Closed
Bug 1125503
Opened 11 years ago
Closed 11 years ago
SEGV in nsSiteSecurityService::GetHost
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
mozilla38
Tracking | Status | |
---|---|---|
firefox35 | --- | unaffected |
firefox36 | --- | fixed |
firefox37 | --- | fixed |
firefox38 | --- | fixed |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | fixed |
b2g-v2.2 | --- | fixed |
b2g-master | --- | fixed |
People
(Reporter: attekett, Assigned: keeler)
References
Details
(Keywords: crash, csectype-bounds, sec-low)
Attachments
(2 files)
77 bytes,
text/html
|
Details | |
3.10 KB,
patch
|
mmc
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
bajaj
:
approval-mozilla-b2g34+
|
Details | Diff | Splinter Review |
Tested on:
OS: Ubuntu 14.04
Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1422098911/
This crash looks like a fairly new regression, I have seen it on my cluster for couple of weeks now.
Not sure about the security impact, but set restricted just to be on the safe side.
ASAN-trace:
==21785==ERROR: AddressSanitizer: SEGV on unknown address 0x7f81c1e2399f (pc 0x7f80bf5a3d77 sp 0x7fffb8ce3aa0 bp 0x7fffb8ce3c90 T0)
#0 0x7f80bf5a3d76 in Last /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/security/manager/boot/src/../../../../dist/include/nsTSubstring.h:280
#1 0x7f80bf5a3d76 in get /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/security/manager/boot/src/PublicKeyPinningService.cpp:378
#2 0x7f80bf5a3d76 in nsSiteSecurityService::GetHost(nsIURI*, nsACString_internal&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/security/manager/boot/src/nsSiteSecurityService.cpp:287
#3 0x7f80bf5a8f17 in nsSiteSecurityService::IsSecureURI(unsigned int, nsIURI*, unsigned int, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/security/manager/boot/src/nsSiteSecurityService.cpp:804
#4 0x7f80b94c58b5 in mozilla::net::nsHttpChannel::Connect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:309
#5 0x7f80b94f49dd in mozilla::net::nsHttpChannel::ContinueBeginConnect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5036
#6 0x7f80b94f3b48 in mozilla::net::nsHttpChannel::BeginConnect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:4977
#7 0x7f80b94f5274 in mozilla::net::nsHttpChannel::OnProxyAvailable(nsICancelable*, nsIChannel*, nsIProxyInfo*, tag_nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5098
#8 0x7f80b915e600 in nsAsyncResolveRequest::DoCallback() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:280
#9 0x7f80b912d182 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:167
#10 0x7f80b912d182 in nsProtocolProxyService::AsyncResolveInternal(nsIChannel*, unsigned int, nsIProtocolProxyCallback*, nsICancelable**, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:1246
.
.
.
Updated•11 years ago
|
![]() |
Assignee | |
Comment 1•11 years ago
|
||
Turns out, we need to check Length() > 0 before calling Last() on strings.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
![]() |
Assignee | |
Updated•11 years ago
|
Attachment #8554743 -
Flags: review?(mmc)
Comment 2•11 years ago
|
||
Comment on attachment 8554743 [details] [diff] [review]
patch
Review of attachment 8554743 [details] [diff] [review]:
-----------------------------------------------------------------
::: security/manager/ssl/tests/unit/test_sts_fqdn.js
@@ +44,5 @@
> "example.com..", 0));
> +
> + // Somehow creating this malformed URI succeeds - we need to handle it
> + // gracefully.
> + uri = Services.io.newURI("https://../foo", null, null);
We should probably file bugs on not being able to create malformed URIs like this.
Attachment #8554743 -
Flags: review?(mmc) → review+
![]() |
Assignee | |
Comment 3•11 years ago
|
||
Thanks for the quick review.
For the record, this was introduced by bug 1065909. In most cases this is a simple read-out-of-bounds by 1, and I think the worst that can happen is a crash.
Blocks: CVE-2015-0832
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → affected
status-b2g-v2.2:
--- → affected
status-firefox35:
--- → unaffected
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox-esr31:
--- → unaffected
Keywords: csectype-bounds,
sec-low
![]() |
Assignee | |
Comment 4•11 years ago
|
||
Comment 5•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment 6•11 years ago
|
||
Please request Aurora/Beta/b2g34 approval on this when you get a chance :)
status-b2g-master:
--- → fixed
Flags: needinfo?(dkeeler)
![]() |
Assignee | |
Comment 7•11 years ago
|
||
Comment on attachment 8554743 [details] [diff] [review]
patch
Approval Request Comment
[Feature/regressing bug #]: bug 1065909
[User impact if declined]: crashes
[Describe test coverage new/current, TreeHerder]: good test coverage (also added a new test)
[Risks and why]: low - this is a simple fix
[String/UUID change made/needed]: none
Flags: needinfo?(dkeeler)
Attachment #8554743 -
Flags: approval-mozilla-beta?
Attachment #8554743 -
Flags: approval-mozilla-b2g34?
Attachment #8554743 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Attachment #8554743 -
Flags: approval-mozilla-beta?
Attachment #8554743 -
Flags: approval-mozilla-beta+
Attachment #8554743 -
Flags: approval-mozilla-aurora?
Attachment #8554743 -
Flags: approval-mozilla-aurora+
Comment 8•11 years ago
|
||
Updated•11 years ago
|
Attachment #8554743 -
Flags: approval-mozilla-b2g34? → approval-mozilla-b2g34+
Comment 9•11 years ago
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•