Closed Bug 1312548 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-buffer-overflow in HTTP [@in _Z21net_RFindCharNotInSetPKcS0_S0_]

Categories

(Core :: Networking: HTTP, defect)

x86_64
Linux
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox-esr45 50+ fixed
firefox50 + fixed
firefox51 + fixed
firefox52 + fixed
firefox53 + fixed

People

(Reporter: rforbes, Assigned: bagder)

Details

(Keywords: csectype-bounds, sec-high, Whiteboard: [necko-active][adv-main50.1+][adv-esr45.6+])

Attachments

(3 files, 2 obsolete files)

Attached file initial request
==18344==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700004b8b5 at pc 0x7fd4441d1dcf bp 0x7fd4368457e0 sp 0x7fd4368457d8
READ of size 1 at 0x60700004b8b5 thread T8 (Socket Thread)
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #0 0x7fd4441d1dce in _Z21net_RFindCharNotInSetPKcS0_S0_ /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsURLHelper.cpp:720
    #1 0x7fd4441d1dce in ?? ??:0
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #2 0x7fd44496ad9f in _ZN7mozilla3net17nsHttpHeaderArray15ParseHeaderLineERK19nsACString_internalPNS0_10nsHttpAtomEPS2_ /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpHeaderArray.cpp:358 (discriminator 2)
    #3 0x7fd44496ad9f in ?? ??:0
    #4 0x7fd444969f0d in _ZN7mozilla3net20nsHttpChunkedDecoder19ParseChunkRemainingEPcjPj /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpChunkedDecoder.cpp:116 (discriminator 1)
    #5 0x7fd444969f0d in ?? ??:0
    #6 0x7fd444969905 in _ZN7mozilla3net20nsHttpChunkedDecoder20HandleChunkedContentEPcjPjS3_ /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpChunkedDecoder.cpp:66 (discriminator 1)
    #7 0x7fd444969905 in ?? ??:0
    #8 0x7fd4449e4df8 in _ZN7mozilla3net17nsHttpTransaction13HandleContentEPcjPjS3_ /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpTransaction.cpp:1707
    #9 0x7fd4449e4df8 in ?? ??:0
    #10 0x7fd4449dba3f in _ZN7mozilla3net17nsHttpTransaction11ProcessDataEPcjPj /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpTransaction.cpp:1859
    #11 0x7fd4449dba3f in ?? ??:0
    #12 0x7fd4449db47e in _ZN7mozilla3net17nsHttpTransaction16WritePipeSegmentEP15nsIOutputStreamPvPcjjPj /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpTransaction.cpp:785
    #13 0x7fd4449db47e in ?? ??:0
    #14 0x7fd443ee575e in _ZN18nsPipeOutputStream13WriteSegmentsEPF8nsresultP15nsIOutputStreamPvPcjjPjES3_jS5_ /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/io/nsPipe3.cpp:1696
    #15 0x7fd443ee575e in ?? ??:0
    #16 0x7fd4449de291 in _ZN7mozilla3net17nsHttpTransaction13WriteSegmentsEPNS0_20nsAHttpSegmentWriterEjPj /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpTransaction.cpp:821 (discriminator 2)
    #17 0x7fd4449de291 in ?? ??:0
    #18 0x7fd444980fbb in _ZN7mozilla3net16nsHttpConnection16OnSocketReadableEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpConnection.cpp:1782 (discriminator 1)
    #19 0x7fd444980fbb in ?? ??:0
    #20 0x7fd444982836 in _ZN7mozilla3net16nsHttpConnection18OnInputStreamReadyEP19nsIAsyncInputStream /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2098 (discriminator 1)
    #21 0x7fd444982836 in ?? ??:0
    #22 0x7fd44498306c in _ZThn16_N7mozilla3net16nsHttpConnection18OnInputStreamReadyEP19nsIAsyncInputStream /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2068
    #23 0x7fd44498306c in ?? ??:0
    #24 0x7fd4441688f6 in _ZN7mozilla3net19nsSocketInputStream13OnSocketReadyE8nsresult /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsSocketTransport2.cpp:289 (discriminator 1)
    #25 0x7fd4441688f6 in ?? ??:0
    #26 0x7fd444176cd3 in _ZN7mozilla3net17nsSocketTransport13OnSocketReadyEP10PRFileDescs /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsSocketTransport2.cpp:1968
    #27 0x7fd444176cd3 in ?? ??:0
    #28 0x7fd444186737 in _ZN7mozilla3net24nsSocketTransportService15DoPollIterationEPNS_16BaseTimeDurationINS_27TimeDurationValueCalculatorEEE /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsSocketTransportService2.cpp:1081
    #29 0x7fd444186737 in ?? ??:0
    #30 0x7fd444184b78 in _ZN7mozilla3net24nsSocketTransportService3RunEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsSocketTransportService2.cpp:865
    #31 0x7fd444184b78 in ?? ??:0
    #32 0x7fd44418772c in _ZThn24_N7mozilla3net24nsSocketTransportService3RunEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsSocketTransportService2.cpp:787
    #33 0x7fd44418772c in ?? ??:0
    #34 0x7fd443f3a736 in _ZN8nsThread16ProcessNextEventEbPb /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:1058 (discriminator 1)
    #35 0x7fd443f3a736 in ?? ??:0
    #36 0x7fd443fb86cc in _Z19NS_ProcessNextEventP9nsIThreadb /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #37 0x7fd443fb86cc in ?? ??:0
    #38 0x7fd444cd845a in _ZN7mozilla3ipc28MessagePumpForNonMainThreads3RunEPN4base11MessagePump8DelegateE /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:338 (discriminator 1)
    #39 0x7fd444cd845a in ?? ??:0
    #40 0x7fd444c4bdc8 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232 (discriminator 1)
    #41 0x7fd444c4bdc8 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225 (discriminator 1)
    #42 0x7fd444c4bdc8 in Run /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205 (discriminator 1)
    #43 0x7fd444c4bdc8 in ?? ??:0
    #44 0x7fd443f35a51 in _ZN8nsThread10ThreadFuncEPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:459
    #45 0x7fd443f35a51 in ?? ??:0
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #46 0x7fd45ce48378 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #47 0x7fd45ce48378 in ?? ??:0
    #48 0x7fd46043e6f9 in start_thread ??:?
    #49 0x7fd46043e6f9 in ?? ??:0
    #50 0x7fd45f4c7b5c in clone /build/glibc-GKVZIf/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
    #51 0x7fd45f4c7b5c in ?? ??:0

