Use-of-uninitialized-value in libglib-2.0.so.0 |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6190693403066368 Fuzzer: libfuzzer_stylesheet_contents_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: libglib-2.0.so.0 g_main_context_new g_main_context_default Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=474161:474211 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6190693403066368 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
May 24 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 24 2017
,
May 24 2017
mmoroz@: The repro case on this is a single byte, and it is flagging initialization of the message pump. Is this an issue with the fuzzing setup?
,
May 24 2017
We've figured out the root cause. I uploaded the testcase manually, so that it would work with the reproduce tool (though only with the download build). See: https://clusterfuzz.com/v2/testcase-detail/5820193367654400 `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 5820193367654400 --build download` reproduces. But `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 5820193367654400` doesn't reproduce. ------ ochang@ found that, for the downloaded build, the prebuilt instrumented libs are not linked properly, e.g. `libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007f55f7674000)` But, on the locally built build, the libs seem to be linked correctly, e.g. `libglib-2.0.so.0 => /usr/local/google/home/tanin/projects/chromium/src/out/clusterfuzz_5820193367654400_d8955f1c68c20bc97db9d800be8a13bcc6631b38/instrumented_libraries_prebuilt/msan/lib/libglib-2.0.so.0 (0x00007f876edc8000)` This means that we need to file a bug to the buildbot team to make sure that the folder `msan/lib` is included in the zip file.
,
May 24 2017
,
May 26 2017
ClusterFuzz has detected this issue as fixed in range 474419:474818. Detailed report: https://clusterfuzz.com/testcase?key=6190693403066368 Fuzzer: libfuzzer_stylesheet_contents_fuzzer Job Type: libfuzzer_chrome_msan Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: libglib-2.0.so.0 g_main_context_new g_main_context_default Sanitizer: memory (MSAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=474161:474211 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=474419:474818 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6190693403066368 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 26 2017
ClusterFuzz testcase 6190693403066368 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
May 29 2017
Issue 727096 has been merged into this issue.
,
May 30 2017
Thanks for the investigation, folks! Tanin, did you or Oliver file a bug as per c#5?
,
Jun 1 2017
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by sheriffbot@chromium.org
, May 24 2017