Undefined-shift in net::HpackVarintDecoder::Resume
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4797240725209088

Fuzzer: libfuzzer_net_spdy_session_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  net::HpackVarintDecoder::Resume
  bool net::HpackStringDecoder::StartDecodingLength<net::ValueDecoderListener>
  net::DecodeStatus net::HpackStringDecoder::Resume<net::ValueDecoderListener>

Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95fj3y8qa44vyGNbHtL1j7r-8AsAlDPifUBns0zSOYRlLUtvDpGHdTMFrBtuLWFZXEG0b6bQ6VX2nnE6utqMKAcM7cXAAlcz_Ednw43jdeqClX0ZXhLGtVU520Bivz4nkUwY0DuwsLjPy0rMWnnnef3MQUUB105ZrKLvdJ862-43jkjB374ZOAwpxD2y_2eWl7LQiKLgmu3COdnaV_-6_Eq7nyT5obzmJiubqP8Nr4SGUoG80OzQoMVDWFGjPFTqj9nFn0jJFAAhi6JYwjevLqllvr-iVJQwhJM0mtNaMGrjQbUt2laeBSsbK-YRTi6VwvauGDQDwt8pXo87ApFG_R0lvZrdx1gZJwNM1Xx7xWO_Z8Gs5s?testcase_id=4797240725209088

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Apr 14 2017
Suspect named in comment #1 is correct. Working on it. Kudos for the clusterfuzz team for making it such a breeze to locally reproduce and verify the fix.
Apr 18 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/0b38727639f5a7846099709654d065ab4c90239d

commit 0b38727639f5a7846099709654d065ab4c90239d
Author: bnc <bnc@chromium.org>
Date: Tue Apr 18 14:52:48 2017

Avoid overflow on left shift in HpackVarintDecoder::Resume().

This CL only changes functionality if |offset_ == MaxOffset()| and |byte != 0| in the last execution of the do loop. In this case, the final value of |offset_| will be different, but this is a private member with no accessor, and has no effect visible to consumers. Also, |value_| will not be incremented in the last cycle, in order to avoid the runtime error that Clusterfuzz filed this bug for. However, in this case decoding fails with kDecodeError, and |value_| is considered invalid anyway.

BUG=698698
Review-Url: https://codereview.chromium.org/2819873002
Cr-Commit-Position: refs/heads/master@{#465235}

[modify] https://crrev.com/0b38727639f5a7846099709654d065ab4c90239d/net/http2/hpack/decoder/hpack_varint_decoder.h
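To illustrate the class of bug the commit message describes, here is an added C++ example (written for this page, not Chromium's hpack_varint_decoder.h): an HPACK integer decoder (RFC 7541 section 5.1) that caps the shift offset so the left shift is always defined and reports an error instead of overflowing. The names DecodeHpackVarint, DecodeStatus, VarintResult and kMaxOffset, and the 32-bit value width, are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Outcome of one decode attempt (names are this example's, not Chromium's).
enum class DecodeStatus { kDone, kInProgress, kError };

struct VarintResult {
  DecodeStatus status;
  uint32_t value;    // only meaningful when status == kDone
  size_t consumed;   // continuation bytes read from `in`
};

// Decode an HPACK integer (RFC 7541 section 5.1) into a 32-bit value.
// `prefix` is the first byte, `prefix_bits` its integer prefix width (1-8);
// `in` holds the continuation bytes, 7 bits each, least significant first.
VarintResult DecodeHpackVarint(uint8_t prefix, int prefix_bits,
                               const std::vector<uint8_t>& in) {
  const uint32_t prefix_mask = (1u << prefix_bits) - 1;
  uint32_t value = prefix & prefix_mask;
  if (value < prefix_mask) return {DecodeStatus::kDone, value, 0};

  // Offsets advance 0, 7, 14, 21, 28. A sixth continuation byte would need
  // offset 35, and `group << 35` on a 32-bit value is undefined behaviour
  // (the kind of shift UBSAN flags), so the loop never reaches it.
  const unsigned kMaxOffset = 28;
  unsigned offset = 0;
  size_t i = 0;
  for (; i < in.size(); ++i) {
    const uint8_t byte = in[i];
    const uint32_t group = byte & 0x7f;
    // Reject before shifting if this group cannot fit in the remaining range;
    // this also catches carry-out from the final addition.
    if (group > ((UINT32_MAX - value) >> offset)) {
      return {DecodeStatus::kError, 0, i + 1};
    }
    value += group << offset;  // offset <= 28: always a defined shift
    if ((byte & 0x80) == 0) return {DecodeStatus::kDone, value, i + 1};
    if (offset == kMaxOffset) {
      return {DecodeStatus::kError, 0, i + 1};  // more bytes than fit
    }
    offset += 7;
  }
  return {DecodeStatus::kInProgress, value, i};  // need more input
}
```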
Apr 19 2017
ClusterFuzz has detected this issue as fixed in range 465234:465256.

Detailed report: https://clusterfuzz.com/testcase?key=4797240725209088

Fuzzer: libfuzzer_net_spdy_session_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Undefined-shift
Crash Address:
Crash State:
  net::HpackVarintDecoder::Resume
  bool net::HpackStringDecoder::StartDecodingLength<net::ValueDecoderListener>
  net::DecodeStatus net::HpackStringDecoder::Resume<net::ValueDecoderListener>

Sanitizer: undefined (UBSAN)

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=465234:465256

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95fj3y8qa44vyGNbHtL1j7r-8AsAlDPifUBns0zSOYRlLUtvDpGHdTMFrBtuLWFZXEG0b6bQ6VX2nnE6utqMKAcM7cXAAlcz_Ednw43jdeqClX0ZXhLGtVU520Bivz4nkUwY0DuwsLjPy0rMWnnnef3MQUUB105ZrKLvdJ862-43jkjB374ZOAwpxD2y_2eWl7LQiKLgmu3COdnaV_-6_Eq7nyT5obzmJiubqP8Nr4SGUoG80OzQoMVDWFGjPFTqj9nFn0jJFAAhi6JYwjevLqllvr-iVJQwhJM0mtNaMGrjQbUt2laeBSsbK-YRTi6VwvauGDQDwt8pXo87ApFG_R0lvZrdx1gZJwNM1Xx7xWO_Z8Gs5s?testcase_id=4797240725209088

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 19 2017
ClusterFuzz testcase 4797240725209088 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 19 2017
Issue 691214 has been merged into this issue.
Comment 1 by durga.behera@chromium.org, Mar 6 2017
Labels: Test-Predator-Correct-CLs M-59
Owner: b...@chromium.org
Status: Assigned (was: Untriaged)