Crash in HTTP while fuzzing

RESOLVED INCOMPLETE

Status

Product: Core
Component: Networking: HTTP
Status: RESOLVED INCOMPLETE
Reported: 2 years ago
Modified: 10 months ago

People

(Reporter: rforbes, Assigned: dragana, NeedInfo)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [necko-active])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
Created attachment 8803675 [details]
request

I am not as familiar with fuzzing HTTP, but while doing it I got this crash.

==9603==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e0f4e bp 0x7f1fc3645090 sp 0x7f1fc3645080 T2)

###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv


###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv

    #0 0x4e0f4d  (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d)
    #1 0x7f1fc67a2255  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x1dda255)
    #2 0x7f1fc67a1ffc  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x1dd9ffc)
    #3 0x7f1fc767b85f  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2cb385f)
    #4 0x7f1fc7680873  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2cb8873)
    #5 0x7f1fc7639b9b  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c71b9b)
    #6 0x7f1fc75fb961  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c33961)
    #7 0x7f1fc75f5dc8  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c2ddc8)
    #8 0x7f1fc7613931  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c4b931)
    #9 0x7f1fc761448c  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c4c48c)
    #10 0x7f1fe2de86f9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #11 0x7f1fe1e71b5c  (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d) 
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x49a839  (/home/rforbes/fuzzing/browser/firefox/firefox+0x49a839)
    #1 0x7f1fc761354b  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2c4b54b)
    #2 0x7f1fc7682947  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x2cba947)
    #3 0x7f1fcf1ee757  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0xa826757)
    #4 0x4dfb2b  (/home/rforbes/fuzzing/browser/firefox/firefox+0x4dfb2b)
    #5 0x7f1fe1d8b82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==9603==ABORTING
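The assignee asks repeatedly for a decoded (symbolized) stack, and a later comment triages the report as a null dereference from the fault address alone. As an added example, not part of this bug or of Mozilla's tooling, the Python script below parses the raw AddressSanitizer report above into module+offset frames, applies that same zero-page heuristic to the fault address, and prints the addr2line invocations that would symbolize each module against the matching build. The embedded report is a shortened copy of the one above (most frames dropped, one interleaved MessageChannel line kept to show it is ignored); the paths are the reporter's fuzzing directory and are only meaningful on a machine that has that build.

```python
import re

# Constructed excerpt of the unsymbolized ASan report from the bug (frames #3-#9 omitted).
ASAN_REPORT = """\
==9603==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e0f4e bp 0x7f1fc3645090 sp 0x7f1fc3645080 T2)
###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv
    #0 0x4e0f4d  (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d)
    #1 0x7f1fc67a2255  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x1dda255)
    #2 0x7f1fc67a1ffc  (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x1dd9ffc)
    #10 0x7f1fe2de86f9  (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d)
"""

# First line of an ASan report: "==<pid>==ERROR: AddressSanitizer: <kind> on [unknown ]address 0x<addr> ..."
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-f]+)"
)
# Unsymbolized frame: "#<n> 0x<pc>  (<module>+0x<offset>)". Symbolized frames look different and are skipped.
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+)\s+0x(?P<pc>[0-9a-f]+)\s+\((?P<module>[^)+]+)\+0x(?P<off>[0-9a-f]+)\)"
)

# Fault addresses on the first page are almost always NULL or NULL plus a small field offset.
ZERO_PAGE_LIMIT = 0x1000


def parse_frames(report):
    """Return the stack frames as dicts; lines that are not frames (log noise, summary) are ignored."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "n": int(m.group("n")),
                "pc": int(m.group("pc"), 16),
                "module": m.group("module"),
                "offset": int(m.group("off"), 16),
            })
    return frames


def classify(report):
    """Coarse triage label from the report header: 'null-deref' for a SEGV on the zero page,
    otherwise the ASan error kind in lower case (e.g. 'heap-buffer-overflow')."""
    m = HEADER_RE.search(report)
    if not m:
        return "unrecognised"
    kind, addr = m.group("kind"), int(m.group("addr"), 16)
    if kind == "SEGV" and addr < ZERO_PAGE_LIMIT:
        return "null-deref"
    return kind.lower()


def addr2line_commands(frames):
    """One addr2line command per module, offsets in stack order, so the output can be
    pasted back into the bug as the decoded stack. Requires the unstripped build at those paths."""
    by_module = {}
    for f in frames:
        by_module.setdefault(f["module"], []).append(f["offset"])
    return [
        "addr2line -e %s -f -C -i %s" % (module, " ".join(hex(o) for o in offsets))
        for module, offsets in by_module.items()
    ]


if __name__ == "__main__":
    frames = parse_frames(ASAN_REPORT)
    print("triage:", classify(ASAN_REPORT))
    print("frames parsed:", len(frames))
    for cmd in addr2line_commands(frames):
        print(cmd)
```

Run against a full report, the script only does what LLVM's asan_symbolize.py does more completely when the binaries with symbols are available; the point is the mechanics a triager applies by hand: the offsets are relative to the module's load base, so they must be resolved against exactly the build that produced the crash, and a zero-page fault address is a strong hint of a missing null check rather than memory corruption, which is why the bug was unhidden.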
(Reporter)

Comment 1

2 years ago
Created attachment 8803676 [details]
additional debug info
(Reporter)

Comment 2

2 years ago
I have the response from the server that crashed Firefox. Please contact me for it, as it is too big to put on Bugzilla.

Also, most likely not a security bug, but marking it as such for now and ccing jduell.
Group: network-core-security
Flags: needinfo?(jduell.mcbugs)
Flags: needinfo?(jduell.mcbugs)
Either Dragana or Daniel should take this, hopefully (email Raymond and get the HTTP response from him).
Flags: needinfo?(dd.mozilla)
Flags: needinfo?(daniel)
(Assignee)

Comment 4

2 years ago
Is this reproducible?
Flags: needinfo?(dd.mozilla)
Flags: needinfo?(daniel)
(Assignee)

Updated

2 years ago
Flags: needinfo?(rforbes)
Please add the decoded stack to the bug - every time :)
Unhiding, as this looks like a null deref.
Group: network-core-security
Assignee: nobody → dd.mozilla
Whiteboard: [necko-active]
(Assignee)

Comment 7

2 years ago
Any update here?
(Reporter)

Comment 8

2 years ago
The response was too big to attach to Bugzilla. Is there a different method I can get it to you? (i.e. Dropbox)
Flags: needinfo?(rforbes)
(Assignee)

Comment 9

2 years ago
(In reply to Raymond Forbes[:rforbes] from comment #8)
> The response was too big to attach to bugzilla. Is there a different method
> I can get it to you? (i.e. dropbox)

You can send it via e-mail; gzip it first. Or, since you have a Mozilla address, you can use Google Drive.
(Assignee)

Comment 10

2 years ago
Can you add a decoded stack? Can you reproduce this and make an HTTP log?
Flags: needinfo?(rforbes)
(Assignee)

Comment 11

a year ago
Any news?
(Assignee)

Comment 12

a year ago
Please add the decoded stack to the bug. I cannot do anything here.
(Assignee)

Updated

10 months ago
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → INCOMPLETE