Heap-use-after-free in xmlAddID
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5610393478365184
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6050000090d0
Crash State:
  xmlAddID
  xmlValidateOneNamespace
  xmlSAX2AttributeInternal
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=450685:450714
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv955q114YhCKZUd0bLDxbGy-4E7l__r4wfkj-PCLYPgpR13LCDsoOsLGJ1cHdHjVE_kjqCVu_FoLQdFzhKQuUMGY5pw_r0B6vO7_Itj2CddT-F4CBWNajeUFF6FJAyeT10GEGdYYWsuyJzheu5EMv1od2guylbFISfV9KowDXH7VzjlSGsb-HbNBuXX17yym3ReOtxnHTf2W9nJS9KL5q2rk9s14Ul0_rucmuGwCueRKTcU84Vhr6ap-FB0L5vYTu1LokUEy9xYXsuksc7mTFRbLFx-tbk2R5nPPIFvGMn0ICUoa3Pq_rZ6Rf9zyw5gnXzHJeJaleXLPoXf3__51kKSnF3kM6WzT-O7eV3673MKLKNasKAzXUF6z3O-WtOdVZ1jy_KxInxT3lWR2UxNf3BgRPgRvNA?testcase_id=5610393478365184

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Feb 16 2017
changing the target on oss-fuzz to the one on chromium makes it reproduce there too, so this bug still exists in upstream.
,
Feb 16 2017
On it.
,
Feb 16 2017
I cannot reproduce this:

4807ace9c09b Switch tabs from VR shell. - When clicking on a tab in VR shell this tab is shown in the content quad.

redacted@redacted:redacted$ gn gen out/libfuzzer_asan_debug '--args=is_debug=true use_libfuzzer=true is_asan=true enable_nacl=false proprietary_codecs=true ffmpeg_branding="ChromeOS"'
Done. Made 5266 targets from 1211 files in 928ms
redacted@redacted:redacted$ ninja -C out/libfuzzer_asan_debug libxml_xml_read_memory_fuzzer
ninja: Entering directory `out/libfuzzer_asan_debug'
[336/336] LINK ./libxml_xml_read_memory_fuzzer
redacted@redacted:redacted$ out/libfuzzer_asan_debug/libxml_xml_read_memory_fuzzer redacted/clusterfuzz-testcase-5610393478365184
INFO: Seed: 3497758454
INFO: Loaded 0 modules (0 guards):
out/libfuzzer_asan_debug/libxml_xml_read_memory_fuzzer: Running 1 inputs 1 time(s) each.
Running: redacted/clusterfuzz-testcase-5610393478365184
Executed redacted/clusterfuzz-testcase-5610393478365184 in 5 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
,
Feb 16 2017
Dominic, I've managed to reproduce it with `-runs=10000` argument on both Release and Debug builds. I wonder why CF can reproduce with `-runs=100`, but I cannot...
,
Feb 16 2017
Thanks, that repros now.
,
Feb 16 2017
I think this relies on XML_PARSE_DTDVALID being set in the options; I think Blink only uses XML_PARSE_NODICT | XML_PARSE_NOENT | XML_PARSE_HUGE. I can't say with absolute certainty that libxml doesn't flip that on, but I suspect Blink is not vulnerable to this. We should configure libxml without LIBXML_VALID_ENABLED since I believe we're not using this. ail, this may be of interest to other users though.
,
Feb 16 2017
I'm not sure that ail@ has access to CF links, so attaching reproducer here. Fuzz target: https://cs.chromium.org/chromium/src/testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc
,
Feb 16 2017
Value of `options` argument calculated via std::hash is 825904465
,
Feb 16 2017
Thanks for that. That does indeed include XML_PARSE_DTDVALID (1<<4), written into ctxt->validate by xmlCtxtUseOptionsInternal and checked at xmlSAX2AttributeInternal third_party/libxml/src/SAX2.c:1216.
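As an added illustration (not code from this thread, from Chromium or from libxml2), a small triage helper in C that mirrors libxml2's xmlParserOption bit values so it builds without libxml2, decodes an options word into flag names, and reports whether the word enables DTD validation; run on the 825904465 quoted above it shows XML_PARSE_DTDVALID set, while Blink's NODICT | NOENT | HUGE set leaves it clear. Only the DTDVALID value (1<<4) is stated on the page; the other bit values are taken from libxml2's parser.h.

```c
#include <stdio.h>
#include <string.h>

/* xmlParserOption bit values as in libxml2's parser.h, mirrored so this builds
 * without libxml2; XML_PARSE_DTDVALID (1<<4) is what ends up in ctxt->validate. */
static const struct { unsigned bit; const char *name; } kOptions[] = {
    {1u<<0, "XML_PARSE_RECOVER"},    {1u<<1, "XML_PARSE_NOENT"},
    {1u<<2, "XML_PARSE_DTDLOAD"},    {1u<<3, "XML_PARSE_DTDATTR"},
    {1u<<4, "XML_PARSE_DTDVALID"},   {1u<<5, "XML_PARSE_NOERROR"},
    {1u<<6, "XML_PARSE_NOWARNING"},  {1u<<7, "XML_PARSE_PEDANTIC"},
    {1u<<8, "XML_PARSE_NOBLANKS"},   {1u<<9, "XML_PARSE_SAX1"},
    {1u<<10, "XML_PARSE_XINCLUDE"},  {1u<<11, "XML_PARSE_NONET"},
    {1u<<12, "XML_PARSE_NODICT"},    {1u<<13, "XML_PARSE_NSCLEAN"},
    {1u<<14, "XML_PARSE_NOCDATA"},   {1u<<15, "XML_PARSE_NOXINCNODE"},
    {1u<<16, "XML_PARSE_COMPACT"},   {1u<<17, "XML_PARSE_OLD10"},
    {1u<<18, "XML_PARSE_NOBASEFIX"}, {1u<<19, "XML_PARSE_HUGE"},
    {1u<<20, "XML_PARSE_OLDSAX"},    {1u<<21, "XML_PARSE_IGNORE_ENC"},
    {1u<<22, "XML_PARSE_BIG_LINES"},
};
enum { XML_PARSE_NOENT = 1u<<1, XML_PARSE_DTDVALID = 1u<<4,
       XML_PARSE_NODICT = 1u<<12, XML_PARSE_HUGE = 1u<<19 };

/* 1 if the word switches on DTD validation, the gate for the crash path
 * xmlSAX2AttributeInternal -> xmlValidateOneNamespace -> xmlAddID; else 0. */
int enables_dtd_validation(unsigned options) {
    return (options & XML_PARSE_DTDVALID) != 0;
}

/* Write the set flags as space-separated names into out ("bit<N>" for bits the
 * table does not know). Returns the number of set bits even if out is too small. */
int decode_parser_options(unsigned options, char *out, size_t outlen) {
    size_t used = 0, i; int count = 0, n; unsigned b;
    out[0] = '\0';
    for (b = 0; b < 32; b++) {
        const char *name = NULL;
        if (!(options & (1u << b))) continue;
        for (i = 0; i < sizeof kOptions / sizeof kOptions[0]; i++)
            if (kOptions[i].bit == (1u << b)) name = kOptions[i].name;
        if (name) n = snprintf(out + used, outlen - used, "%s%s", count ? " " : "", name);
        else      n = snprintf(out + used, outlen - used, "%sbit%u", count ? " " : "", b);
        if (n > 0 && (size_t)n < outlen - used) used += (size_t)n;  /* else: truncated */
        count++;
    }
    return count;
}

int main(void) {
    char buf[512];
    /* The fuzz target's option word from the thread, then Blink's stated set. */
    unsigned words[2] = {825904465u, XML_PARSE_NODICT | XML_PARSE_NOENT | XML_PARSE_HUGE};
    for (int k = 0; k < 2; k++) {
        decode_parser_options(words[k], buf, sizeof buf);
        printf("%u: %s\n  DTD validation %s\n", words[k], buf,
               enables_dtd_validation(words[k]) ? "on" : "off");
    }
    return 0;
}
```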
,
Feb 16 2017
Thanks Dominic for the analysis. I've created a similar issue in the oss-fuzz tracker: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=598 Hopefully upstream maintainers can take care of it :)
,
Feb 16 2017
,
Feb 16 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 16 2017
Removing ReleaseBlock label as per c#7.
,
Feb 17 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 17 2017
Marty, what is a proper way to remove ReleaseBlock label?
,
Feb 17 2017
In this case, we should be using Security_Impact-None rather than Beta. If all else fails you can add ReleaseBlock-NA, but if there's a real reason it shouldn't be a release blocker it usually means some other labels need to change (e.g. severity, impact, type).
,
Feb 18 2017
That makes sense, thank you for the explanation!
,
Mar 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/aa1586759de407c9631115b3de0ea85acb5b622f

commit aa1586759de407c9631115b3de0ea85acb5b622f
Author: dominicc <dominicc@chromium.org>
Date: Wed Mar 29 12:46:13 2017

Roll libxml to e905f08123e4a6e7731549e6f09dadff4cab65bd

In this patch I'm disabling LIBXML_VALID_ENABLED which should shrink the attack surface fuzzers find.

Local patches we're no longer applying now:

Issue 623378 Comment 7 has been fixed upstream: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e

d31995076e55f1aac2f935c53b585a90ece27a11 / timsort.h: https://git.gnome.org/browse/libxml2/commit/?id=c2545cbb6d9a87e3e0bce167eabcb8f3c9153edc

Issue 624011 was fixed upstream: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b

BUG= 705938 , 692731
Review-Url: https://codereview.chromium.org/2781843002
Cr-Commit-Position: refs/heads/master@{#460360}

[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/README.chromium
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/runtest.c
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/testlimits.c
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/timsort.h
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/xmlIO.c
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/xpath.c
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/src/xpointer.c
[modify] https://crrev.com/aa1586759de407c9631115b3de0ea85acb5b622f/third_party/libxml/win32/xmlversion.h
,
Mar 30 2017
ClusterFuzz has detected this issue as fixed in range 460354:460361.

Detailed report: https://clusterfuzz.com/testcase?key=5610393478365184
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Heap-use-after-free WRITE 4
Crash Address: 0x6050000090d0
Crash State:
  xmlAddID
  xmlValidateOneNamespace
  xmlSAX2AttributeInternal
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=450685:450714
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=460354:460361
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv955q114YhCKZUd0bLDxbGy-4E7l__r4wfkj-PCLYPgpR13LCDsoOsLGJ1cHdHjVE_kjqCVu_FoLQdFzhKQuUMGY5pw_r0B6vO7_Itj2CddT-F4CBWNajeUFF6FJAyeT10GEGdYYWsuyJzheu5EMv1od2guylbFISfV9KowDXH7VzjlSGsb-HbNBuXX17yym3ReOtxnHTf2W9nJS9KL5q2rk9s14Ul0_rucmuGwCueRKTcU84Vhr6ap-FB0L5vYTu1LokUEy9xYXsuksc7mTFRbLFx-tbk2R5nPPIFvGMn0ICUoa3Pq_rZ6Rf9zyw5gnXzHJeJaleXLPoXf3__51kKSnF3kM6WzT-O7eV3673MKLKNasKAzXUF6z3O-WtOdVZ1jy_KxInxT3lWR2UxNf3BgRPgRvNA?testcase_id=5610393478365184

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 30 2017
I just realized LIBXML_VALID_ENABLED might still be defined on Mac. I'm experimenting with disabling more stuff in https://codereview.chromium.org/2789473002
,
Mar 30 2017
ClusterFuzz testcase 5610393478365184 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 30 2017
Reopening this because I didn't configure it right on OS X apparently.
,
Mar 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d

commit ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d
Author: dominicc <dominicc@chromium.org>
Date: Fri Mar 31 01:20:35 2017

libxml2: Disable unused XINCLUDE and SCHEMAS, and missing VALID on Mac.

LIBXML_VALID_ENABLED should have been undefined in r460360, but it looks like I missed it.

BUG= 692731
Review-Url: https://codereview.chromium.org/2789473002
Cr-Commit-Position: refs/heads/master@{#460977}

[modify] https://crrev.com/ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d/third_party/libxml/README.chromium
[modify] https://crrev.com/ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d/third_party/libxml/mac/include/libxml/xmlversion.h
[modify] https://crrev.com/ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d/third_party/libxml/win32/xmlversion.h
,
Mar 31 2017
OK, now I think we're done.
,
Mar 31 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 31 2017
,
Mar 31 2017
,
Apr 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0026287ba46f964b29a39c2171177da22ba33834

commit 0026287ba46f964b29a39c2171177da22ba33834
Author: Dominic Cooney <dominicc@chromium.org>
Date: Mon Apr 03 01:46:16 2017

Roll libxml to e905f08123e4a6e7731549e6f09dadff4cab65bd

In this patch I'm disabling LIBXML_VALID_ENABLED which should shrink the attack surface fuzzers find.

Local patches we're no longer applying now:

Issue 623378 Comment 7 has been fixed upstream: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e

d31995076e55f1aac2f935c53b585a90ece27a11 / timsort.h: https://git.gnome.org/browse/libxml2/commit/?id=c2545cbb6d9a87e3e0bce167eabcb8f3c9153edc

Issue 624011 was fixed upstream: https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b

BUG= 705938 , 692731
Review-Url: https://codereview.chromium.org/2781843002
Cr-Commit-Position: refs/heads/master@{#460360}
(cherry picked from commit aa1586759de407c9631115b3de0ea85acb5b622f)

Review-Url: https://codereview.chromium.org/2792873002 .
Cr-Commit-Position: refs/branch-heads/3029@{#535}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/README.chromium
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/libxml2.spec
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/runtest.c
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/testlimits.c
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/timsort.h
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/xmlIO.c
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/xpath.c
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/src/xpointer.c
[modify] https://crrev.com/0026287ba46f964b29a39c2171177da22ba33834/third_party/libxml/win32/xmlversion.h
,
Apr 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/43f289d5f98665b6ec4a9c531203f416dfdd98b2

commit 43f289d5f98665b6ec4a9c531203f416dfdd98b2
Author: Dominic Cooney <dominicc@chromium.org>
Date: Mon Apr 03 01:48:18 2017

libxml2: Disable unused XINCLUDE and SCHEMAS, and missing VALID on Mac.

LIBXML_VALID_ENABLED should have been undefined in r460360, but it looks like I missed it.

BUG= 692731
Review-Url: https://codereview.chromium.org/2789473002
Cr-Commit-Position: refs/heads/master@{#460977}
(cherry picked from commit ec4a8e3a9d0000eaaefe7a02bd2a405bf510d49d)

Review-Url: https://codereview.chromium.org/2791143002 .
Cr-Commit-Position: refs/branch-heads/3029@{#536}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/43f289d5f98665b6ec4a9c531203f416dfdd98b2/third_party/libxml/README.chromium
[modify] https://crrev.com/43f289d5f98665b6ec4a9c531203f416dfdd98b2/third_party/libxml/linux/include/libxml/xmlversion.h
[modify] https://crrev.com/43f289d5f98665b6ec4a9c531203f416dfdd98b2/third_party/libxml/mac/include/libxml/xmlversion.h
[modify] https://crrev.com/43f289d5f98665b6ec4a9c531203f416dfdd98b2/third_party/libxml/win32/xmlversion.h
,
Apr 3 2017
Have to reopen this, for it turns out we have two xmlversion.h header files in the win32 folder, and it looks like we may have been using the out of date one. See https://codereview.chromium.org/2792903002
,
Apr 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f1f078d5f56503e5cf8b5490875e1e1ec9c252ba

commit f1f078d5f56503e5cf8b5490875e1e1ec9c252ba
Author: dominicc <dominicc@chromium.org>
Date: Mon Apr 03 06:53:05 2017

Delete duplicate win32 xmlversion.h header file.

It's unclear which configuration of libxml2 we're using on Windows.

BUG= 692731 ,604167
Review-Url: https://codereview.chromium.org/2792903002
Cr-Commit-Position: refs/heads/master@{#461377}

[modify] https://crrev.com/f1f078d5f56503e5cf8b5490875e1e1ec9c252ba/third_party/libxml/README.chromium
[modify] https://crrev.com/f1f078d5f56503e5cf8b5490875e1e1ec9c252ba/third_party/libxml/win32/include/libxml/xmlversion.h
[delete] https://crrev.com/c86b1f8a0db09846e20cf28a43cd4ead737e8c3c/third_party/libxml/win32/xmlversion.h
,
Apr 3 2017
,
Apr 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c3c1eab11e66eb19a716c1b0bc1f3a3a784d9740

commit c3c1eab11e66eb19a716c1b0bc1f3a3a784d9740
Author: Dominic Cooney <dominicc@chromium.org>
Date: Mon Apr 03 07:46:12 2017

Delete duplicate win32 xmlversion.h header file.

It's unclear which configuration of libxml2 we're using on Windows.

BUG= 692731 ,604167
Review-Url: https://codereview.chromium.org/2792903002
Cr-Commit-Position: refs/heads/master@{#461377}
(cherry picked from commit f1f078d5f56503e5cf8b5490875e1e1ec9c252ba)

Review-Url: https://codereview.chromium.org/2794853003 .
Cr-Commit-Position: refs/branch-heads/3029@{#539}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/c3c1eab11e66eb19a716c1b0bc1f3a3a784d9740/third_party/libxml/README.chromium
[modify] https://crrev.com/c3c1eab11e66eb19a716c1b0bc1f3a3a784d9740/third_party/libxml/win32/include/libxml/xmlversion.h
[delete] https://crrev.com/03873abfe51c7da3dd502d3addd309c1c1a74697/third_party/libxml/win32/xmlversion.h
,
May 2 2017
,
Jul 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
Comment 1 by och...@chromium.org, Feb 16 2017
Components: Blink>XML
Owner: dominicc@chromium.org
Status: Assigned (was: Untriaged)