Incorrect-function-pointer-type in egl::Display::initialize
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5310399592529920
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  egl::Display::initialize
  egl::Display::initialize
  egl::Initialize
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=452261:452420
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94ggI2PQzyrf0xJC4qvekcgUSHLWsBIr5MTXFKTA3Pwf40MKm9MglR414IjMYsurXekRNQhhetIPMW3-W3wOgopvmC1OcEp91t956-hQ0JgHxkQ1wOjSUd9fhlk_DFDl_xQ_WQnab83MQNBNR0nIju_I0WkQMHljigC4qDb3b1PTppJX4Oa0FsNsyWLJ-EA5vyFrTl2DpM-n_z3y-cmerRge3ze8XsAYjZHdc1p7FMeCW9LSrEiD-m1Zmf_OwyIc9wiUMVaFtYR6GcxjvWpjixtK9KV51AIhOlHIRZqlnbViwTBdvqcBzpMqFoTpsu69QV2cqKXFtD4iFL4ML5FJ50Y1ZOAX6BqzPtgV5RnLT3fcMl5V-c?testcase_id=5310399592529920
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 24 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 24 2017
Feb 24 2017
PTAL or send this to someone who can, thank you.
Feb 24 2017
Feb 24 2017
This is due to a limitation in clusterfuzz where it can't parse decltype declarations. I'm going to file a feature request for decltype support - but in the meantime I think this is not a security issue of any kind.
Feb 24 2017
Correction, this is a limitation in ASAN. Etienne said he could help me out here.
Feb 24 2017
Mar 3 2017
I said: It may be a UBSAN limitation (not ASAN). I'm gonna look to the exact case and try to repro.
Mar 3 2017
I tried to repro with this snippet, but with LLVM ToT it seems fine.

==== module.h ====
#include <iostream>

void problemMember() {
  std::cout << "problemMember called!" << std::endl;
}

// Struct whose member is declared through decltype, as in the ANGLE code.
struct ProblemFns {
  decltype(&problemMember) member = problemMember;
};

// needs export labels
extern "C" __declspec(dllexport) ProblemFns *GetProblemFns();
// Function type (not pointer type) of the exported getter.
using GetProblemFnsType = decltype(GetProblemFns);

==== module.cc ====
#include <windows.h>
#include "module.h"

static ProblemFns g_problemFns;

ProblemFns *GetProblemFns() {
  return &g_problemFns;
}

==== main.cc ====
#include <windows.h>
#include "module.h"

int main() {
  HMODULE dll = ::LoadLibrary("module.dll");
  if (!dll) return 1;  // module.dll must sit next to main.exe
  // Cast the untyped symbol address back to the getter's declared type.
  auto getProblemFns = reinterpret_cast<GetProblemFnsType*>(
      ::GetProcAddress(dll, "GetProblemFns"));
  if (!getProblemFns) return 2;
  // error 1: call through the exported function pointer
  auto problemFns = getProblemFns();
  // error 2: call through the decltype-declared member
  problemFns->member();
}

command-line:
d:\src\llvm\ninja64\bin\clang-cl.exe main.cc /Zi -fsanitize=undefined
d:\src\llvm\ninja64\bin\clang-cl.exe module.cc /LD /Zi -fsanitize=undefined

Running:
D:\src\llvm\examples>main.exe
problemMember called!
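As an added, portable example (not the thread's repro and not ANGLE code), the same decltype-declared struct and exported getter, but with the untyped symbol lookup replaced by a constructed table that records the function type each address was registered with: a lookup under a different signature is refused instead of handing back a pointer whose call is the mismatched-function-pointer case UBSan reports. SymbolTable, makeModuleTable and the int-returning problemMember are assumptions made here so the results can be checked.

```cpp
#include <map>
#include <string>
#include <typeinfo>

// Constructed stand-ins for the repro's functions (problemMember returns a value so it can be checked).
int problemMember() { return 42; }
struct ProblemFns {
    decltype(&problemMember) member = problemMember;  // same decltype member pattern as the repro
};
static ProblemFns g_problemFns;
ProblemFns *GetProblemFns() { return &g_problemFns; }
using GetProblemFnsType = decltype(GetProblemFns);  // function type ProblemFns*(), not a pointer

// A symbol entry keeps the exact function type it was registered with next to its address.
struct Symbol {
    void (*addr)();              // generic function pointer; function-pointer-to-function-pointer casts round-trip
    const std::type_info *type;  // registered function type
};

// Hypothetical typed symbol table standing in for GetProcAddress/dlsym.
class SymbolTable {
public:
    template <typename Fn>
    void add(const std::string &name, Fn *fn) {
        table_[name] = Symbol{reinterpret_cast<void (*)()>(fn), &typeid(Fn)};
    }
    // Returns nullptr unless the symbol was registered with exactly the requested type,
    // so the caller can never obtain a pointer whose call would be through the wrong type.
    template <typename Fn>
    Fn *lookup(const std::string &name) const {
        auto it = table_.find(name);
        if (it == table_.end() || *it->second.type != typeid(Fn)) return nullptr;
        return reinterpret_cast<Fn *>(it->second.addr);
    }
private:
    std::map<std::string, Symbol> table_;
};

SymbolTable makeModuleTable() {
    SymbolTable t;
    t.add("GetProblemFns", GetProblemFns);  // registered as ProblemFns*()
    return t;
}

// Correct type: the typed lookup succeeds and both calls are well-defined. Returns 42.
int callThroughCorrectType() {
    auto getProblemFns = makeModuleTable().lookup<GetProblemFnsType>("GetProblemFns");
    return getProblemFns ? getProblemFns()->member() : -1;
}

// Wrong type (void(int) instead of ProblemFns*()): refused rather than called.
bool wrongTypeRejected() {
    return makeModuleTable().lookup<void(int)>("GetProblemFns") == nullptr;
}
```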
Jul 30 2017
Detailed report: https://clusterfuzz.com/testcase?key=4722871158177792
Fuzzer: gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  egl::Display::initialize
  egl::Display::initialize
  egl::Initialize
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4722871158177792
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=4722871158177792
Fuzzer: gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  egl::Display::initialize
  egl::Display::initialize
  egl::Initialize
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=452261:452420
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4722871158177792
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Sep 7 2017
ClusterFuzz has detected this issue as fixed in range 500168:500210.
Detailed report: https://clusterfuzz.com/testcase?key=4722871158177792
Fuzzer: gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  egl::Display::initialize
  egl::Display::initialize
  egl::Initialize
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=452261:452420
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=500168:500210
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4722871158177792
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2017
ClusterFuzz testcase 4722871158177792 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 7 2017
Dec 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot