Crash in blink::PtrStorageImpl<blink::WebCryptoAlgorithmPrivate,

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6666569393635328
Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  blink::PtrStorageImpl<blink::WebCryptoAlgorithmPrivate,
  blink::PtrStorageImpl<blink::WebCryptoAlgorithmPrivate,
  blink::WebPrivatePtr<blink::WebCryptoAlgorithmPrivate,
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=425604:425615
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv949Ql9_Q80a1C9SBFfg030gDiR08TlYHeYOE_V0DsBRWNRS6Cu8rcLM9NMnfTzZzeaDw-LUHxo4GR3jK8rtBXan55UbLMattRYJlNIDjokpWiWWUW2KGW78zO9W_7QWXrfXJamFvrNP3Pk6TkmWQ_FWlVc-qQ?testcase_id=6666569393635328

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Nov 30 2016
Definitely is that CL. Will look tomorrow.
Nov 30 2016
Dec 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2e33aac2a71771c2e5780d4e2abb95540760fdcf

commit 2e33aac2a71771c2e5780d4e2abb95540760fdcf
Author: jbroman <jbroman@chromium.org>
Date: Thu Dec 01 02:10:35 2016

Have all overloads of webcrypto::AlgorithmImplementation::DeserializeKeyForClone check the params type.

Presently neither this nor the calling code checks that the algorithm ID and key params type correspond correctly. This code already knows what the expected value is, so it seems a reasonable place to check.

BUG=669649
Review-Url: https://codereview.chromium.org/2544533002
Cr-Commit-Position: refs/heads/master@{#435528}

[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/components/webcrypto/algorithms/aes.cc
[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/components/webcrypto/algorithms/ec.cc
[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/components/webcrypto/algorithms/hkdf.cc
[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/components/webcrypto/algorithms/hmac.cc
[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/components/webcrypto/algorithms/pbkdf2.cc
[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/components/webcrypto/algorithms/rsa.cc
[modify] https://crrev.com/2e33aac2a71771c2e5780d4e2abb95540760fdcf/third_party/WebKit/Source/bindings/modules/v8/serialization/V8ScriptValueSerializerForModulesTest.cpp
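The fix above makes each per-algorithm DeserializeKeyForClone overload verify that the params type tag it was handed is the one that algorithm expects, instead of trusting that the serializer paired them correctly. The following is an added example, not code from the Chromium tree: it models a structured-clone key-deserialization path with invented algorithm IDs, params type tags and a constructed wire layout ([id][params_type][len][bytes]), and shows the check rejecting a mismatched pairing before the params bytes are interpreted. The sample inputs are constructed for the example and are not the ClusterFuzz testcase.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Invented IDs and type tags for this example (not Blink's real enums).
enum class AlgorithmId : uint8_t { kAesCbc = 1, kHmac = 2 };
enum class ParamsType : uint8_t { kNone = 0, kAesKeyGen = 1, kHmacKeyGen = 2 };
enum class Status { kOk, kBadParamsType, kMalformed };

// A serialized algorithm as the clone path sees it: ID, params type tag and
// raw params bytes. A buggy or hostile serializer can pair any ID with any
// tag, so the pairing has to be validated on the way in.
struct SerializedAlgorithm {
  AlgorithmId id = AlgorithmId::kAesCbc;
  ParamsType params_type = ParamsType::kNone;
  std::vector<uint8_t> params_bytes;
};

struct AesKeyGenParams { uint16_t length_bits = 0; };
struct HmacKeyGenParams { uint8_t hash_id = 0; };

// Constructed wire layout: [id][params_type][len][len bytes of params].
bool ParseSerializedAlgorithm(const std::vector<uint8_t>& buf, SerializedAlgorithm* out) {
  if (buf.size() < 3) return false;
  size_t len = buf[2];
  if (buf.size() != 3 + len) return false;
  out->id = static_cast<AlgorithmId>(buf[0]);
  out->params_type = static_cast<ParamsType>(buf[1]);
  out->params_bytes.assign(buf.begin() + 3, buf.end());
  return true;
}

// Per-algorithm overloads. The first line of each is the check the fix adds:
// refuse a params blob whose tag is not the one this algorithm expects,
// before a single byte of it is interpreted as that params struct.
Status DeserializeKeyForClone(const SerializedAlgorithm& alg, AesKeyGenParams* out) {
  if (alg.params_type != ParamsType::kAesKeyGen) return Status::kBadParamsType;
  if (alg.params_bytes.size() != 2) return Status::kMalformed;
  uint16_t bits = static_cast<uint16_t>(alg.params_bytes[0] | (alg.params_bytes[1] << 8));
  if (bits != 128 && bits != 192 && bits != 256) return Status::kMalformed;
  out->length_bits = bits;
  return Status::kOk;
}

Status DeserializeKeyForClone(const SerializedAlgorithm& alg, HmacKeyGenParams* out) {
  if (alg.params_type != ParamsType::kHmacKeyGen) return Status::kBadParamsType;
  if (alg.params_bytes.size() != 1) return Status::kMalformed;
  out->hash_id = alg.params_bytes[0];
  return Status::kOk;
}

// Dispatcher modelling the calling code: it selects the implementation by
// algorithm ID only, which is why the implementation must check the tag.
Status DeserializeKeyForClone(const SerializedAlgorithm& alg) {
  switch (alg.id) {
    case AlgorithmId::kAesCbc: { AesKeyGenParams p; return DeserializeKeyForClone(alg, &p); }
    case AlgorithmId::kHmac:   { HmacKeyGenParams p; return DeserializeKeyForClone(alg, &p); }
    default: return Status::kMalformed;  // unknown algorithm ID
  }
}

// Parse then deserialize, as a fuzzer-facing entry point would.
Status CloneFromBytes(const std::vector<uint8_t>& buf) {
  SerializedAlgorithm alg;
  if (!ParseSerializedAlgorithm(buf, &alg)) return Status::kMalformed;
  return DeserializeKeyForClone(alg);
}

// Constructed inputs for the example (not the ClusterFuzz testcase).
const std::vector<uint8_t> kGoodAes  = {1, 1, 2, 0x00, 0x01};  // AES-CBC, AES tag, 256 bits
const std::vector<uint8_t> kMismatch = {1, 2, 1, 0x05};        // AES-CBC ID with HMAC tag

int main() {
  std::printf("good:     status %d\n", static_cast<int>(CloneFromBytes(kGoodAes)));
  std::printf("mismatch: status %d\n", static_cast<int>(CloneFromBytes(kMismatch)));
  return 0;
}
```

The mismatched input is the shape of the bug class this report describes: the ID selects one implementation while the params object belongs to another, and without the tag check the implementation would read fields that are not there. Placing the check inside each overload, rather than only in the dispatcher, means every entry path to the implementation gets it.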
Dec 1 2016
ClusterFuzz has detected this issue as fixed in range 435516:435560.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6666569393635328
Fuzzer: libfuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  blink::PtrStorageImpl<blink::WebCryptoAlgorithmPrivate,
  blink::PtrStorageImpl<blink::WebCryptoAlgorithmPrivate,
  blink::WebPrivatePtr<blink::WebCryptoAlgorithmPrivate,
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=425604:425615
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=435516:435560
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv949Ql9_Q80a1C9SBFfg030gDiR08TlYHeYOE_V0DsBRWNRS6Cu8rcLM9NMnfTzZzeaDw-LUHxo4GR3jK8rtBXan55UbLMattRYJlNIDjokpWiWWUW2KGW78zO9W_7QWXrfXJamFvrNP3Pk6TkmWQ_FWlVc-qQ?testcase_id=6666569393635328

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 1 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by mummare...@chromium.org, Nov 29 2016
Labels: Test-Predator-Wrong M-57
Owner: jbroman@chromium.org
Status: Assigned (was: Untriaged)