iOS-specific parts of PasswordForm parsing cannot be fuzzed.
Issue description

//components/password_manager/core/browser/form_parsing/form_parser.cc contains #ifdefs for OS_IOS, and after https://crrev.com/c/1279202 there are likely going to be differences in how FormFieldData looks on iOS compared to the rest.

We do have fuzzers for PasswordForm parsing, but the fuzzing infrastructure does not run on iOS, so the fuzzers need to run on Linux. This means that the iOS-specific parts of the parsing never get fuzzed. This affects both the iOS-specific parts of form_parser.cc and ios_form_parser.cc. The latter is going away soon, though, so this is mainly about the former.

The possible steps forward include:
(1) Removing the differences in what FormFieldData is and how it is used on iOS vs. the rest.
(2) Have fuzzers compiled on iOS.
(3) Accept this issue and do nothing.

Notes:
(1) Seems unlikely: for example, outside of iOS, where we can use Blink, Chrome makes use of Blink-assigned unique renderer IDs to fill values into forms. On iOS, the (modified) ID attribute is used instead (this is the above-mentioned difference), and this will not change as long as WKWebView will not support the unique renderer IDs (highly unlikely).
(2) I have no idea how likely this is, but I have not heard of any plans in this direction.
(3) The actual difference is so small that the missing fuzzing is unlikely to have significant consequences.

[1] https://chromium.googlesource.com/chromium/src/+/HEAD/components/password_manager/core/browser/form_parsing/form_parser.cc#524
Oct 18
I agree that the 3rd option (do nothing) is the best: the difference is very small and it is unlikely to make any difference for fuzzing.
Oct 18
+1 to the 3rd option. I've updated ios_form_parser.cc to use the same GetPlatformSpecificIdentifier() logic to resolve the identifier on iOS vs. the other build configurations.
Oct 18
We also run fuzz targets on Mac. If there is a way we can build a version which would run on Mac, that might work. Sometimes you can also try to hack certain things and even make it work on Linux (we had one case: https://chromium-review.googlesource.com/c/chromium/src/+/701407), but I guess it's not worth trying based on your comments above.
Oct 18
Thanks, Vadym, Roger and Max! I'm afraid Mac won't help here, and the effort to provide the iOS-specific version of the supporting data structures (FormFillData) to the fuzzer is likely to exceed the benefits. So let's go with (3).
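A toy illustration of the coverage gap discussed in this thread, added here and not code from Chromium: the platform choice that form_parser.cc makes with an #ifdef is turned into a runtime parameter, so a fuzz target built on Linux can reach the "iOS" branch as well. ToyField, ResolveIdentifier and FuzzResolve are hypothetical stand-ins, not Chromium's FormFieldData or GetPlatformSpecificIdentifier().

```cpp
// Added example (not Chromium code): a toy identifier resolver whose
// platform choice is a runtime parameter instead of an #ifdef, so one
// Linux-built fuzz target exercises both branches.
#include <cstddef>
#include <cstdint>
#include <string>

// Hypothetical stand-in for FormFieldData: only the two identifier
// sources the issue contrasts (Blink renderer ID vs. the id attribute).
struct ToyField {
  uint32_t unique_renderer_id = 0;  // assigned by Blink; 0 means "none"
  std::string id_attribute;         // what the iOS path relies on
};

enum class Platform { kIOS, kOther };

// Returns the identifier the filling logic would key on. On "other"
// platforms the renderer ID wins when present; on "iOS" the id attribute
// is used. An empty string means the field cannot be addressed.
std::string ResolveIdentifier(const ToyField& field, Platform platform) {
  if (platform == Platform::kOther && field.unique_renderer_id != 0)
    return "renderer:" + std::to_string(field.unique_renderer_id);
  if (field.id_attribute.empty())
    return "";
  return "attr:" + field.id_attribute;
}

// Fuzzer-style decoder: byte 0 selects the platform, bytes 1..4 form the
// renderer ID (little-endian), the rest is the id attribute. Returns the
// resolved identifier so a test can check it; a real target returns 0.
std::string FuzzResolve(const uint8_t* data, size_t size) {
  if (size < 5) return "";
  Platform platform = (data[0] & 1) ? Platform::kIOS : Platform::kOther;
  ToyField field;
  field.unique_renderer_id = static_cast<uint32_t>(data[1]) |
                             (static_cast<uint32_t>(data[2]) << 8) |
                             (static_cast<uint32_t>(data[3]) << 16) |
                             (static_cast<uint32_t>(data[4]) << 24);
  field.id_attribute.assign(reinterpret_cast<const char*>(data + 5),
                            size - 5);
  return ResolveIdentifier(field, platform);
}

// libFuzzer entry point; the first input byte steers coverage into the
// iOS-style branch without an iOS build.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  (void)FuzzResolve(data, size);
  return 0;
}
```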
Comment 1 by vabr@chromium.org, Oct 18