Use-of-uninitialized-value in gpu::CommonDecoder::Bucket::GetAsStrings
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4648966810238976
Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  gpu::CommonDecoder::Bucket::GetAsStrings
  gpu::gles2::GLES2DecoderImpl::HandleShaderSourceBucket
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4648966810238976

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 24

Jul 27

Jul 27
piman: Any idea who a good owner for this would be? I wasn't able to repro it locally and it's hard to tell from the stack. Feel free to pass it back to me for re-triage if not.
Jul 27
The "buckets" generally get their data by copying from shared memory (CommonDecoder::Bucket::SetData). I wonder if it's possible that MSan doesn't treat the shared memory as initialized, as I believe it doesn't track it cross-process.
Aug 11
piman: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 14
ClusterFuzz has detected this issue as fixed in range 582653:582655.

Detailed report: https://clusterfuzz.com/testcase?key=4648966810238976
Fuzzer: inferno_twister
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  gpu::CommonDecoder::Bucket::GetAsStrings
  gpu::gles2::GLES2DecoderImpl::HandleShaderSourceBucket
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=582653:582655
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4648966810238976

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 14
ClusterFuzz testcase 4648966810238976 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Aug 14

Nov 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Jul 24