
MiraclePtr label tagging (chromium)

Open oliverchang opened this issue 3 years ago • 0 comments

Given:

SUMMARY: AddressSanitizer: heap-use-after-free buildtools/third_party/libc++/trunk/include/__utility/swap.h:36:9

Shadow bytes around the buggy address:
  0x0c1680046160: fa fa f7 fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1680046170: fd fa fa fa fa fa fa fa f7 fa fd fd fd fd fd fd
=>0x0c1680046180: fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa f7 fa
  0x0c1680046190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c16800461a0: fa fa fa fa f7 fa fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  ...
  Right alloca redzone:    cb

MiraclePtr Status: PROTECTED
The crash occurred while a raw_ptr<T> object containing a dangling pointer was being dereferenced.
MiraclePtr should make this crash non-exploitable in regular builds.
Refer to https://chromium.googlesource.com/chromium/src/+/main/base/memory/raw_ptr.md for details.

==3196407==ABORTING

Turn the "MiraclePtr Status" line in the ASan splat into a MiraclePtr_Status bug label and apply it whenever ClusterFuzz (CF) files or updates a bug tracker issue, using the following mapping:

MiraclePtr Status: PROTECTED => MiraclePtr-Protected
MiraclePtr Status: MANUAL ANALYSIS REQUIRED => MiraclePtr-ManualAnalysisRequired
MiraclePtr Status: NOT PROTECTED => MiraclePtr-NotProtected
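One way to implement the mapping requested above, written here as an added example rather than ClusterFuzz's own code. It extracts the "MiraclePtr Status" line from a sanitizer report, maps it to the label using the table from this issue, and returns the label set an issue should carry. The function names, the regex, the choice to replace any earlier MiraclePtr-* label on update, and the trimmed sample splat are all assumptions of this example; an unrecognized status yields no label rather than a guessed one.

```python
import re
from typing import Iterable, List, Optional

# Mapping from the text after "MiraclePtr Status:" in the ASan splat to the
# bug-tracker label, exactly as listed in the issue above.
MIRACLEPTR_STATUS_TO_LABEL = {
    'PROTECTED': 'MiraclePtr-Protected',
    'MANUAL ANALYSIS REQUIRED': 'MiraclePtr-ManualAnalysisRequired',
    'NOT PROTECTED': 'MiraclePtr-NotProtected',
}

# Every MiraclePtr label starts with this prefix; used to drop a stale label
# when an issue is updated with a newer crash (an assumption of this example).
MIRACLEPTR_LABEL_PREFIX = 'MiraclePtr-'

# Matches the status line anywhere in a multi-line sanitizer report
# (hypothetical pattern, not ClusterFuzz's own parser).
_STATUS_LINE_RE = re.compile(
    r'^[ \t]*MiraclePtr Status:[ \t]*(?P<status>[^\r\n]*?)[ \t]*$', re.MULTILINE)


def extract_miracleptr_status(crash_stacktrace: str) -> Optional[str]:
    """Return the normalized status text, or None if the splat has no such line."""
    match = _STATUS_LINE_RE.search(crash_stacktrace)
    if not match:
        return None
    # Normalize case and internal whitespace so minor formatting changes in the
    # sanitizer output do not silently break the mapping.
    return ' '.join(match.group('status').split()).upper()


def miracleptr_label(crash_stacktrace: str) -> Optional[str]:
    """Map the splat to a label; None when there is no line or it is unknown."""
    status = extract_miracleptr_status(crash_stacktrace)
    if status is None:
        return None
    # An unrecognized status is deliberately left unlabeled rather than guessed.
    return MIRACLEPTR_STATUS_TO_LABEL.get(status)


def apply_miracleptr_label(existing_labels: Iterable[str],
                           crash_stacktrace: str) -> List[str]:
    """Return the label set an issue should carry after filing or updating."""
    labels = list(existing_labels)
    label = miracleptr_label(crash_stacktrace)
    if label is None:
        return labels
    # Replace any earlier MiraclePtr-* label so the issue reflects the latest
    # analysis, then append the new one.
    labels = [l for l in labels if not l.startswith(MIRACLEPTR_LABEL_PREFIX)]
    labels.append(label)
    return labels


# Constructed sample input: a trimmed copy of the splat quoted in the issue.
SAMPLE_SPLAT = """\
SUMMARY: AddressSanitizer: heap-use-after-free buildtools/third_party/libc++/trunk/include/__utility/swap.h:36:9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Right alloca redzone:    cb

MiraclePtr Status: PROTECTED
The crash occurred while a raw_ptr<T> object containing a dangling pointer was being dereferenced.
MiraclePtr should make this crash non-exploitable in regular builds.
==3196407==ABORTING
"""

if __name__ == '__main__':
    # Constructed existing label list for the demonstration.
    print(miracleptr_label(SAMPLE_SPLAT))
    print(apply_miracleptr_label(['Stability-Memory-AddressSanitizer'],
                                 SAMPLE_SPLAT))
```

Because the status line appears after the shadow-byte dump and the legend, the lookup is a multi-line regex search over the whole report rather than a line-by-line scan with early exit; a report with no MiraclePtr section (for example a non-UAF crash) simply gets no label.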

oliverchang, Jun 28 '22 00:06