New issue
Advanced search Search tips

Issue 910835 link

Starred by 1 user
Status: Duplicate
Owner:
pwnall@chromium.org
Closed: Dec 7
Cc:
nedwill@google.com
jsb...@chromium.org
mmoroz@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

CHECK failure: !first_party_url_.is_empty() in appcache_host.cc

Project Member Reported by ClusterFuzz, Dec 1 
Detailed report: https://clusterfuzz.com/testcase?key=4514780016279552

Fuzzer: libFuzzer_appcache_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !first_party_url_.is_empty() in appcache_host.cc
  content::AppCacheHost::SelectCache
  content::AppCacheBackendImpl::SelectCache
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4514780016279552

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Project Member

Comment 1 by ClusterFuzz, Dec 1

Components: Blink>Storage>AppCache
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 1

Cc: mmoroz@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 3 by mmoroz@chromium.org, Dec 2

Owner: pwnall@chromium.org

Comment 4 by mmoroz@chromium.org, Dec 2

Cc: jsb...@chromium.org

Comment 5 by kkaluri@chromium.org, Dec 5

Labels: M-73 Test-Predator-Wrong CF-NeedsTriage
Unable to provide possible suspect using predator, CL and Code Search.
Could someone please look into the issue.

Thanks...

Comment 6 by jsb...@chromium.org, Dec 7 

Are we certain that the fuzzer calls AppCacheHost::CreateRequestHandler before any AppCacheHost::SelectCache calls are made?

If not that would produce this crash. It could be that the fuzzer doesn't maintain the same invariants as the real code.

Comment 7 by pwnall@chromium.org, Dec 7

Mergedinto: 843797
Status: Duplicate (was: Untriaged)

Comment 8 by pwnall@chromium.org, Dec 7 

FWIW, I don't think we should trust the renderer to make the right calls. If this comes down to the wrong call sequence, the browser should deny the call / terminate the renderer. The duplicated bug shows the DCHECK fires in production, so the browser code has is a real bug somewhere.

Comment 9 by mmoroz@chromium.org, Dec 8

Cc: nedwill@google.com
Yes, Victor is totally right in c#8. When fuzzing the browser-side code, we should never trust the renderer. That's how nedwill@ made a sandbox escape out of one of the AppCache bugs, which combined with a renderer code execution led to a full chain exploit.

Comment 10 by nedwill@google.com, Dec 8 

Yeah perhaps the renderer can be killed and we return early in this case? It should be handled though since the renderer can do anything when compromised and we don't want to hide a vulnerability behind this assumption.

Sign in to add a comment