Use-of-uninitialized-value in sk_store_a8

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5838339717726208
Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sk_store_a8
  sk_start_pipeline
  SkScan::FillIRect
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=503435:503455
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5838339717726208
Additional requirements: Requires HTTP
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Nov 16 2017

Nov 16 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 16 2017

Nov 16 2017

Nov 16 2017
+awhalley@ (Security TPM) M63 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.

Nov 16 2017

Nov 16 2017
Given the stack in Skia, this does look plausibly like a change in FreeType could cause this MSAN error. We're copying a bitmap from FreeType into a glyph cache, and that round() (float -> int) operation at the top of the stack is what MSAN counts as "use". The data that's being "used" there is the bitmap from FreeType. Looks like we picked this up with that FreeType roll.

Nov 16 2017
Given that the uninitialized data is rooted in the font, I don't think we're risking any user data or going to cause any trouble beyond drawing wrong if Skia works with this data. I don't think we need to block Stable on this.

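As an added illustration of the reasoning in the two comments above (constructed example, not code from this bug, Skia or FreeType): a stand-in rasterizer leaves part of a glyph bitmap unwritten, the bytes are copied into a cache without any MSan report, and the report fires only where the consumer branches on the rounded coverage value, which is why the stack points at the consumer rather than the font code. The fixed path shows the producer-side mitigation of zero-filling the bitmap; all function names and the 8-byte bitmap layout are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GLYPH_BYTES 8 /* constructed 4x2 8-bit coverage bitmap */

/* Constructed stand-in for the font rasterizer: it writes only the first
 * half of the bitmap and leaves the rest untouched. */
static void render_glyph_partial(uint8_t *bitmap) {
    for (int i = 0; i < GLYPH_BYTES / 2; i++) bitmap[i] = 0xFF;
}

/* Producer-side fix: clear the buffer before rasterizing so every byte
 * the consumer later reads has a defined value. */
static void render_glyph_fixed(uint8_t *bitmap) {
    memset(bitmap, 0, GLYPH_BYTES);
    render_glyph_partial(bitmap);
}

/* Copy into the glyph cache. MSan does not report here: the uninitialized
 * shadow bits simply travel along with the copied bytes. */
static void cache_glyph(uint8_t *cache, const uint8_t *bitmap) {
    memcpy(cache, bitmap, GLYPH_BYTES);
}

/* Consumer-side coverage step: scale and round each cached byte. The clamp
 * compare is a branch on the value, which is the "use" MSan reports, so the
 * sanitizer stack trace lands in this function, not in the rasterizer. */
static int coverage_sum(const uint8_t *cache, float scale) {
    int sum = 0;
    for (int i = 0; i < GLYPH_BYTES; i++) {
        int r = (int)((float)cache[i] * scale + 0.5f);
        if (r > 255) r = 255;
        sum += r;
    }
    return sum;
}

/* fixed == 0 reproduces the bug shape (build with clang -fsanitize=memory -g
 * to see the report at the compare above); fixed != 0 runs the hardened path. */
int run_glyph_pipeline(int fixed) {
    uint8_t *bitmap = malloc(GLYPH_BYTES); /* heap bytes start poisoned under MSan */
    uint8_t cache[GLYPH_BYTES];
    if (fixed) render_glyph_fixed(bitmap); else render_glyph_partial(bitmap);
    cache_glyph(cache, bitmap);
    int sum = coverage_sum(cache, 0.5f);
    free(bitmap);
    return sum;
}
```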
Nov 17 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 17 2017

Nov 18 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 18 2017
Cc: wl@gnu.org

Nov 20 2017
Removing "RBS" per comments #9 & #11. awhalley@, sheriffbot keeps adding "RBS" for M63. Is there any way we can stop this?

Nov 20 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 20 2017

Nov 21 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 21 2017

Nov 22 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 27 2017
Maybe we need to tweak the Security_* labels too?

Nov 27 2017
You need to CC correct people. Werner Lemberg does not even have access to this bug report. Fix this before bot-spamming.

Nov 30 2017
ClusterFuzz testcase 5838339717726208 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Mar 9 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by ClusterFuzz, Nov 16 2017. Labels: Test-Predator-Auto-CC