New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 878728 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Nov 28
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug



Sign in to add a comment

Misaligned-address in ReadHuffmanCode

Project Member Reported by ClusterFuzz, Aug 29

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5251259880439808

Fuzzer: libFuzzer_chromeos_bspatch_fuzzer
Job Type: libfuzzer_ubsan_chromeos
Platform Id: linux

Crash Type: Misaligned-address
Crash Address: 
Crash State:
  ReadHuffmanCode
  DecodeContextMap
  BrotliDecoderDecompressStream
  
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5251259880439808

Issue filed automatically.

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 29

Cc: tbao@google.com senj@google.com de...@google.com
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Components: Internals>Network>Filters
Components: -Internals>Network>Filters OS>Systems
Labels: ClusterFuzz-Wrong
Owner: ahass...@chromium.org
This should probably be assigned to Amin.
I think this has been fixed in internal piper repo but needs to be ported to OSS version.
Owner: senj@chromium.org
Amin is OOO so assigning to senj@
Cc: -de...@google.com -tbao@google.com -senj@google.com senj@chromium.org
Owner: ahass...@chromium.org
Cc: de...@google.com tbao@google.com senj@google.com
 Issue 878731  has been merged into this issue.
Cc: -de...@google.com -tbao@google.com -senj@google.com
Components: -OS>Systems Internals>Installer
@senj: There was an upstream fix for some related bug a while ago! Was it for fixing this one?
Yes this commit should fix the issue: https://github.com/google/brotli/commit/2216a0dd63e0142b78abe97bba8be52f6bc972c7
However I'm not sure why they haven't tag a new release even though the version number has been increased, we could uprev to ToT if we need this fixed asap or wait for them to release 1.0.6 and uprev to that.
We have to update gentoo's brotli anyway since that is the upstream for us. So I would say let's wait them release the new version.
Talked to eustas@, we had other changes we wanted to include in this release, but we can do a 1.0.6 release tag today if that helps and then include the other changes in 1.0.7. These are not critical anyway (there's no misaligned-address access in brotli, it is just asan who is confused about it).
....aaaaaand there's your 1.0.6 release https://github.com/google/brotli/releases
Thanks Deymo :). I'll try to uprev the upstream gentoo for this.
Project Member

Comment 16 by bugdroid1@chromium.org, Oct 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/965e1d26f2fa46598dde694e12b1adb13fb67618

commit 965e1d26f2fa46598dde694e12b1adb13fb67618
Author: Amin Hassani <ahassani@chromium.org>
Date: Mon Oct 15 23:01:28 2018

bsdiff: block brotli-1.0.1

brotli-1.0.1 has API incompatibility with bsdiff. This patch adds a version
dependency to use only brotli version 1.0.6 and newer.

BUG=chromium:893677
BUG= chromium:878728 
TEST=sudo FEATURES=test bsdiff
CQ-DEPEND=CL:1238974

Change-Id: Ia216005a56bd6c3921641a82cbbfbf1da512daad
Reviewed-on: https://chromium-review.googlesource.com/1272156
Commit-Ready: Amin Hassani <ahassani@chromium.org>
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>

[modify] https://crrev.com/965e1d26f2fa46598dde694e12b1adb13fb67618/dev-util/bsdiff/bsdiff-9999.ebuild
[rename] https://crrev.com/965e1d26f2fa46598dde694e12b1adb13fb67618/dev-util/bsdiff/bsdiff-4.3.1-r18.ebuild

Cc: de...@chromium.org
deymo@ It is not fixed yet since brotli does not check for UNDEFINED_BEHAVIOR_SANITIZER (https://github.com/google/brotli/blob/master/c/common/platform.h#L311 ).
But given that brotli already takes care of alignment issues, maybe I should just disable alignment sanitizer check for it.
Cc: eustas@chromium.org
Amin, can you comment what is the incompatibility issue between 1.0.1 and 1.0.6? They should be compatible and I don't see anything weird being used in the bsdiff wrappers.
Project Member

Comment 22 by bugdroid1@chromium.org, Nov 2

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/bf19ce8a13b15172c9e0c1fc6ba40783a9d262ab

commit bf19ce8a13b15172c9e0c1fc6ba40783a9d262ab
Author: Manoj Gupta <manojgupta@google.com>
Date: Fri Nov 02 11:26:46 2018

brotli: Disable alignment sanitization.

Disable alignment sanitization since brotli takes care that the
memory accesses are alignment safe.

BUG= chromium:878728 
TEST=pre-cq passes.

Change-Id: Idfd41a8e6652883c180f458a1a6c06b72210fe6f
Reviewed-on: https://chromium-review.googlesource.com/c/1313387
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>

[add] https://crrev.com/bf19ce8a13b15172c9e0c1fc6ba40783a9d262ab/chromeos/config/env/app-arch/brotli

re #21: Sorry, I don't know why I defined it as API incompatibility. There was two problems: I needed a blocker to block against brotli 1.0.1 because we upreved brotli to 1.0.6 but the sdk was using an older update_engine in the builders and it would fail the precq, examples are in crbug.com/893677.

I don't remember the details of the second problem, but for some reason after switching bsdiff/puffin to static libraries, I couldn't build  puffin/update_engine with brotli 1.0.1 anymore. Unfortunately I don't exactly remember the details but I used to get undefined reference errors. It was coming from bsdiff. I looked through failed pre-cq builds, but couldn't find an example of it. It was just something that was failing to build locally. And it was something that got fixed after upreving brotli to 1.0.6.
Project Member

Comment 24 by ClusterFuzz, Nov 3

ClusterFuzz has detected this issue as fixed in range 3096287:3096731.

Detailed report: https://clusterfuzz.com/testcase?key=5251259880439808

Fuzzer: libFuzzer_chromeos_bspatch_fuzzer
Job Type: libfuzzer_ubsan_chromeos
Platform Id: linux

Crash Type: Misaligned-address
Crash Address: 
Crash State:
  ReadHuffmanCode
  DecodeContextMap
  BrotliDecoderDecompressStream
  
Sanitizer: undefined (UBSAN)

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_ubsan_chromeos&range=3096287:3096731

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5251259880439808

See https://chromium.googlesource.com/chromiumos/docs/+/master/fuzzing.md#Reproducing-crashes-from-ClusterFuzz for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Verified (was: Untriaged)

Sign in to add a comment