Closed Bug 1427673 Opened 7 years ago Closed 5 years ago

UBSan: null pointer passed as argument 2, which is declared to never be null [@ sslBuffer_AppendVariable]

Categories

(NSS :: Libraries, defect, P1)

3.35
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tsmith, Assigned: ekr)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

Attachments

(1 file)

I triggered this while browsing with a Firefox build built with: -fsanitize=nonnull-attribute

changeset: 397325:fe1794e607cc

/mozilla-central/security/nss/lib/ssl/sslencode.c:98:37: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:43:28: note: nonnull attribute specified here
    #0 0x7f94eb32170f in sslBuffer_AppendVariable /mozilla-central/security/nss/lib/ssl/sslencode.c:98:5
    #1 0x7f94eb36b3d7 in tls13_HkdfExpandLabel /mozilla-central/security/nss/lib/ssl/tls13hkdf.c:189:10
    #2 0x7f94eb34f209 in tls13_DeriveTrafficKeys /mozilla-central/security/nss/lib/ssl/tls13con.c:3170:10
    #3 0x7f94eb34f209 in tls13_SetCipherSpec /mozilla-central/security/nss/lib/ssl/tls13con.c:3332
    #4 0x7f94eb359ff7 in tls13_HandleServerHelloPart2 /mozilla-central/security/nss/lib/ssl/tls13con.c:2589:10
    #5 0x7f94eb2ea66e in ssl3_HandleServerHello /mozilla-central/security/nss/lib/ssl/ssl3con.c:6390:14
    #6 0x7f94eb2e54e9 in ssl3_HandleHandshakeMessage /mozilla-central/security/nss/lib/ssl/ssl3con.c:11330:18
    #7 0x7f94eb2f75ab in ssl3_HandleHandshake /mozilla-central/security/nss/lib/ssl/ssl3con.c:11515:18
    #8 0x7f94eb2f75ab in ssl3_HandleNonApplicationData /mozilla-central/security/nss/lib/ssl/ssl3con.c:12029
    #9 0x7f94eb2f2e7d in ssl3_HandleRecord /mozilla-central/security/nss/lib/ssl/ssl3con.c:12300:12
    #10 0x7f94eb31855b in ssl3_GatherCompleteHandshake /mozilla-central/security/nss/lib/ssl/ssl3gthr.c:504:22
    #11 0x7f94eb32b0a9 in SSL_ForceHandshake /mozilla-central/security/nss/lib/ssl/sslsecur.c:399:24
    #12 0x7f94cacbecc6 in nsNSSSocketInfo::DriveHandshake() /mozilla-central/security/manager/ssl/nsNSSIOLayer.cpp:423:18
    #13 0x7f94bfc78aa7 in mozilla::net::nsHttpConnection::EnsureNPNComplete(nsresult&, unsigned int&) /mozilla-central/netwerk/protocol/http/nsHttpConnection.cpp:477:19
    #14 0x7f94bfc7b3af in mozilla::net::nsHttpConnection::OnSocketWritable() /mozilla-central/netwerk/protocol/http/nsHttpConnection.cpp:1807:21
    #15 0x7f94bfc7f58e in mozilla::net::nsHttpConnection::OnOutputStreamReady(nsIAsyncOutputStream*) /mozilla-central/netwerk/protocol/http/nsHttpConnection.cpp:2338:19
    #16 0x7f94bfc8966c in non-virtual thunk to mozilla::net::nsHttpConnection::OnOutputStreamReady(nsIAsyncOutputStream*) /mozilla-central/netwerk/protocol/http/nsHttpConnection.cpp
    #17 0x7f94bf1c50fa in mozilla::net::nsSocketOutputStream::OnSocketReady(nsresult) /mozilla-central/netwerk/base/nsSocketTransport2.cpp:563:19
    #18 0x7f94bf1d05bd in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /mozilla-central/netwerk/base/nsSocketTransport2.cpp:2180:21
    #19 0x7f94bf1e0835 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /mozilla-central/netwerk/base/nsSocketTransportService2.cpp:1151:29
    #20 0x7f94bf1deea6 in mozilla::net::nsSocketTransportService::Run() /mozilla-central/netwerk/base/nsSocketTransportService2.cpp:921:13
    #21 0x7f94bf1e13fc in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /mozilla-central/netwerk/base/nsSocketTransportService2.cpp
    #22 0x7f94bef786bf in nsThread::ProcessNextEvent(bool, bool*) /mozilla-central/xpcom/threads/nsThread.cpp:1039:14
    #23 0x7f94befabf70 in NS_ProcessNextEvent(nsIThread*, bool) /mozilla-central/xpcom/threads/nsThreadUtils.cpp:510:10
    #24 0x7f94c01ca4d8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /mozilla-central/ipc/glue/MessagePump.cpp:334:20
    #25 0x7f94c0051109 in RunHandler /mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
    #26 0x7f94c0051109 in MessageLoop::Run() /mozilla-central/ipc/chromium/src/base/message_loop.cc:299
    #27 0x7f94bef730a8 in nsThread::ThreadFunc(void*) /mozilla-central/xpcom/threads/nsThread.cpp:423:11
    #28 0x7f94ec37f84a in _pt_root /mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #29 0x7f94efc087fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #30 0x7f94eec36b0e in clone /build/glibc-CxtIbX/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
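The report above is memcpy being handed a NULL source pointer through sslBuffer_AppendVariable, reached from tls13_HkdfExpandLabel. As an added example that is not NSS's code, the C program below shows a minimal length-prefixed append routine in the spirit of that function, once unguarded (it reproduces the sanitizer report when built with -fsanitize=nonnull-attribute and called with an empty field passed as (NULL, 0)) and once with the guard the fix title describes, plus an HkdfLabel-style encoder that supplies an empty context that way. All names (buf_t, append_number, append_variable, encode_hkdf_label) are invented for the illustration; the field layout follows RFC 8446 HkdfLabel and is not a copy of NSS's internal encoder.

```c
/*
 * Added example, not NSS code. buf_t, append_* and encode_hkdf_label are
 * invented names; the field layout follows RFC 8446 HkdfLabel, not NSS.
 *
 * C11 7.1.4 requires every pointer passed to a <string.h> function to be
 * valid even when the byte count is 0, and glibc marks memcpy's pointers
 * nonnull, so memcpy(dst, NULL, 0) is undefined behaviour. clang's
 * -fsanitize=nonnull-attribute reports it, as in the trace above.
 *
 * Build: cc -O1 -g -fsanitize=undefined -fsanitize=nonnull-attribute x.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t *data;
    size_t len; /* bytes written so far */
    size_t cap; /* bytes available */
} buf_t;

buf_t buf_init(uint8_t *storage, size_t cap)
{
    buf_t b = { storage, 0, cap };
    return b;
}

/* True if a `size`-byte prefix plus `len` payload bytes still fit. */
static int has_room(const buf_t *b, size_t size, size_t len)
{
    return size <= b->cap - b->len && len <= b->cap - b->len - size;
}

/* Append v big-endian in exactly `size` bytes (1..sizeof(size_t)). */
int append_number(buf_t *b, size_t v, size_t size)
{
    if (size == 0 || size > sizeof(size_t) || !has_room(b, size, 0)) return -1;
    if (size < sizeof(size_t) && (v >> (8 * size)) != 0) return -1; /* too big */
    for (size_t i = 0; i < size; i++) {
        b->data[b->len + i] = (uint8_t)(v >> (8 * (size - 1 - i)));
    }
    b->len += size;
    return 0;
}

/* Unguarded: an empty field passed as (NULL, 0) reaches memcpy. */
int append_variable_unguarded(buf_t *b, const uint8_t *src, size_t len,
                              size_t size)
{
    if (!has_room(b, size, len) || append_number(b, len, size) != 0) return -1;
    memcpy(b->data + b->len, src, len); /* UB when src == NULL, even for len 0 */
    b->len += len;
    return 0;
}

/* Guarded: the fix pattern. An empty field never reaches memcpy, and a NULL
 * pointer with a non-zero length is a caller bug that is rejected. */
int append_variable(buf_t *b, const uint8_t *src, size_t len, size_t size)
{
    if (len > 0 && src == NULL) return -1;
    if (!has_room(b, size, len) || append_number(b, len, size) != 0) return -1;
    if (len > 0) {
        memcpy(b->data + b->len, src, len);
        b->len += len;
    }
    return 0;
}

/* HkdfLabel (RFC 8446 7.1): uint16 length; opaque label<7..255> holding
 * "tls13 " + label; opaque context<0..255>. An empty context arrives as
 * (NULL, 0), the case the unguarded routine mishandles. */
int encode_hkdf_label(buf_t *b, uint16_t length, const char *label,
                      const uint8_t *ctx, size_t ctxlen)
{
    static const char prefix[] = "tls13 ";
    uint8_t full[255];
    size_t plen = sizeof(prefix) - 1;
    size_t llen = strlen(label);
    if (llen > sizeof(full) - plen) return -1;
    memcpy(full, prefix, plen);
    memcpy(full + plen, label, llen);
    if (append_number(b, length, 2) != 0 ||
        append_variable(b, full, plen + llen, 1) != 0) {
        return -1;
    }
    return append_variable(b, ctx, ctxlen, 1);
}

int main(void)
{
    uint8_t storage[64];
    buf_t b = buf_init(storage, sizeof storage);
    /* Empty context as (NULL, 0); expect 00 10 09 "tls13 key" 00. */
    if (encode_hkdf_label(&b, 16, "key", NULL, 0) != 0) return 1;
    for (size_t i = 0; i < b.len; i++) printf("%02x ", storage[i]);
    printf("\n");
    return 0;
}
```

Swapping `append_variable` for `append_variable_unguarded` inside `encode_hkdf_label` and building with the flags in the header comment reproduces a "null pointer passed as argument 2" report at the memcpy line. Without the sanitizer the call is harmless on glibc, which is why this class of bug survives until a nonnull-attribute build hits it; the danger is that the compiler may take the nonnull contract at face value and delete later NULL checks on the same pointer.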
ekr, phabricator is somewhat busted right now and the automatic linking to bugzilla is not working. Also, new CLs get marked as private (as a security feature), and the same process, which should make them public, doesn't. I can't see that bug, even though I was marked as a reviewer. Can you manually change visibility?
Flags: needinfo?(ekr)
Assignee: nobody → ekr
Priority: -- → P1
Target Milestone: --- → 3.35
Clearing n-i. The patch is OK to land.
Flags: needinfo?(ekr)
Comment on attachment 8945492 [details]
Bug 1427673 - Fix NULL pointer to PORT_Memcpy()

Martin Thomson [:mt:] has approved the revision.

https://phabricator.services.mozilla.com/D348
Attachment #8945492 - Flags: review+

Is it possible to get this landed? We are hoping to enable -fsanitize=nonnull-attribute by default in ASan+UBSan builds soon.

Blocks: ubsan
Flags: needinfo?(mt)
QA Contact: jjones

It was already landed apparently in 39c74bc63a1e.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mt)
Resolution: --- → FIXED

That was easy, thank you :)

