Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c24c3e90012a5a3135900014fad664c439224053 (Save TTL to cache if in SOA of NXDOMAIN or NODATA results).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

 Issue 788288  has been merged into this issue.

Is this a Critical? The network service is not yet running in a sandboxed process. I think memory corruption in a privileged process is always Critical. (https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md#Critical-severity)

If there is a reason why this is only High, feel free to downgrade it again. But I don't see a special reason.

This should affect all platforms that use net/, right?

If that's commit range I'd agree that https://chromium.googlesource.com/chromium/src/+/c24c3e90012a5a3135900014fad664c439224053 is likely culprit and should probably easily be backed out (it was introduced to address a behavior edge case that had been in code base for a while).

This wouldn't impact all platforms that use net/, but would impact all that use asyncresolver i believe. mgersh+lassey would know more.

I'm not sure why it's not showing up here, but  issue 787854  is a duplicate of this.

Okay, it's definitely another case of issue 779589 but I think this particular one only became a security bug with the CL linked above. Let's revert for now, and I'll follow up to make sure that's true.

Sounds like it's past time to fix that bug for real.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a

commit 66024d7a5eac05d612ebfd2ee70414ad0c0acb0a
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Tue Dec 05 04:30:32 2017

Revert "Save TTL to cache if in SOA of NXDOMAIN or NODATA results"

This reverts commit c24c3e90012a5a3135900014fad664c439224053.

Reason for revert: Turned a functional bug into a security bug

Bug:  788131 

Original change's description:
> Save TTL to cache if in SOA of NXDOMAIN or NODATA results
> 
> When we get an NXDOMAIN results, this will look at the last result
> processed and extract the TTL from the SOA record if it exists (possilbe
> TODO: look at all the results and get the shortest TTL). For NODATA
> results with an rcode of NOERROR and zero answers, again record a cache
> entry with the TTL of the SOA if present.
> 
> R=​mgersh@chromium.org
> 
> Bug: 115051
> Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
> Change-Id: I6fe029760f4ecfd3b3a91667e95b403a9f37a228
> Reviewed-on: https://chromium-review.googlesource.com/562037
> Commit-Queue: Brad Lassey <lassey@chromium.org>
> Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#518461}

TBR=mgersh@chromium.org,lassey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 115051
Change-Id: I791068c205931c25f4aa9fd6f073476dbb034f7f
Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Reviewed-on: https://chromium-review.googlesource.com/807149
Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521616}
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/dns_protocol.h
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/dns_response.cc
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/dns_test_util.cc
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/dns_test_util.h
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/dns_transaction.cc
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/host_resolver_impl.cc
[modify] https://crrev.com/66024d7a5eac05d612ebfd2ee70414ad0c0acb0a/net/dns/host_resolver_impl_unittest.cc

ClusterFuzz testcase 6123939071000576 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 521600:521617.

Detailed report: https://clusterfuzz.com/testcase?key=6129601985380352

Fuzzer: libFuzzer_net_host_resolver_impl_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x606000017420
Crash State:
  net::DnsTransactionImpl::DoCallback
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=518431:518474
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=521600:521617

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6129601985380352

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Requesting merge to M64 for a security fix. It's a clean revert of a CL from two weeks ago.

This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approving merge to M64. Branch:3282

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c0172e5b68c7e59a99be3dd43a01e421faa70733

commit c0172e5b68c7e59a99be3dd43a01e421faa70733
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Thu Dec 07 15:01:42 2017

Revert "Save TTL to cache if in SOA of NXDOMAIN or NODATA results"

This reverts commit c24c3e90012a5a3135900014fad664c439224053.

Reason for revert: Turned a functional bug into a security bug

Bug:  788131 

Original change's description:
> Save TTL to cache if in SOA of NXDOMAIN or NODATA results
> 
> When we get an NXDOMAIN results, this will look at the last result
> processed and extract the TTL from the SOA record if it exists (possilbe
> TODO: look at all the results and get the shortest TTL). For NODATA
> results with an rcode of NOERROR and zero answers, again record a cache
> entry with the TTL of the SOA if present.
> 
> R=​mgersh@chromium.org
> 
> Bug: 115051
> Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
> Change-Id: I6fe029760f4ecfd3b3a91667e95b403a9f37a228
> Reviewed-on: https://chromium-review.googlesource.com/562037
> Commit-Queue: Brad Lassey <lassey@chromium.org>
> Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#518461}

