Use-of-uninitialized-value in int OT::SortedArrayOf<OT::GlyphID, OT::IntType<unsigned short, 2u> >::bsearch<un

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6603291950841856
Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  int OT::SortedArrayOf<OT::GlyphID, OT::IntType<unsigned short, 2u> >::bsearch<un
  OT::CoverageFormat1::get_coverage
  OT::Coverage::get_coverage
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Minimized Testcase (1.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nwCVPiTPQypAlHpAvefYBN5BjLkVRE0nIg308YqOYG7YHG2_B-QKeBi24BVOGXertTwqSDqSMSaGiFgbtIKptvkoWdPSUZsl6aSeFB3JTB16e-61no_J4u6LVqMF2Ji-8uukj88Wd0SOA0QoM0i8CQ4sKvA?testcase_id=6603291950841856
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Nov 24 2016

Nov 24 2016

Nov 24 2016

Nov 25 2016

Nov 26 2016
Too late to consider an M55 blocker.

Dec 8 2016
behdad: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Dec 9 2016

Dec 16 2016
Please prioritize so this can make M56 stable - behdad@, are you the right person to take a look?

Dec 18 2016
Humm. I cannot reproduce this using the test case and valgrind. Can someone help me reproduce please?

Dec 19 2016
Ok, I just checked and the copy of harfbuzz we carry is from September. I suggest we update to the latest version first and see if this still happens. I'm out of ideas otherwise, short of someone pointing me to a Linux binary I can download to run MSAN.

Dec 23 2016
behdad: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 3 2017

Jan 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4cff0bd9837375a461d56f354b7bfe8858923722

commit 4cff0bd9837375a461d56f354b7bfe8858923722
Author: eae <eae@chromium.org>
Date: Tue Jan 03 19:49:26 2017

Roll HarfBuzz to 1.3.4

BUG= 668338
TBR=drott@chromium.org

Review-Url: https://codereview.chromium.org/2609123003
Cr-Commit-Position: refs/heads/master@{#441189}

[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/NEWS
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/README
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/README.chromium
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-coretext.cc
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-font-private.hh
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-gobject-structs.cc
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-open-type-private.hh
[add] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-cbdt-table.hh
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-font.cc
[add] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-layout-math-table.hh
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-layout-private.hh
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-layout.cc
[add] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-math.h
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot-shape-complex-myanmar-machine.hh
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-ot.h
[modify] https://crrev.com/4cff0bd9837375a461d56f354b7bfe8858923722/third_party/harfbuzz-ng/src/hb-version.h

Jan 5 2017
Rolling harfbuzz did *not* fix it. For build, go to https://cluster-fuzz.appspot.com/v2/testcase-detail/6603291950841856?noredirect=1 and click the "Build" button near the top.

Jan 13 2017
Any thoughts behdad@?

Jan 13 2017
> Any thoughts behdad@?

No, because I cannot reproduce on Linux using valgrind, and setting up msan is not feasible for me this quarter.

Jan 20 2017

Jan 27 2017
Behdad, this reproduces very easily with the following commands:

gn gen out/libfuzzer '--args=use_libfuzzer=true is_msan=true is_debug=false enable_nacl=false' --check
ninja -C out/libfuzzer harfbuzz_fuzzer
./out/libfuzzer/harfbuzz_fuzzer ~/Downloads/fuzz-0-harfbuzz_fuzzer

I don't think any special "setting up msan" is required here, Chrome's build system does that for you.

==8137==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x5b1185 in bsearch<unsigned int> third_party/harfbuzz-ng/src/hb-open-type-private.hh:1052:11
#1 0x5b1185 in get_coverage third_party/harfbuzz-ng/src/hb-ot-layout-common-private.hh:692
#2 0x5b1185 in OT::Coverage::get_coverage(unsigned int) const third_party/harfbuzz-ng/src/hb-ot-layout-common-private.hh:881
#3 0x62051f in OT::SingleSubstFormat2::apply(OT::hb_apply_context_t*) const third_party/harfbuzz-ng/src/hb-ot-layout-gsub-table.hh:168:42
#4 0x61dfe9 in dispatch<OT::SingleSubstFormat2> third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh:446:56
#5 0x61dfe9 in dispatch<OT::hb_apply_context_t> third_party/harfbuzz-ng/src/hb-ot-layout-gsub-table.hh:245
Uninitialized value was created by a heap allocation
#0 0x445b4b in __interceptor_realloc (/usr/local/google/home/kcc/chromium/src/out/libfuzzer/harfbuzz_fuzzer+0x445b4b)
#1 0x523179 in hb_buffer_t::enlarge(unsigned int) third_party/harfbuzz-ng/src/hb-buffer.cc:142:34
#2 0x532e4e in ensure third_party/harfbuzz-ng/src/hb-buffer-private.hh:258:56
#3 0x532e4e in hb_buffer_add_utf<hb_utf32_t<true> > third_party/harfbuzz-ng/src/hb-buffer.cc:1482
#4 0x532e4e in hb_buffer_add_utf32 third_party/harfbuzz-ng/src/hb-buffer.cc:1604
#5 0x48bac1 in LLVMFuzzerTestOneInput third_party/harfbuzz-ng/fuzz/harfbuzz_fuzzer.cc:36:5
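The MSan report above has two halves: the uninitialized bytes originate in a realloc inside hb_buffer_t::enlarge, and they are consumed as the search key of SortedArrayOf::bsearch when Coverage::get_coverage runs. The C program below is an added illustration of that defect class and is not HarfBuzz code: a realloc-grown buffer whose slots past the written length are never initialized, a binary search over a sorted glyph-ID array that takes an element of that buffer as its key, and a checked lookup that refuses any index past the initialized length. Every name in it (glyph_buffer_t, sorted_bsearch, buffer_ensure, coverage_lookup_unchecked, coverage_lookup_checked) and the sample glyph IDs are constructed for the example; the point is what MSan sees, which is a key whose origin is a realloc, and what the bounds check changes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t glyph_id_t;

/* Binary search over a sorted array of glyph IDs (the contract of a
   SortedArrayOf::bsearch): index of 'key', or -1 if it is absent. */
int sorted_bsearch(const glyph_id_t *arr, size_t len, glyph_id_t key)
{
    size_t lo = 0, hi = len;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (arr[mid] < key)
            lo = mid + 1;
        else if (arr[mid] > key)
            hi = mid;
        else
            return (int) mid;
    }
    return -1;
}

/* Constructed growable glyph buffer backed by realloc. 'len' counts slots that
   have been written; 'allocated' counts slots realloc handed back. Everything
   in [len, allocated) holds whatever realloc left there: uninitialized memory,
   which is exactly what MSan tracks as "created by a heap allocation". */
typedef struct {
    glyph_id_t *info;
    size_t len;
    size_t allocated;
} glyph_buffer_t;

int buffer_ensure(glyph_buffer_t *b, size_t size)
{
    if (size <= b->allocated)
        return 1;
    size_t new_alloc = b->allocated ? b->allocated : 8;
    while (new_alloc < size)
        new_alloc *= 2;
    glyph_id_t *p = realloc(b->info, new_alloc * sizeof *p);
    if (!p)
        return 0;
    b->info = p;
    b->allocated = new_alloc;
    return 1;
}

int buffer_add(glyph_buffer_t *b, glyph_id_t g)
{
    if (!buffer_ensure(b, b->len + 1))
        return 0;
    b->info[b->len++] = g;
    return 1;
}

/* Defective lookup: validates 'idx' against capacity rather than length, so an
   index in [len, allocated) feeds an uninitialized glyph ID into the search.
   Built with -fsanitize=memory, that read is reported with a trace ending in
   sorted_bsearch and an origin in realloc, the shape of the report in this bug. */
int coverage_lookup_unchecked(const glyph_buffer_t *b, const glyph_id_t *cov,
                              size_t cov_len, size_t idx)
{
    if (idx >= b->allocated)
        return -1;
    return sorted_bsearch(cov, cov_len, b->info[idx]);
}

/* Hardened lookup: the index is validated against the initialized length, so
   the key can only ever be a glyph ID that was actually written. */
int coverage_lookup_checked(const glyph_buffer_t *b, const glyph_id_t *cov,
                            size_t cov_len, size_t idx)
{
    if (idx >= b->len)
        return -1;
    return sorted_bsearch(cov, cov_len, b->info[idx]);
}

int main(void)
{
    /* Constructed coverage table: sorted glyph IDs, as CoverageFormat1 stores them. */
    const glyph_id_t coverage[] = { 3, 7, 10, 42 };
    const size_t cov_len = sizeof coverage / sizeof coverage[0];

    glyph_buffer_t buf = { NULL, 0, 0 };
    buffer_add(&buf, 42);   /* one initialized slot; several more merely allocated */

    printf("checked   idx 0: %d\n", coverage_lookup_checked(&buf, coverage, cov_len, 0));
    printf("checked   idx 3: %d\n", coverage_lookup_checked(&buf, coverage, cov_len, 3));
    /* Under -fsanitize=memory the next call trips use-of-uninitialized-value. */
    printf("unchecked idx 3: %d\n", coverage_lookup_unchecked(&buf, coverage, cov_len, 3));

    free(buf.info);
    return 0;
}
```

Compile it twice, once plainly and once with clang -fsanitize=memory -g, to see why valgrind-style reproduction is hit and miss: the plain build silently returns whatever the stale heap bytes happen to select, while MSan stops at the first branch in sorted_bsearch that depends on the uninitialized key and prints the realloc origin, which is the information a fix needs.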

Feb 3 2017

Feb 8 2017
A friendly reminder that the M57 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Feb 13 2017

Feb 16 2017
A friendly reminder that the M57 Stable launch is coming VERY soon! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix and get it merged into the release branch (2987) ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Feb 21 2017
I'm OK to push this to 58, if we can tackle it early in the cycle.

Mar 31 2017
behdad@ - did you get a chance to try the repro steps in #19? Is there anybody else who could take a look at this if you're still swamped?

Apr 4 2017
I have debugged this, but have not finished fixing. However, there are no security implications.

Apr 24 2017
Changing to Type-Bug per #26

May 3 2017
ClusterFuzz has detected this issue as fixed in range 468788:468811.

Detailed report: https://clusterfuzz.com/testcase?key=6603291950841856
Fuzzer: libfuzzer_harfbuzz_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  int OT::SortedArrayOf<OT::GlyphID, OT::IntType<unsigned short, 2u> >::bsearch<un
  OT::CoverageFormat1::get_coverage
  OT::Coverage::get_coverage
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=468788:468811
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6603291950841856
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

May 3 2017
ClusterFuzz testcase 6603291950841856 is verified as fixed, so closing issue. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.

May 3 2017

Aug 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by dominickn@chromium.org, Nov 24 2016
Owner: behdad@chromium.org
Status: Assigned (was: Untriaged)