CHECK failure: false in scoped_handle_verifier.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5072299541397504

Fuzzer: libFuzzer_mojo_core_channel_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in scoped_handle_verifier.cc
  base::win::internal::ScopedHandleVerifier::CloseHandle
  base::win::GenericScopedHandle<base::win::HandleTraits,base::win::VerifierTraits

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=611580:611589

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072299541397504

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.
Nov 30

Dec 1
ClusterFuzz testcase 5072299541397504 appears to be flaky, updating reproducibility label.
Dec 1
Please ignore the last comment about the testcase being unreproducible. The testcase is still reproducible. This happened due to a code refactoring on the ClusterFuzz side, and the underlying root cause is now fixed. Resetting the label back to Reproducible. Sorry about the inconvenience caused by these incorrect notifications.
Dec 2
This crash occurs very frequently on the Windows platform and is likely preventing the fuzzer mojo_core_channel_fuzzer from making much progress. Fixing this will allow more bugs to be found. Marking this bug as a blocker for the next Beta release. If this is incorrect, please add the ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Dec 4

Dec 10
Friendly ping for an update on this.
Dec 10
A fix is WIP.
Dec 11
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fada5812d8c5cfd49fb05cdefe77c703997a687e

commit fada5812d8c5cfd49fb05cdefe77c703997a687e
Author: Ken Rockot <rockot@chromium.org>
Date: Tue Dec 11 16:49:54 2018

[mojo-core] Don't accept HANDLEs from non-brokers

On Windows, non-broker processes should only accept HANDLEs in messages coming from the broker and/or inviter process. This is because a non-broker or invitee receiver has to assume the sender has already duplicated sent HANDLEs into the receiver's process, and making that assumption requires a level of trust that should not be granted to arbitrary peers.

This constraint is already met today under normal circumstances, but a malicious or misbehaving process could easily violate it, tricking an unassuming receiver into attempting double-ownership of an existing handle or closure of an invalid handle value, both of which can result in a crash (though thankfully nothing worse, because of ScopedHandleVerifier).

This adds an option to Channel which allows it to reject incoming platform handles and essentially treat them as malformed messages. The option is set on Windows for any non-broker process's receiving Channel endpoint which is not connected directly to a broker process or to the process which invited that client.

The Channel fuzzer also sets this option to avoid a crash since it exercises only the non-broker receiving path today. A follow-up CL will extend fuzzer coverage to include broker receivers as well.

Bug: 909713
Change-Id: Ie0fece347fcf23d6f8111be4e41398f22d617531
Reviewed-on: https://chromium-review.googlesource.com/c/1363649
Commit-Queue: Ken Rockot <rockot@google.com>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#615555}

[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/broker_host.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel.h
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel_fuchsia.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel_fuzzer.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel_posix.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel_unittest.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/channel_win.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/node_channel.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/node_channel.h
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/node_channel_fuzzer.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/node_controller.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/mojo/core/test/run_all_unittests.cc
[modify] https://crrev.com/fada5812d8c5cfd49fb05cdefe77c703997a687e/services/test/run_all_unittests.cc
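The commit message above describes a trust rule rather than a parser fix: a Windows non-broker endpoint should never act on handle values sent by a peer that is neither the broker nor its inviter, because acting on them means either adopting a handle the process does not own or closing a value that is not a valid handle. The following is an added illustration written for this page, not code from the Chromium tree. Handle values are modelled as plain integers and the wire framing (`ReceiveMessage`, `BuildMessage`, `PolicyForPeer` and the 6-byte header) is a constructed format, so it compiles on any platform and does not reproduce Mojo's real `Channel::Message` layout or Windows HANDLE semantics. What it does show is the ordering that matters: the policy decision is made from the header alone, before any handle value is read, so an untrusted peer cannot steer the receiver into the double-ownership or invalid-close paths that tripped ScopedHandleVerifier.

```cpp
// Added example, not Chromium code. Models the "reject handles from
// untrusted peers" rule from the commit above with a constructed framing.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Constructed wire format (an assumption for this example, not Mojo's real
// framing): 4-byte LE payload length, 2-byte LE handle count, payload bytes,
// then one 4-byte LE value per attached handle.
struct ParsedMessage {
  std::vector<uint8_t> payload;
  std::vector<uint32_t> handles;
};

// Whether this receiving endpoint may accept platform handles from its peer.
enum class HandlePolicy { kAcceptHandles, kRejectHandles };

// kHandlesRejected is kept distinct from kMalformed only so a caller can log
// the reason; the commit treats both as a malformed message.
enum class Verdict { kOk, kMalformed, kHandlesRejected };

struct ReceiveResult {
  Verdict verdict;
  std::optional<ParsedMessage> message;  // present only when verdict == kOk
};

static uint32_t ReadLE32(const uint8_t* p) {
  return uint32_t{p[0]} | uint32_t{p[1]} << 8 | uint32_t{p[2]} << 16 |
         uint32_t{p[3]} << 24;
}

static uint16_t ReadLE16(const uint8_t* p) {
  return static_cast<uint16_t>(p[0] | p[1] << 8);
}

// Mirrors the rule in the commit message: a broker accepts handles from
// anyone; a non-broker accepts them only from the broker or from the
// process that invited it. Every other peer is configured to reject.
HandlePolicy PolicyForPeer(bool self_is_broker, bool peer_is_broker,
                           bool peer_is_inviter) {
  if (self_is_broker || peer_is_broker || peer_is_inviter)
    return HandlePolicy::kAcceptHandles;
  return HandlePolicy::kRejectHandles;
}

ReceiveResult ReceiveMessage(const std::vector<uint8_t>& bytes,
                             HandlePolicy policy) {
  constexpr size_t kHeaderSize = 6;
  if (bytes.size() < kHeaderSize) return {Verdict::kMalformed, std::nullopt};

  const uint32_t payload_len = ReadLE32(bytes.data());
  const uint16_t num_handles = ReadLE16(bytes.data() + 4);

  // Length check in size_t so the widened sum cannot wrap on 64-bit.
  const size_t expected =
      kHeaderSize + size_t{payload_len} + size_t{num_handles} * 4;
  if (bytes.size() != expected) return {Verdict::kMalformed, std::nullopt};

  // The trust decision is taken from the header alone. No handle value has
  // been read yet, so there is nothing to adopt and nothing to close.
  if (num_handles > 0 && policy == HandlePolicy::kRejectHandles)
    return {Verdict::kHandlesRejected, std::nullopt};

  ParsedMessage msg;
  msg.payload.assign(bytes.data() + kHeaderSize,
                     bytes.data() + kHeaderSize + payload_len);
  const uint8_t* h = bytes.data() + kHeaderSize + payload_len;
  for (uint16_t i = 0; i < num_handles; ++i, h += 4)
    msg.handles.push_back(ReadLE32(h));
  return {Verdict::kOk, std::move(msg)};
}

// Builds a message in the constructed format above (used for sample input).
std::vector<uint8_t> BuildMessage(const std::string& payload,
                                  const std::vector<uint32_t>& handles) {
  std::vector<uint8_t> out;
  auto put32 = [&out](uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
  };
  put32(static_cast<uint32_t>(payload.size()));
  out.push_back(static_cast<uint8_t>(handles.size() & 0xff));
  out.push_back(static_cast<uint8_t>(handles.size() >> 8));
  out.insert(out.end(), payload.begin(), payload.end());
  for (uint32_t h : handles) put32(h);
  return out;
}

int main() {
  // Constructed sample: a message carrying one (fake) handle value.
  const auto with_handle = BuildMessage("hello", {0x1234u});
  const HandlePolicy untrusted = PolicyForPeer(false, false, false);
  const HandlePolicy trusted = PolicyForPeer(false, true, false);
  std::printf("untrusted peer: %s\n",
              ReceiveMessage(with_handle, untrusted).verdict ==
                      Verdict::kHandlesRejected ? "rejected" : "accepted");
  std::printf("broker peer:    %s\n",
              ReceiveMessage(with_handle, trusted).verdict == Verdict::kOk
                  ? "accepted" : "rejected");
  return 0;
}
```

The design point is the position of the `num_handles > 0` check: it sits after the structural length check and before the loop that reads handle values, so a handle-bearing message from a peer that is not trusted to have duplicated handles into this process is dropped without the receiver ever forming an opinion about the values it carries. Payload-only messages from the same peer still go through, which is what lets a fuzzer exercise the non-broker receiving path without provoking the verifier.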
Dec 12
ClusterFuzz has detected this issue as fixed in range 615538:615555.

Detailed report: https://clusterfuzz.com/testcase?key=5072299541397504

Fuzzer: libFuzzer_mojo_core_channel_fuzzer
Fuzz target binary: mojo_core_channel_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in scoped_handle_verifier.cc
  base::win::internal::ScopedHandleVerifier::CloseHandle
  base::win::GenericScopedHandle<base::win::HandleTraits,base::win::VerifierTraits

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=611580:611589
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=615538:615555

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072299541397504

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 12
ClusterFuzz testcase 5072299541397504 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 14
The documentation for reproducing bugs on Windows was moved to: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md
Comment 1 by ClusterFuzz, Nov 28
Labels: Test-Predator-Auto-Components