Use-of-uninitialized-value in OT::RangeRecord::cmp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5887298756673536
Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  OT::RangeRecord::cmp
  int OT::SortedArrayOf<OT::RangeRecord, OT::IntType<unsigned short, 2u> >::bsearc
  OT::CoverageFormat2::get_coverage
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Minimized Testcase (0.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96dNzZZ2FOX6_KBINrrm3cZMQ_e9_rNfs8zIKfr5Z5OuUa2kCLzmR2uBZbAAFf6vzOUukJT3UUL3D_94U3O2JI6OByEhbS5eNngNovCtDkUci4rQu5VvwmemDcFtHhf-exEIJ2hWaUz23BHuKAcNfZMsfj_4A?testcase_id=5887298756673536

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 23 2016
behdad: this is a RBS use of uninitialised value. Can you please take a look?
Dec 8 2016
behdad: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 9 2016
Could you look into this Behdad and comment on the implications?
Dec 18 2016
Humm. I cannot reproduce this using the test case and valgrind. Can someone help me reproduce please?
Dec 18 2016
You need to create a MSAN libFuzzer build, see instructions at https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md (Reproducing LibFuzzer + MSan bugs section)
Dec 18 2016
Thanks. But that page doesn't help one set it up without a Chrome build first, which is outside of my current resources.
Dec 19 2016
Ok, I just checked and the copy of harfbuzz we carry is from September. I suggest we update to the latest version first and see if this still happens. I'm out of ideas otherwise, short of someone pointing me to a Linux binary I can download to run MSAN.
Dec 23 2016
behdad: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 4 2017
ClusterFuzz has detected this issue as fixed in range 441170:441211.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5887298756673536
Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  OT::RangeRecord::cmp
  int OT::SortedArrayOf<OT::RangeRecord, OT::IntType<unsigned short, 2u> >::bsearc
  OT::CoverageFormat2::get_coverage
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=441170:441211
Minimized Testcase (0.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96dNzZZ2FOX6_KBINrrm3cZMQ_e9_rNfs8zIKfr5Z5OuUa2kCLzmR2uBZbAAFf6vzOUukJT3UUL3D_94U3O2JI6OByEhbS5eNngNovCtDkUci4rQu5VvwmemDcFtHhf-exEIJ2hWaUz23BHuKAcNfZMsfj_4A?testcase_id=5887298756673536

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 4 2017
ClusterFuzz testcase 5887298756673536 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 13 2017
Hi behdad - looks like the harfbuzz roll did fix this one. What do you think about merging that to M56 at this point?
Jan 13 2017
That will be for drott@ to decide.
Jan 17 2017
Thoughts drott@?
Jan 18 2017
Weighing issue severity vs. risks of skipping the Beta for the larger than usual HarfBuzz roll (https://chromium.googlesource.com/chromium/src/+/4cff0bd9837375a461d56f354b7bfe8858923722%5E%21/#F0), I would prefer not to manually merge this to stable.
Apr 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot