Stack-buffer-overflow in uloc_setKeywordValue_58

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6013791688196096
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Stack-buffer-overflow WRITE 1
Crash Address: 0x7f6e06433d5f
Crash State:
  uloc_setKeywordValue_58
  blink::LayoutLocale::localeWithBreakKeyword
  blink::localeForLineBreakIterator
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=453791:453840
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979SiSmtwI8mSijbc5If0X9z_mS_gsL1Araxba8pysCltzv9MmcUjXdNkc34JuY8RQHkvJ7g45zNsDEzyseecsw8Nw78Azo6JpnZF-0eeZg2a94szbMWToiGIw1iV-iKaca0r5mSBcUPb_YR6DYKbq7Yc2W0gd9AOz1WSEdwebQsEESo75gF2fAVu9uayGRzks1xX0lGioq9iaV66woo0_1BClX9mKdi4VLhngE6GX3cvOsVH3TckG0dGahNHwptcRqJmfxKTVDdjA1wespoRzR-JdRbRZbIkAi-hWPghVNd5FY-xSaedvfSsuC4xYhsTCdE6QGcS2n2YkQ9xrUGp-MnoMd3Ycs4qvTlRiLTk3jDgp37m0?testcase_id=6013791688196096

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sheriffbot@chromium.org, Mar 2 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 3 2017
It looks like ICU has a problem dealing with this string. I'll put in a workaround and report it to ICU.

Mar 3 2017
Sent an e-mail to ICU contact. WIP for workaround: https://codereview.chromium.org/2725243003

Mar 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/156a9b90ac5612a39b1be4ee1e80042093df0c5a

commit 156a9b90ac5612a39b1be4ee1e80042093df0c5a
Author: kojii <kojii@chromium.org>
Date: Fri Mar 03 05:56:18 2017

Avoid uloc_setKeywordValue if the locale contains "@"

This patch avoids calling ICU uloc_setKeywordValue if the locale string contains "@". This looks like a bug in ICU, I will report to ICU separately.

BUG= 697859
Review-Url: https://codereview.chromium.org/2725243003
Cr-Commit-Position: refs/heads/master@{#454523}

[modify] https://crrev.com/156a9b90ac5612a39b1be4ee1e80042093df0c5a/third_party/WebKit/Source/platform/LayoutLocale.cpp
[modify] https://crrev.com/156a9b90ac5612a39b1be4ee1e80042093df0c5a/third_party/WebKit/Source/platform/LayoutLocaleTest.cpp
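The commit above describes the call-site workaround: skip ICU's uloc_setKeywordValue() whenever the locale string already carries a "@" keyword section, because the crash is an ASan-detected write past a stack buffer inside that call. The example below is added here to illustrate the defensive pattern; it is not Blink's LayoutLocale code and it does not call ICU. setKeywordValueBounded() is a stand-in with the same buffer/capacity/status shape as uloc_setKeywordValue(), localeWithLineBreakKeyword() plays the role of a caller like localeWithBreakKeyword(), and the status enum, the "lb" keyword usage and the 157-byte capacity (ICU's ULOC_FULLNAME_CAPACITY) are assumptions made for the example.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Status values in the style of ICU's UErrorCode (0 = success, >0 = error).
// Constructed for this example; they are not ICU's real enumerators.
enum KeywordStatus { kOk = 0, kIllegalArgument = 1, kBufferOverflow = 2 };

// Stand-in for a keyword-setting call with the same buffer/capacity/status
// shape as ICU's uloc_setKeywordValue(). It writes "<locale>@<key>=<value>"
// into `out`, never more than `capacity` bytes including the NUL terminator,
// and returns the length the full result needs (ICU's preflight convention).
// It does not call ICU; it exists to show two caller-side defences:
//   1. a locale that already has a '@' keyword section is passed through
//      untouched, which is the guard the Chromium patch adds around the
//      real call;
//   2. every write is bounds-checked against `capacity`, so an undersized
//      stack buffer yields kBufferOverflow rather than a write past its end.
int setKeywordValueBounded(const char* locale, const char* key,
                           const char* value, char* out, int capacity,
                           KeywordStatus* status) {
  if (status == nullptr) return 0;
  if (locale == nullptr || key == nullptr || value == nullptr ||
      out == nullptr || capacity <= 0) {
    *status = kIllegalArgument;
    return 0;
  }
  const size_t cap = static_cast<size_t>(capacity);
  const size_t localeLen = std::strlen(locale);

  // Defence 1: do not try to rewrite an existing "@key=value" section.
  if (std::strchr(locale, '@') != nullptr) {
    if (localeLen + 1 > cap) {
      *status = kBufferOverflow;
      return static_cast<int>(localeLen);
    }
    std::memcpy(out, locale, localeLen + 1);
    *status = kOk;
    return static_cast<int>(localeLen);
  }

  // Defence 2: compute the required size before touching the buffer.
  const size_t needed = localeLen + 1 /* '@' */ + std::strlen(key) +
                        1 /* '=' */ + std::strlen(value);
  if (needed + 1 > cap) {  // +1 for the NUL terminator
    *status = kBufferOverflow;
    return static_cast<int>(needed);
  }
  std::snprintf(out, cap, "%s@%s=%s", locale, key, value);
  *status = kOk;
  return static_cast<int>(needed);
}

// Caller in the shape of Blink's localeWithBreakKeyword(): takes a locale and
// a line-break keyword value, uses a fixed-size buffer (157 is ICU's
// ULOC_FULLNAME_CAPACITY), and falls back to the original locale on any
// failure instead of using a partially written buffer.
std::string localeWithLineBreakKeyword(const std::string& locale,
                                       const std::string& lineBreakValue,
                                       int capacity = 157) {
  std::vector<char> buf(static_cast<size_t>(capacity > 0 ? capacity : 1));
  KeywordStatus status = kOk;
  setKeywordValueBounded(locale.c_str(), "lb", lineBreakValue.c_str(),
                         buf.data(), capacity, &status);
  if (status != kOk) return locale;  // unchanged locale is the safe fallback
  return std::string(buf.data());
}

int main() {
  std::printf("%s\n", localeWithLineBreakKeyword("ja", "strict").c_str());
  std::printf("%s\n",
              localeWithLineBreakKeyword("en_US@collation=phonebook", "loose")
                  .c_str());
  return 0;
}
```

The point of the fallback in localeWithLineBreakKeyword() is that a caller which cannot know whether the library write is bounded should at least ensure its own buffer is never consumed after a non-success status; the "@" guard is the narrower fix that sidesteps the input class the fuzzer found.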

Mar 4 2017
ClusterFuzz has detected this issue as fixed in range 454515:454545.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6013791688196096
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Stack-buffer-overflow WRITE 1
Crash Address: 0x7f6e06433d5f
Crash State:
  uloc_setKeywordValue_58
  blink::LayoutLocale::localeWithBreakKeyword
  blink::localeForLineBreakIterator
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=453791:453840
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=454515:454545
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979SiSmtwI8mSijbc5If0X9z_mS_gsL1Araxba8pysCltzv9MmcUjXdNkc34JuY8RQHkvJ7g45zNsDEzyseecsw8Nw78Azo6JpnZF-0eeZg2a94szbMWToiGIw1iV-iKaca0r5mSBcUPb_YR6DYKbq7Yc2W0gd9AOz1WSEdwebQsEESo75gF2fAVu9uayGRzks1xX0lGioq9iaV66woo0_1BClX9mKdi4VLhngE6GX3cvOsVH3TckG0dGahNHwptcRqJmfxKTVDdjA1wespoRzR-JdRbRZbIkAi-hWPghVNd5FY-xSaedvfSsuC4xYhsTCdE6QGcS2n2YkQ9xrUGp-MnoMd3Ycs4qvTlRiLTk3jDgp37m0?testcase_id=6013791688196096

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 6 2017
I just submitted a corresponding ICU bug: http://bugs.icu-project.org/trac/ticket/13018

Mar 13 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Mar 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ed9223e54fedd9aabcd753e9e715bd5d87e1518b

commit ed9223e54fedd9aabcd753e9e715bd5d87e1518b
Author: Koji Ishii <kojii@chromium.org>
Date: Tue Mar 14 03:48:34 2017

Merge 3029: Avoid uloc_setKeywordValue if the locale contains "@"

This patch avoids calling ICU uloc_setKeywordValue if the locale string contains "@". This looks like a bug in ICU, I will report to ICU separately.

BUG= 697859
Review-Url: https://codereview.chromium.org/2725243003
Cr-Commit-Position: refs/heads/master@{#454523}
(cherry picked from commit 156a9b90ac5612a39b1be4ee1e80042093df0c5a)

Review-Url: https://codereview.chromium.org/2753493002 .
Cr-Commit-Position: refs/branch-heads/3029@{#180}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/ed9223e54fedd9aabcd753e9e715bd5d87e1518b/third_party/WebKit/Source/platform/LayoutLocale.cpp
[modify] https://crrev.com/ed9223e54fedd9aabcd753e9e715bd5d87e1518b/third_party/WebKit/Source/platform/LayoutLocaleTest.cpp

Mar 14 2017
Does this require a merge to M57?

Mar 14 2017
+awhalley@, does this require a merge to M57?

Mar 14 2017
govind@ - nope, the original regression was in 58

Jun 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot