Closed Bug 1445472 Opened 2 years ago Closed 2 years ago

IPC: heap-buffer-overflow crash [@net_CoalesceDirs]

(Core :: Networking, defect, critical)

RESOLVED WORKSFORME
firefox61 --- affected

(Reporter: posidron, Unassigned)

(Blocks 1 open bug)

Attached file session.txt
INFO: This is an IPC crash found by the fuzzer faulty - there is no test-case available which leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages which were sent and received during a session of visiting https://html5test.com.

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1
==17290==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030002d7016 at pc 0x7fbf482746ca bp 0x7fff98d52da0 sp 0x7fff98d52d98
READ of size 1 at 0x6030002d7016 thread T0
    #0 0x7fbf482746c9 in net_CoalesceDirs(netCoalesceFlags, char*) /builds/worker/workspace/build/src/netwerk/base/nsURLHelper.cpp:262:12
    #1 0x7fbf4823aa37 in mozilla::net::nsStandardURL::Resolve(nsTSubstring<char> const&, nsTSubstring<char>&) /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.cpp
    #2 0x7fbf4824499e in mozilla::net::nsStandardURL::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*) /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.cpp:3337:28
    #3 0x7fbf48253603 in mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL>::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**) /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.h:398:32
    #4 0x7fbf4801b77a in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIURIMutator.h:428:10
    #5 0x7fbf4801b77a in std::_Function_handler<nsresult (nsIURIMutator*), std::function<nsresult (nsIURIMutator*)> const NS_MutatorMethod<nsresult (nsIStandardURLMutator::*)(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**), nsIStandardURL::{unnamed type#1}, int, nsTString<char>, char const*, nsCOMPtr<nsIURI>, decltype(nullptr)>(nsresult (nsIStandardURLMutator::*)(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**), nsIStandardURL::{unnamed type#1}, int, nsTString<char>, char const*, nsCOMPtr<nsIURI>, decltype(nullptr))::{lambda(nsIURIMutator*)#1}>::_M_invoke(std::_Any_data const&, nsIURIMutator*) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2024
    #6 0x7fbf4898bd3c in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #7 0x7fbf4898bd3c in Apply /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIURIMutator.h:583
    #8 0x7fbf4898bd3c in mozilla::net::NewURI(nsTSubstring<char> const&, char const*, nsIURI*, int, nsIURI**) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpHandler.cpp:141
    #9 0x7fbf48177a5b in mozilla::net::nsIOService::NewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:703:21
    #10 0x7fbf48b079bf in mozilla::net::nsHttpChannel::CreateNewURI(char const*, nsIURI**) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:8336:23
    #11 0x7fbf48ade4d3 in mozilla::net::nsHttpChannel::AsyncProcessRedirection(unsigned int) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5547:19
    #12 0x7fbf48aecfa6 in mozilla::net::nsHttpChannel::ContinueProcessResponse2(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2424:14
    #13 0x7fbf48aec63b in mozilla::net::nsHttpChannel::ContinueProcessResponse1() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2357:12
    #14 0x7fbf48aebeac in mozilla::net::nsHttpChannel::ProcessResponse() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2258:12
    #15 0x7fbf48b164ac in mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:6927:20
    #16 0x7fbf48192c43 in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:526:25
    #17 0x7fbf481922b9 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:429:25
    #18 0x7fbf47f64f22 in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:102:20
    #19 0x7fbf47fd2b96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #20 0x7fbf47fee130 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #21 0x7fbf48ea583a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #22 0x7fbf48df40d9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7fbf48df40d9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7fbf48df40d9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7fbf4fb8effa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #26 0x7fbf53e2c59b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #27 0x7fbf54040b3c in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4724:22
    #28 0x7fbf54043b08 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4869:8
    #29 0x7fbf540451e4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4961:21
    #30 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #31 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #32 0x7fbf685a31c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #33 0x4265bc in _start (/home/worker/firefox/firefox+0x4265bc)

