
Issue 793560


Issue metadata

Status: WontFix
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Sanitizer CHECK failure in ((data_.proc_self_maps.len)) > ((0)) (0, 0)

Reported by ClusterFuzz (Project Member), Dec 9 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6543663038726144

Fuzzer: inferno_flicker
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Sanitizer CHECK failure
Crash Address: 
Crash State:
  ((data_.proc_self_maps.len)) > ((0)) (0, 0)
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=513689:513705

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6543663038726144

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Components: Internals>Media>Video
Labels: M-65 Test-Predator-Wrong
Owner: p...@chromium.org
Status: Assigned (was: Untriaged)
With reference to Issue 791877, adding the component and assigning it to the concerned owner.

@pcc -- Could you please look into this issue?

Comment 2 by p...@chromium.org, Dec 11 2017

Cc: p...@chromium.org
Owner: mmoroz@chromium.org
There are two problems here. The first one is the cause of this crash, and it appears before the stack trace.

tcmalloc: large alloc 1813299200 bytes == 0x32ba383fd000 @  0x7f9f18187821 0x7f9f18185b54 0x7f9f18187ad8 0x7f9f1ab61c6e 0x7f9f1b7ab092 0x7f9f1b797987 0x7f9f1b791716 0x7f9f1b78e387 0x7f9f1b78e387 0x7f9f1b78e387 0x7f9f1b78e387 0x7f9f1b7947e6 0x7f9f1b78e387 0x7f9f1b792e4f 0x7f9f1b78e387 0x7f9f1b78eab3 0x7f9f1b776e7d 0x7f9f184852d6 0x7f9f184818c1 0x7f9f18482035 0x7f9f18481dae 0x7f9f18481f05 0x7f9f182af545 0x7f9f1ab17299 0x7f9f1ab173f1 0x7f9f182af545 0x7f9f1aa86499 0x7f9f1ab10f4d 0x7f9f1ab123f3 0x7f9f1ab10598 0x7f9f1ab0a291
[1:6:1206/084433.839422:FATAL:memory_linux.cc(35)] Out of memory.

I don't know anything about that. Maybe mmoroz does.

The second problem is presumably that we are not calling __sanitizer_sandbox_on_notify before entering the sandbox when CFI diagnostics are enabled, which prevents the ubsan runtime from reading /proc/self/maps from within the sandbox. I will send a fix for that.
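The ordering Comment 2 describes, written out as an added C example (this is not Chromium's code and not the fix that landed): the process tells the sanitizer runtime that it is about to be sandboxed through the real `__sanitizer_sandbox_on_notify` hook from sanitizer_common, and it reads /proc/self/maps while the file is still readable, so that a later `len > 0` check like the one in the crash state cannot fail. The hook is declared weak so the same binary links with or without a sanitizer runtime, which is the runtime-level counterpart of the build-time `using_sanitizer` gating. The struct layout is assumed to match `sanitizer/common_interface_defs.h`; the function names, the placeholder "enter the sandbox" step and the snapshot helper are my own assumptions.

```c
// Added example (not Chromium code): notify the sanitizer runtime and snapshot
// /proc/self/maps *before* entering a sandbox that may make the file unreadable.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

// Assumed to match the layout of __sanitizer_sandbox_arguments in
// sanitizer/common_interface_defs.h; a linked runtime reads it by this layout.
typedef struct {
  int coverage_sandboxed;
  intptr_t coverage_fd;
  unsigned int coverage_max_block_size;
} sandbox_args_t;

// Weak reference: resolves to the real hook when a sanitizer runtime (ASan,
// the UBSan runtime used for CFI diagnostics, ...) is linked, NULL otherwise.
__attribute__((weak)) void __sanitizer_sandbox_on_notify(sandbox_args_t *args);

// Returns 1 if a sanitizer runtime provides the hook, 0 if not.
int sanitizer_runtime_linked(void) {
  return __sanitizer_sandbox_on_notify != 0;
}

// Lets the runtime cache what it needs from /proc (the UBSan runtime reads
// /proc/self/maps, which the sandbox later blocks). Returns 1 if the hook was
// called, 0 if no runtime is linked and there is nothing to do.
int notify_sanitizer_before_sandbox(void) {
  if (!sanitizer_runtime_linked())
    return 0;
  sandbox_args_t args;
  memset(&args, 0, sizeof args);
  args.coverage_sandboxed = 1;  // coverage dumps are not possible once sandboxed
  __sanitizer_sandbox_on_notify(&args);
  return 1;
}

// Reads /proc/self/maps into a heap buffer the caller frees; returns its length
// (> 0 on Linux) or -1 if the file cannot be opened. A zero-length snapshot is
// exactly what the crash state's CHECK rejects: the read happened too late.
long snapshot_proc_self_maps(char **out) {
  FILE *f = fopen("/proc/self/maps", "r");
  if (!f) return -1;
  size_t cap = 4096, len = 0, n;
  char *buf = malloc(cap);
  if (!buf) { fclose(f); return -1; }
  while ((n = fread(buf + len, 1, cap - len, f)) > 0) {
    len += n;
    if (len == cap) {               // grow when the buffer is full
      cap *= 2;
      char *tmp = realloc(buf, cap);
      if (!tmp) { free(buf); fclose(f); return -1; }
      buf = tmp;
    }
  }
  fclose(f);
  *out = buf;
  return (long)len;
}

// Convenience: length of the snapshot, freeing the buffer immediately.
long proc_self_maps_length(void) {
  char *maps = NULL;
  long len = snapshot_proc_self_maps(&maps);
  free(maps);
  return len;
}

// Correct order: notify the runtime, snapshot, only then enter the sandbox.
// The sandbox step is a placeholder comment here; Chromium uses seccomp-bpf
// and namespaces at this point. Returns 0 on success, -1 if the snapshot is
// empty (which would surface later as the runtime's CHECK failure).
int enter_sandbox_with_sanitizer_support(void) {
  notify_sanitizer_before_sandbox();
  if (proc_self_maps_length() <= 0) return -1;
  // ... enter the sandbox here; /proc/self/maps may be unreadable afterwards ...
  return 0;
}

int main(void) {
  printf("sanitizer runtime linked: %d\n", sanitizer_runtime_linked());
  return enter_sandbox_with_sanitizer_support() == 0 ? 0 : 1;
}
```

Built without a sanitizer the weak hook is NULL and `notify_sanitizer_before_sandbox` is a no-op; built with `-fsanitize=cfi` plus diagnostics (or any sanitizer) the same code calls into the runtime, which is the behaviour the build flag in the landed fix selects statically.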

Comment 3 by bugdroid1@chromium.org (Project Member), Dec 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/edde828364fa125e24f4d80c5df94c7464ab4286

commit edde828364fa125e24f4d80c5df94c7464ab4286
Author: Peter Collingbourne <pcc@chromium.org>
Date: Mon Dec 11 20:58:07 2017

sandbox: Initialize sanitizer library for sandbox if using_sanitizer is set.

This variable is set to true in the build system if a sanitizer
runtime is being linked. Since these are the exact circumstances
in which we need to initialize the runtime library for sandboxing,
have the sandbox initialization be controlled by this variable.

This fixes an issue where we were failing to initialize the runtime
for sandboxing if CFI diagnostics are enabled.

Bug: 793560
Change-Id: I0c2fb922d2debe39a9bd0d6cc8ebf1b440e3ed63
Reviewed-on: https://chromium-review.googlesource.com/820450
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Peter Collingbourne <pcc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523202}
[modify] https://crrev.com/edde828364fa125e24f4d80c5df94c7464ab4286/services/service_manager/sandbox/BUILD.gn
[modify] https://crrev.com/edde828364fa125e24f4d80c5df94c7464ab4286/services/service_manager/sandbox/linux/sandbox_linux.cc
[modify] https://crrev.com/edde828364fa125e24f4d80c5df94c7464ab4286/services/service_manager/sandbox/linux/sandbox_linux.h

Comment 4 by mmoroz@chromium.org, Dec 12 2017

Status: WontFix (was: Assigned)
Thank you Peter! Regarding the crash itself, it seems to be an OOM with a bad stack.
