Chrome_ChromeOS: crypto::SignatureVerifier::VerifyUpdate |
Issue description

Google Chrome 69.0.3475.0 (Official Build) dev (64-bit)
Revision 95ab095d962f25bee2255b45bc08707b683c821c-refs/branch-heads/3475@{#1}
Platform 10825.0.0 (Official Build) dev-channel eve

Magic Signature: crypto::SignatureVerifier::VerifyUpdate

Thread 31 (id: 0xde7) CRASHED [SIGSEGV @ 0x00000000] MAGIC SIGNATURE THREAD
Stack Quality 100%

0x00005be31f363021 (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/third_party/boringssl/src/crypto/fipsmodule/digest/digest.c:201) crypto::SignatureVerifier::VerifyUpdate(base::span<unsigned char const, 18446744073709551615ul>)
0x00005be32054b974 (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/components/crx_file/crx_verifier.cc:79) crx_file::Verify(base::FilePath const&, crx_file::VerifierFormat const&, std::__1::vector<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >, std::__1::allocator<std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > > > const&, std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*)
0x00005be31d733be3 (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/extensions/browser/sandboxed_unpacker.cc:847) extensions::SandboxedUnpacker::StartWithCrx(extensions::CRXFileInfo const&)
0x00005be31c2064de (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/base/callback.h:99) base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
0x00005be31ee1960c (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/task_tracker.cc:529) base::internal::TaskTracker::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool)
0x00005be31ee53462 (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/task_tracker_posix.cc:23) base::internal::TaskTrackerPosix::RunOrSkipTask(base::internal::Task, base::internal::Sequence*, bool)
0x00005be31ee18eca (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/task_tracker.cc:404) base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence>, base::internal::CanScheduleSequenceObserver*)
0x00005be31ee653cb (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/base/task_scheduler/scheduler_worker.cc:330) base::internal::SchedulerWorker::RunWorker()
0x00005be31ee539a1 (chrome - ./../../../../../../../home/chrome-bot/chrome_root/src/base/threading/platform_thread_posix.cc:76) base::(anonymous namespace)::ThreadFunc(void*)
0x00007856088ab2b7 (libpthread-2.23.so - pthread_create.c:333) start_thread
0x0000785607d5ffac (libc-2.23.so + 0x000f6fac)
Jun 29 2018
-Internals>Network>SSL +Platform>Extensions
An NPE, meaning the input being provided is bunk.
Jun 29 2018
I don't understand what I'm supposed to do.
Jun 29 2018
rsleevi@: can you elaborate on #2? Why is this extensions-related?
Jun 30 2018
@Comment 4: It's a null pointer exception while verifying CRXes. The crashing line - digest.c:201 - is just dereferencing a caller-supplied parameter. Thus, it's not an issue with the underlying library (BoringSSL), but with the caller (CRX verification) in supplying parameters.
Jul 2
waffles@, could you take a look?
Jul 11
Hmm, the CRX verifier code is:
  uint8_t buffer[1 << 12] = {};  // 4 KiB read buffer, zero-initialized
  size_t len = 0;
  // Read the file in chunks, hashing each chunk, and feed every chunk to each verifier.
  while ((len = ReadAndHashBuffer(buffer, arraysize(buffer), file, hash)) > 0) {
    for (auto& verifier : verifiers)
      verifier->VerifyUpdate(buffer, len);
  }
I don't really understand how buffer can be null. I suspect verifier->verify_context_->ctx.get() returned null - is it possible for the bssl::ScopedEVP_MD_CTX in VerifyContext to be null?
This crash (58babe59c0d163d0) is infrequent, and there's only one other crash with the crx_verifier on the stack (5c181eeddfb403fe), which looks somewhat different.
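A toy C++ model of the loop quoted above, added here as an illustration and not Chromium's or BoringSSL's code: DigestCtx, Verifier, VerifyAll and RunScenario are stand-ins invented for this example. The one behavioural point it shows is that a verifier whose digest context never initialized reports failure (fail closed) instead of dereferencing the null context or silently skipping the check.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Stand-in for bssl::ScopedEVP_MD_CTX (constructed for this example); a null
// pointer models a digest context that failed to initialize.
struct DigestCtx {
  std::vector<uint8_t> absorbed;  // bytes fed so far
};

class Verifier {
 public:
  explicit Verifier(bool ctx_ok)
      : ctx_(ctx_ok ? std::make_unique<DigestCtx>() : nullptr) {}
  // Hardened update: a missing context is reported as a verification failure
  // rather than dereferenced (the SIGSEGV in the thread) or silently skipped.
  bool VerifyUpdate(const uint8_t* data, size_t len) {
    if (!ctx_) return false;
    ctx_->absorbed.insert(ctx_->absorbed.end(), data, data + len);
    return true;
  }
 private:
  std::unique_ptr<DigestCtx> ctx_;
};

// Model of the chunked loop from the comment: the "file" is an in-memory byte
// vector, read in 4 KiB pieces and fed to every verifier; fails closed on the
// first verifier that cannot accept input.
bool VerifyAll(const std::vector<uint8_t>& file,
               std::vector<std::unique_ptr<Verifier>>& verifiers) {
  uint8_t buffer[1 << 12] = {};
  size_t offset = 0;
  while (offset < file.size()) {
    size_t len = std::min(sizeof(buffer), file.size() - offset);
    std::copy_n(file.begin() + offset, len, buffer);
    offset += len;
    for (auto& verifier : verifiers)
      if (!verifier->VerifyUpdate(buffer, len)) return false;
  }
  return true;
}

// Constructed scenario: a 10000-byte input (three chunks) checked by a healthy
// verifier plus a second one whose context either did or did not initialize.
bool RunScenario(bool second_ctx_ok) {
  std::vector<uint8_t> file(10000, 0xAB);
  std::vector<std::unique_ptr<Verifier>> verifiers;
  verifiers.push_back(std::make_unique<Verifier>(true));
  verifiers.push_back(std::make_unique<Verifier>(second_ctx_ok));
  return VerifyAll(file, verifiers);
}
```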
Comment 1 by afakhry@chromium.org, Jun 29 2018