Bad-cast to std::__1::locale::__imp from std::__1::locale::__imp;call_init;call_init
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6235109664751616
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x7fe321279bb0
Crash State:
  Bad-cast to std::__1::locale::__imp from std::__1::locale::__imp
  call_init
  call_init
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=485795:485862
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6235109664751616

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 12 2017
Jul 12 2017
Looks like this change misses ubsan and broke ubsan vptr completely. https://chromium.googlesource.com/chromium/buildtools/+/3d2d34dde457f07ca410d1c06f4f3b9063c28643%5E%21/#F0
Jul 12 2017
Missing ubsan was deliberate. ubsan does not override the allocator, so I would have imagined that there would be no need to link libc++ dynamically. I don't understand how we're seeing that error though unless there is some problem with symbol visibility. Taking a closer look, and in the meantime I'll revert.
Jul 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/58964133c03142920fa2c4c121c6046e001567db

commit 58964133c03142920fa2c4c121c6046e001567db
Author: Peter Collingbourne <pcc@chromium.org>
Date: Wed Jul 12 22:14:09 2017

Revert "Roll buildtools to 3d2d34"

This reverts commit 5ddcccf75207535ba00de46982baff6af8f926d6.

Reason for revert: Breaks ubsan on clusterfuzz.

Original change's description:
> Roll buildtools to 3d2d34
>
> This roll includes only a single revision:
> https://chromium.googlesource.com/chromium/buildtools/+/3d2d34dde457f07ca410d1c06f4f3b9063c28643
>
> TBR=michaelpg@chromium.org
>
> Bug: 701919
> Change-Id: I2924e4db1cad21ce8aa4c99f5090dea69d53a720
> Reviewed-on: https://chromium-review.googlesource.com/567777
> Commit-Queue: Peter Collingbourne <pcc@chromium.org>
> Reviewed-by: Nico Weber <thakis@chromium.org>
> Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#485860}

TBR=thakis@chromium.org,michaelpg@chromium.org,pcc@chromium.org,thomasanderson@chromium.org

Change-Id: I51fd086f9f486b24727549f385c1238b8d4c39fe
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 701919, 741604
Reviewed-on: https://chromium-review.googlesource.com/568414
Reviewed-by: Peter Collingbourne <pcc@chromium.org>
Commit-Queue: Peter Collingbourne <pcc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486132}

[modify] https://crrev.com/58964133c03142920fa2c4c121c6046e001567db/DEPS
[modify] https://crrev.com/58964133c03142920fa2c4c121c6046e001567db/chrome/installer/linux/BUILD.gn
[modify] https://crrev.com/58964133c03142920fa2c4c121c6046e001567db/extensions/shell/installer/linux/BUILD.gn
Jul 13 2017
The problem is that -fsanitize=vptr does in fact require dynamic libc++ because the ubsan runtime library that implements -fsanitize=vptr calls dynamic_cast with the ABI type info classes: http://llvm-cs.pcc.me.uk/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc#233 With static libc++ each DSO will have its own copy of the RTTI for those classes, which means that calling dynamic_cast in ubsan won't return the right answer if the object was created in a DSO and therefore contains pointers to the DSO's own RTTI, which won't match the RTTI from the main executable. That was what was happening in clusterfuzz. -fsanitize=vptr is implied by is_ubsan, is_ubsan_security and is_ubsan_vptr. So we need to add all of those to the condition in third_party/libc++/BUILD.gn.
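The mechanism described in the comment above, as an added example rather than code from this bug, Chromium or compiler-rt: a stand-alone C++ reconstruction of the object-type check that -fsanitize=vptr performs. It reads the dynamic type out of the object's vtable as the Itanium ABI lays it out, then walks the ABI type_info classes with dynamic_cast, in the same shape as compiler-rt's ubsan_type_hash_itanium.cc (rewritten here, not copied). The ABI class declarations, the sample hierarchy A/B/C/D, the helper names and the VptrCheck result type are this example's own. The two dynamic_casts to __class_type_info are the calls that return null when the object's RTTI comes from one copy of libc++ and the runtime's from another; that cannot be reproduced inside a single executable, so the example shows the check working on correct and incorrect casts and marks that failure path explicitly.

```cpp
// Added example (not Chromium or compiler-rt code): a stand-alone
// reconstruction of the -fsanitize=vptr object-type check on the Itanium ABI.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <typeinfo>

// ABI type_info layouts (Itanium C++ ABI 2.9.5). Each destructor is declared
// but never defined, so it is the key function: no vtable or typeinfo for these
// classes is emitted in this file, and the dynamic_casts below bind to the C++
// runtime's own RTTI symbols, which is the trick the ubsan runtime relies on.
// When every DSO links its own static libc++, those symbols are duplicated
// and that binding no longer agrees with objects created inside a DSO.
namespace __cxxabiv1 {
class __class_type_info : public std::type_info {
  ~__class_type_info() override;
};
class __si_class_type_info : public __class_type_info {  // one public base at offset 0
  ~__si_class_type_info() override;
 public:
  const __class_type_info *__base_type;
};
class __base_class_type_info {
 public:
  const __class_type_info *__base_type;
  long __offset_flags;  // (offset << 8) | flags
  enum { __virtual_mask = 0x1, __public_mask = 0x2, __offset_shift = 8 };
};
class __vmi_class_type_info : public __class_type_info {  // multiple/virtual/non-public bases
  ~__vmi_class_type_info() override;
 public:
  unsigned int __flags;
  unsigned int __base_count;
  __base_class_type_info __base_info[1];  // really __base_count entries
};
}  // namespace __cxxabiv1
namespace abi = __cxxabiv1;

enum class VptrCheck { Ok, BadCast, RttiMismatch };

// Does a complete object of type Derived contain a Base subobject at byte
// offset Offset? Walks the ABI type_info graph the way the runtime does.
static bool isDerivedFromAtOffset(const abi::__class_type_info *Derived,
                                  const abi::__class_type_info *Base,
                                  std::ptrdiff_t Offset) {
  // With unique RTTI this is a pointer compare; the name compare is the
  // fallback for type_info objects that were merged by name only.
  if (Derived == Base || std::strcmp(Derived->name(), Base->name()) == 0)
    return Offset == 0;
  if (const auto *SI = dynamic_cast<const abi::__si_class_type_info *>(Derived))
    return isDerivedFromAtOffset(SI->__base_type, Base, Offset);
  const auto *VMI = dynamic_cast<const abi::__vmi_class_type_info *>(Derived);
  if (!VMI)
    return false;  // a class with no bases at all
  const abi::__base_class_type_info *Bases = VMI->__base_info;
  for (unsigned i = 0; i != VMI->__base_count; ++i) {
    if (Bases[i].__offset_flags & abi::__base_class_type_info::__virtual_mask)
      return true;  // virtual base: offset lives in the vtable; accept, as the runtime of the day did
    std::ptrdiff_t Here = Bases[i].__offset_flags >> abi::__base_class_type_info::__offset_shift;
    if (isDerivedFromAtOffset(Bases[i].__base_type, Base, Offset - Here))
      return true;
  }
  return false;
}

// The check -fsanitize=vptr runs before a member access or downcast: does the
// object at Object really have type Expected at this exact address?
static VptrCheck checkDynamicType(const void *Object, const std::type_info &Expected) {
  // Itanium ABI: the vptr points just past two slots, offset-to-top and typeinfo.
  const void *const *Vtable = *static_cast<const void *const *const *>(Object);
  const auto *Dyn = static_cast<const std::type_info *>(Vtable[-1]);
  std::ptrdiff_t OffsetToTop = reinterpret_cast<std::ptrdiff_t>(Vtable[-2]);
  // These casts return null when the object's RTTI and the runtime's RTTI are
  // different copies; the real runtime then reports "Bad-cast to X from X".
  const auto *Derived = dynamic_cast<const abi::__class_type_info *>(Dyn);
  const auto *Base = dynamic_cast<const abi::__class_type_info *>(&Expected);
  if (!Derived || !Base)
    return VptrCheck::RttiMismatch;
  return isDerivedFromAtOffset(Derived, Base, -OffsetToTop) ? VptrCheck::Ok
                                                            : VptrCheck::BadCast;
}

// Constructed sample hierarchy: B sits after A inside C, so a B* into a C
// points at a subobject whose vtable has a non-zero offset-to-top.
struct A { virtual ~A() {} int a = 1; };
struct B { virtual ~B() {} int b = 2; };
struct C : A, B {};
struct D : A {};
static C sampleC;
static D sampleD;
static A sampleA;
static const B *bInsideC() { return &sampleC; }  // implicit derived-to-base adjustment
static const A *aInsideD() { return &sampleD; }

int main() {
  const char *verdict[] = {"ok", "bad-cast", "rtti-mismatch"};
  std::printf("B* into C checked as B: %s\n", verdict[(int)checkDynamicType(bInsideC(), typeid(B))]);
  std::printf("B* into C checked as C: %s\n", verdict[(int)checkDynamicType(bInsideC(), typeid(C))]);
  std::printf("A* into D checked as D: %s\n", verdict[(int)checkDynamicType(aInsideD(), typeid(D))]);
  std::printf("plain A checked as D:   %s\n", verdict[(int)checkDynamicType(&sampleA, typeid(D))]);
  return 0;
}
```

Build with a plain `clang++ -std=c++17` or `g++ -std=c++17`; no sanitizer flag is needed because the check is performed by hand. The important line for this bug is the `RttiMismatch` path: the object's type_info pointer is valid, its name is even equal to the expected one, and the check still fails because `dynamic_cast` on the ABI classes is answered by RTTI from a different copy of the C++ runtime.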
Jul 13 2017
Jul 13 2017
I don't have access to issue 741663 .
Jul 13 2017
Just assigned it to you tentatively under the assumption that we can probably dedupe them.
Jul 13 2017
ClusterFuzz has detected this issue as fixed in range 486088:486149.

Detailed report: https://clusterfuzz.com/testcase?key=6235109664751616
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x7fe321279bb0
Crash State:
  Bad-cast to std::__1::locale::__imp from std::__1::locale::__imp
  call_init
  call_init
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=485795:485862
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=486088:486149
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6235109664751616

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2017
ClusterFuzz testcase 4841370429947904 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 13 2017
Jul 26 2017
Oct 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot