CHECK failure: view_it != guest_view_registry_.end(). Invalid GuestView created of type "?u i |
||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4503972110139392 Fuzzer: ipc_fuzzer_gen Job Type: windows_asan_chrome_ipc Platform Id: windows Crash Type: CHECK failure Crash Address: Crash State: view_it != guest_view_registry_.end(). Invalid GuestView created of type "?u i guest_view::GuestViewManager::ViewCreated guest_view::GuestViewMessageFilter::OnViewCreated Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_ipc&range=491035:491089 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4503972110139392 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 2 2017
I'm not the owner for guest_view_manager.cc.
,
Aug 2 2017
,
Aug 3 2017
Issue 751836 has been merged into this issue.
,
Aug 3 2017
Issue 751794 has been merged into this issue.
,
Aug 3 2017
Issue 751778 has been merged into this issue.
,
Aug 3 2017
,
Aug 3 2017
I just looked into this, this is not an issue. The IPC sent contains a string, and the CHECK that the browser process is hitting already enforces the validity of the message. This issue is probably due to https://chromium.googlesource.com/chromium/src/+/4ec751610d0f687db6fff1046ae7b799466a9354. tsepez@, is there anything we need to do on the clusterfuzz side to mark this as not being a problem? The fuzzer can keep creating new crashes by changing the string being passed.
,
Aug 3 2017
Given that the view_type string comes from a renderer, should we really be crashing the browser if it's invalid? Wouldn't it be better to just drop the message as is done here https://cs.chromium.org/chromium/src/components/guest_view/browser/guest_view_manager.cc?rcl=b85c8ec80f2137eed964d998d725db4ea8b72391&l=370 or kill the renderer instead as is done here https://cs.chromium.org/chromium/src/components/guest_view/browser/guest_view_manager.cc?rcl=b85c8ec80f2137eed964d998d725db4ea8b72391&l=425 ?
,
Aug 3 2017
I don't think we want to just drop the message -- at this point the renderer is guaranteed to be compromised. Killing the renderer is reasonable. If we go that route, we should use ReceivedBadMessage() in https://cs.chromium.org/chromium/src/content/browser/bad_message.h?l=213. I'll mark the bug as available and decrease priority.
,
Aug 3 2017
Adding kenrb to get your take on this. Does killing the renderer sound good?
,
Aug 4 2017
components/guest_view/browser/ doesn't have bad_message.h yet. I'll need to add that.
,
Aug 7 2017
Issue 752804 has been merged into this issue.
,
Aug 9 2017
Can you please remove the bad type name from check failure message. That blocks us from reenabling the fuzzer.
,
Aug 9 2017
,
Aug 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/36cc7b8f04a674c4ecfaa587477d73bd78531abb commit 36cc7b8f04a674c4ecfaa587477d73bd78531abb Author: Kevin McNee <mcnee@chromium.org> Date: Mon Aug 14 16:27:21 2017 Kill a renderer if it creates a GuestView of a nonsense type. A renderer sends a GuestViewHostMsg_ViewCreated message to the browser upon creation of a GuestView and specifies the GuestView type as a string. A misbehaving renderer can send a nonsense GuestView type causing the browser to crash when it CHECKs that the type is valid. We now kill the renderer for sending the bad message instead of crashing the browser. Bug: 751376 Change-Id: I7527bb4f47119e689a10f8ad40aa90f2d0778575 Reviewed-on: https://chromium-review.googlesource.com/612159 Reviewed-by: Lucas Gadani <lfg@chromium.org> Commit-Queue: Kevin McNee <mcnee@chromium.org> Cr-Commit-Position: refs/heads/master@{#494068} [modify] https://crrev.com/36cc7b8f04a674c4ecfaa587477d73bd78531abb/components/guest_view/browser/bad_message.h [modify] https://crrev.com/36cc7b8f04a674c4ecfaa587477d73bd78531abb/components/guest_view/browser/guest_view_manager.cc [modify] https://crrev.com/36cc7b8f04a674c4ecfaa587477d73bd78531abb/tools/metrics/histograms/enums.xml
,
Aug 14 2017
,
Aug 15 2017
ClusterFuzz testcase 4595343512829952 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by msrchandra@chromium.org
, Aug 2 2017Labels: M-62 Test-Predator-Wrong
Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)