Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Feel free to reassign if there is someone better suited to resolve this bug.

Hi Amin, can you confirm reception of this bug?

Hi Jorge, Yes, I have this bug on my bucket list. Actually trying to get a build with fuzzer profile but getting into different issues. Hopefully, will get there soon.
Thanks.

FYI, still looking at the cause, but haven't found an explicit issue. It may be a false positive, but don't have prove of it yet.

Amin are you having trouble reproducing? I can reproduce it locally.
Or do you think the crash is spurious?

Well, in order to reproduce it, it need to build a board with --profile=fuzzer. That will start to build a lot of code from source and it fails all the time. I haven't been able to build one yet successfully. 
But the issue is not that. The issue is that based on information and example on https://github.com/google/sanitizers/wiki/AddressSanitizerExampleUseAfterScope I don't see an example of this situation in the code that is addressed by the fuzzer. Either I'm not looking carefully, or there is a different situation that I don't understand. Or it is just a false positive, but I don't want to imply that since I don't have an evidence yet.

Sen, Do you see anything suspicious in the code?

I suspect it might be related to how we use a const reference to std::function, but I'm not sure how to reproduce this to debug it further.
The bsdiff patch in the test case seems to need a very large input file.

>Well, in order to reproduce it, it need to build a board with --profile=fuzzer. That will start to build a lot of code from source and it fails all the time. I haven't been able to build one yet successfully. 

Sorry you have this issue building (even if this isn't the main problem).
I was able to build and repro using these commands:
USE="asan fuzzer" ./build_packages --board=amd64-generic --skip_chroot_upgrade bsdiff
USE="asan fuzzer" emerge-amd64-generic bsdiff
ASAN_OPTIONS=log_path=stderr /build/amd64-generic/usr/libexec/fuzzers/bspatch_fuzzer /clusterfuzz-testcase-minimized-bspatch_fuzzer-5673050675347456

Please let me know if these don't work for you.

Yeah, Thanks Sen, Confirmed, it was the issue with the sink file, sent the following CL, let me know if it is correct solution.

https://android-review.googlesource.com/c/platform/external/bsdiff/+/712475

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/00027511fd8e08525bc4cf049a372a8e152e56e0

commit 00027511fd8e08525bc4cf049a372a8e152e56e0
Author: Amin Hassani <ahassani@google.com>
Date: Wed Jul 11 12:24:11 2018

Marking 9999 ebuild for dev-util/bsdiff as stable.

Brings CL:
https://android-review.googlesource.com/c/platform/external/bsdiff/+/712475

BUG= chromium:849192 
TEST=unittests pass; fuzzer test pass

Change-Id: I399198f2d1a55f956d4c34a3080974cbe658507f
Reviewed-on: https://chromium-review.googlesource.com/1123298
Commit-Ready: Amin Hassani <ahassani@chromium.org>
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Nicolas Norvez <norvez@chromium.org>

[rename] https://crrev.com/00027511fd8e08525bc4cf049a372a8e152e56e0/dev-util/bsdiff/bsdiff-4.3.1-r15.ebuild

ClusterFuzz has detected this issue as fixed in range 2739422:2739649.

Detailed report: https://clusterfuzz.com/testcase?key=5673050675347456

Fuzzer: libFuzzer_chromeos_bspatch_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Stack-use-after-scope READ 8
Crash Address: 0x7f19a5e6f8c0
Crash State:
  bsdiff::SinkFile::Write
  bsdiff::WriteAll
  ReadStreamAndWriteAll
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2505488:2505565
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2739422:2739649

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5673050675347456

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5673050675347456 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

There is no need for cherrypick. it is not a serious problem. Also cherry-picking bsdiff is a bit tricky and can cause problems if not done right.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot