New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 780499 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in device::U2fMessage::AddContinuationPacket

Project Member Reported by ClusterFuzz, Nov 1 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6365159533838336

Fuzzer: afl_u2f_message_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  device::U2fMessage::AddContinuationPacket
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=513103:513107

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6365159533838336

Additional requirements: Requires Gestures

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 1 2017

Labels: Test-Predator-AutoOwner
Owner: donna...@intel.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/0ab6283157101b68bc63606a5d399ebe438d3a09 (Update U2fPacket::GetSerializedData() to get rid of report_id.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 2 by ke...@intel.com, Nov 2 2017

Cc: reillyg@chromium.org ke...@intel.com
See https://chromium-review.googlesource.com/c/chromium/src/+/751102
Project Member

Comment 3 by bugdroid1@chromium.org, Nov 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/43b90283ba527dc5ac9707c67bae608aba61006f

commit 43b90283ba527dc5ac9707c67bae608aba61006f
Author: Ke He <ke.he@intel.com>
Date: Thu Nov 02 16:22:20 2017

Fix null-dereference in u2f_message_fuzzer.cc

After r513104, the 'packet_size' in u2f_message_fuzzer.cc should be 64,
not 65.

BUG= 780499 

Change-Id: I983c76599d599be53950b4a5d77bb5b5ec4bc0bd
Reviewed-on: https://chromium-review.googlesource.com/751102
Commit-Queue: Ke He <ke.he@intel.com>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513508}
[modify] https://crrev.com/43b90283ba527dc5ac9707c67bae608aba61006f/device/u2f/u2f_message_fuzzer.cc

Comment 4 by ke...@intel.com, Nov 3 2017

Status: Fixed (was: Assigned)
Project Member

Comment 5 by ClusterFuzz, Nov 3 2017

ClusterFuzz has detected this issue as fixed in range 513502:513538.

Detailed report: https://clusterfuzz.com/testcase?key=6365159533838336

Fuzzer: afl_u2f_message_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  device::U2fMessage::AddContinuationPacket
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=513103:513107
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=513502:513538

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6365159533838336

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Nov 3 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6365159533838336 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner

Sign in to add a comment