Upload crash reports when ExtensionFunctions generate bad messages.

extensions/browser/extension_function_dispatcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/extension_function_dispatcher.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/json/json_string_value_serializer.h"
@@ skipping 13 matching lines @@
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_process_host_observer.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/service_worker_context.h"
 #include "content/public/browser/user_metrics.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "content/public/common/result_codes.h"
 #include "extensions/browser/api_activity_monitor.h"
+#include "extensions/browser/bad_message.h"
 #include "extensions/browser/extension_function_registry.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/browser/extension_system.h"
 #include "extensions/browser/extension_util.h"
 #include "extensions/browser/extensions_browser_client.h"
 #include "extensions/browser/io_thread_extension_message_filter.h"
 #include "extensions/browser/process_manager.h"
 #include "extensions/browser/process_map.h"
 #include "extensions/browser/quota_service.h"
 #include "extensions/common/constants.h"
@@ skipping 28 matching lines @@
 
 // Separate copy of ExtensionAPI used for IO thread extension functions. We need
 // this because ExtensionAPI has mutable data. It should be possible to remove
 // this once all the extension APIs are updated to the feature system.
 struct Static {
   Static() : api(ExtensionAPI::CreateWithDefaultConfiguration()) {}
   std::unique_ptr<ExtensionAPI> api;
 };
 base::LazyInstance<Static> g_global_io_data = LAZY_INSTANCE_INITIALIZER;
 
-// Kills the specified process because it sends us a malformed message.
-// Track the specific function's |histogram_value|, as this may indicate a bug
-// in that API's implementation on the renderer.
-void KillBadMessageSender(const base::Process& process,
-                          functions::HistogramValue histogram_value) {
-  // The renderer has done validation before sending extension api requests.
-  // Therefore, we should never receive a request that is invalid in a way
-  // that JSON validation in the renderer should have caught. It could be an
-  // attacker trying to exploit the browser, so we crash the renderer instead.

[Charlie Reis, 2017/01/13 21:22:25]

Is there somewhere you can preserve this comment?  I think it's useful for
understanding which kinds of validation we kill the renderer for.

[lazyboy, 2017/01/14 01:04:43]

Restored the comment.

-  LOG(ERROR) << "Terminating renderer because of malformed extension message.";
-  if (content::RenderProcessHost::run_renderer_in_process()) {
-    // In single process mode it is better if we don't suicide but just crash.
-    CHECK(false);
-    return;
-  }
-
-  NOTREACHED();
+void LogBadMessage(functions::HistogramValue histogram_value) {
   content::RecordAction(base::UserMetricsAction("BadMessageTerminate_EFD"));
+  // Track the specific function's |histogram_value|, as this may indicate a
+  // bug in that API's implementation.
   UMA_HISTOGRAM_ENUMERATION("Extensions.BadMessageFunctionName",
                             histogram_value, functions::ENUM_BOUNDARY);
-  if (process.IsValid())
-    process.Terminate(content::RESULT_CODE_KILLED_BAD_MESSAGE, false);
 }
 
-void KillBadMessageSenderRPH(content::RenderProcessHost* sender_process_host,
-                             functions::HistogramValue histogram_value) {
-  base::Process peer_process =
-      content::RenderProcessHost::run_renderer_in_process()
-          ? base::Process::Current()
-          : base::Process::DeprecatedGetProcessFromHandle(
-                sender_process_host->GetHandle());
-  KillBadMessageSender(peer_process, histogram_value);
-}
-
+template <class T>
 void CommonResponseCallback(IPC::Sender* ipc_sender,
                             int routing_id,
-                            const base::Process& peer_process,
+                            T bad_message_sender,

[Devlin, 2017/01/13 16:16:17]

nitty nit: Let's use T* (so that T is RenderProcessHost or BrowserMessageFilter,
rather than RenderProcessHost* or BrowserMessageFilter*)

[lazyboy, 2017/01/14 01:04:43]

Done.

                             int request_id,
                             ExtensionFunction::ResponseType type,
                             const base::ListValue& results,
                             const std::string& error,
                             functions::HistogramValue histogram_value) {
   DCHECK(ipc_sender);
 
   if (type == ExtensionFunction::BAD_MESSAGE) {
-    KillBadMessageSender(peer_process, histogram_value);
+    LogBadMessage(histogram_value);
+    bad_message::ReceivedBadMessage(bad_message_sender,
+                                    bad_message::EFD_BAD_MESSAGE);
     return;
   }
 
   ipc_sender->Send(new ExtensionMsg_Response(
       routing_id, request_id, type == ExtensionFunction::SUCCEEDED, results,
       error));
 }
 
 void IOThreadResponseCallback(
     const base::WeakPtr<IOThreadExtensionMessageFilter>& ipc_sender,
     int routing_id,
     int request_id,
     ExtensionFunction::ResponseType type,
     const base::ListValue& results,
     const std::string& error,
     functions::HistogramValue histogram_value) {
   if (!ipc_sender.get())
     return;
 
-  base::Process peer_process =
-      base::Process::DeprecatedGetProcessFromHandle(ipc_sender->PeerHandle());
-  CommonResponseCallback(ipc_sender.get(), routing_id, peer_process, request_id,
-                         type, results, error, histogram_value);
+  CommonResponseCallback(ipc_sender.get(), routing_id, ipc_sender.get(),
+                         request_id, type, results, error, histogram_value);
 }
 
 }  // namespace
 
 class ExtensionFunctionDispatcher::UIThreadResponseCallbackWrapper
     : public content::WebContentsObserver {
  public:
   UIThreadResponseCallbackWrapper(
       const base::WeakPtr<ExtensionFunctionDispatcher>& dispatcher,
       content::RenderFrameHost* render_frame_host)
@@ skipping 27 matching lines @@
         weak_ptr_factory_.GetWeakPtr(),
         request_id);
   }
 
  private:
   void OnExtensionFunctionCompleted(int request_id,
                                     ExtensionFunction::ResponseType type,
                                     const base::ListValue& results,
                                     const std::string& error,
                                     functions::HistogramValue histogram_value) {
-    base::Process process =
-        content::RenderProcessHost::run_renderer_in_process()
-            ? base::Process::Current()
-            : base::Process::DeprecatedGetProcessFromHandle(
-                  render_frame_host_->GetProcess()->GetHandle());
     CommonResponseCallback(render_frame_host_,
                            render_frame_host_->GetRoutingID(),
-                           process, request_id, type, results, error,
-                           histogram_value);
+                           render_frame_host_->GetProcess(), request_id, type,
+                           results, error, histogram_value);
   }
 
   base::WeakPtr<ExtensionFunctionDispatcher> dispatcher_;
   content::RenderFrameHost* render_frame_host_;
   base::WeakPtrFactory<UIThreadResponseCallbackWrapper> weak_ptr_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(UIThreadResponseCallbackWrapper);
 };
 
 class ExtensionFunctionDispatcher::UIThreadWorkerResponseCallbackWrapper
@@ skipping 42 matching lines @@
   }
 
   void OnExtensionFunctionCompleted(int request_id,
                                     ExtensionFunction::ResponseType type,
                                     const base::ListValue& results,
                                     const std::string& error,
                                     functions::HistogramValue histogram_value) {
     content::RenderProcessHost* sender =
         content::RenderProcessHost::FromID(render_process_id_);
     if (type == ExtensionFunction::BAD_MESSAGE) {
-      KillBadMessageSenderRPH(sender, histogram_value);
+      LogBadMessage(histogram_value);
+      bad_message::ReceivedBadMessage(sender, bad_message::EFD_BAD_MESSAGE);

[Charlie Reis, 2017/01/13 21:22:25]

Please use a unique BadMessageReason in each ReceivedBadMessage callsite. 
Otherwise you can't tell which kill we're hitting in the wild without looking at
the crash stack of each crash.

[lazyboy, 2017/01/14 01:04:43]

Done.

       return;
     }
     DCHECK(sender);
     sender->Send(new ExtensionMsg_ResponseWorker(
         worker_thread_id_, request_id, type == ExtensionFunction::SUCCEEDED,
         results, error));
   }
 
   base::WeakPtr<ExtensionFunctionDispatcher> dispatcher_;
   ScopedObserver<content::RenderProcessHost,
@@ skipping 370 matching lines @@
 // static
 void ExtensionFunctionDispatcher::SendAccessDenied(
     const ExtensionFunction::ResponseCallback& callback,
     functions::HistogramValue histogram_value) {
   base::ListValue empty_list;
   callback.Run(ExtensionFunction::FAILED, empty_list,
                "Access to extension API denied.", histogram_value);
 }
 
 }  // namespace extensions