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/rforbes/fuzzing/browser/firefox/libxul.so+0x21b3dce)
Shadow bytes around the buggy address:
  0x0c0e800016c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e800016d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e800016e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e800016f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80001700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e80001710: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c0e80001720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80001730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80001740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80001750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e80001760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T8 (Socket Thread) created by T0 here:
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #0 0x49a839 in __interceptor_pthread_create _asan_rtl_ (discriminator 2)
    #1 0x49a839 in ?? ??:0
    #2 0x7fd45ce44f3f in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
    #3 0x7fd45ce44f3f in ?? ??:0
    #4 0x7fd45ce44b4a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
    #5 0x7fd45ce44b4a in ?? ??:0
    #6 0x7fd443f371db in _ZN8nsThread4InitEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:630
    #7 0x7fd443f371db in ?? ??:0
    #8 0x7fd443f3e8ff in _ZN15nsThreadManager9NewThreadEjjPP9nsIThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:253 (discriminator 2)
    #9 0x7fd443f3e8ff in ?? ??:0
    #10 0x7fd443fb76be in _Z12NS_NewThreadPP9nsIThreadP11nsIRunnablej /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:64
    #11 0x7fd443fb76be in ?? ??:0
    #12 0x7fd4441823f8 in _Z17NS_NewNamedThreadILm14EE8nsresultRAT__KcPP9nsIThreadP11nsIRunnablej /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:79 (discriminator 3)
    #13 0x7fd4441823f8 in ?? ??:0
    #14 0x7fd444181aff in _ZN7mozilla3net24nsSocketTransportService4InitEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsSocketTransportService2.cpp:523 (discriminator 3)
    #15 0x7fd444181aff in ?? ??:0
    #16 0x7fd444c20c8c in _ZL35nsSocketTransportServiceConstructorP11nsISupportsRK4nsIDPPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/build/nsNetModule.cpp:80 (discriminator 11)
    #17 0x7fd444c20c8c in ?? ??:0
    #18 0x7fd443f0b781 in _ZN22nsComponentManagerImpl26CreateInstanceByContractIDEPKcP11nsISupportsRK4nsIDPPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1160 (discriminator 1)
    #19 0x7fd443f0b781 in ?? ??:0
    #20 0x7fd443f02b92 in _ZN22nsComponentManagerImpl22GetServiceByContractIDEPKcRK4nsIDPPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1516
    #21 0x7fd443f02b92 in ?? ??:0
    #22 0x7fd443fa2daa in CallGetService /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #23 0x7fd443fa2daa in operator() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:292
    #24 0x7fd443fa2daa in ?? ??:0
    #25 0x7fd443f991f0 in _ZN13nsCOMPtr_base36assign_from_gs_contractid_with_errorERK33nsGetServiceByContractIDWithErrorRK4nsID /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:106
    #26 0x7fd443f991f0 in ?? ??:0
    #27 0x7fd4440e759f in operator= /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsCOMPtr.h:644
    #28 0x7fd4440e759f in InitializeSocketTransportService /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsIOService.cpp:297
    #29 0x7fd4440e759f in SetOffline /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsIOService.cpp:1076
    #30 0x7fd4440e759f in ?? ??:0
    #31 0x7fd4440e644d in _ZN7mozilla3net11nsIOService4InitEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsIOService.cpp:264
    #32 0x7fd4440e644d in ?? ??:0
    #33 0x7fd4440e8d13 in _ZN7mozilla3net11nsIOService11GetInstanceEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsIOService.cpp:349 (discriminator 1)
    #34 0x7fd4440e8d13 in ?? ??:0
    #35 0x7fd444c209f7 in _ZL22nsIOServiceConstructorP11nsISupportsRK4nsIDPPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/build/nsNetModule.cpp:62 (discriminator 2)
    #36 0x7fd444c209f7 in ?? ??:0
    #37 0x7fd443f0b781 in _ZN22nsComponentManagerImpl26CreateInstanceByContractIDEPKcP11nsISupportsRK4nsIDPPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1160 (discriminator 1)
    #38 0x7fd443f0b781 in ?? ??:0
    #39 0x7fd443f02b92 in _ZN22nsComponentManagerImpl22GetServiceByContractIDEPKcRK4nsIDPPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1516
    #40 0x7fd443f02b92 in ?? ??:0
    #41 0x7fd443fa2d11 in CallGetService /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #42 0x7fd443fa2d11 in operator() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #43 0x7fd443fa2d11 in ?? ??:0
    #44 0x7fd443f88383 in assign_from_gs_contractid /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:95
    #45 0x7fd443f88383 in nsCOMPtr /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsCOMPtr.h:539
    #46 0x7fd443f88383 in GetIOService /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/build/ServiceList.h:16
    #47 0x7fd443f88383 in ?? ??:0
    #48 0x7fd44411af45 in _Z15do_GetIOServiceP8nsresult /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsNetUtilInlines.h:46 (discriminator 1)
    #49 0x7fd44411af45 in ?? ??:0
    #50 0x7fd44411b56f in net_EnsureIOService /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsNetUtilInlines.h:86
    #51 0x7fd44411b56f in NS_NewURI /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsNetUtilInlines.h:113
    #52 0x7fd44411b56f in ?? ??:0
    #53 0x7fd443f73a16 in GetManifestURI /builds/slave/m-in-l64-asan-0000000000000000/build/src/chrome/nsChromeRegistryChrome.cpp:675 (discriminator 2)
    #54 0x7fd443f73a16 in ResolveURI /builds/slave/m-in-l64-asan-0000000000000000/build/src/chrome/nsChromeRegistryChrome.cpp:692 (discriminator 2)
    #55 0x7fd443f73a16 in ?? ??:0
    #56 0x7fd443f74f93 in _ZN22nsChromeRegistryChrome14ManifestLocaleERN16nsChromeRegistry25ManifestProcessingContextEiPKPci /builds/slave/m-in-l64-asan-0000000000000000/build/src/chrome/nsChromeRegistryChrome.cpp:773 (discriminator 1)
    #57 0x7fd443f74f93 in ?? ??:0
    #58 0x7fd443f15334 in _Z13ParseManifest14NSLocationTypeRN7mozilla12FileLocationEPcbb /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/ManifestParser.cpp:771 (discriminator 3)
    #59 0x7fd443f15334 in ?? ??:0
    #60 0x7fd443f06849 in DoRegisterManifest /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:595 (discriminator 1)
    #61 0x7fd443f06849 in RegisterManifest /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:608 (discriminator 1)
    #62 0x7fd443f06849 in ?? ??:0
    #63 0x7fd443f06bc3 in _ZN22nsComponentManagerImpl16ManifestManifestERNS_25ManifestProcessingContextEiPKPc /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:617
    #64 0x7fd443f06bc3 in ?? ??:0
    #65 0x7fd443f155fd in _Z13ParseManifest14NSLocationTypeRN7mozilla12FileLocationEPcbb /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/ManifestParser.cpp:780 (discriminator 3)
    #66 0x7fd443f155fd in ?? ??:0
    #67 0x7fd443f06849 in DoRegisterManifest /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:595 (discriminator 1)
    #68 0x7fd443f06849 in RegisterManifest /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:608 (discriminator 1)
    #69 0x7fd443f06849 in ?? ??:0
    #70 0x7fd443f0451c in RereadChromeManifests /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:794
    #71 0x7fd443f0451c in Init /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/components/nsComponentManager.cpp:398
    #72 0x7fd443f0451c in ?? ??:0
    #73 0x7fd443f8cc39 in NS_InitXPCOM2 /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/build/XPCOMInit.cpp:713
    #74 0x7fd443f8cc39 in ?? ??:0
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #75 0x7fd44c83effb in Initialize /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:1399 (discriminator 1)
    #76 0x7fd44c83effb in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4402 (discriminator 1)
    #77 0x7fd44c83effb in ?? ??:0
    #78 0x7fd44c83ff6a in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4497 (discriminator 1)
    #79 0x7fd44c83ff6a in ?? ??:0
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #80 0x4df89a in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:247
    #81 0x4df89a in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:380
    #82 0x4df89a in ?? ??:0
    #83 0x7fd45f3e182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #84 0x7fd45f3e182f in ?? ??:0

==18344==ABORTING

###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv


###!!! [Child][MessageChannel] Error: (msgtype=0x1040003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv


###!!! [Child][MessageChannel] Error: (msgtype=0x420003,name=PCompositable::Msg_Destroy) Channel error: cannot send/recv

[Child 18382] WARNING: pipe error (3): Connection reset by peer: file /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 320
[Child 18382] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 2057
[Child 18382] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 2057
ASAN:DEADLYSIGNAL
=================================================================
==18382==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e0f4e bp 0x7f3fc20c2090 sp 0x7f3fc20c2080 T2)
addr2line: Dwarf Error: Info pointer extends beyond end of attributes
    #0 0x4e0f4d in _Z14mozalloc_abortPKc /builds/slave/m-in-l64-asan-0000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33 (discriminator 4)
    #1 0x4e0f4d in ?? ??:0
    #2 0x7f3fc521f255 in _ZL5AbortPKc /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:449
    #3 0x7f3fc521f255 in ?? ??:0
    #4 0x7f3fc521effc in NS_DebugBreak /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:405
    #5 0x7f3fc521effc in ?? ??:0
    #6 0x7f3fc60f885f in _ZN7mozilla3ipc14MessageChannel22OnChannelErrorFromLinkEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:2057
    #7 0x7f3fc60f885f in ?? ??:0
    #8 0x7f3fc60fd873 in OnChannelError /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageLink.cpp:351
    #9 0x7f3fc60fd873 in ?? ??:0
    #10 0x7f3fc60b6b9b in ?? ??:0
    #11 0x7f3fc60b6b9b in event_process_active_single_queue /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1350
    #12 0x7f3fc60b6b9b in event_process_active /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
    #13 0x7f3fc60b6b9b in event_base_loop /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
    #14 0x7f3fc60b6b9b in ?? ??:0
    #15 0x7f3fc6078961 in _ZN4base19MessagePumpLibevent3RunEPNS_11MessagePump8DelegateE /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_pump_libevent.cc:364
    #16 0x7f3fc6078961 in ?? ??:0
    #17 0x7f3fc6072dc8 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232 (discriminator 1)
    #18 0x7f3fc6072dc8 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225 (discriminator 1)
    #19 0x7f3fc6072dc8 in Run /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205 (discriminator 1)
    #20 0x7f3fc6072dc8 in ?? ??:0
    #21 0x7f3fc6090931 in _ZN4base6Thread10ThreadMainEv /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/thread.cc:180
    #22 0x7f3fc6090931 in ?? ??:0
    #23 0x7f3fc609148c in _ZL10ThreadFuncPv /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38
    #24 0x7f3fc609148c in ?? ??:0
    #25 0x7f3fe18656f9 in start_thread ??:?
    #26 0x7f3fe18656f9 in ?? ??:0
    #27 0x7f3fe08eeb5c in clone /build/glibc-GKVZIf/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
    #28 0x7f3fe08eeb5c in ?? ??:0

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/rforbes/fuzzing/browser/firefox/firefox+0x4e0f4d)
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x49a839 in __interceptor_pthread_create _asan_rtl_ (discriminator 2)
    #1 0x49a839 in ?? ??:0
    #2 0x7f3fc609054b in CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137
    #3 0x7f3fc609054b in Create /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #4 0x7f3fc609054b in StartWithOptions /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/thread.cc:98
    #5 0x7f3fc609054b in ?? ??:0
    #6 0x7f3fc60ff947 in _ZN7mozilla3ipc12ProcessChildC2Ei /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/ProcessChild.cpp:24 (discriminator 2)
    #7 0x7f3fc60ff947 in ?? ??:0
    #8 0x7f3fcdc6b757 in ContentProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31
    #9 0x7f3fcdc6b757 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:609
    #10 0x7f3fcdc6b757 in ?? ??:0
    #11 0x4dfb2b in content_process_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197 (discriminator 1)
    #12 0x4dfb2b in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:357 (discriminator 1)
    #13 0x4dfb2b in ?? ??:0
    #14 0x7f3fe080882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x7f3fe080882f in ?? ??:0

==18382==ABORTING
Attached file HTTP response
Flags: needinfo?(jduell.mcbugs)
Keywords: sec-high
Version: unspecified → Trunk
Group: network-core-security
Daniel/Dragana: either of you got time for this one?
Flags: needinfo?(jduell.mcbugs) → needinfo?(dd.mozilla)
Flags: needinfo?(daniel)
I've managed to reproduce and get a segfault with gdb running. Looking into this.
Assignee: nobody → daniel
Flags: needinfo?(daniel)
I caught it once in gdb and recorded some observations, it seems not trigger very easily. Probably need some pushing. Here's the bits I have so far:

The crash happens in net_RFindCharNotInSet() on line 720 when it reads outside of its buffer:

   717  
   718  repeat:
   719      for (const char *s = set; *s; ++s) {
   720          if (*iter == *s) {                     <<<<<<<<<<<<<<<
   721              if (--iter == stop)
   722                  break;
   723              goto repeat;
   724          }
   725      }
   726      return (char *) iter;
   727  }

Here's some basic info from the call path immediately before.

(gdb) fr 2

(gdb) list
111                     LOG(("got trailer: %s\n", buf));
112                     // allocate a header array for the trailers on demand
113                     if (!mTrailers) {
114                         mTrailers = new nsHttpHeaderArray();
115                     }
116 >>>>>>>>>           mTrailers->ParseHeaderLine(nsDependentCSubstring(buf, count));
117                 }
118                 else {
119                     mWaitEOF = false;
120                     mReachedEOF = true;
(gdb) p buf
$13 = 0x7fffbe4fbd88 "Date: Tue, 15 Nov 1994 08:12:31 GMT"
(gdb) p count
$14 = 32750
(gdb) 


(gdb) fr 1
#1  0x00007fffe4073844 in mozilla::net::nsHttpHeaderArray::ParseHeaderLine (line=..., hdr=0x0, val=0x0)
    at /home/daniel/src/gecko-dev/netwerk/protocol/http/nsHttpHeaderArray.cpp:358
358         char *p2 = net_RFindCharNotInSet(p, sub2.EndReading(), HTTP_LWS);
(gdb) list
353         // skip over whitespace
354         char *p = net_FindCharNotInSet(
355             sub2.BeginReading(), sub2.EndReading(), HTTP_LWS);
356
357         // trim trailing whitespace - bug 86608
358 >>>>>   char *p2 = net_RFindCharNotInSet(p, sub2.EndReading(), HTTP_LWS);
359
360         // assign return values
361         if (hdr) *hdr = atom;
362         if (val) val->Assign(p, p2 - p + 1);

... here it is clear that 'sub2' has been set the wrong data and wrongly claims that the string is longer than it actually is:

(gdb) p p
$15 = 0x7fffbe4fbd8e "Tue, 15 Nov 1994 08:12:31 GMT"
(gdb) p sub2
$16 = (const nsACString_internal &) @0x7fffde8fc410: {mData = 0x7fffbe4fbd8d " Tue, 15 Nov 1994 08:12:31 GMT", mLength = 32745, mFlags = 0}
(gdb) p sub2.mData[32744]
Cannot access memory at address 0x7fffbe503d75
(gdb) p sub2.mData[17011]
Cannot access memory at address 0x7fffbe500000
(gdb) p sub2.mData[17010]
$23 = 0 '\000'
Here's my suggested fix. I've had a hard time to reproduce this reliably so there's a risk I just haven't managed to trigger the problem again after this fix, although I think the (single line!) change is logical and makes perfect sense.

Raymond, are you able to run your test again with this patch applied to see if I'm right or wrong on this?
Flags: needinfo?(dd.mozilla) → needinfo?(rforbes)
Attachment #8804914 - Flags: review?(dd.mozilla)
Comment on attachment 8804914 [details] [diff] [review]
0001-bug-1312548-when-changing-buffer-get-the-new-buffer-.patch

Review of attachment 8804914 [details] [diff] [review]:
-----------------------------------------------------------------

The patch makes sense.
Hopefully Raymond can reproduce this more reliably and test it as well.
Attachment #8804914 - Flags: review?(dd.mozilla) → review+
hey all - interesting bug.

I think there is a little more to this.

While I agree that count needs to be updated after the append(), I would be expecting that it would only be getting bigger.. because you're appending buf (which is count bytes long) to a non-empty mLineBuf.. so that should only make it bigger.

But this is an overflow based on count being too big for the new mLineBuf (not too little, which would be some kind of parser error, but not an overflow).

My guess is that mLineBuf.Append(buf) is not appending all count bytes of buf to mLineBuf.. probably because it has a null in it due to the fuzzing. I think that part needs to use append(buf, count) and also update count as this patch does..
(In reply to Patrick McManus [:mcmanus] from comment #7)
> hey all - interesting bug.
> 
> I think there is a little more to this.
> 
> While I agree that count needs to be updated after the append(), I would be
> expecting that it would only be getting bigger.. because you're appending
> buf (which is count bytes long) to a non-empty mLineBuf.. so that should
> only make it bigger.
> 
> But this is an overflow based on count being too big for the new mLineBuf
> (not too little, which would be some kind of parser error, but not an
> overflow).
> 
> My guess is that mLineBuf.Append(buf) is not appending all count bytes of
> buf to mLineBuf.. probably because it has a null in it due to the fuzzing. I
> think that part needs to use append(buf, count) and also update count as
> this patch does..

couple of lines above, buf is changed by changing '\n\r' into 0. So append will append less. 'count' (probably)could be changed even if it is not appended to mLineBuf, but that will not cause an overflow.
thanks. I agree count should be updated in both places.

what happens if there is a null in between buf and p? Seems like that append still needs to have a length argument.
I am holding off on testing until this gets worked out.
Flags: needinfo?(rforbes)
Whiteboard: [necko-active]
Agreed. And in fact, even *bytesConsumed isn't properly skipping the CR if present. I'll submit an updated take.
Update 'count' and '*bytesConsumed' according to detected newlines.
Attachment #8804914 - Attachment is obsolete: true
Attachment #8811633 - Flags: review?(mcmanus)
Attachment #8811633 - Flags: review?(dd.mozilla)
Comment on attachment 8811633 [details] [diff] [review]
v2-0001-bug-1312548-when-changing-buffer-get-the-new-buff.patch

Review of attachment 8811633 [details] [diff] [review]:
-----------------------------------------------------------------

We should deal with '\0' in the array as well. Currently the case mLineBuf.IsEmpty() and not empty will behave differently. I have not looked into function that consumes this array.

::: netwerk/protocol/http/nsHttpChunkedDecoder.cpp
@@ +102,3 @@
>              *(p-1) = 0;
> +            count--;
> +            (*bytesConsumed)++;

bytesConsumed should not change here.
> bytesConsumed should not change here.

You're right, and the patch actually causes test failures when done like that. For that reason.
Attachment #8811633 - Flags: review?(mcmanus)
Attachment #8811633 - Flags: review?(dd.mozilla)
Ok, I fixed the *bytesConsumed mistake I added in v2 and I made mLineBuf.Append() pass in count even in the !mLineBuf.IsEmpty() case, just so that they work the same in both Append cases.

I did not spot any obvious problems with zero bytes in ParseHeaderLine(), and I have a feeling we would have had bigger and earlier problem if so.
Attachment #8811633 - Attachment is obsolete: true
Attachment #8811928 - Flags: review?(dd.mozilla)
Comment on attachment 8811928 [details] [diff] [review]
v3-0001-bug-1312548-when-changing-buffer-get-the-new-buff.patch

Review of attachment 8811928 [details] [diff] [review]:
-----------------------------------------------------------------

I have one question. Do you know what does the function consuming this array does in case of a '\0' present? Probably it does the  correct thing.
Attachment #8811928 - Flags: review?(dd.mozilla) → review+
That's what I tried to describe above. nsHttpHeaderArray::ParseHeaderLine() is the function that handles the header in this case and surely the fuzzing would've hit problems in that if it indeed had problems with zero byte occurrences? I did review that code looking for obvious faults when it comes to zero byte handling but I could not detect any.

Additionally: for all I can tell, this patch should be easy enough to backport basically as far back as we want as it is very small and isolated in an area of the code that hasn't changed much in a long time. This fixes code from 2001!

Try-run with this patch: 

https://treeherder.mozilla.org/#/jobs?repo=try&revision=edad999779cc1e801e938cf2aac3fdc148e633ae&selectedJob=31336810
Patrick, you chimed in earlier. Do you see a need to do a bigger take here or you think is this good enough?
Flags: needinfo?(mcmanus)
I think we're good. thanks!
Flags: needinfo?(mcmanus)
Comment on attachment 8811928 [details] [diff] [review]
v3-0001-bug-1312548-when-changing-buffer-get-the-new-buff.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

I'd say it is still hard. You can see what you could do to cause a bug but from that to making an exploit is a pretty large step.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No. The commit message focuses on the specific fix of the logical mistake.

Which older supported branches are affected by this flaw?

Every branch and release since at some time in 2001.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

I would expect it to backport easily to all existing branches as this part of the code hasn't changed much over recent years.

How likely is this patch to cause regressions; how much testing does it need?

It is fairly small and isolated so I consider the risk to be low and I would probably suggest that if it causes no problems in nightly for a limited period of time it should be considered fine for wider use.
Attachment #8811928 - Flags: sec-approval?
sec-approval+ for trunk. We should consider backporting this to Aurora, Beta, and ESR45.
Attachment #8811928 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed
Comment on attachment 8811928 [details] [diff] [review]
v3-0001-bug-1312548-when-changing-buffer-get-the-new-buff.patch

Approval Request Comment
[Feature/regressing bug #]: 1312548
[User impact if declined]: buffer overflow/crash remains
[Describe test coverage new/current, TreeHerder]: there's no test case for this
[Risks and why]: very low risk due to size and readability of the change
[String/UUID change made/needed]: none
Attachment #8811928 - Flags: approval-mozilla-beta?
Attachment #8811928 - Flags: approval-mozilla-aurora?
This got merged to m-c awhile ago.
https://hg.mozilla.org/mozilla-central/rev/54f07489d3c0b282d407ad437b72d030df981fa6
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8811928 [details] [diff] [review]
v3-0001-bug-1312548-when-changing-buffer-get-the-new-buff.patch

Requesting approval for the other affected branches as well.
Attachment #8811928 - Flags: approval-mozilla-release?
Attachment #8811928 - Flags: approval-mozilla-esr45?
Comment on attachment 8811928 [details] [diff] [review]
v3-0001-bug-1312548-when-changing-buffer-get-the-new-buff.patch

Sec-high, approved for all branches
Attachment #8811928 - Flags: approval-mozilla-release?
Attachment #8811928 - Flags: approval-mozilla-release+
Attachment #8811928 - Flags: approval-mozilla-esr45?
Attachment #8811928 - Flags: approval-mozilla-esr45+
Attachment #8811928 - Flags: approval-mozilla-beta?
Attachment #8811928 - Flags: approval-mozilla-beta+
Attachment #8811928 - Flags: approval-mozilla-aurora?
Attachment #8811928 - Flags: approval-mozilla-aurora+
Whiteboard: [necko-active] → [necko-active][adv-main50.1+]
Whiteboard: [necko-active][adv-main50.1+] → [necko-active][adv-main50.1+][adv-esr45.6+]
Group: network-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.