0x6030002d7016 is located 1 bytes to the right of 21-byte region [0x6030002d7000,0x6030002d7015)
allocated by thread T0 here:
    #0 0x4c7303 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f7dcd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7fbf4823af80 in AppendToSubstring /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.cpp:1138:29
    #3 0x7fbf4823af80 in mozilla::net::nsStandardURL::Resolve(nsTSubstring<char> const&, nsTSubstring<char>&) /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.cpp:2599
    #4 0x7fbf4824499e in mozilla::net::nsStandardURL::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*) /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.cpp:3337:28
    #5 0x7fbf48253603 in mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL>::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**) /builds/worker/workspace/build/src/netwerk/base/nsStandardURL.h:398:32
    #6 0x7fbf4801b77a in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIURIMutator.h:428:10
    #7 0x7fbf4801b77a in std::_Function_handler<nsresult (nsIURIMutator*), std::function<nsresult (nsIURIMutator*)> const NS_MutatorMethod<nsresult (nsIStandardURLMutator::*)(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**), nsIStandardURL::{unnamed type#1}, int, nsTString<char>, char const*, nsCOMPtr<nsIURI>, decltype(nullptr)>(nsresult (nsIStandardURLMutator::*)(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**), nsIStandardURL::{unnamed type#1}, int, nsTString<char>, char const*, nsCOMPtr<nsIURI>, decltype(nullptr))::{lambda(nsIURIMutator*)#1}>::_M_invoke(std::_Any_data const&, nsIURIMutator*) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2024
    #8 0x7fbf4898bd3c in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #9 0x7fbf4898bd3c in Apply /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIURIMutator.h:583
    #10 0x7fbf4898bd3c in mozilla::net::NewURI(nsTSubstring<char> const&, char const*, nsIURI*, int, nsIURI**) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpHandler.cpp:141
    #11 0x7fbf48177a5b in mozilla::net::nsIOService::NewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:703:21
    #12 0x7fbf48b079bf in mozilla::net::nsHttpChannel::CreateNewURI(char const*, nsIURI**) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:8336:23
    #13 0x7fbf48ade4d3 in mozilla::net::nsHttpChannel::AsyncProcessRedirection(unsigned int) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5547:19
    #14 0x7fbf48aecfa6 in mozilla::net::nsHttpChannel::ContinueProcessResponse2(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2424:14
    #15 0x7fbf48aec63b in mozilla::net::nsHttpChannel::ContinueProcessResponse1() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2357:12
    #16 0x7fbf48aebeac in mozilla::net::nsHttpChannel::ProcessResponse() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2258:12
    #17 0x7fbf48b164ac in mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:6927:20
    #18 0x7fbf48192c43 in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:526:25
    #19 0x7fbf481922b9 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:429:25
    #20 0x7fbf47f64f22 in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:102:20
    #21 0x7fbf47fd2b96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #22 0x7fbf47fee130 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #23 0x7fbf48ea583a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #24 0x7fbf48df40d9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #25 0x7fbf48df40d9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #26 0x7fbf48df40d9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #27 0x7fbf4fb8effa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #28 0x7fbf53e2c59b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #29 0x7fbf54040b3c in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4724:22
    #30 0x7fbf54043b08 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4869:8
    #31 0x7fbf540451e4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4961:21
    #32 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #33 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #34 0x7fbf685a31c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/netwerk/base/nsURLHelper.cpp:262:12 in net_CoalesceDirs(netCoalesceFlags, char*)
==17290==ABORTING
Summary: IPC: heap-overflow-crash [@net_CoalesceDirs] → IPC: heap-buffer-overflow crash [@net_CoalesceDirs]
net_CoalesceDirs assumes a null-terminated char*, so maybe it doesn't get one here[1] - would that cause ASAN to trigger? From looking at the trace, there is an HTTP channel created shortly before the crash:

time: 1520977352109424][17290<-17404] [PNeckoParent] Received  PNecko::Msg_PHttpChannelConstructor

So maybe some bogus data was passed to the PHttpChannel constructor[2]?
That's a pretty wild guess though; that constructor code is pretty complicated, and we need someone who is familiar with it.

[1] https://searchfox.org/mozilla-central/source/netwerk/base/nsURLHelper.cpp#262
[2] https://searchfox.org/mozilla-central/source/netwerk/ipc/NeckoParent.cpp#320
There's also this:

[Faulty] pickle field {UInt32} of value: 22 changed to: 0
[time: 1520977352073010][17404->17290] [PNeckoChild] Sending  PNecko::Msg_PHttpChannelConstructor

Skimming through the definition of what's in that constructor message, my guess is this uint32_t is somewhere in the HttpChannelCreationArgs: https://searchfox.org/mozilla-central/rev/8fa0b32c84f9/netwerk/ipc/NeckoChannelParams.ipdlh#156-223
Group: core-security → network-core-security
This looks possibly related to bug 1433609, which is also around issues in serializing URLs.
See Also: → 1433609
Can the crash still be reproduced since bug 1433609 landed?
Flags: needinfo?(cdiehl)
I have not seen this signature again, only the one in 1433609. I recently made some bigger changes to the fuzzer and will be able to provide you with the exact message which caused the crash, and then re-open the other bug.
Flags: needinfo?(cdiehl)
(In reply to Christoph Diehl [:posidron] from comment #5)
> I have not seen this signature again, only the one in 1433609. I recently
> made some bigger changes to the fuzzer and will be able to provide you with
> the exact message which caused the crash, and then re-open the other bug.

Thanks Christoph. I would maybe open a separate bug, rather than reopening bug 1433609 - but it's your call if it's the same bug or just a different variant of it.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Group: network-core-security