
Issue 760280


Issue metadata

Status: WontFix
Closed: Oct 2017
OS: Linux
Pri: 2
Type: Bug


Crash in google::protobuf::EnumValueDescriptor::type

Project Member Reported by ClusterFuzz, Aug 29 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6320375486218240

Fuzzer: libFuzzer_renderer_proto_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x62180045c768
Crash State:
  google::protobuf::EnumValueDescriptor::type
  google::protobuf::internal::GeneratedMessageReflection::SetEnum
  void protobuf_mutator::CopyField::ForType<protobuf_mutator::ConstFieldInstance::
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6320375486218240

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. If the fix resolved the issue, please close the bug by marking as Fixed.
 
Cc: aizatsky@chromium.org
Components: Tools>Stability>libFuzzer
Owner: vitalyb...@chromium.org
Status: Assigned (was: Untriaged)
This is in libprotobuf-mutator. Adding in folks from that project, PTAL to investigate if this is an issue.
Labels: Security_Impact-Stable
Status: Started (was: Assigned)

Comment 4 by sheriffbot@chromium.org, Aug 30 2017

Labels: M-61

Comment 5 by sheriffbot@chromium.org, Aug 30 2017

Labels: Pri-1

Comment 6 by bugdroid1@chromium.org, Aug 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1a8df4c7627e59b8116d766d28d65d2a4e1566e9

commit 1a8df4c7627e59b8116d766d28d65d2a4e1566e9
Author: Vitaly Buka <vitalybuka@chromium.org>
Date: Wed Aug 30 20:31:53 2017

Update src/third_party/libprotobuf-mutator b2c4fb591..b3323e24e

Bug:  760280 

Change-Id: Ib58b2acfebdf8bee712c1a7d0419874c2044cdfc
Reviewed-on: https://chromium-review.googlesource.com/642460
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Vitaly Buka <vitalybuka@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498592}
[modify] https://crrev.com/1a8df4c7627e59b8116d766d28d65d2a4e1566e9/DEPS
[modify] https://crrev.com/1a8df4c7627e59b8116d766d28d65d2a4e1566e9/content/test/fuzzer/renderer_proto_tree_fuzzer.cc
[modify] https://crrev.com/1a8df4c7627e59b8116d766d28d65d2a4e1566e9/third_party/libprotobuf-mutator/BUILD.gn

Comment 7 by raymes@chromium.org, Sep 19 2017

vitalybuka: is this fixed now?
Cc: -aizatsky@chromium.org
Labels: -Type-Bug-Security -Pri-1 -Security_Impact-Stable -M-61 M-63 Pri-2 Type-Bug
Nope. I hoped maybe the roll would fix it, but it didn't.
This does not look like a bug in Chromium, but rather in the mutator library.
As the crash rate is low, I am going to work on this in Oct.

Comment 9 by mmoroz@chromium.org, Sep 30 2017

Cc: mmoroz@chromium.org
Vitaly, we are going to temporarily disable renderer_proto_tree_fuzzer on the ClusterFuzz side because it's very slow (<1 exec/s) and in 50% of runs it crashes on this libprotobuf issue. Due to that, we probably won't see new stats from CF, but the target will stay in the repo for local reproducing and bug fixing.

Also, there are variants of this crash:

https://clusterfuzz.com/v2/testcase-detail/4719368222277632

https://clusterfuzz.com/v2/testcase-detail/5058591919964160


Comment 10 by ClusterFuzz, Oct 1 2017

Components: Internals
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 11 by ClusterFuzz, Oct 16 2017

Status: WontFix (was: Started)
ClusterFuzz testcase 6320375486218240 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components

Comment 13 by sheriffbot@chromium.org, Jan 23 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot