Abrt in FX_Free

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4762530965356544

Fuzzer: libFuzzer_pdf_codec_jpeg_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x05390015f37a
Crash State:
  FX_Free
  CFX_CodecMemory::~CFX_CodecMemory
  CCodec_ProgressiveDecoder::~CCodec_ProgressiveDecoder

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=598482:598508

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4762530965356544

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Oct 22
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Oct 22
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/8d8d3bc54593d2d86054d59669b86a959ec0b602 (Fix dangling reference in CFX_CodecMemory.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Oct 22
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ed74612835a82e24e4ff4276c34d10889b945c86

commit ed74612835a82e24e4ff4276c34d10889b945c86
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Mon Oct 22 18:21:39 2018

Roll src/third_party/pdfium af3d6cc8910f..8298d25cf3ac (1 commits)

https://pdfium.googlesource.com/pdfium.git/+log/af3d6cc8910f..8298d25cf3ac

git log af3d6cc8910f..8298d25cf3ac --date=short --no-merges --format='%ad %ae %s'
2018-10-22 tsepez@chromium.org Speculative fix for bad FX_Free() under fuzzer.

Created with:
  gclient setdep -r src/third_party/pdfium@8298d25cf3ac

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

BUG= chromium:897585
TBR=dsinclair@chromium.org

Change-Id: Ibc89b68fa8df0a1ea3c93b90268bc1f11d89eecd
Reviewed-on: https://chromium-review.googlesource.com/c/1294215
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#601657}

[modify] https://crrev.com/ed74612835a82e24e4ff4276c34d10889b945c86/DEPS
Oct 22
Ah, this is a longstanding bug in partition_alloc cookie tracking. When the early return is taken at https://cs.chromium.org/chromium/src/base/allocator/partition_allocator/partition_alloc.cc?rcl=17abfac6e2571e9cba320ad9a20449ad6114d2aa&l=211 no new cookie is written, and the old cookie location may well become part of the usable buffer space to which the caller is entitled. Nor is the size updated, so when it is time to free the memory, we check the old cookie location.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/26c94f4e77eca64e282862d2025319f6acf921ad

commit 26c94f4e77eca64e282862d2025319f6acf921ad
Author: Tom Sepez <tsepez@chromium.org>
Date: Tue Oct 23 19:10:44 2018

[PartitionAlloc] fix cookie tracking for large no-op reallocs

The new test case will trip an assert under debug builds prior to the patch:

  *cookie_ptr == kCookieValue[i]

because a new cookie is not written, and the old location now is part of the space made available to the caller.

Bug: 897585
Change-Id: I9cb0a0378bd692445580f7b8b796200154bc15c6
Reviewed-on: https://chromium-review.googlesource.com/c/1294724
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602042}

[modify] https://crrev.com/26c94f4e77eca64e282862d2025319f6acf921ad/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/26c94f4e77eca64e282862d2025319f6acf921ad/base/allocator/partition_allocator/partition_alloc_unittest.cc
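The Oct 22 analysis comment and the commit message above describe the same failure mode: a realloc fast path that returns early when the new size still fits in the existing allocation, without writing a cookie at the new end or recording the new size, so the caller legitimately overwrites the old cookie and free() then checks that stale location. The program below is an added illustration, not code from this bug, Chromium or PDFium. It models the mechanism with a constructed toy allocator (the fixed slot capacity, the single trailing cookie and all function names are assumptions made for the example) and runs the buggy and the corrected no-op realloc side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy cookie-checked allocator, constructed for this example. It is NOT
 * PartitionAlloc's code; it only reproduces the shape of the bug: a
 * realloc fast path that returns early without moving the end cookie or
 * recording the new size. */
#define SLOT_CAPACITY 256   /* fixed backing store per allocation (assumption) */
#define COOKIE_SIZE 4
static const unsigned char kCookieValue[COOKIE_SIZE] = {0xDE, 0xAD, 0xBE, 0xEF};

typedef struct {
    unsigned char *slot;  /* SLOT_CAPACITY bytes of backing store */
    size_t size;          /* size the allocator believes the caller was granted */
} toy_alloc_t;

static void write_cookie(unsigned char *at) { memcpy(at, kCookieValue, COOKIE_SIZE); }

static bool cookie_intact(const unsigned char *at) {
    return memcmp(at, kCookieValue, COOKIE_SIZE) == 0;
}

/* Allocate `size` usable bytes and place the end cookie right after them. */
static bool toy_alloc(toy_alloc_t *a, size_t size) {
    if (size + COOKIE_SIZE > SLOT_CAPACITY) return false;
    a->slot = calloc(SLOT_CAPACITY, 1);
    if (a->slot == NULL) return false;
    a->size = size;
    write_cookie(a->slot + size);
    return true;
}

/* Buggy no-op realloc: the request still fits in the slot, so it returns
 * early. The cookie stays at the OLD end, inside the region the caller is
 * now entitled to write, and `size` is never updated. */
static bool toy_realloc_buggy(toy_alloc_t *a, size_t new_size) {
    if (new_size + COOKIE_SIZE > SLOT_CAPACITY) return false;
    (void)a;  /* nothing is updated on this path */
    return true;
}

/* Fixed no-op realloc: even when no memory moves, record the new size and
 * write the cookie at the new end so free() checks the right location. */
static bool toy_realloc_fixed(toy_alloc_t *a, size_t new_size) {
    if (new_size + COOKIE_SIZE > SLOT_CAPACITY) return false;
    a->size = new_size;
    write_cookie(a->slot + new_size);
    return true;
}

/* free() verifies the cookie at the recorded end. The real allocator aborts
 * on a mismatch; here the result is returned so callers can inspect it. */
static bool toy_free(toy_alloc_t *a) {
    bool intact = cookie_intact(a->slot + a->size);
    free(a->slot);
    a->slot = NULL;
    return intact;
}

/* The sequence from the bug: allocate, grow within the same slot, have the
 * caller legitimately fill every byte it was granted, then free. */
static bool run_scenario(bool (*realloc_fn)(toy_alloc_t *, size_t)) {
    toy_alloc_t a;
    if (!toy_alloc(&a, 64)) return false;
    if (!realloc_fn(&a, 128)) { toy_free(&a); return false; }
    memset(a.slot, 0x41, 128);  /* in-bounds write; covers bytes 64..67 */
    return toy_free(&a);
}

int main(void) {
    printf("buggy realloc: cookie %s at free\n",
           run_scenario(toy_realloc_buggy) ? "intact" : "CORRUPTED (would abort)");
    printf("fixed realloc: cookie %s at free\n",
           run_scenario(toy_realloc_fixed) ? "intact" : "CORRUPTED (would abort)");
    return 0;
}
```

The point for anyone maintaining a cookie or canary scheme is that the check at free time is only as good as the bookkeeping done on every path that changes the usable size, including the paths that deliberately do no work; the caller's write in run_scenario is fully in bounds, so the abort the fuzzer saw was a false positive from the allocator's own stale metadata, not memory corruption in the decoder.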
Oct 23
Shall we apply r602042 to PDFium as well?
Oct 23
Yes, yes, I'll make a PDFium patch once we know this is safe.
Oct 24
ClusterFuzz has detected this issue as fixed in range 602232:602243.

Detailed report: https://clusterfuzz.com/testcase?key=4762530965356544

Fuzzer: libFuzzer_pdf_codec_jpeg_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x05390015f37a
Crash State:
  FX_Free
  CFX_CodecMemory::~CFX_CodecMemory
  CCodec_ProgressiveDecoder::~CCodec_ProgressiveDecoder

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=598482:598508
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=602232:602243

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4762530965356544

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 24
ClusterFuzz testcase 4762530965356544 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.