Suspected CLs:
==============
The result is a list of CLs that change the crashed files.

Author: Steven Valdez
Project: chromium-boringssl
Changelist: https://boringssl.googlesource.com/boringssl.git/+/c4aa727e739df266371fdf5b0c84aaa1d852f24d
Time: Mon Oct 03 12:25:56 2016 -0400
Lines 244-254 of file tls13_enc.c which potentially caused crash are changed in this cl (frame #6, "tls13_set_handshake_traffic").
Minimum distance from crash line to modified line: 0. (file: tls13_enc.c, crashed on: 241, modified: 241).

Suspected Project: chromium-boringssl
Suspected Component: Internals>Network

svaldez@ : Could you please take a look into this if the above Cl is related to your change.

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c

commit b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c
Author: Steven Valdez <svaldez@google.com>
Date: Wed Oct 26 15:56:35 2016

Verifying resumption cipher validity with current configuration.

BUG= chromium:659593 

Change-Id: I73a4751609b85df7cd40f0f60dc3f3046a490940
Reviewed-on: https://boringssl-review.googlesource.com/11861
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/handshake_server.c
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/internal.h
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/s3_lib.c
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/test/bssl_shim.cc
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/test/runner/runner.go
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/test/test_config.cc
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/test/test_config.h
[modify] https://crrev.com/b6b6ff3bef673afaa4d05400564f8f4f4d31ad9c/ssl/tls13_server.c

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/305e6fb7f75ad48a9ca156a8131b767ac0b1baf0

commit 305e6fb7f75ad48a9ca156a8131b767ac0b1baf0
Author: David Benjamin <davidben@google.com>
Date: Thu Oct 27 22:19:00 2016

Revise ssl_cipher_get_evp_aead.

This is still rather a mess with how it's tied to SSL_AEAD_CTX_new
(probably these should get encapsulated in an SSL_AEAD struct), but this
avoids running the TLS 1.3 nonce logic on fake AEADs. This is impossible
based on cipher version checks, but we shouldn't need to rely on it.

It's also a little tidier since out_mac_secret_len is purely a function
of algorithm_mac.

BUG= chromium:659593 

Change-Id: Icc24d43c54a582bcd189d55958e2d232ca2db4dd
Reviewed-on: https://boringssl-review.googlesource.com/11842
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

[modify] https://crrev.com/305e6fb7f75ad48a9ca156a8131b767ac0b1baf0/ssl/ssl_cipher.c

 Issue 659470  has been merged into this issue.

The following revision refers to this bug:
  https://boringssl.googlesource.com/boringssl.git/+/4b0d0e4c5ef19055b3ff17ed3d760f9b10d76641

commit 4b0d0e4c5ef19055b3ff17ed3d760f9b10d76641
Author: David Benjamin <davidben@google.com>
Date: Fri Oct 28 21:17:14 2016

Validate input iv/mac sizes in SSL_AEAD_CTX_new.

This should never happen, but the SSL_AEAD_CTX_new layer should enforce
key sizes as it's not locally obvious at the call site the caller didn't
get confused. There's still a mess of asserts below, but those should be
fixed by cutting the SSL_CIPHER/SSL_AEAD_CTX boundary differently.

(enc_key_len is validated by virtue of being passed into EVP_AEAD.)

BUG= chromium:659593 

Change-Id: I8c91609bcef14ca1509c87aab981bbad6556975f
Reviewed-on: https://boringssl-review.googlesource.com/11940
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

[modify] https://crrev.com/4b0d0e4c5ef19055b3ff17ed3d760f9b10d76641/ssl/ssl_aead_ctx.c
[modify] https://crrev.com/4b0d0e4c5ef19055b3ff17ed3d760f9b10d76641/ssl/tls13_enc.c

Alright, the root issue has been fixed. Also a few parts where layers weren't locally checking all the things they should were also fixed. Should be rolling into Chromium shortly once the CQ behaves.

ClusterFuzz has detected this issue as fixed in range 428469:428574.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4939136189595648

Fuzzer: libfuzzer_boringssl_server_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  *out_fixed_iv_len >= 8
  ssl_cipher_get_evp_aead
  tls13_set_traffic_key
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=425081:425196
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=428469:428574

Minimized Testcase (1.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96msuPzMfqm4YgtJGxUhVsKqXwjF34sq0IKuZDe8HMPb2eG7UvDyY1Gkrpu4GedI_2kt6v46TRg6TPQ_OPpSKOyUIC22RrB83_fRg9NsDS5_bRlDcNc30MitJn1u8W4xrrwFw-IanCl44tJ3QS6gRc_STpUkA?testcase_id=4939136189595648

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue 659221  has been merged into this issue.