
Issue 759098

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Null-dereference READ in navigation_metrics::RecordMainFrameNavigation

Reported by ClusterFuzz (Project Member), Aug 25 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5614535728955392

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  navigation_metrics::RecordMainFrameNavigation
  NavigationMetricsRecorder::DidFinishNavigation
  content::WebContentsImpl::DidFinishNavigation
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=495992:496058

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5614535728955392

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org
Components: Internals>Network
Labels: Test-Predator-Wrong-CLs
Owner: elawrence@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file "navigation_metrics.cc", assigning to the concerned owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/7c451e21433ae47ea740b116d6095bb824781d86

@elawrence -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank You.

Cc: bcwh...@chromium.org
Components: -Internals>Network Internals>Metrics>UMA
bcwhite@: Might you know what's going on here?

The faulting line is:

  UMA_HISTOGRAM_ENUMERATION("Navigation.MainFrameScheme", scheme, SCHEME_MAX);

... and hasn't changed in a long time. That macro expands to:

  #define UMA_HISTOGRAM_ENUMERATION(name, sample, enum_max) \
    INTERNAL_HISTOGRAM_ENUMERATION_WITH_FLAG(               \
        name, sample, enum_max, base::HistogramBase::kUmaTargetedHistogramFlag)

... which itself invokes other macros.

However, within the regression range, we find https://chromium.googlesource.com/chromium/src/+/82027ff5dafbb3fbafe44fede998a33667ea2bd1%5E%21/#F0 which changed some of the histogram serialization to return a nullptr, in scenarios where "a compromised renderer manages to send an invalid serialized histogram" (per https://bugs.chromium.org/p/chromium/issues/detail?id=753222#c7) 

What's less clear to me is how the browser is "protected" from that invalid histogram, since it's going to operate on that nullptr and crash anyway?
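As an added illustration, not Chromium code: a toy histogram registry in C++ that models the two concerns raised in this thread, a lookup whose parameters no longer match the histogram already created under that name (the SCHEME_MAX bump), and a caller that checks for nullptr instead of operating on it. The class, function and field names are assumptions; only the metric name comes from the page.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Histogram {
  int enum_max;                  // number of enum values the histogram accepts
  std::vector<unsigned> counts;  // one bucket per enum value
};

class HistogramRegistry {
 public:
  // Returns the histogram registered under |name|, creating it on first use.
  // If one already exists with a different |enum_max| (e.g. after an enum
  // such as SCHEME_MAX was extended), returns nullptr instead of a misfit.
  Histogram* FactoryGet(const std::string& name, int enum_max) {
    auto it = histograms_.find(name);
    if (it == histograms_.end()) {
      auto h = std::make_unique<Histogram>();
      h->enum_max = enum_max;
      h->counts.assign(static_cast<size_t>(enum_max), 0);
      Histogram* raw = h.get();
      histograms_[name] = std::move(h);
      return raw;
    }
    return it->second->enum_max == enum_max ? it->second.get() : nullptr;
  }

  // Records |sample|; returns false instead of dereferencing a null lookup
  // or writing past the bucket array. This is the guard the crash lacks.
  bool RecordEnumeration(const std::string& name, int sample, int enum_max) {
    Histogram* h = FactoryGet(name, enum_max);
    if (h == nullptr || sample < 0 || sample >= h->enum_max) return false;
    ++h->counts[static_cast<size_t>(sample)];
    return true;
  }

 private:
  std::map<std::string, std::unique_ptr<Histogram>> histograms_;
};

// Scenario: the metric is first created with max 10, then the enum grows to 12.
// True when the mismatched lookup is rejected and the original counts survive.
bool MismatchIsRejectedSafely() {
  HistogramRegistry registry;
  registry.RecordEnumeration("Navigation.MainFrameScheme", 2, 10);
  bool rejected = registry.FactoryGet("Navigation.MainFrameScheme", 12) == nullptr &&
                  !registry.RecordEnumeration("Navigation.MainFrameScheme", 2, 12);
  return rejected && registry.FactoryGet("Navigation.MainFrameScheme", 10)->counts[2] == 1;
}
```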

Serialization is for handling histograms passed via IPC from a subprocess like the Renderer. That's not the case here.

Any chance this metric could have been previously created with different parameters?

Re #3: Interesting. 

When you say "with different parameters", can you help me understand what you mean? The CL in #1 added new values to the 'scheme' enumeration and increased the value of 'SCHEME_MAX' accordingly, but no other changes were made.
Comment 5 by ClusterFuzz (Project Member), Sep 26 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5614535728955392 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.