
Issue 846827

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

Use-of-uninitialized-value in assist_ranker::RankerURLFetcher::Request

Project Member Reported by ClusterFuzz, May 25 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5499697909989376

Fuzzer: puzzor
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  assist_ranker::RankerURLFetcher::Request
  assist_ranker::RankerModelLoaderImpl::StartLoadFromURL
  assist_ranker::RankerModelLoaderImpl::OnFileLoaded
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=561844:561853

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5499697909989376

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 25 2018

Labels: M-68 Fuzz-Blocker ReleaseBlock-Beta
This crash occurs very frequently on the linux platform and is likely preventing the fuzzer puzzor from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Project Member

Comment 2 by ClusterFuzz, May 25 2018

Labels: Test-Predator-Auto-Owner
Owner: pilgrim@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a15597069fc893827d4507d54731af461ab369b4 (Migrate AssistRanker to SimpleURLLoader).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by ClusterFuzz, May 26 2018

ClusterFuzz has detected this issue as fixed in range 561965:561968.

Detailed report: https://clusterfuzz.com/testcase?key=5499697909989376

Fuzzer: puzzor
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  assist_ranker::RankerURLFetcher::Request
  assist_ranker::RankerModelLoaderImpl::StartLoadFromURL
  assist_ranker::RankerModelLoaderImpl::OnFileLoaded
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=561844:561853
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=561965:561968

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5499697909989376

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, May 26 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5499697909989376 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 5 by sheriffbot@chromium.org, May 26 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 6 by mmoroz@chromium.org, May 27 2018

Cc: loonyb...@chromium.org
Seems to be fixed by https://chromium.googlesource.com/chromium/src/+/2bfb7d64f0119093521d68128f1a8ef08f0ceb67


Labels: -reward-topanel reward-0
I'm afraid this was found by our internal fuzzers at the same time.
Labels: -M-68 M-69
Labels: -ReleaseBlock-Beta
Components: UI>Browser>Mobile>TouchToSearch
Project Member

Comment 11 by sheriffbot@chromium.org, Jul 28

Labels: Pri-1
Project Member

Comment 12 by sheriffbot@chromium.org, Sep 1

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
