Null-dereference READ in navigation_metrics::RecordMainFrameNavigation |
|||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5614535728955392 Fuzzer: ipc_fuzzer_mut Job Type: linux_asan_chrome_ipc Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: navigation_metrics::RecordMainFrameNavigation NavigationMetricsRecorder::DidFinishNavigation content::WebContentsImpl::DidFinishNavigation Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=495992:496058 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5614535728955392 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Aug 28 2017
bcwhite@: Might you know what's going on here?
The faulting line is:
UMA_HISTOGRAM_ENUMERATION("Navigation.MainFrameScheme", scheme, SCHEME_MAX);
... and hasn't changed in a long time. That macro expands to:
define UMA_HISTOGRAM_ENUMERATION(name, sample, enum_max) \
INTERNAL_HISTOGRAM_ENUMERATION_WITH_FLAG( \
name, sample, enum_max, base::HistogramBase::kUmaTargetedHistogramFlag)
... which itself invokes other macros.
However, within the regression range, we find https://chromium.googlesource.com/chromium/src/+/82027ff5dafbb3fbafe44fede998a33667ea2bd1%5E%21/#F0 which changed some of the histogram serialization to return a nullptr, in scenarios where "a compromised renderer manages to send an invalid serialized histogram" (per https://bugs.chromium.org/p/chromium/issues/detail?id=753222#c7)
What's less clear to me is how the browser is "protected" from that invalid histogram, since it's going to operate on that nullptr and crash anyway?
,
Aug 28 2017
Serialization is for handling histograms passed via IPC from a subprocess like the Renderer. That's not the case here. Any chance this metric could have been previously created with different parameters?
,
Aug 28 2017
Re #3: Interesting. When you say "with different parameters", can you help me understand what you mean? The CL in #1 added new values to the 'scheme' enumeration and increased the value of 'SCHEME_MAX' accordingly, but no other changes were made.
,
Sep 26 2017
ClusterFuzz testcase 5614535728955392 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||
►
Sign in to add a comment |
|||
Comment 1 by msrchandra@chromium.org
, Aug 28 2017Components: Internals>Network
Labels: Test-Predator-Wrong-CLs
Owner: elawrence@chromium.org
Status: Assigned (was: Untriaged)