Null-dereference READ in extensions::ExecuteCodeInTabFunction::Init
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6436951276912640
Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000198
Crash State:
  extensions::ExecuteCodeInTabFunction::Init
  extensions::ExecuteCodeInTabFunction::HasPermission
  extensions::ExtensionFunctionDispatcher::CheckPermissions
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=518663:518666
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6436951276912640

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.

Sep 7
I'll take a look.
Sep 8
The test case makes an extension function call with ExecuteCodeInTabFunction::extension_ = nullptr, and it is crashing here: https://cs.chromium.org/chromium/src/chrome/browser/extensions/api/tabs/tabs_api.cc?rcl=320ee4295eb7fabaa112f08d1aacc88efd1444e5&l=1959
Sep 13
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/26ad9f4f1c687d7a5a9e1b9e1659afd46b7ddc14

commit 26ad9f4f1c687d7a5a9e1b9e1659afd46b7ddc14
Author: Istiaque Ahmed <lazyboy@chromium.org>
Date: Thu Sep 13 16:47:56 2018

[Extensions] Remove executeScript specific permission check.

This isn't necessary as mentioned in a previous TODO. Further, this creates a potential null-access hazard to ExtensionFunction::extension_. Remove it.

Bug: 879842
Test: Fuzzer test case, see bug.
Change-Id: I080933300b9eca894b30aef1301818faa6fe3d9c
Reviewed-on: https://chromium-review.googlesource.com/1220099
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Commit-Queue: Istiaque Ahmed <lazyboy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#591045}

[modify] https://crrev.com/26ad9f4f1c687d7a5a9e1b9e1659afd46b7ddc14/chrome/browser/extensions/api/tabs/tabs_api.cc
[modify] https://crrev.com/26ad9f4f1c687d7a5a9e1b9e1659afd46b7ddc14/chrome/browser/extensions/api/tabs/tabs_api.h
[modify] https://crrev.com/26ad9f4f1c687d7a5a9e1b9e1659afd46b7ddc14/extensions/browser/api/execute_code_function.cc
[modify] https://crrev.com/26ad9f4f1c687d7a5a9e1b9e1659afd46b7ddc14/extensions/browser/api/execute_code_function.h
Sep 14
ClusterFuzz has detected this issue as fixed in range 591041:591046.

Detailed report: https://clusterfuzz.com/testcase?key=6436951276912640
Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000198
Crash State:
  extensions::ExecuteCodeInTabFunction::Init
  extensions::ExecuteCodeInTabFunction::HasPermission
  extensions::ExtensionFunctionDispatcher::CheckPermissions
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=518663:518666
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=591041:591046
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6436951276912640

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 14
ClusterFuzz testcase 6436951276912640 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Sep 1
Labels: Test-Predator-Auto-Components