Null-dereference READ in content::BrowserPluginEmbedder::OnAttach |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5740505559465984
Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::BrowserPluginEmbedder::OnAttach
  bool IPC::MessageT<BrowserPluginHostMsg_Attach_Meta, std::__1::tuple<int, Browse
  content::BrowserPluginEmbedder::OnMessageReceived
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=488146:488166
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5740505559465984

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Sep 14 2017
Unrelated to the IPC change.
Sep 14 2017
Nothing in the regression range looks very promising ... are we sure the bisect is correct? Also, I tried running the test case and didn't get a repro ... are the bots still reporting this as a failure?
Sep 14 2017
The renderer is sending an unexpected BrowserPluginHostMsg_Attach before we have a BrowserPluginGuestManager. We should kill the renderer via bad_message::ReceivedBadMessage if it does this. This is similar to the bug I fixed in https://chromium-review.googlesource.com/c/chromium/src/+/615474
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2a9513f5a7a74fac303c9be30957f16fa2285c67

commit 2a9513f5a7a74fac303c9be30957f16fa2285c67
Author: Kevin McNee <mcnee@chromium.org>
Date: Fri Oct 13 21:09:07 2017

Kill a renderer if it sends an unexpected message before BPGM creation.

If we receive a message from the renderer to BrowserPluginEmbedder::OnAttach before the creation of a BrowserPluginGuestManager, then the renderer is misbehaving. We now kill the renderer in this case.

Following the termination of the renderer, there are a few more calls into BrowserPluginEmbedder where we just need to return due to the lack of a BrowserPluginGuestManager.

Bug: 753719
Change-Id: I8a8638e1bb9006bc3b4b9dfdfb018c422f6f5509
Reviewed-on: https://chromium-review.googlesource.com/668037
Commit-Queue: Kevin McNee <mcnee@chromium.org>
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Reviewed-by: Nick Carter <nick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508819}

[modify] https://crrev.com/2a9513f5a7a74fac303c9be30957f16fa2285c67/content/browser/bad_message.h
[modify] https://crrev.com/2a9513f5a7a74fac303c9be30957f16fa2285c67/content/browser/browser_plugin/browser_plugin_embedder.cc
[modify] https://crrev.com/2a9513f5a7a74fac303c9be30957f16fa2285c67/tools/metrics/histograms/enums.xml
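The comment from Sep 14 and the commit message above describe the same defensive pattern: a browser-side IPC handler must check that the state a message depends on (here, the BrowserPluginGuestManager) already exists, and treat a message that arrives before that state as a bad message that terminates the sending renderer, rather than dereferencing a null pointer. The following C++ is an added illustration of that pattern written for this page; it is not Chromium's code. RenderProcessHost, BrowserPluginGuestManager, ReceivedBadMessage and the reason value kBpeUnexpectedMessageBeforeBpgmCreation are simplified stand-ins, and OnSubsequentMessage is a hypothetical second handler standing in for the "few more calls" the commit message mentions.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical bad-message reason; the real enum value lives in
// content/browser/bad_message.h and is not reproduced here.
enum class BadMessageReason {
  kBpeUnexpectedMessageBeforeBpgmCreation,
};

// Stand-in for the renderer process as seen from the browser process.
struct RenderProcessHost {
  bool killed = false;
  std::vector<BadMessageReason> bad_message_reasons;
};

// Stand-in for bad_message::ReceivedBadMessage(): record the reason and
// terminate the offending renderer instead of continuing with the message.
void ReceivedBadMessage(RenderProcessHost* host, BadMessageReason reason) {
  host->bad_message_reasons.push_back(reason);
  host->killed = true;
}

// Stand-in for BrowserPluginGuestManager: tracks attached guest instances.
struct BrowserPluginGuestManager {
  std::vector<int> attached_guests;
  void Attach(int guest_instance_id) { attached_guests.push_back(guest_instance_id); }
};

class BrowserPluginEmbedder {
 public:
  explicit BrowserPluginEmbedder(RenderProcessHost* host) : host_(host) {}

  // In the expected sequence the guest manager exists before any Attach
  // message arrives; a renderer that sends Attach first is out of sequence.
  void CreateGuestManager() {
    guest_manager_ = std::make_unique<BrowserPluginGuestManager>();
  }

  BrowserPluginGuestManager* GetBrowserPluginGuestManager() const {
    return guest_manager_.get();
  }

  // Hardened handler; returns true when the attach was processed.
  // The pre-fix handler used the manager pointer unconditionally, which with
  // a null pointer is the ASAN "Null-dereference READ" in the report.
  bool OnAttach(int guest_instance_id) {
    BrowserPluginGuestManager* manager = GetBrowserPluginGuestManager();
    if (!manager) {
      ReceivedBadMessage(host_, BadMessageReason::kBpeUnexpectedMessageBeforeBpgmCreation);
      return false;
    }
    manager->Attach(guest_instance_id);
    return true;
  }

  // Hypothetical later handler: once the renderer has been killed there is
  // nothing to do without a guest manager, so it returns quietly rather than
  // crashing or reporting a second bad message.
  bool OnSubsequentMessage() {
    return GetBrowserPluginGuestManager() != nullptr;
  }

 private:
  RenderProcessHost* host_;
  std::unique_ptr<BrowserPluginGuestManager> guest_manager_;
};

// Scenario: Attach arrives before the guest manager exists (the bug's input).
bool AttachBeforeGuestManager(RenderProcessHost* host) {
  BrowserPluginEmbedder embedder(host);
  bool handled = embedder.OnAttach(42);  // constructed guest instance id
  embedder.OnSubsequentMessage();         // must be a harmless no-op now
  return handled;
}

// Scenario: the expected ordering.
bool AttachAfterGuestManager(RenderProcessHost* host) {
  BrowserPluginEmbedder embedder(host);
  embedder.CreateGuestManager();
  return embedder.OnAttach(42) &&
         embedder.GetBrowserPluginGuestManager()->attached_guests.size() == 1;
}

int main() {
  RenderProcessHost early, normal;
  std::printf("attach before BPGM: handled=%d killed=%d\n",
              AttachBeforeGuestManager(&early), early.killed);
  std::printf("attach after BPGM:  handled=%d killed=%d\n",
              AttachAfterGuestManager(&normal), normal.killed);
  return 0;
}
```

The point worth keeping from the commit is the asymmetry: only the first out-of-sequence message is treated as a bad message and kills the renderer; handlers reached afterwards just return, because the missing guest manager is then an expected consequence of the kill, not a second misbehaviour.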
Oct 16 2017

Nov 7 2017
Comment 1 by msrchandra@chromium.org, Sep 13 2017
Components: Internals>Core
Labels: Test-Predator-Wrong-CLs
Owner: tzik@chromium.org
Status: Assigned (was: Untriaged)