mojo_js_in_process_fuzzer: CHECK failure: web_contents->GetLastCommittedURL().scheme() == content::kChromeUIScheme in disp [399696822]

Assigned

Bug

Reproducible

ClusterFuzz

Stability-Memory-AddressSanitizer

Stability-LibFuzzer

Stability-Crash

Test-Predator-Auto-Components

Test-Predator-Wrong

Status Update

No update yet.

Description

24...@project.gserviceaccount.com

created issue #1

Feb 28, 2025 07:31PM

Detailed Report:

https://clusterfuzz.com/testcase?key=6215305487384576

Fuzzing Engine: libFuzzer
Fuzz Target: mojo_js_in_process_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
web_contents->GetLastCommittedURL().scheme() == content::kChromeUIScheme in disp
DisplayMediaAccessHandler::BypassMediaSelectionDialog
DisplayMediaAccessHandler::HandleRequest

Sanitizer: address (ASAN)

Regressed:

https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=1422786:1422796

Reproducer Testcase:

https://clusterfuzz.com/download?testcase_id=6215305487384576

Issue filed automatically.

See

https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for instructions on reproducing this bug locally.

Comments

24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #2Feb 28, 2025 07:37PM

Project: platform/frameworks/support
Branch: androidx-main
Author: Radha Nakade <radhanakade@google.com>
Link: https://android-review.googlesource.com/3510337

Migrate traffic from pixel2 to mediumphone on FTL emulators.

Expand for full commit details

Migrate traffic from pixel2 to mediumphone on FTL emulators. 
 
Bug: 396715333 
 
Test: ./gradlew emoji2:emoji2-emojipicker:ftlmediumphoneapi33 
Change-Id: If5555443ca1a91479128e1bd6f4f909154c40ba2

Files:

M buildSrc/private/src/main/kotlin/androidx/build/FtlRunner.kt

Hash: c76f8094154101867327912e659ae47509755957
Date: Wed Feb 26 11:27:46 2025

na...@chromium.org <na...@chromium.org> #3Mar 7, 2025 01:07PM

Assigned to mf...@chromium.org.

Predator and CL could not provide any possible suspects.

Using Code Search for the file, “display_media_access_handler.cc” suspecting the below Cl might have caused this issue

Suspect CL :

https://source.chromium.org/chromium/chromium/src/+/e5de7f01b4bfba05c414689b27af74b2abdea594

@Mark Foltz -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

al...@chromium.org <al...@chromium.org> #4Mar 7, 2025 06:02PM

Reassigned to wt...@chromium.org.

Mark's change was just a cleanup. Looking at git blame, the relevant CHECK was added: https://chromium-review.googlesource.com/c/chromium/src/+/5519954. @wtlee, it seems that something is violating the CHECK, not sure if something changed in the underlying way this is called or if this was just always lurking.

wt...@google.com <wt...@google.com> #5Mar 10, 2025 03:22AM

Reassigned to pi...@google.com.

Hmm, the content settings type "DISPLAY_MEDIA_SYSTEM_AUDIO" is designed for WebUI pages only.
So it seems the fuzzer somehow triggers this path with an unexpected URL.
Maybe we can reject the request instead of using a CHECK when it violates the assumption to avoid such crash. [Code Search].
Pi-Hsun, could you help on the fix?
Thanks.

al...@chromium.org <al...@chromium.org> #6Mar 10, 2025 07:45PM

I think the fuzzer assumes a compromised renderer, so if the renderer is the source of truth for when a DISPLAY_MEDIA_SYSTEM_AUDIO request is sent, that seems reasonable that the fuzzer could trigger it.

IssueTracker

This issue is a part of the Chromium tracker.