/testing/instrumented-libraries-for-dynamic-tools. +cc Alex, any idea how we can build the newer version 4.13?
Oct 7 2016
Guess one could hack third_party/instrumented_libraries/scripts/download_build_install.py to use a newer version of NSPR. Shouldn't be harder than manually downloading the source, replacing the 4.10 checkout with it and rebuilding NSPR.
Oct 7 2016
OK, I'll see if I can get to that next Tuesday (at the earliest)
Oct 7 2016
**** Bulk edit - please ignore if not applicable **** This bug is reported as M55 Beta blocker and we're getting closer to M55 Beta promotion. Please plan to have fix ready and merged to M55 branch (2883) by 5:00 PM PT, Monday(10/10) so it has enough baking time in Dev before Beta promotion. Thank you.
Oct 7 2016
Ryan - anyone to assign to, given the 10/10 deadline and your "next Tuesday" comment?
Oct 7 2016
I tried looking into it. I couldn't get the scripts for building the instrumented libraries to work, but after some futzing I manually got NSS & NSPR from trunk built with MSan enabled. The error still repros, but it doesn't make any sense.
I can even insert in pr_UnlockedFindLibrary the following code:

    if (strcmp("hello", "goodbye") == 0)
        return NULL;

and that will also cause a use-of-uninitialized-value error in fuzzer::TracePC::AddValueForStrcmp.
Something seems to be messed up with asan or libfuzzer.
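An added example, not code from ClusterFuzz or from anyone in this thread: how a sanitizer report of the kind described above is reduced to the three-frame "Crash State" shown in the issue description. The report text is constructed for illustration (addresses, paths and line numbers are invented), and the list of ignored frame prefixes is an assumption standing in for ClusterFuzz's own, larger stack-frame ignore list. It shows why a report whose top frame is fuzzer::TracePC::AddValueForStrcmp (the libFuzzer strcmp hook) still dedupes to pr_UnlockedFindLibrary: libFuzzer and sanitizer-interceptor frames are skipped before the state is taken, so the blamed frame and the crash state are two different things.

```python
import re

# Constructed sample: an MSan report in the shape libFuzzer prints.
# Addresses, file paths and line numbers are invented for illustration.
SAMPLE_REPORT = """\
==12345==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x4a1b2c in fuzzer::TracePC::AddValueForStrcmp(void*, char const*, char const*, unsigned long) FuzzerTracePC.cpp:200:3
    #1 0x4a1c3d in __interceptor_strcmp msan_interceptors.cc:123:5
    #2 0x7f00aa in pr_UnlockedFindLibrary prlink.c:631:13
    #3 0x7f00bb in pr_LoadLibraryByPathname prlink.c:900:10
    #4 0x7f00cc in PR_LoadLibraryWithFlags prlink.c:1010:12
    #5 0x5b0000 in net::ScopedNSSContext::Init() nss_util.cc:55:9
    #6 0x4a0000 in LLVMFuzzerTestOneInput host_resolver_impl_fuzzer.cc:40:3
    #7 0x4b0000 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:500:13
    #8 0x7f01dd in __libc_start_main libc-start.c:291

  Uninitialized value was created by an allocation of 'name' in the stack frame of function 'pr_UnlockedFindLibrary'
SUMMARY: MemorySanitizer: use-of-uninitialized-value prlink.c:631:13 in pr_UnlockedFindLibrary
"""

# One symbolized frame: "#N 0xADDR in <symbol with optional arg list> <file:line:col>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")

# Assumption: frames from the libFuzzer driver, the sanitizer runtime and the
# C runtime entry point are noise for deduplication. ClusterFuzz keeps its own
# ignore list; this one only covers what the constructed report needs.
IGNORED_FRAME_PREFIXES = (
    "fuzzer::",
    "__interceptor_",
    "__msan_",
    "__asan_",
    "__sanitizer",
    "__libc_start_main",
)


def function_name(symbol):
    """Drop a C++ argument list: 'ns::f(int, char*)' -> 'ns::f'."""
    return symbol.split("(", 1)[0]


def parse_frames(report):
    """Return [(function, location), ...] in stack order, top frame first."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((function_name(m.group(2)), m.group(3)))
    return frames


def crash_type(report):
    """'use-of-uninitialized-value' as the tracker spells it: first letter capitalized."""
    m = re.search(r"MemorySanitizer: ([a-z-]+)", report)
    return m.group(1).capitalize() if m else None


def blamed_frame(report):
    """The frame the sanitizer itself reports at #0, before any filtering."""
    frames = parse_frames(report)
    return frames[0][0] if frames else None


def crash_state(report, depth=3):
    """First `depth` frames that are not runtime/driver noise: the dedup key."""
    state = []
    for fn, _loc in parse_frames(report):
        if fn.startswith(IGNORED_FRAME_PREFIXES):
            continue
        state.append(fn)
        if len(state) == depth:
            break
    return state


def uninit_origin(report):
    """Function whose stack frame MSan says created the uninitialized value, if reported."""
    m = re.search(r"stack frame of function '([^']+)'", report)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("Crash Type:", crash_type(SAMPLE_REPORT))
    print("Blamed frame (#0):", blamed_frame(SAMPLE_REPORT))
    print("Crash State:", " ".join(crash_state(SAMPLE_REPORT)))
    print("Origin:", uninit_origin(SAMPLE_REPORT))
```

Note the distinction the thread turns on: the frame at #0 belongs to libFuzzer's strcmp hook, so the report reads as if the fuzzer runtime were at fault, but the first non-ignored frame (and the MSan origin line, when present) points back into NSPR. If NSPR is a system library that was not built with MSan, that origin is exactly where an uninstrumented-library false positive would surface.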
Oct 8 2016
Is this still happening in top-of-trunk?
Oct 10 2016
Removing RBB - this is in a system module that Chrome depends on, so there's no way we can RBB it.
Oct 11 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 11 2016
inferno: Any way to get CF to stop adding RB-B?
Oct 12 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 16 2016
ClusterFuzz has detected this issue as fixed in range 438777:438804.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6549406281367552
Fuzzer: libfuzzer_net_host_resolver_impl_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  pr_UnlockedFindLibrary
  pr_LoadLibraryByPathname
  PR_LoadLibraryWithFlags
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=438777:438804
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_DoaNXu-E4xPjKOA4Evpnp0dLswtxhRjSCh4vGtj_phhFZLctDWublU7HbNesIYLikezNFqkahL9Tu6W6IFTeTunLjnoxW-QKkRbbIalMqnqpMX8S9FBZPjhO1FR07prNT4yT8CJIqaZn90nMC-uJ1MfBSA?testcase_id=6549406281367552

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 16 2016
ClusterFuzz testcase 6549406281367552 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot