
Issue 897585


Issue metadata

Status: Verified
Owner:
Closed: Oct 24
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Abrt in FX_Free

Project Member Reported by ClusterFuzz, Oct 22

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4762530965356544

Fuzzer: libFuzzer_pdf_codec_jpeg_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x05390015f37a
Crash State:
  FX_Free
  CFX_CodecMemory::~CFX_CodecMemory
  CCodec_ProgressiveDecoder::~CCodec_ProgressiveDecoder
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=598482:598508

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4762530965356544

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 22

Components: Internals>Plugins>PDF
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Oct 22

Cc: dsinclair@chromium.org jam@chromium.org brucedaw...@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 3 by ClusterFuzz, Oct 22

Labels: Test-Predator-Auto-Owner
Owner: tsepez@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://pdfium.googlesource.com/pdfium/+/8d8d3bc54593d2d86054d59669b86a959ec0b602 (Fix dangling reference in CFX_CodecMemory.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 22

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ed74612835a82e24e4ff4276c34d10889b945c86

commit ed74612835a82e24e4ff4276c34d10889b945c86
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Mon Oct 22 18:21:39 2018

Roll src/third_party/pdfium af3d6cc8910f..8298d25cf3ac (1 commits)

https://pdfium.googlesource.com/pdfium.git/+log/af3d6cc8910f..8298d25cf3ac


git log af3d6cc8910f..8298d25cf3ac --date=short --no-merges --format='%ad %ae %s'
2018-10-22 tsepez@chromium.org Speculative fix for bad FX_Free() under fuzzer.


Created with:
  gclient setdep -r src/third_party/pdfium@8298d25cf3ac

The AutoRoll server is located here: https://autoroll.skia.org/r/pdfium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.



BUG= chromium:897585 
TBR=dsinclair@chromium.org

Change-Id: Ibc89b68fa8df0a1ea3c93b90268bc1f11d89eecd
Reviewed-on: https://chromium-review.googlesource.com/c/1294215
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#601657}
[modify] https://crrev.com/ed74612835a82e24e4ff4276c34d10889b945c86/DEPS

Ah, this is a longstanding bug in partition_alloc cookie tracking.

When the early return is taken at

https://cs.chromium.org/chromium/src/base/allocator/partition_allocator/partition_alloc.cc?rcl=17abfac6e2571e9cba320ad9a20449ad6114d2aa&l=211

no new cookie is written, and the old cookie location may well become part of
the usable buffer space to which the caller is entitled.  Nor is the size
updated, so when it is time to free the memory, we check the old cookie location.
Components: Blink>MemoryAllocator>Partition
Cc: thestig@chromium.org
Project Member

Comment 8 by bugdroid1@chromium.org, Oct 23

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/26c94f4e77eca64e282862d2025319f6acf921ad

commit 26c94f4e77eca64e282862d2025319f6acf921ad
Author: Tom Sepez <tsepez@chromium.org>
Date: Tue Oct 23 19:10:44 2018

[PartitionAlloc] fix cookie tracking for large no-op reallocs

The new test case will trip an assert under debug builds
prior to the patch: *cookie_ptr == kCookieValue[i] because
a new cookie is not written, and the old location now is part
of the space made available to the caller.

Bug:  897585 
Change-Id: I9cb0a0378bd692445580f7b8b796200154bc15c6
Reviewed-on: https://chromium-review.googlesource.com/c/1294724
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#602042}
[modify] https://crrev.com/26c94f4e77eca64e282862d2025319f6acf921ad/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/26c94f4e77eca64e282862d2025319f6acf921ad/base/allocator/partition_allocator/partition_alloc_unittest.cc
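
The cookie-tracking problem described in the comment above ("no new cookie is written ... nor is the size updated") and in the r602042 commit message, modeled as an added example. This is not PartitionAlloc's code or the patch itself: it is a toy allocator with the same shape (a cookie before and after each allocation, both verified on free), an in-place realloc with the early return, and the corrected variant side by side. The names Slot, ReallocBuggy, ReallocFixed, Scenario, the 16-byte cookie pattern and the 32/64-byte sizes are assumptions made for the demo.

```cpp
// Added example, not PartitionAlloc's code: a toy allocator with debug
// cookies on both sides of each allocation, showing why a no-op in-place
// realloc must still rewrite the trailing cookie and record the new size.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

constexpr size_t kCookieSize = 16;
// Assumed cookie pattern (any fixed byte sequence works for the demo).
constexpr uint8_t kCookieValue[kCookieSize] = {
    0xDE, 0xAD, 0xBE, 0xEF, 0x0D, 0x0A, 0x0D, 0x0A,
    0x5A, 0xA5, 0x5A, 0xA5, 0xC0, 0xFF, 0xEE, 0x01};

// One slot: [cookie][payload...][cookie][unused slack].
// tracked_size is what the allocator believes the caller owns; it decides
// where Free() looks for the trailing cookie.
struct Slot {
  std::vector<uint8_t> storage;
  size_t tracked_size = 0;
};

static void WriteCookie(uint8_t* p) { std::memcpy(p, kCookieValue, kCookieSize); }
static bool CheckCookie(const uint8_t* p) {
  return std::memcmp(p, kCookieValue, kCookieSize) == 0;
}
static uint8_t* Payload(Slot& s) { return s.storage.data() + kCookieSize; }
static size_t Capacity(const Slot& s) { return s.storage.size() - 2 * kCookieSize; }

// Allocate `size` bytes in a slot that can hold up to `capacity` bytes
// (models a slot larger than the request, as with large allocations).
static Slot Alloc(size_t size, size_t capacity) {
  Slot s;
  s.storage.assign(capacity + 2 * kCookieSize, 0);
  s.tracked_size = size;
  WriteCookie(s.storage.data());
  WriteCookie(Payload(s) + size);
  return s;
}

// Buggy in-place realloc: the early return hands the caller `new_size`
// bytes but leaves the old trailing cookie inside that range and keeps
// the stale tracked_size. Returns false when an out-of-place move would
// be needed (not modeled here).
static bool ReallocBuggy(Slot& s, size_t new_size) {
  if (new_size <= Capacity(s)) return true;
  return false;
}

// Fixed in-place realloc: same early-return condition, but it moves the
// trailing cookie to the new end and records the new size first.
static bool ReallocFixed(Slot& s, size_t new_size) {
  if (new_size <= Capacity(s)) {
    WriteCookie(Payload(s) + new_size);
    s.tracked_size = new_size;
    return true;
  }
  return false;
}

// Free checks both cookies at the tracked size. A mismatch is what the
// debug assert (*cookie_ptr == kCookieValue[i]) reports; here it is a
// false return instead of an abort.
static bool Free(Slot& s) {
  bool ok = CheckCookie(s.storage.data()) &&
            CheckCookie(Payload(s) + s.tracked_size);
  s.storage.clear();
  return ok;
}

// Scenario: allocate 32 bytes in a slot with 64 bytes of capacity, realloc
// to 64 in place, then have the caller write `bytes_used` of the bytes it
// now owns. Returns whether Free() found its cookies intact.
bool Scenario(bool use_fix, size_t bytes_used) {
  Slot s = Alloc(32, 64);
  bool in_place = use_fix ? ReallocFixed(s, 64) : ReallocBuggy(s, 64);
  if (!in_place || bytes_used > 64) return false;
  std::memset(Payload(s), 0xAB, bytes_used);  // legitimate use of the buffer
  return Free(s);
}

int main() {
  std::printf("buggy, caller touches only old 32 bytes: %s\n",
              Scenario(false, 32) ? "cookies ok" : "cookie check failed");
  std::printf("buggy, caller uses all 64 bytes:        %s\n",
              Scenario(false, 64) ? "cookies ok" : "cookie check failed");
  std::printf("fixed, caller uses all 64 bytes:        %s\n",
              Scenario(true, 64) ? "cookies ok" : "cookie check failed");
  return 0;
}
```

The first scenario shows why the bug stayed latent: as long as the caller never touches the bytes beyond its old size, the stale cookie survives and free is silent. Only a caller that actually uses the space it was told it owns (the second scenario) clobbers the cookie, which is the behaviour a fuzzer reaches quickly. The fix both moves the cookie and updates the tracked size; doing only one of the two would still leave free checking the wrong location.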

Shall we apply r602042 to PDFium as well?
Yes, yes, I'll make a PDFium patch once we know this is safe.
Project Member

Comment 11 by ClusterFuzz, Oct 24

ClusterFuzz has detected this issue as fixed in range 602232:602243.

Detailed report: https://clusterfuzz.com/testcase?key=4762530965356544

Fuzzer: libFuzzer_pdf_codec_jpeg_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x05390015f37a
Crash State:
  FX_Free
  CFX_CodecMemory::~CFX_CodecMemory
  CCodec_ProgressiveDecoder::~CCodec_ProgressiveDecoder
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=598482:598508
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=602232:602243

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4762530965356544

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Oct 24

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4762530965356544 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
