Closed Bug 1442716 Opened 2 years ago Closed 2 years ago

Assertion failure: !originNoSuffix.IsEmpty(), at /srv/repos/mozilla-central/caps/nsJSPrincipals.cpp:228

Categories

(Core :: Security: CAPS, defect, critical)

Platform: x86_64 Linux
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- wontfix
firefox60 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, sec-other, testcase, Whiteboard: [adv-main60-][post-critsmash-triage])

Attachments

(2 files)

I've prototyped a new libfuzzer-based fuzzing target that uses dom::ipc::StructuredCloneData as its entry point to cover the StructuredCloneReader code that is browser-only. The target code has not landed on mozilla-central yet; if you need it to reproduce (in case the stack + test attached do not suffice), please let me know.

The attached testcase crashes on mozilla-central revision 8a2584063e19+:

Backtrace:

==16290==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3637aea9f1 bp 0x7ffe8ad1c890 sp 0x7ffe8ad1c320 T0)
==16290==The signal is caused by a WRITE memory access.
==16290==Hint: address points to the zero page.
    #0 0x7f3637aea9f0 in ClearAndRetainStorage objdir-ff-libfuzzer/dist/include/nsTArray.h:1294:16
    #1 0x7f3637aea9f0 in ~nsTArray_Impl objdir-ff-libfuzzer/dist/include/nsTArray.h:864
    #2 0x7f3637aea9f0 in ~ExpandedPrincipalInfo objdir-ff-libfuzzer/ipc/ipdl/_ipdlheaders/mozilla/ipc/PBackgroundSharedTypes.h:467
    #3 0x7f3637aea9f0 in ReadPrincipalInfo(JSStructuredCloneReader*, unsigned int, mozilla::ipc::PrincipalInfo&) caps/nsJSPrincipals.cpp:214
    #4 0x7f3637ae9223 in nsJSPrincipals::ReadKnownPrincipalType(JSContext*, JSStructuredCloneReader*, unsigned int, JSPrincipals**) caps/nsJSPrincipals.cpp:259:10
    #5 0x7f3638eeaee9 in mozilla::dom::StructuredCloneHolder::ReadFullySerializableObjects(JSContext*, JSStructuredCloneReader*, unsigned int) dom/base/StructuredCloneHolder.cpp:394:10
    #6 0x7f3638eed96c in mozilla::dom::StructuredCloneHolder::CustomReadHandler(JSContext*, JSStructuredCloneReader*, unsigned int, unsigned int) dom/base/StructuredCloneHolder.cpp:1032:10
    #7 0x7f364771714c in JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>) js/src/vm/StructuredClone.cpp:2358:25
    #8 0x7f3647700221 in JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>) js/src/vm/StructuredClone.cpp:2631:14
    #9 0x7f36476ff97c in ReadStructuredClone(JSContext*, JSStructuredCloneData&, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) js/src/vm/StructuredClone.cpp:632:14
    #10 0x7f3638eea969 in ReadFromBuffer dom/base/StructuredCloneHolder.cpp:344:8
    #11 0x7f3638eea969 in mozilla::dom::StructuredCloneHolder::ReadFromBuffer(nsISupports*, JSContext*, JSStructuredCloneData&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) dom/base/StructuredCloneHolder.cpp:324
    #12 0x7f36455fc34b in FuzzingRunDomSC(unsigned char const*, unsigned long) dom/base/fuzztest/FuzzStructuredClone.cpp:53:10
    #13 0x5c0b67 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:458:13
    #14 0x5c0d83 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:397:3
    #15 0x5c09d1 in RunOne tools/fuzzing/libfuzzer/FuzzerInternal.h:98:41
    #16 0x5c09d1 in fuzzer::Fuzzer::ShuffleAndMinimize(std::vector<std::vector<unsigned char, std::allocator<unsigned char> >, std::allocator<std::vector<unsigned char, std::allocator<unsigned char> > > >*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:378
    #17 0x5baf98 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:742:6
    #18 0x7f3644313daa in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #19 0x7f3644253fa4 in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3865:35
    #20 0x7f3644263bae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4793:12
    #21 0x7f36442652e2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4900:21
    #22 0x519f50 in do_main browser/app/nsBrowserApp.cpp:231:22
    #23 0x519f50 in main browser/app/nsBrowserApp.cpp:304
    #24 0x7f36594f682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #25 0x4235d8 in _start (objdir-ff-libfuzzer/dist/bin/firefox+0x4235d8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV objdir-ff-libfuzzer/dist/include/nsTArray.h:1294:16 in ClearAndRetainStorage
==16290==ABORTING


This bug itself is not security-sensitive, but the fuzzing efforts around this target in general are, until we have found and fixed the most common bugs, so I would request to keep this concealed for the moment.
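As an added example that is not part of this bug report or of mozilla-central's own fuzzing code: the shape of a libFuzzer target of the kind described in comment 0, with the same (data, size) entry-point contract as FuzzingRunDomSC in the backtrace. The serialized record format ([u32 little-endian length][origin bytes]), the reader and every name in it are hypothetical and constructed for this example; the point it shows is that a reader reachable from a fuzzer reports malformed input (an empty origin, truncated data) as a status instead of asserting on it, because an assertion on fuzzer-controlled data is itself a crash, as in this bug.

```c
/* Added example, not code from bug 1442716 or mozilla-central.
   Hypothetical reader for a constructed record: [u32 LE length][origin bytes]. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes of the hypothetical reader. */
enum read_status {
    READ_OK = 0,
    READ_TRUNCATED = 1,     /* fewer bytes than the header promises */
    READ_EMPTY_ORIGIN = 2,  /* the condition the assertion above guarded */
    READ_TOO_LONG = 3       /* length exceeds what the record may carry */
};

#define MAX_ORIGIN 256

/* Parsed principal: an origin without suffix, as named in the assertion. */
struct principal_info {
    char origin_no_suffix[MAX_ORIGIN + 1];
    size_t origin_len;
};

/* Read one record. Every malformed case is a returned status, never an
   assertion, so the fuzzer only reports genuine memory-safety bugs. */
enum read_status read_principal_info(const uint8_t *data, size_t size,
                                     struct principal_info *out)
{
    memset(out, 0, sizeof *out);
    if (size < 4)
        return READ_TRUNCATED;
    uint32_t len = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
                   ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    if (len == 0)
        return READ_EMPTY_ORIGIN;
    if (len > MAX_ORIGIN)
        return READ_TOO_LONG;
    if (size - 4 < len)          /* bounds check before copying */
        return READ_TRUNCATED;
    memcpy(out->origin_no_suffix, data + 4, len);
    out->origin_len = len;
    return READ_OK;
}

/* Helpers for stand-alone checks on constructed inputs. */
enum read_status status_of(const uint8_t *bytes, size_t n)
{
    struct principal_info p;
    return read_principal_info(bytes, n, &p);
}

int origin_matches(const uint8_t *bytes, size_t n, const char *expected)
{
    struct principal_info p;
    if (read_principal_info(bytes, n, &p) != READ_OK)
        return 0;
    return strcmp(p.origin_no_suffix, expected) == 0;
}

/* libFuzzer entry point: same (data, size) contract as FuzzingRunDomSC in the
   backtrace. It must return 0 for every input; a sanitizer report here means
   a real defect in the reader, not a rejected input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    struct principal_info info;
    (void)read_principal_info(data, size, &info);
    return 0;
}
```

Built with `clang -g -O1 -fsanitize=fuzzer,address example.c`, libFuzzer supplies main and drives LLVMFuzzerTestOneInput; the empty-origin record that would trip an assertion in a reader without the `len == 0` check is exactly the kind of input the fuzzer finds within seconds.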
Attached file Testcase
Attached patch bug1442716.patch
baku, is this what you had in mind for this assertion?
Assignee: nobody → choller
Status: NEW → ASSIGNED
Attachment #8955610 - Flags: review?(amarchesini)
Attachment #8955610 - Flags: review?(amarchesini) → review+
Keywords: sec-other
Whiteboard: [adv-main60-]
Flags: qe-verify-
Whiteboard: [adv-main60-] → [adv-main60-][post-critsmash-triage]
Group: core-security-release