Issue 655016 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	davidben@chromium.org
Closed:	Oct 2016
Cc:	kcc@chromium.org nyerramilli@chromium.org mmoroz@chromium.org
Components:	Internals>Network>SSL
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	2
Type:	Bug-Regression
Te-Logged Stability-Crash Reproducible Findit-for-crash Stability-Libfuzzer Clusterfuzz Stability-UndefinedBehaviorSanitizer

Crash in _start

Project Member Reported by ClusterFuzz, Oct 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5451599873048576

Fuzzer: libfuzzer_boringssl_client_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 
Crash State:
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=424217:424275

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv961IX1iTrHXx1e5_J2JhW__RLa_wbH3eBcHsqSX_AuTMpaqofZqEAxDHdsG-KwJSE9K3HpjO27Eb6vtikLnE7OaCiH6RKas2csEszQTEEakm7vg3ANvjcu9_tq6GyCkwC1JOiNS4ynWOXtEkxdYH4AT7LvQTg?testcase_id=5451599873048576

Issue manually filed by: nyerramilli

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by nyerramilli@chromium.org, Oct 12 2016

Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: kcc@chromium.org
Status: Assigned (was: Untriaged)

Findit Results:
Suspected CLs	The result is a list of CLs that change the crashed files.

Author: kcc
Project: chromium-libfuzzer
Changelist: https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer.git/+/3e02228ebfee620dd4a2db0ee15a8084ca349183
Time: Thu Oct 06 05:14:00 2016
Lines 519 of file FuzzerDriver.cpp which potentially caused crash are changed in this cl (frame #2, "fuzzer::FuzzerDriver").

File FuzzerLoop.cpp is changed in this cl (and is part of stack frame #0, "fuzzer::Fuzzer::ExecuteCallback"; frame #1, "fuzzer::Fuzzer::ShuffleAndMinimize")
Minimum distance from crash line to modified line: 0. (file: FuzzerDriver.cpp, crashed on: 519, modified: 519).

Suspected Project: chromium-libfuzzer

based on Findit Results, assigning to kcc@, could you please check the issue.

Comment 2 by kcc@chromium.org, Oct 12 2016

Cc: mmoroz@chromium.org

max, ubsan again.

Comment 3 by mmoroz@chromium.org, Oct 12 2016

Cc: kcc@chromium.org
Components: Internals>Network>SSL
Owner: davidben@chromium.org

Looks like boringssl fuzzers use incorrect LLVMFuzzerTestOneInput() prototype: https://cs.chromium.org/chromium/src/third_party/boringssl/src/fuzz/client.cc?l=260

data should be "const uint8_t*".

David, would you mind updating boringssl fuzzers to use "const uint8_t* data"?

Comment 4 by davidben@chromium.org, Oct 12 2016

Status: Started (was: Assigned)

https://boringssl-review.googlesource.com/c/11580

Project Member

Comment 5 by bugdroid1@chromium.org, Oct 12 2016

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/0939f80c6a71b758e9df611aa6282c9212ae54e1

commit 0939f80c6a71b758e9df611aa6282c9212ae54e1
Author: David Benjamin <davidben@google.com>
Date: Wed Oct 12 14:35:18 2016

Fix fuzzer signatures.

They take a const pointer. See
http://llvm.org/docs/LibFuzzer.html#building

BUG= chromium:655016 

Change-Id: Id6c7584c7a875e822b1fbff72163c888d02a9f44
Reviewed-on: https://boringssl-review.googlesource.com/11580
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/cert.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/client.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/pkcs8.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/privkey.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/read_pem.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/server.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/spki.cc
[modify] https://crrev.com/0939f80c6a71b758e9df611aa6282c9212ae54e1/fuzz/ssl_ctx_api.cc

Comment 6 by davidben@chromium.org, Oct 12 2016

Status: Fixed (was: Started)

Thanks! Marking as fixed, but CF won't find it until BoringSSL next rolls into Chromium. (The last roll is currently blocked on some review.)

Comment 7 by mmoroz@chromium.org, Oct 13 2016

Thank you David for the quick fix!

Project Member

Comment 8 by ClusterFuzz, Oct 14 2016

ClusterFuzz has detected this issue as fixed in range 425081:425189.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5451599873048576

Fuzzer: libfuzzer_boringssl_client_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 
Crash State:
  _start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=424217:424275
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=425081:425189

Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv961IX1iTrHXx1e5_J2JhW__RLa_wbH3eBcHsqSX_AuTMpaqofZqEAxDHdsG-KwJSE9K3HpjO27Eb6vtikLnE7OaCiH6RKas2csEszQTEEakm7vg3ANvjcu9_tq6GyCkwC1JOiNS4ynWOXtEkxdYH4AT7LvQTg?testcase_id=5451599873048576

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 655016 link

Issue metadata

Crash in _start

Issue description

Comment 1 by nyerramilli@chromium.org, Oct 12 2016

Comment 1 Deleted

Comment 2 by kcc@chromium.org, Oct 12 2016

Comment 2 Deleted

Comment 3 by mmoroz@chromium.org, Oct 12 2016

Comment 3 Deleted

Comment 4 by davidben@chromium.org, Oct 12 2016

Comment 4 Deleted

Comment 5 by bugdroid1@chromium.org, Oct 12 2016

Comment 5 Deleted

Comment 6 by davidben@chromium.org, Oct 12 2016

Comment 6 Deleted

Comment 7 by mmoroz@chromium.org, Oct 13 2016

Comment 7 Deleted

Comment 8 by ClusterFuzz, Oct 14 2016

Comment 8 Deleted

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Comment 9 Deleted

Sign in to add a comment