Null-dereference READ in device::U2fBleFrame::U2fBleFrame
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4505162046767104
Fuzzer: afl_u2f_ble_frames_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State: device::U2fBleFrame::U2fBleFrame
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4505162046767104

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
,
Nov 1 2017
pkalinnikov knows this code better.
,
Nov 1 2017
Jan, Balazs, please take care of this. Thanks.
,
Nov 14 2017
This crash is caused because the fuzzer passes in a payload that exceeds 65536 bytes (i.e. it seems to disregard https://codesearch.chromium.org/chromium/src/device/u2f/BUILD.gn?l=111&rcl=d301cfc6b7aaf6b88738e16040534b5e8358aca2). Furthermore, DCHECKs are disabled, so https://codesearch.chromium.org/chromium/src/device/u2f/u2f_ble_frames.cc?l=53&rcl=473a6c9eed022eabe5b8029a7acad95988554a11 is a no-op. I'm not quite sure what exactly we should do here; I suppose in reality we can encounter payloads larger than 0xFFFF, so we should be able to handle this better. Maybe we can add a check for this to U2fBleFrame::IsValid()?
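As an added illustration of the check proposed in the comment above (this is example code, not Chromium's u2f_ble_frames.cc and not the fix in the revision below): a minimal assembler for the FIDO U2F BLE framing in which the 16-bit length limit is enforced at runtime by IsValid(), so a release build with DCHECKs compiled out refuses an oversized payload instead of encoding a truncated length. The namespace and the names Frame, ToFragments, FromFragments and the helper functions are this example's own; the 7-bit sequence wrap and the 0x83 command byte are assumptions taken from the public framing format, not from the Chromium code.

```cpp
// Added example, not Chromium's code: a minimal U2F BLE frame assembler that
// enforces the 16-bit length limit at runtime instead of only in a DCHECK.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <utility>
#include <vector>

namespace u2f_ble_example {

using Bytes = std::vector<uint8_t>;

// Wire format of the FIDO U2F BLE framing: an initialization fragment is
// CMD, HLEN, LLEN, DATA...; a continuation fragment is SEQ, DATA...
constexpr size_t kMaxPayloadSize = 0xFFFF;  // HLEN/LLEN is a 16-bit field
constexpr size_t kInitHeaderSize = 3;
constexpr size_t kContHeaderSize = 1;
constexpr uint8_t kSeqMask = 0x7F;          // SEQ keeps bit 7 clear (assumption)

struct Frame {
  uint8_t command = 0;
  Bytes data;

  // Runtime check, so it still holds where DCHECKs are compiled out: a
  // payload longer than 0xFFFF cannot be described by the length field.
  bool IsValid() const { return data.size() <= kMaxPayloadSize; }
};

// Splits |frame| into fragments of at most |mtu| bytes. Oversized frames are
// refused rather than having their length silently truncated to 16 bits.
std::optional<std::vector<Bytes>> ToFragments(const Frame& frame, size_t mtu) {
  if (!frame.IsValid() || mtu <= kInitHeaderSize) return std::nullopt;
  const size_t len = frame.data.size();
  std::vector<Bytes> out;

  size_t pos = std::min(len, mtu - kInitHeaderSize);
  Bytes init = {frame.command, static_cast<uint8_t>(len >> 8),
                static_cast<uint8_t>(len & 0xFF)};
  init.insert(init.end(), frame.data.begin(), frame.data.begin() + pos);
  out.push_back(std::move(init));

  uint8_t seq = 0;
  while (pos < len) {
    const size_t n = std::min(len - pos, mtu - kContHeaderSize);
    Bytes cont = {seq};
    cont.insert(cont.end(), frame.data.begin() + pos, frame.data.begin() + pos + n);
    out.push_back(std::move(cont));
    pos += n;
    seq = static_cast<uint8_t>((seq + 1) & kSeqMask);
  }
  return out;
}

// Reassembles a frame, checking sequence numbers and that the declared
// length matches the data actually received (rejects short/tampered streams).
std::optional<Frame> FromFragments(const std::vector<Bytes>& fragments) {
  if (fragments.empty() || fragments.front().size() < kInitHeaderSize)
    return std::nullopt;
  const Bytes& init = fragments.front();
  Frame frame;
  frame.command = init[0];
  const size_t declared = (static_cast<size_t>(init[1]) << 8) | init[2];
  frame.data.assign(init.begin() + kInitHeaderSize, init.end());

  uint8_t expected_seq = 0;
  for (size_t i = 1; i < fragments.size(); ++i) {
    const Bytes& cont = fragments[i];
    if (cont.empty() || cont[0] != expected_seq) return std::nullopt;
    frame.data.insert(frame.data.end(), cont.begin() + kContHeaderSize, cont.end());
    expected_seq = static_cast<uint8_t>((expected_seq + 1) & kSeqMask);
  }
  if (frame.data.size() != declared) return std::nullopt;
  return frame;
}

// Helpers exercising the code above with constructed payloads.
size_t FragmentCount(size_t payload_len, size_t mtu) {
  Frame f;
  f.command = 0x83;  // MSG command; bit 7 set marks an init fragment
  f.data.assign(payload_len, 0xAB);
  auto frags = ToFragments(f, mtu);
  return frags ? frags->size() : 0;  // 0 means the frame was refused
}

bool RoundTrips(size_t payload_len, size_t mtu) {
  Frame f;
  f.command = 0x83;
  for (size_t i = 0; i < payload_len; ++i) f.data.push_back(static_cast<uint8_t>(i));
  auto frags = ToFragments(f, mtu);
  if (!frags) return false;
  auto back = FromFragments(*frags);
  return back && back->command == f.command && back->data == f.data;
}

// Constructed stream: the init fragment declares 5 bytes but only 2 arrive.
bool RejectsShortStream() {
  std::vector<Bytes> frags = {Bytes{0x83, 0x00, 0x05, 'a', 'b'}};
  return !FromFragments(frags).has_value();
}

}  // namespace u2f_ble_example
```

With the 0x10000-byte payload the fuzzer produced, ToFragments() returns std::nullopt from IsValid() before any length byte is written, which is the behaviour the comment asks for; the receive side independently refuses a stream whose declared length disagrees with the bytes received.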
,
Nov 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4f8e91ed40c3ded09cb109a257a9eafc58321cc4

commit 4f8e91ed40c3ded09cb109a257a9eafc58321cc4
Author: jdoerrie <jdoerrie@chromium.org>
Date: Wed Nov 15 10:30:43 2017

Fix Fuzzer for U2F Ble Frames, support base::span

Bug: 779098
Change-Id: I8d1137dbfa22f526a7e31857dccc98b0198d1b91
Reviewed-on: https://chromium-review.googlesource.com/768678
Commit-Queue: Jan Wilken Dörrie <jdoerrie@chromium.org>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516658}

[modify] https://crrev.com/4f8e91ed40c3ded09cb109a257a9eafc58321cc4/device/u2f/u2f_ble_frames.cc
[modify] https://crrev.com/4f8e91ed40c3ded09cb109a257a9eafc58321cc4/device/u2f/u2f_ble_frames.h
[modify] https://crrev.com/4f8e91ed40c3ded09cb109a257a9eafc58321cc4/device/u2f/u2f_ble_frames_fuzzer.cc
[modify] https://crrev.com/4f8e91ed40c3ded09cb109a257a9eafc58321cc4/device/u2f/u2f_ble_frames_unittest.cc
,
Nov 16 2017
Looking at the crash statistics this appears to be fixed, but I will wait a few more days before I close this bug, just in case.
,
Nov 20 2017
As there have been no further crashes in the last seven days, I will mark this as fixed now.
,
Oct 30 2017
Comment 1 by pnangunoori@chromium.org
Components: IO>Bluetooth
Labels: Test-Predator-Wrong
Owner: h...@chromium.org
Status: Assigned (was: Untriaged)