TBR=mgersh@chromium.org,lassey@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 115051
Change-Id: I791068c205931c25f4aa9fd6f073476dbb034f7f
Cq-Include-Trybots: master.tryserver.chromium.android:android_cronet_tester;master.tryserver.chromium.mac:ios-simulator-cronet
Reviewed-on: https://chromium-review.googlesource.com/807149
Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#521616}(cherry picked from commit 66024d7a5eac05d612ebfd2ee70414ad0c0acb0a)
Reviewed-on: https://chromium-review.googlesource.com/814374
Cr-Commit-Position: refs/branch-heads/3282@{#74}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/dns_protocol.h
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/dns_response.cc
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/dns_test_util.cc
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/dns_test_util.h
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/dns_transaction.cc
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/host_resolver_impl.cc
[modify] https://crrev.com/c0172e5b68c7e59a99be3dd43a01e421faa70733/net/dns/host_resolver_impl_unittest.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9069772b10e2796e4a09d6248a81b3c4ea4506d5

commit 9069772b10e2796e4a09d6248a81b3c4ea4506d5
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Fri Dec 08 21:43:05 2017

Don't clear DnsAttempts that have received a response

When a DnsTransaction finishes synchronously, it posts a task to run its
callback. In the meantime, DnsAttempts can keep running, and if a TCP
attempt starts, it will delete all the previous attempts. Then the
callback will run and use an attempt which was just deleted.

This fix is designed to be easy to merge to branches.

Bug:  788131 ,  793099 
Change-Id: I6b695fb0f7ff7a7bf1257a3c6baea881478eaa16
Reviewed-on: https://chromium-review.googlesource.com/817681
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#522883}
[modify] https://crrev.com/9069772b10e2796e4a09d6248a81b3c4ea4506d5/net/dns/dns_transaction.cc
[modify] https://crrev.com/9069772b10e2796e4a09d6248a81b3c4ea4506d5/net/dns/dns_transaction_unittest.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8b056cf36e38ee7070509596153a717e87a33353

commit 8b056cf36e38ee7070509596153a717e87a33353
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Mon Dec 11 18:09:03 2017

Don't clear DnsAttempts that have received a response

When a DnsTransaction finishes synchronously, it posts a task to run its
callback. In the meantime, DnsAttempts can keep running, and if a TCP
attempt starts, it will delete all the previous attempts. Then the
callback will run and use an attempt which was just deleted.

This fix is designed to be easy to merge to branches.

Bug:  788131 ,  793099 
Change-Id: I6b695fb0f7ff7a7bf1257a3c6baea881478eaa16
Reviewed-on: https://chromium-review.googlesource.com/817681
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#522883}(cherry picked from commit 9069772b10e2796e4a09d6248a81b3c4ea4506d5)
Reviewed-on: https://chromium-review.googlesource.com/820190
Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#132}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/8b056cf36e38ee7070509596153a717e87a33353/net/dns/dns_transaction.cc
[modify] https://crrev.com/8b056cf36e38ee7070509596153a717e87a33353/net/dns/dns_transaction_unittest.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/28127157132dc40808c4ec4037884ddbc4600b2e

commit 28127157132dc40808c4ec4037884ddbc4600b2e
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Tue Dec 12 19:38:09 2017

Don't clear DnsAttempts that have received a response

When a DnsTransaction finishes synchronously, it posts a task to run its
callback. In the meantime, DnsAttempts can keep running, and if a TCP
attempt starts, it will delete all the previous attempts. Then the
callback will run and use an attempt which was just deleted.

This fix is designed to be easy to merge to branches.

Bug:  788131 ,  793099 
Change-Id: I6b695fb0f7ff7a7bf1257a3c6baea881478eaa16
Reviewed-on: https://chromium-review.googlesource.com/817681
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#522883}(cherry picked from commit 9069772b10e2796e4a09d6248a81b3c4ea4506d5)
Reviewed-on: https://chromium-review.googlesource.com/822891
Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#664}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/28127157132dc40808c4ec4037884ddbc4600b2e/net/dns/dns_transaction.cc
[modify] https://crrev.com/28127157132dc40808c4ec4037884ddbc4600b2e/net/dns/dns_transaction_unittest.cc

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot