1312248 - Crash in HTTP while fuzzing

Status: RESOLVED INCOMPLETE

(Core :: Networking: HTTP, defect)

Description

[Raymond Forbes[:rforbes]]

Attachment: request

I am not as familiar with fuzzing http but while doing it I got this crash. 

==9603==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e0f4e bp 0x7f1fc3645090 sp 0x7f1fc3645080 T2)

###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv


###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv

    #0 0x4e0f4d  (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d)
    #1 0x7f1fc67a2255  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x1dda255)
    #2 0x7f1fc67a1ffc  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x1dd9ffc)
    #3 0x7f1fc767b85f  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2cb385f)
    #4 0x7f1fc7680873  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2cb8873)
    #5 0x7f1fc7639b9b  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c71b9b)
    #6 0x7f1fc75fb961  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c33961)
    #7 0x7f1fc75f5dc8  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c2ddc8)
    #8 0x7f1fc7613931  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c4b931)
    #9 0x7f1fc761448c  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c4c48c)
    #10 0x7f1fe2de86f9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #11 0x7f1fe1e71b5c  (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d) 
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x49a839  (/home/rforbes/fuzzing/browser/firefox/firefox+0x49a839)
    #1 0x7f1fc761354b  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c4b54b)
    #2 0x7f1fc7682947  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2cba947)
    #3 0x7f1fcf1ee757  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0xa826757)
    #4 0x4dfb2b  (/home/rforbes/fuzzing/browser/firefox/firefox+0x4dfb2b)
    #5 0x7f1fe1d8b82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==9603==ABORTING

Comment 1

[Raymond Forbes[:rforbes]]

Attachment: additional debug info

Comment 2

[Raymond Forbes[:rforbes]]

I have the response from the server that crashed firefox. Please contact me for it as it is too big to put on bugzilla.

also, most likely not a security bug but marking it as such for now and ccing jduell.

Comment 3

[Jason Duell]

Either Dragana or Daniel should take this, hopefully (email Raymond and get the HTTP response from him).

Comment 4

[Dragana Damjanovic [:dragana]]

Is this reproducible?

Comment 5

[Patrick McManus [:mcmanus]]

please add the decoded stack to the bug - every time :)

Comment 6

[Andrew McCreight [:mccr8]]

Unhiding, as this looks like a null deref.

Comment 7

[Dragana Damjanovic [:dragana]]

Any update here?

Comment 8

[Raymond Forbes[:rforbes]]

The response was too big to attach to bugzilla. Is there a different method I can get it to you? (i.e. dropbox)

Comment 9

[Dragana Damjanovic [:dragana]]

(In reply to Raymond Forbes[:rforbes] from comment #8)
> The response was too big to attach to bugzilla. Is there a different method
> I can get it to you? (i.e. dropbox)

You can send it via e-mail. gzip it first, or
you have mozilla address, you can use google drive.

Comment 10

[Dragana Damjanovic [:dragana]]

Can you add a decoded stack? Can you reproduce this and make http log?

Comment 11

[Dragana Damjanovic [:dragana]]

Any news

Comment 12

[Dragana Damjanovic [:dragana]]

please add the decoded stack to the bug. I cannot do anything here.