afl_webcrypto_rsa_import_key_pkcs8_fuzzer <no crash state available>

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5794309034213376

Fuzzer: afl_webcrypto_rsa_import_key_pkcs8_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State: NULL
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=494604:494666

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5794309034213376

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 16 2017

Aug 16 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Aug 16 2017

Aug 17 2017

Aug 17 2017

Aug 25 2017
mmoroz@ and metzman@, do you know why we don't see a stacktrace in this case? (This can be reproduced on Goobuntu)
Aug 25 2017
Wow :) I'll take a look.
Aug 25 2017
The crash happens with libFuzzer as well. And it also doesn't provide a stacktrace:

$ out/Release/webcrypto_rsa_import_key_pkcs8_fuzzer ./clusterfuzz-testcase-5794309034213376
INFO: Seed: 462506616
INFO: Loaded 2 modules (1689004 guards): 27505 [0x7fccb9ef5520, 0x7fccb9f102e4), 1661499 [0xc7b31e0, 0xce09acc),
/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/Release/webcrypto_rsa_import_key_pkcs8_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./clusterfuzz-testcase-5794309034213376
ASAN:DEADLYSIGNAL
=================================================================
==89784==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x7ffc9f98fe30 sp 0x7ffc9f98fd98 T0)
==89784==Hint: pc points to the zero page.
==89784==The signal is caused by a READ memory access.
==89784==Hint: address points to the zero page.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==89784==ABORTING
Aug 25 2017
There is a stacktrace available under gdb:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000000000531102a in CreateMessagePipe () at ../../mojo/public/cpp/system/message_pipe.h:54
#2  MessagePipe () at ../../mojo/public/cpp/system/message_pipe.h:133
#3  MakeRequest<service_manager::mojom::Connector> () at ../../mojo/public/cpp/bindings/interface_request.h:136
#4  Create () at ../../services/service_manager/public/cpp/connector.cc:30
#5  0x0000000005419c02 in DefaultConnector () at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:76
#6  operator() () at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188
#7  InstanceStorage<(lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3), (lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3)> () at ../../third_party/WebKit/Source/platform/wtf/StdLibExtras.h:165
#8  StaticSingleton<(lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3), (lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3)> () at ../../third_party/WebKit/Source/platform/wtf/StdLibExtras.h:117
#9  GetConnector () at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188
#10 0x0000000002b87e55 in Initialize () at ../../third_party/WebKit/Source/platform/instrumentation/resource_coordinator/RendererResourceCoordinator.cpp:24
#11 0x00000000054194cb in Initialize () at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:162
#12 0x00000000004fa794 in InitOnce () at ../../components/webcrypto/fuzzer_support.cc:26
#13 New () at ../../base/lazy_instance.h:60
#14 New () at ../../base/lazy_instance.h:109
#15 operator() () at ../../base/lazy_instance.h:197
#16 GetOrCreateLazyPointer<(lambda at ../../base/lazy_instance.h:197:9)> () at ../../base/lazy_instance.h:158
#17 Pointer () at ../../base/lazy_instance.h:195
#18 Get () at ../../base/lazy_instance.h:186
#19 EnsureInitialized () at ../../components/webcrypto/fuzzer_support.cc:34
#20 0x00000000004fa8af in ImportRsaKeyFromDerFuzzData () at ../../components/webcrypto/fuzzer_support.cc:149
#21 0x00000000004fa6d9 in LLVMFuzzerTestOneInput () at ../../components/webcrypto/rsa_import_key_pkcs8_fuzzer.cc:12
#22 0x000000000051967c in ExecuteCallback () at ../../third_party/libFuzzer/src/FuzzerLoop.cpp:494
#23 0x00000000004fcbfd in RunOneTest () at ../../third_party/libFuzzer/src/FuzzerDriver.cpp:273
#24 0x0000000000506ec0 in FuzzerDriver () at ../../third_party/libFuzzer/src/FuzzerDriver.cpp:690
#25 0x000000000052b1f9 in main () at ../../third_party/libFuzzer/src/FuzzerMain.cpp:20
Aug 25 2017
Looks like something else is corrupted (in addition to PC), so ASan cannot unwind the stack. Eric, who could be a good owner for that?
Aug 25 2017
Eric seems to be OOO, and the bug might be in mojo code, as per the stacktrace from c#10. rockot@, mind taking a look?
Aug 25 2017
Thanks ochang@ for taking a look, it looks like there is missing mojo initialization, and due to that "the function pointer table is initially all nulls: https://cs.chromium.org/chromium/src/mojo/public/c/system/thunks.cc?type=cs&sq=package:chromium&l=13 probably need to call mojo::edk::Init() once"
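As an added illustration (not Chromium's code, not from anyone in this thread), the following shows the failure mode described in the comment above: a fuzz target calling through a function-pointer table that is all-null until a one-time init runs, and a guarded call that reports the missing init instead of jumping to address 0. All names (thunks, subsystem_init, ensure_initialized, import_key_from_der) are hypothetical stand-ins for the mojo thunk table and the fuzzer_support.cc InitOnce path.

```c
/* Added example, not Chromium code. Hypothetical names throughout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*create_pipe_fn)(uint32_t *h0, uint32_t *h1);
struct thunks { create_pipe_fn create_message_pipe; };

/* Static storage is zero-initialised, so the entry is NULL until init,
 * like the table in mojo's thunks.cc. */
static struct thunks g_thunks;

static int real_create_message_pipe(uint32_t *h0, uint32_t *h1) {
  *h0 = 1; *h1 = 2;
  return 0;
}

/* Fills the table; plays the role of mojo::edk::Init(). */
static void subsystem_init(void) { g_thunks.create_message_pipe = real_create_message_pipe; }

/* Runs subsystem_init exactly once, as InitOnce did via LazyInstance.
 * The fuzz loop is single-threaded, so a plain flag suffices here. */
static void ensure_initialized(void) {
  static int done;
  if (!done) { subsystem_init(); done = 1; }
}

/* Guarded call-through: an unguarded `g_thunks.create_message_pipe(h0, h1)`
 * would branch to pc 0x0, which is the unwindable-frame-less SEGV on this page. */
int create_message_pipe(uint32_t *h0, uint32_t *h1) {
  if (g_thunks.create_message_pipe == NULL) {
    fprintf(stderr, "thunk table not initialised; call ensure_initialized() first\n");
    return -1;
  }
  return g_thunks.create_message_pipe(h0, h1);
}

/* Probe used to observe the table state: 0 after init, -1 before. */
int pipe_status(void) { uint32_t a, b; return create_message_pipe(&a, &b); }

/* Stand-in for the key-import path: -1 if the pipe cannot be made, else byte count. */
int import_key_from_der(const uint8_t *data, size_t size) {
  uint32_t h0, h1;
  (void)data;   /* a real target would parse the DER here */
  if (create_message_pipe(&h0, &h1) != 0) return -1;
  return (int)size;
}

/* libFuzzer entry point: the one-time init must precede the first call-through. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  ensure_initialized();
  import_key_from_der(data, size);
  return 0;
}
```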
Aug 25 2017
I've tried the fix suggested by Oliver (https://chromium-review.googlesource.com/c/chromium/src/+/636120), but now it crashes on some mojo CHECK.

$ ASAN_OPTIONS=handle_segv=1 ~/Projects/new/chromium/src/out/Release/webcrypto_rsa_import_key_pkcs8_fuzzer ./clusterfuzz-testcase-5794309034213376
INFO: Seed: 261127635
INFO: Loaded 2 modules (1695786 guards): 27505 [0x7fd07c761520, 0x7fd07c77c2e4), 1668281 [0xc85f960, 0xcebcc44),
/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/Release/webcrypto_rsa_import_key_pkcs8_fuzzer: Running 1 inputs 1 time(s) each.
Running: ./clusterfuzz-testcase-5794309034213376
[0825/145936.133846:FATAL:sequenced_task_runner_handle.cc(57)] Check failed: pool. Error: This caller requires a sequenced context (i.e. the current task needs to run from a SequencedTaskRunner).
#0 0x000000478c71 <unknown>
#1 0x000002e30a6e <unknown>
#2 0x000002e533e5 <unknown>
#3 0x000002ef6278 <unknown>
#4 0x0000046fb3a3 <unknown>
#5 0x0000046d6803 <unknown>
#6 0x0000053ac072 <unknown>
#7 0x0000053aa35f <unknown>
#8 0x0000054b2e92 <unknown>
#9 0x000002baade5 <unknown>
#10 0x0000054b275b <unknown>
#11 0x0000004fa799 <unknown>
#12 0x0000004fa8af <unknown>
#13 0x0000004fa6d9 <unknown>
#14 0x00000051967c <unknown>
#15 0x0000004fcbfd <unknown>
#16 0x000000506ec0 <unknown>
#17 0x00000052b1f9 <unknown>
#18 0x7fd0767c7f45 <unknown>
#19 0x00000042dabb <unknown>

==155937== ERROR: libFuzzer: deadly signal
#0 0x4d6f97 in __sanitizer_print_stack_trace (/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/Release/webcrypto_rsa_import_key_pkcs8_fuzzer+0x4d6f97)
#1 0x5161fa in fuzzer::Fuzzer::CrashCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:196:5
#2 0x516189 in fuzzer::Fuzzer::StaticCrashSignalCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:175:6
#3 0x7fd07c04332f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1032f)
#4 0x2e53e9b in logging::LogMessage::~LogMessage() base/logging.cc:791:7
#5 0x2ef6277 in base::SequencedTaskRunnerHandle::Get() base/threading/sequenced_task_runner_handle.cc:57:3
#6 0x46fb3a2 in mojo::internal::GetTaskRunnerToUseFromUserProvidedTaskRunner(scoped_refptr<base::SingleThreadTaskRunner>) mojo/public/cpp/bindings/lib/task_runner_helper.cc:23:10
#7 0x46d6802 in mojo::internal::InterfacePtrStateBase::Bind(mojo::ScopedHandleBase<mojo::MessagePipeHandle>, unsigned int, scoped_refptr<base::SingleThreadTaskRunner>) mojo/public/cpp/bindings/lib/interface_ptr_state.cc:59:7
#8 0x53ac071 in Bind mojo/public/cpp/bindings/lib/interface_ptr_state.h:146:28
#9 0x53ac071 in mojo::InterfacePtr<service_manager::mojom::Connector>::Bind(mojo::InterfacePtrInfo<service_manager::mojom::Connector>, scoped_refptr<base::SingleThreadTaskRunner>) mojo/public/cpp/bindings/interface_ptr.h:84
#10 0x53aa35e in MakeRequest<service_manager::mojom::Connector> mojo/public/cpp/bindings/interface_request.h:137:8
#11 0x53aa35e in service_manager::Connector::Create(mojo::InterfaceRequest<service_manager::mojom::Connector>*) services/service_manager/public/cpp/connector.cc:30
#12 0x54b2e91 in DefaultConnector third_party/WebKit/Source/platform/exported/Platform.cpp:76:18
#13 0x54b2e91 in operator() third_party/WebKit/Source/platform/exported/Platform.cpp:188
#14 0x54b2e91 in InstanceStorage<(lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3), (lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3)> third_party/WebKit/Source/platform/wtf/StdLibExtras.h:165
#15 0x54b2e91 in StaticSingleton<(lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3), (lambda at ../../third_party/WebKit/Source/platform/exported/Platform.cpp:188:3)> third_party/WebKit/Source/platform/wtf/StdLibExtras.h:117
#16 0x54b2e91 in blink::Platform::GetConnector() third_party/WebKit/Source/platform/exported/Platform.cpp:188
#17 0x2baade4 in blink::RendererResourceCoordinator::Initialize() third_party/WebKit/Source/platform/instrumentation/resource_coordinator/RendererResourceCoordinator.cpp:24:17
#18 0x54b275a in blink::Platform::Initialize(blink::Platform*) third_party/WebKit/Source/platform/exported/Platform.cpp:162:5
#19 0x4fa798 in InitOnce components/webcrypto/fuzzer_support.cc:28:5
#20 0x4fa798 in New base/lazy_instance.h:60
#21 0x4fa798 in New base/lazy_instance.h:109
#22 0x4fa798 in operator() base/lazy_instance.h:197
#23 0x4fa798 in GetOrCreateLazyPointer<(lambda at ../../base/lazy_instance.h:197:9)> base/lazy_instance.h:158
#24 0x4fa798 in Pointer base/lazy_instance.h:195
#25 0x4fa798 in Get base/lazy_instance.h:186
#26 0x4fa798 in webcrypto::(anonymous namespace)::EnsureInitialized() components/webcrypto/fuzzer_support.cc:36
#27 0x4fa8ae in webcrypto::ImportRsaKeyFromDerFuzzData(unsigned char const*, unsigned long, blink::WebCryptoKeyFormat) components/webcrypto/fuzzer_support.cc:151:3
#28 0x4fa6d8 in LLVMFuzzerTestOneInput components/webcrypto/rsa_import_key_pkcs8_fuzzer.cc:12:3
#29 0x51967b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:494:13
#30 0x4fcbfc in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:273:6
#31 0x506ebf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:690:9
#32 0x52b1f8 in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
#33 0x7fd0767c7f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
Aug 25 2017

Aug 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/484fd0c2bcc4a5ea5c61d6f70da4a4695a8c60dd

commit 484fd0c2bcc4a5ea5c61d6f70da4a4695a8c60dd
Author: Max Moroz <mmoroz@chromium.org>
Date: Tue Aug 29 17:26:51 2017

[webcrypto] Add mojo initialization for fuzz targets.

R=eroman@chromium.org, ochang@chromium.org

Bug: 755854
Change-Id: I1ffaebfd543ff6720b1c764a0afbdedc0d2b4fed
Reviewed-on: https://chromium-review.googlesource.com/636120
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Commit-Queue: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498152}

[modify] https://crrev.com/484fd0c2bcc4a5ea5c61d6f70da4a4695a8c60dd/components/webcrypto/BUILD.gn
[modify] https://crrev.com/484fd0c2bcc4a5ea5c61d6f70da4a4695a8c60dd/components/webcrypto/DEPS
[modify] https://crrev.com/484fd0c2bcc4a5ea5c61d6f70da4a4695a8c60dd/components/webcrypto/fuzzer_support.cc
Aug 30 2017
ClusterFuzz testcase 6665262098284544 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 30 2017
ClusterFuzz has detected this issue as fixed in range 498149:498213.

Detailed report: https://clusterfuzz.com/testcase?key=5794309034213376

Fuzzer: afl_webcrypto_rsa_import_key_pkcs8_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State: NULL
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=494604:494666
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=498149:498213

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5794309034213376

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 30 2017

Oct 5 2017

Dec 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot