
Fix libfuzzer RELAY_EVENT_MESSAGE failures

This change passes the handle policy into
Channel::Message::Deserialize() to facilitate testing mojo with
libfuzzer. To make this possible, handle_policy() was moved from
a protected method to a public one in Channel so it can be called
and passed into Deserialize().

Validated the fuzzer no longer crashes, instead we get:
[1015/100038.256:ERROR:channel.cc(391)] Rejecting message with
unexpected handle attachments.
[1015/100038.260:ERROR:node_channel.cc(789)] Dropping invalid relay
message.
[1015/100038.261:ERROR:node_channel.cc(863)] Received invalid
message type: 9 closing channel.

bug: 40241071
Change-Id: Ie7c6e0f11f5e30654a8a9baeb061c6318a583b77
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5932529
Reviewed-by: Alex Gough <ajgo@chromium.org>
Reviewed-by: Oksana Zhuravlova <oksamyt@chromium.org>
Commit-Queue: Emily Andrews <emiled@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#1372495}
Emily Andrews
2024-10-23 04:06:34 +00:00
committed by Chromium LUCI CQ
parent 673e0a494c
commit c0b2de2201
2 changed files with 10 additions and 4 deletions

@ -369,6 +369,9 @@ class MOJO_SYSTEM_IMPL_EXPORT Channel
// Allows the caller to change the Channel's HandlePolicy after construction.
void set_handle_policy(HandlePolicy policy) { handle_policy_ = policy; }
// Allows the caller to determine the current HandlePolicy.
HandlePolicy handle_policy() const { return handle_policy_; }
// Request that the channel be shut down. This should always be called before
// releasing the last reference to a Channel to ensure that it's cleaned up
// on its I/O task runner's thread.
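Review bot: The newly public `handle_policy()` reads `handle_policy_` with no synchronization visible in this hunk, while `set_handle_policy()` on the line above writes it, and making the getter public widens the set of callers that may read it from another sequence. If, as the surrounding comments suggest, Channel state is meant to be touched on its I/O task runner, the comment on the accessor should say so rather than leave the new callers to guess, e.g. `// Allows the caller to determine the current HandlePolicy. Not synchronized with set_handle_policy(); read it on the Channel's I/O sequence, or treat the value as a point-in-time snapshot.` The same wording applies to the removed copy in the second hunk only as history. The enclosing Channel class begins and ends outside the hunk.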
@ -411,9 +414,6 @@ class MOJO_SYSTEM_IMPL_EXPORT Channel
Delegate* delegate() const { return delegate_; }
// Allows the caller to determine the current HandlePolicy.
HandlePolicy handle_policy() const { return handle_policy_; }
// Called by the implementation when it wants somewhere to stick data.
// |*buffer_capacity| may be set by the caller to indicate the desired buffer
// size. If 0, a sane default size will be used instead.

@ -759,11 +759,17 @@ void NodeChannel::OnChannelMessage(
if (payload_size <= sizeof(Header) + sizeof(data))
break;
Channel::HandlePolicy handle_policy;
{
base::AutoLock lock(channel_lock_);
handle_policy = channel_->handle_policy();
}
const void* message_start = reinterpret_cast<const uint8_t*>(payload) +
sizeof(Header) + sizeof(data);
Channel::MessagePtr message = Channel::Message::Deserialize(
message_start, payload_size - sizeof(Header) - sizeof(data),
Channel::HandlePolicy::kAcceptHandles, from_process);
handle_policy, from_process);
if (!message) {
DLOG(ERROR) << "Dropping invalid relay message.";
break;
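Review bot: `channel_->handle_policy()` under `channel_lock_` dereferences `channel_` without a null check, which is a concern if `channel_` can be reset to null under that same lock elsewhere in NodeChannel (for instance during shutdown); if it can, this path becomes a null dereference on a late relay message, so the read should be guarded in the same way the other locked uses of `channel_` presumably are, e.g. `if (!channel_) break;` before the assignment, with `break` matching the surrounding invalid-message handling. It is also worth a comment on the `Channel::HandlePolicy handle_policy;` line that the lock only guards the `channel_` pointer and the value is a snapshot taken before deserialization, e.g. `// Snapshot the current policy under channel_lock_; Deserialize() rejects relayed messages carrying handles when the policy is kRejectHandles.`, since the commit message explains this but the code does not. The enclosing `NodeChannel::OnChannelMessage` starts before and ends after the hunk.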