Heap-buffer-overflow in _ZNSt3__16vectorIhNS_9allocatorIhEEE18__construct_at_endIPKhEENS_9enable_ifIXsr2
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6674550495117312

Fuzzer: libFuzzer_chromeos_rtnl_handler_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x606000000178
Crash State:
  _ZNSt3__16vectorIhNS_9allocatorIhEEE18__construct_at_endIPKhEENS_9enable_ifIXsr2
  _ZNSt3__16vectorIhNS_9allocatorIhEEEC2IPKhEET_NS_9enable_ifIXaasr21__is_forward_
  shill::RTNLMessage::ParseRdnssOption

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2703126:2703548

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6674550495117312

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jun 28 2018
Brian, who should own this bug?
Jun 28 2018
I've a quick fix.
Jun 28 2018
I wonder why kirtika@ and ejcaruso@ weren't auto-CC'd? Not that we necessarily need all OWNERS involved, but I'm just curious if this is a reporting logic bug. And I'm updating OWNERS: https://chromium-review.googlesource.com/c/aosp/platform/system/connectivity/shill/+/1118917
Jun 28 2018
benchan@ Fuzzing documentation is here: https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md

To build and test the fuzzer you should do:

Inside the chroot:
  $ ./setup_board --board=amd64-generic (or any other amd64 board).
  $ USE="asan fuzzer" ./build_packages --board=${BOARD} --skip_chroot_upgrade <your-package>
  $ cp testcase /build/${BOARD}/tmp/

Outside the chroot but inside the chromeos checkout:
  $ /path-to-chroot/chromite/bin/cros_fuzz_test_env --board=${BOARD}
  $ sudo chroot /path-to-chroot/chroot/build/${BOARD}
  $ ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/<your_fuzzer> /tmp/testcase
Jun 28 2018
We pick three random people from the OWNERS file to CC. This avoids spamming too many people.
Jun 29 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jun 29 2018
We don't expect this to handle untrusted data; it only receives responses directly from the kernel. While it's nice to improve the parsing code, it doesn't seem stable-critical or even "medium" severity. Anyway, Ben uploaded this: https://chromium-review.googlesource.com/c/1119248/
Jun 30 2018
The following revision refers to this bug: https://chromium.googlesource.com/aosp/platform/system/connectivity/shill/+/c125996293a9daaafd5c2586f3fbaf96c60c1a8c

commit c125996293a9daaafd5c2586f3fbaf96c60c1a8c
Author: Ben Chan <benchan@chromium.org>
Date: Sat Jun 30 09:14:22 2018

shill: add missing length check for NDUSEROPT message

This CL adds a missing length check for the NDUSEROPT message in RTNLMessage::DecodeNdUserOption() to make sure that the RTNL message carries the entire option data in the payload.

BUG= chromium:857500
TEST=Run unit tests.
TEST=Run fuzzer tests.

Change-Id: I1282516c8a45047d483045610189b966ae72d4d3
Reviewed-on: https://chromium-review.googlesource.com/1119248
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>

[modify] https://crrev.com/c125996293a9daaafd5c2586f3fbaf96c60c1a8c/net/rtnl_message.cc
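The length check the commit above describes, as an added example and not shill's own code: a small C++ decoder for an NDUSEROPT payload carrying one RDNSS option (RFC 8106), where the header's opts_len is validated against the bytes actually present before ParseRdnssOption copies address ranges into vectors, which is the vector construct_at_end path in the ASAN crash state. The struct mirrors struct nduseroptmsg; ParseRdnssOption, DecodeNdUserOption and BuildNdUserOpt are this example's own simplified functions, and the sample bytes in the helper are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>
// Mirror of struct nduseroptmsg (linux/rtnetlink.h), redefined so this builds without kernel headers.
struct NdUserOptMsg {
  uint8_t family, pad1; uint16_t opts_len;  // opts_len: bytes of ND options after this 16-byte header
  int32_t ifindex;
  uint8_t icmp_type, icmp_code;
  uint16_t pad2; uint32_t pad3;
};
constexpr uint8_t kNdOptRdnss = 25;  // RDNSS option type (RFC 8106)
struct RdnssOption {
  uint32_t lifetime = 0;
  std::vector<std::vector<uint8_t>> addresses;  // one 16-byte IPv6 address each
};
// Parses one RDNSS option from exactly `len` bytes at `data`, validating the option's own
// length byte against `len` before any address range is copied into a vector.
bool ParseRdnssOption(const uint8_t* data, size_t len, RdnssOption* out) {
  if (len < 8 || data[0] != kNdOptRdnss) return false;
  const size_t opt_len = size_t{data[1]} * 8;  // length field is in 8-octet units
  if (opt_len < 24 || opt_len > len || (opt_len - 8) % 16 != 0) return false;
  out->lifetime = (uint32_t{data[4]} << 24) | (uint32_t{data[5]} << 16) |
                  (uint32_t{data[6]} << 8) | uint32_t{data[7]};  // big-endian on the wire
  out->addresses.clear();
  for (size_t off = 8; off < opt_len; off += 16)
    out->addresses.emplace_back(data + off, data + off + 16);
  return true;
}
// Decodes an NDUSEROPT payload (header, then hdr.opts_len option bytes). The opts_len check is
// the one the fix added: without it an over-stated opts_len sends ParseRdnssOption off the buffer.
bool DecodeNdUserOption(const std::vector<uint8_t>& payload, RdnssOption* out) {
  if (payload.size() < sizeof(NdUserOptMsg)) return false;
  NdUserOptMsg hdr;
  std::memcpy(&hdr, payload.data(), sizeof(hdr));
  if (hdr.opts_len > payload.size() - sizeof(hdr)) return false;
  return ParseRdnssOption(payload.data() + sizeof(hdr), hdr.opts_len, out);
}
// Constructed test input (not a captured message): a header claiming `claimed_opts_len`
// option bytes, followed by whatever `opts` actually contains.
std::vector<uint8_t> BuildNdUserOpt(uint16_t claimed_opts_len, const std::vector<uint8_t>& opts) {
  NdUserOptMsg hdr{};
  hdr.family = 10; hdr.icmp_type = 134; hdr.opts_len = claimed_opts_len;  // AF_INET6, RA
  std::vector<uint8_t> out(sizeof(hdr));
  std::memcpy(out.data(), &hdr, sizeof(hdr));
  out.insert(out.end(), opts.begin(), opts.end());
  return out;
}
```

A header whose opts_len exceeds the bytes that follow it, or an option whose length byte exceeds opts_len, is rejected before any copy; only a message whose three lengths agree reaches the vector constructor.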
Jul 1
ClusterFuzz has detected this issue as fixed in range 2710643:2711318.

Detailed report: https://clusterfuzz.com/testcase?key=6674550495117312

Fuzzer: libFuzzer_chromeos_rtnl_handler_fuzzer
Job Type: libfuzzer_asan_chromeos
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x606000000178
Crash State:
  _ZNSt3__16vectorIhNS_9allocatorIhEEE18__construct_at_endIPKhEENS_9enable_ifIXsr2
  _ZNSt3__16vectorIhNS_9allocatorIhEEEC2IPKhEET_NS_9enable_ifIXaasr21__is_forward_
  shill::RTNLMessage::ParseRdnssOption

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2703126:2703548
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_asan_chromeos&range=2710643:2711318

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6674550495117312

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 28 2018. Labels: ClusterFuzz-Auto-CC