Issue metadata

Status: Verified
Closed: Jan 12
OS: Linux, Chrome
Pri: 1
Type: Bug

Issue 919264: Null-dereference WRITE in content::AppCacheEntry::add_types

Reported by ClusterFuzz, Jan 5 Project Member

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6279847101595648

Fuzzer: libFuzzer_appcache_fuzzer
Fuzz target binary: appcache_fuzzer
Job Type: chromeos_libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000000
Crash State:
  content::AppCacheEntry::add_types
  content::AppCacheStorageImpl::StoreOrLoadTask::CreateCacheAndGroupFromRecords
  content::AppCacheStorageImpl::GroupLoadTask::RunCompleted
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6279847101595648

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
 

Comment 1 by ClusterFuzz, Jan 5

Project Member
Cc: mmoroz@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 2 by mmoroz@chromium.org, Jan 5

Cc: jsb...@chromium.org nedwill@google.com
Owner: pwnall@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by ClusterFuzz, Jan 7

Project Member
Labels: OS-Linux

Comment 4 by jsb...@chromium.org, Jan 7

Components: Blink>Storage>AppCache

Comment 5 by pwnall@chromium.org, Jan 11

Cc: pwnall@chromium.org
Owner: mek@chromium.org
mek@: Can you please investigate?

Comment 6 by mek@chromium.org, Jan 11

Status: Started (was: Assigned)

Comment 7 by bugdroid1@chromium.org, Jan 12

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a39e9ff8aa1474c6efc194224b00e0fbe59b4274

commit a39e9ff8aa1474c6efc194224b00e0fbe59b4274
Author: Marijn Kruisselbrink <mek@chromium.org>
Date: Sat Jan 12 01:56:00 2019

[AppCache] Don't use DCHECK to validate MarkAsForeignEntry parameters.

This is an IPC that comes from a potentially untrusted renderer, so
don't use DCHECK to make sure the entry it refers to exists, instead
just silently ignore invalid entries.

Bug: 919264
Change-Id: If5addcecfcb5e2c56bd78f918f635269982635e7
Reviewed-on: https://chromium-review.googlesource.com/c/1407442
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622260}
[modify] https://crrev.com/a39e9ff8aa1474c6efc194224b00e0fbe59b4274/content/browser/appcache/appcache_storage_impl.cc
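The bug class behind this fix, as an added illustration that is not Chromium's code: a DCHECK-only guard on renderer-supplied input (compiled out in release builds) beside the explicit runtime check the commit describes. MY_DCHECK, Entry, Cache, kForeign and the sample URLs are simplified stand-ins, not the real AppCache types.

```cpp
#include <cassert>
#include <map>
#include <string>
// Stand-in for Chromium's DCHECK (hypothetical name): active only in debug
// builds, a no-op under NDEBUG, so it must not be the sole guard on IPC input.
#ifdef NDEBUG
#define MY_DCHECK(cond) ((void)0)
#else
#define MY_DCHECK(cond) assert(cond)
#endif
struct Entry {
  int types = 0;
  void add_types(int t) { types |= t; }
};
constexpr int kForeign = 1 << 3;
class Cache {
 public:
  void AddEntry(const std::string& url) { entries_[url] = Entry(); }
  Entry* GetEntry(const std::string& url) {
    auto it = entries_.find(url);
    return it == entries_.end() ? nullptr : &it->second;
  }
  // Vulnerable shape: DCHECK is the only validation, so in a release build a
  // renderer-supplied URL with no entry becomes a write through nullptr.
  void MarkAsForeignEntryUnsafe(const std::string& url) {
    Entry* entry = GetEntry(url);
    MY_DCHECK(entry);
    entry->add_types(kForeign);  // null-dereference WRITE when entry is null
  }
  // Hardened shape: an explicit check that survives release builds; invalid
  // entries are silently ignored. Returns whether anything was marked.
  bool MarkAsForeignEntry(const std::string& url) {
    Entry* entry = GetEntry(url);
    if (!entry) return false;
    entry->add_types(kForeign);
    return true;
  }
 private:
  std::map<std::string, Entry> entries_;
};
// Drives a known and an unknown URL (constructed samples) through the
// hardened path; true means the known entry was marked and the unknown ignored.
bool HardenedPathIsSafe() {
  Cache cache;
  cache.AddEntry("https://app.example/main.js");
  bool marked = cache.MarkAsForeignEntry("https://app.example/main.js");
  bool ignored = !cache.MarkAsForeignEntry("https://app.example/nope.js");
  return marked && ignored &&
         cache.GetEntry("https://app.example/main.js")->types == kForeign;
}
```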

Comment 8 by mek@chromium.org, Jan 12

Status: Fixed (was: Started)

Comment 9 by ClusterFuzz, Jan 12

Project Member
ClusterFuzz has detected this issue as fixed in range 622249:622267.

Detailed report: https://clusterfuzz.com/testcase?key=6279847101595648

Fuzzer: libFuzzer_appcache_fuzzer
Fuzz target binary: appcache_fuzzer
Job Type: chromeos_libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000000
Crash State:
  content::AppCacheEntry::add_types
  content::AppCacheStorageImpl::StoreOrLoadTask::CreateCacheAndGroupFromRecords
  content::AppCacheStorageImpl::GroupLoadTask::RunCompleted
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=chromeos_libfuzzer_chrome_asan&range=622249:622267

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6279847101595648

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz, Jan 12

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6279847101595648 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
