
Issue 802377 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug


Timeout in origin_trial_token_fuzzer

Project Member Reported by ClusterFuzz, Jan 16 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5241025345093632

Fuzzer: libFuzzer_origin_trial_token_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Timeout (exceeds 25 secs)
Crash Address: 
Crash State:
  origin_trial_token_fuzzer
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5241025345093632

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Cc: brajkumar@chromium.org
Components: Blink>Infra
Labels: Test-Predator-Wrong CF-NeedsTriage
Unable to find actual suspect through code search and also no regressed revision range is seen in the detailed report, hence adding appropriate label and marking it as untriaged.

Thanks!

Comment 2 by ClusterFuzz (Project Member), Jan 20 2018

Labels: OS-Mac

Comment 3 by foolip@chromium.org, Jan 24 2018

Components: -Blink>Infra Internals>OriginTrials
brajkumar@, Blink>Infra doesn't seem appropriate as a fallback label to me. While it has a lot to do with tests (especially LayoutTests), unless there's a suspicion that the infra itself is the cause of the problem, the component for the suspect feature seems better. Trying Internals>OriginTrials based on the test name alone.
Status: Available (was: Untriaged)
The test case contains a 500kb JSON string, of the form

{"origin": "https:<garbage>"}, where <garbage> is ~499kb of random characters, mostly (93%) 0x00, 0x04, 0x2e, 0x60, 0x68, 0x7f, and 0xdf, but with a smattering of other characters and fuzzer-seeded strings.

This exceeds the header size limit for Chrome, but conceivably a string this long could be generated in JavaScript and added in a <meta> element, so we should do some sanitizing in the TrialToken::Parse method.

Comment 5 by cha...@chromium.org, Jan 25 2018

Owner: cha...@chromium.org
Status: Started (was: Available)

Comment 6 by cha...@chromium.org, Jan 25 2018

Labels: -CF-NeedsTriage

Comment 7 by bugdroid1@chromium.org (Project Member), Jan 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7

commit 4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7
Author: Jason Chase <chasej@chromium.org>
Date: Mon Jan 29 23:03:21 2018

Limit the size of origin trial tokens that will be parsed

There is a fuzzer for parsing of origin trial tokens. In bug 802377, we
discovered that fuzzer was generating tokens > 500KB in size. This was
apparently causing sporadic timeouts in the fuzzer.

The token generation and parsing logic can support valid tokens of such
large sizes. Realistically, there's no need for such large tokens. In the
token contents, the origin is the only portion that is user-supplied. While
there is no specified limit on the size of URLs or domains, there do seem
to be practical limits.

This CL limits token payloads to 4KB in size. That allows for the origin
to be ~4KB in size, which is 2x some practical limits for URLs.

Bug: 802377
Change-Id: I80c31dcd6d0e02afe9cbc1c53479fea3b5821751
Reviewed-on: https://chromium-review.googlesource.com/886822
Commit-Queue: Jason Chase <chasej@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532645}
[modify] https://crrev.com/4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7/third_party/WebKit/common/origin_trials/trial_token.cc
[modify] https://crrev.com/4f625a18fb7d5eea095762a5d8b9c7fa3501ffb7/third_party/WebKit/common/origin_trials/trial_token_unittest.cc
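
The pattern described in comment 4 and in the commit message above (refuse an oversized payload before doing any parsing work, so a fuzzer-generated or hostile input cannot drive the parser into a timeout) is illustrated by the following added example. It is not Chromium's code and does not reproduce the actual TrialToken::Parse change; the identifiers kMaxPayloadSize, ParseResult, ParseTrialTokenPayload and MakeOversizedPayload are assumptions for this example, the 4 KB limit is taken from the CL description, and the constructed oversized input mirrors the shape of the testcase described in comment 4 ({"origin": "https:<garbage>"} with the listed byte values).

```cpp
// Added example, not Chromium code. Demonstrates checking the size of a
// token payload before parsing it, so that an oversized input is rejected in
// O(1) instead of being scanned. All names below are assumptions.
#include <cstddef>
#include <string>

namespace example {

// Assumed limit, taken from the CL description ("limits token payloads to 4KB").
constexpr size_t kMaxPayloadSize = 4096;

enum class ParseResult { kSuccess, kPayloadTooLarge, kMalformed };

// Extracts the value of the "origin" member from a minimal JSON object of the
// form {"origin": "<value>"}. This is a deliberately small parser that handles
// only that shape (plus backslash escapes inside the string, kept literally)
// and reports anything else as malformed. The size check runs first, before
// any byte of the payload is examined.
ParseResult ParseTrialTokenPayload(const std::string& payload,
                                   std::string* origin_out) {
  // A payload over the limit can never be valid, so refuse it without
  // touching its contents. This is the check the bug asks for.
  if (payload.size() > kMaxPayloadSize) return ParseResult::kPayloadTooLarge;

  const std::string key = "\"origin\"";
  size_t pos = payload.find(key);
  if (pos == std::string::npos) return ParseResult::kMalformed;
  pos += key.size();

  auto skip_ws = [&payload](size_t p) {
    while (p < payload.size() &&
           (payload[p] == ' ' || payload[p] == '\t' || payload[p] == '\n' ||
            payload[p] == '\r')) {
      ++p;
    }
    return p;
  };

  pos = skip_ws(pos);
  if (pos >= payload.size() || payload[pos] != ':') return ParseResult::kMalformed;
  pos = skip_ws(pos + 1);
  if (pos >= payload.size() || payload[pos] != '"') return ParseResult::kMalformed;
  ++pos;  // now inside the quoted value

  std::string value;
  while (pos < payload.size() && payload[pos] != '"') {
    if (payload[pos] == '\\') {
      if (pos + 1 >= payload.size()) return ParseResult::kMalformed;
      ++pos;  // take the escaped character as-is
    }
    value.push_back(payload[pos]);
    ++pos;
  }
  if (pos >= payload.size()) return ParseResult::kMalformed;  // unterminated string

  *origin_out = value;
  return ParseResult::kSuccess;
}

// Constructed sample input shaped like the fuzzer testcase described in the
// bug: {"origin": "https:<garbage>"} with `garbage_len` bytes cycling through
// the byte values the report lists. The fixed framing is 20 bytes, so the
// total payload size is garbage_len + 20.
std::string MakeOversizedPayload(size_t garbage_len) {
  static const unsigned char kBytes[] = {0x00, 0x04, 0x2e, 0x60,
                                         0x68, 0x7f, 0xdf};
  std::string garbage;
  garbage.reserve(garbage_len);
  for (size_t i = 0; i < garbage_len; ++i) {
    garbage.push_back(static_cast<char>(kBytes[i % 7]));
  }
  return "{\"origin\": \"https:" + garbage + "\"}";
}

}  // namespace example
```

The point of ordering is that the size comparison costs nothing regardless of input, whereas every step after it (the member lookup, whitespace skipping, the character loop) is proportional to payload length; a 500 KB input therefore returns kPayloadTooLarge without any of that work being done, while a payload of exactly 4096 bytes is still accepted.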

Comment 8 by cha...@chromium.org, Jan 31 2018

Status: Fixed (was: Started)
The stats for the fuzzer show that the # of crashes decreased significantly after the CL in #6 was landed. Stats available here:
https://clusterfuzz.com/testcase?key=5241025345093632
