Issue 858905
Issue metadata

Status: Assigned
OS: Chrome
Pri: 2
Type: Bug

Chrome_ChromeOS: crypto::SignatureVerifier::VerifyUpdate

Reported by sdantul...@chromium.org (project member), Jun 29 2018

Issue description

Google Chrome	69.0.3475.0 (Official Build) dev (64-bit)
Revision	95ab095d962f25bee2255b45bc08707b683c821c-refs/branch-heads/3475@{#1}
Platform	10825.0.0 (Official Build) dev-channel eve

Magic Signature:- crypto::SignatureVerifier::VerifyUpdate

Thread 31 (id: 0xde7) CRASHED [SIGSEGV @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack Quality: 100%
0x00005be31f363021	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/third_party/boringssl/src/crypto/fipsmodule/digest/digest.c:201 )	crypto::SignatureVerifier::VerifyUpdate(base::span<unsigned char const, 18446744073709551615ul>)
0x00005be32054b974	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/components/crx_file/crx_verifier.cc:79 )	crx_file::Verify(base::FilePath const&, crx_file::VerifierFormat const&, std::__1::vector<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >, std::__1::allocator<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > > > const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*)
0x00005be31d733be3	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/extensions/browser/sandboxed_unpacker.cc:847 )	extensions::SandboxedUnpacker::StartWithCrx(extensions::CRXFileInfo const&)
0x00005be31c2064de	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99 )	base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00005be31ee1960c	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/task_tracker.cc:529 )	base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool)
0x00005be31ee53462	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/task_tracker_posix.cc:23 )	base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool)
0x00005be31ee18eca	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/task_tracker.cc:404 )	base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*)
0x00005be31ee653cb	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/scheduler_worker.cc:330 )	base::internal::SchedulerWorker::RunWorker()
0x00005be31ee539a1	(chrome -./../../../../../../../home/chrome-bot/chrome_root/src/base/threading/platform_thread_posix.cc:76 )	base::(anonymous namespace)::ThreadFunc(void*)
0x00007856088ab2b7	(libpthread-2.23.so -pthread_create.c:333 )	start_thread
0x0000785607d5ffac	(libc-2.23.so + 0x000f6fac )
Components: Internals>Network>SSL
Components: -Internals>Network>SSL +Platform>Extensions

An NPE, meaning the input being provided is bunk.
I don't understand what I'm supposed to do.
Cc: rdevlin....@chromium.org rsleevi@chromium.org
rsleevi@: can you elaborate on #2? Why is this extensions-related?
@Comment 4: It's a null pointer exception while verifying CRXes. The crashing line - digest.c:201 - is just dereferencing a caller-supplied parameter. Thus, it's not an issue with the underlying library (BoringSSL), but with the caller (CRX verification) in supplying parameters. 
Owner: waff...@chromium.org
Status: Assigned (was: Untriaged)
waffles@, could you take a look?
Labels: -M-68 M-69
Hmm, the CRX verifier code is:

uint8_t buffer[1 << 12] = {};  // 4 KiB stack buffer, zero-initialised
size_t len = 0;
// Read the file in chunks, hashing each chunk and feeding it to every verifier.
while ((len = ReadAndHashBuffer(buffer, arraysize(buffer), file, hash)) > 0) {
  for (auto& verifier : verifiers)
    verifier->VerifyUpdate(buffer, len);
}

I don't really understand how buffer can be null. I suspect verifier->verify_context_->ctx.get() returned null - is it possible for the bssl::ScopedEVP_MD_CTX in VerifyContext to be null?

This crash (58babe59c0d163d0) is infrequent, and there's only one other crash with the crx_verifier on the stack (5c181eeddfb403fe), which looks somewhat different.
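
As an added illustration of the hypothesis in the comment above, and not Chromium's or BoringSSL's code: a self-contained C++ model of the quoted CRX loop in which a verifier whose Init failed is left holding a null context and is then fed the 4 KiB buffer. The buffer is a stack array and cannot itself be null, so the only null pointer in the call is the digest context the wrapper hands to the library, which (as digest.c does on the page) dereferences its caller-supplied parameter without checking it. The names DigestCtx, Verifier, RunVerifiers and the FNV-style stand-in digest are assumptions for this example; the real library call would fault rather than return false.

```cpp
// Constructed example modelling the thread's hypothesis; not Chromium or
// BoringSSL code. Names below (DigestCtx, Verifier, RunVerifiers) are assumed.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

// Stand-in for the library-side digest context (EVP_MD_CTX in the real code).
struct DigestCtx {
  uint64_t state = 0xcbf29ce484222325ULL;  // FNV-1a offset basis, stand-in only
  size_t total = 0;
};

// Stand-in for the library update routine. Like digest.c on the page, it
// dereferences the caller-supplied context without checking it: a null ctx
// here is a SIGSEGV at address 0.
void LibDigestUpdate(DigestCtx* ctx, const uint8_t* data, size_t len) {
  for (size_t i = 0; i < len; ++i) {
    ctx->state ^= data[i];
    ctx->state *= 0x100000001b3ULL;  // FNV-1a prime
  }
  ctx->total += len;
}

// Stand-in for crypto::SignatureVerifier. Init can fail (bad key material)
// and then leaves ctx_ null; that is the state the comment above suspects.
class Verifier {
 public:
  bool Init(bool key_is_valid) {
    if (!key_is_valid) {
      ctx_.reset();
      return false;
    }
    ctx_ = std::make_unique<DigestCtx>();
    return true;
  }
  // Returns false instead of forwarding a null context, so the example can
  // report the condition; the real wrapper forwards to the library and faults.
  bool Update(const uint8_t* data, size_t len) {
    if (!ctx_) return false;
    LibDigestUpdate(ctx_.get(), data, len);
    return true;
  }
  bool initialized() const { return ctx_ != nullptr; }

 private:
  std::unique_ptr<DigestCtx> ctx_;
};

enum class Result { kVerified, kInitFailed, kNullContextReached };

// Models the loop quoted from crx_verifier.cc: read the file in 4 KiB chunks
// and feed every verifier. `check_init` selects the hardened behaviour of
// refusing to enter the loop when any verifier failed to initialise.
Result RunVerifiers(const std::vector<bool>& key_valid,
                    const std::vector<uint8_t>& file, bool check_init) {
  std::vector<std::unique_ptr<Verifier>> verifiers;
  for (bool valid : key_valid) {
    auto v = std::make_unique<Verifier>();
    if (!v->Init(valid) && check_init) return Result::kInitFailed;
    verifiers.push_back(std::move(v));  // unhardened: keeps the null-context verifier
  }
  uint8_t buffer[1 << 12] = {};  // stack array: can never itself be null
  size_t offset = 0;
  while (offset < file.size()) {
    size_t len = std::min(sizeof(buffer), file.size() - offset);
    std::memcpy(buffer, file.data() + offset, len);
    offset += len;
    for (auto& v : verifiers) {
      if (!v->Update(buffer, len)) return Result::kNullContextReached;
    }
  }
  return Result::kVerified;
}

// Constructed sample input: 10000 bytes, so the loop runs three iterations.
std::vector<uint8_t> SampleFile() {
  std::vector<uint8_t> f(10000);
  for (size_t i = 0; i < f.size(); ++i) f[i] = static_cast<uint8_t>(i * 31 + 7);
  return f;
}
```

In this model the null context is only touched once there is file data to hash; with an empty input the unhardened path never enters the inner loop and reports success, which is why the check belongs on Init's return value before the loop rather than inside VerifyUpdate.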