
Issue 753719

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Null-dereference READ in content::BrowserPluginEmbedder::OnAttach

Project Member Reported by ClusterFuzz, Aug 9 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5740505559465984

Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::BrowserPluginEmbedder::OnAttach
  bool IPC::MessageT<BrowserPluginHostMsg_Attach_Meta, std::__1::tuple<int, Browse
  content::BrowserPluginEmbedder::OnMessageReceived
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=488146:488166

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5740505559465984


Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org
Components: Internals>Core
Labels: Test-Predator-Wrong-CLs
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "ipc_message_templates.h", assigning to the concerned owner using git blame.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/88707f978273e82c8d497cbf95255272c6286ceb

@tzik -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by tzik@chromium.org, Sep 14 2017

Components: -Internals>Core Platform>Apps>BrowserTag
Labels: QA-Triage-Wrong
Owner: ----
Status: Untriaged (was: Assigned)
Unrelated to the IPC change.
Nothing in the regression range looks very promising ... are we sure the bisect is correct?

Also, I tried running the test case and didn't get a repro ... are the bots still reporting this as a failure?

Comment 4 by mcnee@chromium.org, Sep 14 2017

Owner: mcnee@chromium.org
Status: Assigned (was: Untriaged)
The renderer is sending an unexpected BrowserPluginHostMsg_Attach before we have a BrowserPluginGuestManager. We should kill the renderer via bad_message::ReceivedBadMessage if it does this.

This is similar to the bug I fixed in https://chromium-review.googlesource.com/c/chromium/src/+/615474
Project Member Comment 5 by ClusterFuzz, Oct 1 2017

Components: Internals>Core
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member Comment 6 by bugdroid1@chromium.org, Oct 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2a9513f5a7a74fac303c9be30957f16fa2285c67

commit 2a9513f5a7a74fac303c9be30957f16fa2285c67
Author: Kevin McNee <mcnee@chromium.org>
Date: Fri Oct 13 21:09:07 2017

Kill a renderer if it sends an unexpected message before BPGM creation.

If we receive a message from the renderer to
BrowserPluginEmbedder::OnAttach before the creation of a
BrowserPluginGuestManager, then the renderer is misbehaving.

We now kill the renderer in this case.

Following the termination of the renderer, there are a few more calls
into BrowserPluginEmbedder where we just need to return due to the lack
of a BrowserPluginGuestManager.

Bug: 753719
Change-Id: I8a8638e1bb9006bc3b4b9dfdfb018c422f6f5509
Reviewed-on: https://chromium-review.googlesource.com/668037
Commit-Queue: Kevin McNee <mcnee@chromium.org>
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Reviewed-by: Nick Carter <nick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508819}
[modify] https://crrev.com/2a9513f5a7a74fac303c9be30957f16fa2285c67/content/browser/bad_message.h
[modify] https://crrev.com/2a9513f5a7a74fac303c9be30957f16fa2285c67/content/browser/browser_plugin/browser_plugin_embedder.cc
[modify] https://crrev.com/2a9513f5a7a74fac303c9be30957f16fa2285c67/tools/metrics/histograms/enums.xml
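The guard that comment 4 describes and the commit above implements, as an added example. This is not Chromium's code and not the patch itself: BrowserPluginGuestManager, RenderProcessHost and bad_message::BadMessageReason are replaced by small stand-ins, the enumerator name BPE_UNEXPECTED_MESSAGE_BEFORE_BPGM_CREATION and the second message type are assumptions, and the "kill" is recorded rather than performed. It shows the two behaviours the fix needs: an Attach that arrives before any guest manager exists terminates the sender instead of dereferencing a null pointer, and later calls from that sender just return.

```cpp
// Added example, not Chromium's code. Models the fix: an IPC handler that needs
// browser-side state which may not exist yet must treat a message arriving
// before that state as a misbehaving renderer. All names are hypothetical.
#include <optional>
#include <vector>

// Stand-in for bad_message::BadMessageReason; the enumerator is an assumption.
enum class BadMessageReason { BPE_UNEXPECTED_MESSAGE_BEFORE_BPGM_CREATION };

// Stand-in for the sender's RenderProcessHost: a kill is recorded, not done.
struct RendererProcess {
  bool alive = true;
  std::optional<BadMessageReason> kill_reason;
  void ReceivedBadMessage(BadMessageReason reason) {
    alive = false;
    kill_reason = reason;
  }
};

// Stand-in for BrowserPluginGuestManager.
struct GuestManager {
  std::vector<int> attached_guest_ids;
  void Attach(int guest_instance_id) { attached_guest_ids.push_back(guest_instance_id); }
};

// Two message kinds are enough to show both branches: Attach needs the manager,
// and any later message from an already-killed sender must be dropped.
enum class MsgType { kAttach, kOtherNeedingManager };
struct IpcMessage {
  MsgType type;
  int guest_instance_id;
};

class BrowserPluginEmbedder {
 public:
  // The legitimate, browser-side path that creates the manager. A renderer
  // message never creates it.
  void EnsureGuestManager() { if (!manager_) manager_.emplace(); }
  bool HasGuestManager() const { return manager_.has_value(); }
  const GuestManager* guest_manager() const { return manager_ ? &*manager_ : nullptr; }

  // Returns true if the message was handled, false if rejected or dropped.
  bool OnMessageReceived(RendererProcess& sender, const IpcMessage& msg) {
    if (!sender.alive) return false;  // renderer already terminated: just return
    switch (msg.type) {
      case MsgType::kAttach: return OnAttach(sender, msg.guest_instance_id);
      case MsgType::kOtherNeedingManager: return OnOther();
    }
    return false;
  }

 private:
  bool OnAttach(RendererProcess& sender, int guest_instance_id) {
    if (!manager_) {
      // The fix: no guest manager yet means the renderer sent Attach out of
      // order, so kill it instead of dereferencing a null pointer.
      sender.ReceivedBadMessage(BadMessageReason::BPE_UNEXPECTED_MESSAGE_BEFORE_BPGM_CREATION);
      return false;
    }
    manager_->Attach(guest_instance_id);
    return true;
  }
  // After the kill above, remaining handlers just return when there is no manager.
  bool OnOther() { return manager_.has_value(); }

  std::optional<GuestManager> manager_;
};

// Scenario 1: an unsolicited Attach before any manager exists. Returns true when
// the sender was terminated with the expected reason, the follow-up message was
// dropped, and no manager was created as a side effect.
bool UnexpectedAttachKillsRenderer() {
  BrowserPluginEmbedder embedder;
  RendererProcess renderer;
  bool handled = embedder.OnMessageReceived(renderer, {MsgType::kAttach, 7});
  bool followup = embedder.OnMessageReceived(renderer, {MsgType::kOtherNeedingManager, 7});
  return !handled && !followup && !renderer.alive &&
         renderer.kill_reason == BadMessageReason::BPE_UNEXPECTED_MESSAGE_BEFORE_BPGM_CREATION &&
         !embedder.HasGuestManager();
}

// Scenario 2: the ordinary path once the manager exists. Returns the number of
// attached guests, or -1 if the renderer was (wrongly) killed.
int AttachAfterManagerCreation() {
  BrowserPluginEmbedder embedder;
  RendererProcess renderer;
  embedder.EnsureGuestManager();
  embedder.OnMessageReceived(renderer, {MsgType::kAttach, 7});
  embedder.OnMessageReceived(renderer, {MsgType::kAttach, 8});
  if (!renderer.alive) return -1;
  return static_cast<int>(embedder.guest_manager()->attached_guest_ids.size());
}
```

The point of checking `sender.alive` at the top of the dispatcher is the last paragraph of the commit message: once the renderer has been killed for the bad Attach, the handlers that run afterwards must not assume a manager exists either, and the cheapest way to guarantee that is to stop dispatching to a dead sender at all.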

Comment 7 by mcnee@chromium.org, Oct 16 2017

Status: Fixed (was: Assigned)
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
