Issue 817733

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security

Heap-buffer-overflow in puffin::BufferPuffReader::GetNext

Project Member Reported by ClusterFuzz, Mar 1 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6066852514758656

Fuzzer: libFuzzer_puffin_fuzzer
Job Type: chromeos-test
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60600000011e
Crash State:
  puffin::BufferPuffReader::GetNext
  puffin::Huffer::HuffDeflate
  FuzzHuff
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6066852514758656

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by sheriffbot@chromium.org (Project Member), Mar 1 2018

Labels: M-64

Comment 2 by sheriffbot@chromium.org (Project Member), Mar 1 2018

Labels: Pri-1

Comment 3 by kenrb@chromium.org, Mar 1 2018

Components: Internals>Installer
Labels: -M-64 M-65
Owner: ahass...@chromium.org
Status: Assigned (was: Untriaged)
Another Puffer fuzzer hit.
Labels: -OS-Linux OS-Chrome

Comment 5 by ClusterFuzz (Project Member), Mar 1 2018

Labels: OS-Linux

Comment 6 by kenrb@chromium.org, Mar 1 2018

Labels: -OS-Linux ClusterFuzz-Wrong

Comment 7 by ClusterFuzz (Project Member), Mar 1 2018

Labels: OS-Linux

Comment 8 by kenrb@chromium.org, Mar 1 2018

Labels: -OS-Linux -ClusterFuzz-Wrong ClusterFuzz-Ignore

Comment 9 by ClusterFuzz (Project Member), Mar 1 2018

Labels: OS-Linux

Comment 10 by ClusterFuzz (Project Member), Mar 2 2018

Detailed report: https://clusterfuzz.com/testcase?key=5678678303047680

Fuzzer: libFuzzer_puffin_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6020000000f3
Crash State:
  puffin::BufferPuffReader::GetNext
  puffin::Huffer::HuffDeflate
  fuzzer.cc
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5678678303047680

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Follow the c#10 testcase; this uses the libfuzzer_asan_chromeos job type. The chromeos-test job type is going away, so c#1 won't be verified. But c#10 will get verified. I have marked the c#1 testcase as non-reproducible since the chromeos-test job type will be removed soon.
Labels: -OS-Linux
Both CLs are landed now. Please, let us know what happens next!

Comment 16 by ClusterFuzz (Project Member), Mar 16 2018

ClusterFuzz has detected this issue as fixed in range 231:234.

Detailed report: https://clusterfuzz.com/testcase?key=5678678303047680

Fuzzer: libFuzzer_puffin_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6020000000f3
Crash State:
  puffin::BufferPuffReader::GetNext
  puffin::Huffer::HuffDeflate
  fuzzer.cc
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=231:234

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5678678303047680

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)

Comment 18 by sheriffbot@chromium.org (Project Member), Mar 17 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 19 by sheriffbot@chromium.org (Project Member), Mar 19 2018

Labels: Merge-Request-66

Comment 20 by sheriffbot@chromium.org (Project Member), Mar 19 2018

Labels: -Merge-Request-66 Merge-Review-66 Hotlist-Merge-Review
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Merge-Review -Merge-Review-66
Merge is not needed as Puffin was disabled in M65 and M66.

Comment 22 by sheriffbot@chromium.org (Project Member), Jun 23 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: -manojgupta@google.com manojgupta@chromium.org