Timeout in payment_method_manifest_fuzzer
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6308749518831616
Fuzzer: libFuzzer_payment_method_manifest_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Timeout (exceeds 25 secs)
Crash Address:
Crash State: payment_method_manifest_fuzzer
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=532892:532913
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6308749518831616
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Feb 14 2018
Predator could not provide any possible suspects. From the below CL observing some changes related to payment_method_manifest_fuzzer, hence suspecting the same https://chromium.googlesource.com/chromium/src/+log/b3b8f6c1ae8b8e080c83a6421dd9ef5541552927..7f933e075d2c44dc0a52df1774a69c91850bf9de?pretty=fuller&n=10000 Suspect CL: https://chromium.googlesource.com/chromium/src/+/c5698b5c9d00bc9f9e9960995f6def95c714a41d jshin@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Thanks!
Feb 19 2018
This is not a regression but just a latent issue that was exposed when the fuzzer was made to initialize ICU properly.
Feb 19 2018
A large input (~600k) was passed to icu::UTS46::nameToASCII. memmove() timed out while processing the input.
Feb 28 2018
Given that the max length of a domain name is 253 octets, nameToASCII may as well return early with an invalid-input error if given an input longer than 253 Unicode characters. 253 Unicode characters will be no shorter than 253 octets when encoded in ACE.
Mar 9 2018
We can also put the length limit on GURL.

########### net_mime_sniffer_fuzzer ########################
Samples: 108K of event 'cycles', Event count (approx.): 99285977081
Children Self Command Shared Object Symbol
+ 99.84% 0.00% net_mime_sniffe liburl.so [.] GURL::InitCanonical<std::__1::basic_string<char, std::__1::char_traits<char>,
+ 99.84% 0.00% net_mime_sniffe liburl.so [.] GURL::GURL
+ 99.82% 0.00% net_mime_sniffe liburl.so [.] url::(anonymous namespace)::DoHostSubstring<char, unsigned char>
+ 99.82% 0.00% net_mime_sniffe liburl.so [.] url::(anonymous namespace)::DoHost<char, unsigned char>
+ 99.82% 0.00% net_mime_sniffe liburl.so [.] url::CanonicalizeHost
+ 99.82% 0.00% net_mime_sniffe liburl.so [.] url::(anonymous namespace)::DoCanonicalizeStandardURL<char, unsigned char>
+ 99.82% 0.00% net_mime_sniffe liburl.so [.] url::CanonicalizeStandardURL
+ 99.82% 0.00% net_mime_sniffe liburl.so [.] url::(anonymous namespace)::DoComplexHost
+ 99.79% 0.00% net_mime_sniffe liburl.so [.] url::(anonymous namespace)::DoIDNHost
+ 99.78% 0.00% net_mime_sniffe libicuuc.so [.] icu_60::UTS46::process
+ 99.78% 0.00% net_mime_sniffe libicuuc.so [.] icu_60::UTS46::nameToASCII
+ 99.78% 0.00% net_mime_sniffe libicuuc.so [.] uidna_nameToASCII_60
+ 99.78% 0.00% net_mime_sniffe liburl.so [.] url::IDNToASCII
+ 99.78% 0.00% net_mime_sniffe libicuuc.so [.] icu_60::UTS46::processUnicode
+ 99.77% 0.00% net_mime_sniffe libicuuc.so [.] icu_60::UTS46::processLabel
+ 93.90% 38.17% net_mime_sniffe libicuuc.so [.] u_strFromPunycode_60
+ 61.30% 61.13% net_mime_sniffe net_mime_sniffe[.] __sanitizer_cov_trace_pc_guard

###### net_http_security_headers_hpkp_fuzzer ##############
Samples: 17K of event 'cycles', Event count (approx.): 15099080743
Children Self Command Shared Object Symbol
+ 96.28% 0.00% net_http_securi liburl.so [.] GURL::InitCanonical<std::__1::basic_string<char, std::__1::char_t
+ 96.28% 0.00% net_http_securi liburl.so [.] GURL::GURL
+ 95.06% 0.00% net_http_securi liburl.so [.] url::(anonymous namespace)::DoHostSubstring<char, unsigned char>
+ 95.06% 0.00% net_http_securi liburl.so [.] url::(anonymous namespace)::DoHost<char, unsigned char>
+ 95.06% 0.00% net_http_securi liburl.so [.] url::CanonicalizeHost
+ 95.06% 0.00% net_http_securi liburl.so [.] url::(anonymous namespace)::DoCanonicalizeStandardURL<char, unsig
+ 95.06% 0.00% net_http_securi liburl.so [.] url::CanonicalizeStandardURL
+ 94.91% 0.00% net_http_securi liburl.so [.] url::(anonymous namespace)::DoComplexHost
+ 93.60% 0.00% net_http_securi liburl.so [.] url::(anonymous namespace)::DoIDNHost
+ 92.71% 0.00% net_http_securi libicuuc.so [.] icu_60::UTS46::nameToASCII
+ 92.71% 0.00% net_http_securi libicuuc.so [.] uidna_nameToASCII_60
+ 92.71% 0.00% net_http_securi liburl.so [.] url::IDNToASCII
+ 92.67% 0.00% net_http_securi libicuuc.so [.] icu_60::UTS46::process
+ 92.60% 0.16% net_http_securi libicuuc.so [.] icu_60::UTS46::processUnicode
+ 91.82% 0.16% net_http_securi libicuuc.so [.] icu_60::UTS46::processLabel
+ 87.53% 0.02% net_http_securi libicuuc.so [.] icu_60::replaceLabel
+ 87.38% 0.00% net_http_securi libicuuc.so [.] icu_60::UnicodeString::replace
+ 87.16% 0.01% net_http_securi libicuuc.so [.] icu_60::UnicodeString::doReplace
+ 86.97% 0.06% net_http_securi libicuuc.so [.] icu_60::UnicodeString::doReplace
+ 85.68% 85.47% net_http_securi libc-2.24.so [.] __memmove_sse2_unaligned_erms
+ 8.69% 8.67% net_http_securi net_http_securit[.] __sanitizer_cov_trace_pc_guard
Mar 9 2018
I'll file a bug against ICU to put a length limit on the input. BTW, the above perf breakdown came from bug 802258.
Mar 20 2018
There's related discussion on Issue 804462.
Apr 13 2018
Thank you for the pointer.
Apr 13 2018
https://chromium-review.googlesource.com/1012919 is not for merge but just a test CL to see how it goes. (Down the road, the ICU API sets an error flag for IDN but does not set U_Error to a failure value for an overlong input.)
Apr 24 2018
Issue 834838 has been merged into this issue.
Apr 24 2018
A test from bug 834838 has xN--s--se3uWeffffff followed by thousands of 'a's:

Ws:%d8%83rl..xN--s--se3uWefffffffaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa .... a lot 'a's

The top of the stack is:
#0 0x41b6b7 in __sanitizer_print_stack_trace third_party/llvm/compiler-rt/lib/asan/asan_stack.cc:38:3
#1 0x4bcc2a in fuzzer::Fuzzer::AlarmCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:292:7
#2 0x4bbed6 in fuzzer::Fuzzer::StaticAlarmCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:201:6
#3 0x5923d7 in fuzzer::AlarmHandler(int, siginfo_t*, void*) third_party/libFuzzer/src/FuzzerUtilPosix.cpp:32:3
#0 0x7fbd0926c38f in libpthread.so.0
#5 0x5851a3 in __sanitizer_cov_trace_pc_guard third_party/libFuzzer/src/FuzzerTracePC.cpp:380:30
#6 0x7fbd111b93e0 in u_strFromPunycode_60 third_party/icu/source/common/punycode.cpp:549:17
#7 0x7fbd1150e474 in icu_60::UTS46::processLabel(icu_60::UnicodeString&, int, int, signed char, icu_60::IDNAInfo&, UErrorCode&) const third_party/icu/source/common/uts46.cpp:725:27
#8 0x7fbd1150d141 in icu_60::UTS46::processUnicode(icu_60::UnicodeString const&, int, int, signed char, signed char, icu_60::UnicodeString&, icu_60::IDNAInfo&, UErrorCode&) const third_party/icu/source/common/uts46.cpp:582:9
#9 0x7fbd11508d28 in icu_60::UTS46::process(icu_60::UnicodeString const&, signed char, signed char, icu_60::UnicodeString&, icu_60::IDNAInfo&, UErrorCode&) const third_party/icu/source/common/uts46.cpp:396:5
#10 0x7fbd11509129 in icu_60::UTS46::nameToASCII(icu_60::UnicodeString const&, icu_60::UnicodeString&, icu_60::IDNAInfo&, UErrorCode&) const third_party/icu/source/common/uts46.cpp:239:5
#11 0x7fbd115155ce in uidna_nameToASCII_60 third_party/icu/source/common/uts46.cpp:1389:43
#12 0x7fbd11f1268d in url::IDNToASCII(unsigned short const*, int, url::CanonOutputT<unsigned short>*) url/url_canon_icu.cc:177:25
#13 0x7fbd11ecf826 in url::(anonymous namespace)::DoIDNHost(unsigned short const*, int, url::CanonOutputT<char>*) url/url_canon_host.cc:177:8
Apr 24 2018
Issue 834622 has been merged into this issue.
Apr 25 2018
Actually, this and bug 834622 are different. The minimized test case attached here has an IDN in Unicode (as opposed to ACE) while bug 834622 has an IDN in ACE (xn--<punycode>). I'll de-dupe it. The ICU bug in comment 16 is for bug 834622.
Apr 25 2018
> The ICU bug in comment 16 is for bug 834622

Well, I morphed the bug to be applicable to both bugs.
Apr 25 2018
Well, I mixed up bug 834622 and bug 834838. Anyway, let's just deal with all three here. Either we can get protected by a CL being worked on for bug 804462 (limit the length in net/) or we can change ICU to limit the input length. With this CL in ICU (https://chromium-review.googlesource.com/1012919), I verified that all three minimized tests do not crash (do not time out) any more.
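Added example, not code from the Chromium tree or from any commenter, of the length gate argued for in the Feb 28 comment and revisited above (limit the length in net/ before ICU sees the input): a check in front of the IDNA call that rejects hosts longer than 253 code points so that neither the Punycode decode nor the per-label UnicodeString::replace path in the profiles runs on pathological input. CountCodePoints, HostMayBeValidAfterIDNA and MakeLongHost are hypothetical names, and the test host is a constructed stand-in for the bug 834838 case.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <string_view>

// Hostname length limit in octets (RFC 1035), the figure the Feb 28 comment
// uses to argue that overlong input can be rejected before IDNA processing.
constexpr std::size_t kMaxHostnameOctets = 253;

// Count Unicode code points in a UTF-16 host. A valid surrogate pair is one
// code point; an unpaired surrogate is counted as one (IDNA rejects it later).
std::size_t CountCodePoints(std::u16string_view host) {
  std::size_t n = 0;
  for (std::size_t i = 0; i < host.size(); ++i) {
    const char16_t c = host[i];
    if (c >= 0xD800 && c <= 0xDBFF && i + 1 < host.size() &&
        host[i + 1] >= 0xDC00 && host[i + 1] <= 0xDFFF) {
      ++i;  // skip the low surrogate of the pair
    }
    ++n;
  }
  return n;
}

// Hypothetical gate in front of url::IDNToASCII (not Chromium's own code).
// Every code point contributes at least one octet to the ACE form: ASCII is
// copied 1:1 and each non-ASCII code point costs at least one Punycode digit.
// On that argument, more than 253 code points cannot yield a valid hostname,
// so the quadratic UTS #46 label processing seen in the profiles is skipped.
// Caveat: UTS #46 mapping can drop default-ignorable code points (e.g. U+00AD),
// so this is a cheap upper-bound filter, not a precise validity check.
bool HostMayBeValidAfterIDNA(std::u16string_view host) {
  return CountCodePoints(host) <= kMaxHostnameOctets;
}

// Constructed stand-in for the bug 834838 test case: an "xn--" label followed
// by a long run of 'a's (label text shortened here).
std::u16string MakeLongHost(std::size_t trailing_a) {
  std::u16string host = u"xn--s--se3u";
  host.append(trailing_a, u'a');
  return host;
}

int main() {
  const std::u16string pathological = MakeLongHost(600000);  // ~600k, as in the Feb 19 comment
  std::printf("example.com accepted: %d\n", HostMayBeValidAfterIDNA(u"example.com"));
  std::printf("600k-char host accepted: %d\n", HostMayBeValidAfterIDNA(pathological));
  return 0;
}
```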
May 17 2018
Let's just dupe it to bug 804462 (sharing the same root cause).