Bug 1449405 (Open) - Opened 2 years ago, updated last year

IPC: crash [@mozilla::RemoteSpellcheckEngineChild::RecvNotifyOfCurrentDictionary]

Categories: Core :: Spelling checker, defect, P2, critical
Tracking Status: firefox61 --- affected
People: Reporter: posidron, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, testcase

The following message was identified to be responsible for this crash and got blacklisted from fuzzing until fixed.

$ hexdump -C /tmp/faulty/message.12962.1359
00000000  48 00 00 00 ed ff ff ff  09 00 6c 00 01 00 00 00  |H.........l.....|
00000010  00 00 00 00 ff ff ff ff  ff ff ff ff 00 00 00 00  |................|
00000020  03 00 00 00 00 00 3a 00  05 00 00 00 65 00 6e 00  |......:.....e.n.|
00000030  2d 02 55 00 53 00 bf bf  00 00 00 00 05 00 00 00  |-.U.S...........|
00000040  65 b7 6e 00 2d 00 55 00  53 00 bf bf 00 00 00 00  |e.n.-.U.S.......|
00000050  05 e5 00 00 65 00 6e 00  2d 00 55 00 53 00 bf bf  |....e.n.-.U.S...|
00000060  10 48 26 00 20 60 00 00                           |.H&. `..|
00000068

[...]
[Faulty] (12962) FUZZING (4 bytes): PRemoteSpellcheckEngine::Msg_SetDictionaryFromList
[Faulty] (12962) Process: 2 | Size:        104 | message.12962.1359   | Channel::ChannelImpl::Send => PRemoteSpellcheckEngine::Msg_SetDictionaryFromList
[Faulty] (12962) Process: 2 | Size:         48 | message.12962.1360   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_NewCompositable
[Faulty] (12962) Process: 2 | Size:         48 | message.12962.1361   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_NewCompositable
[Faulty] (12962) Process: 2 | Size:         56 | message.12962.1362   | Channel::ChannelImpl::Send => SHMEM_CREATED_MESSAGE
[Faulty] (12962) Process: 2 | Size:        104 | message.12962.1363   | Channel::ChannelImpl::Send => PCompositorBridge::Msg_PTextureConstructor
[Faulty] (12962) Process: 2 | Size:         48 | message.12962.1364   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_NewCompositable
[Faulty] (12962) Process: 2 | Size:         56 | message.12962.1365   | Channel::ChannelImpl::Send => SHMEM_CREATED_MESSAGE
[Faulty] (12962) Process: 2 | Size:        104 | message.12962.1366   | Channel::ChannelImpl::Send => PCompositorBridge::Msg_PTextureConstructor
[Faulty] (12962) Process: 2 | Size:         48 | message.12962.1367   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_NewCompositable
[Faulty] (12962) BLACKLISTED: SHMEM_CREATED_MESSAGE
[Faulty] (12962) Process: 2 | Size:         56 | message.12962.1368   | Channel::ChannelImpl::Send => SHMEM_CREATED_MESSAGE
[Faulty] (12962) Process: 2 | Size:        104 | message.12962.1369   | Channel::ChannelImpl::Send => PCompositorBridge::Msg_PTextureConstructor
[Faulty] (12962) Process: 2 | Size:         96 | message.12962.1370   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_InitReadLocks
[Faulty] (12962) Process: 2 | Size:       5128 | message.12962.1371   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_Update
[Faulty] (12962) Process: 2 | Size:         40 | message.12962.1372   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_ReleaseCompositable
[Faulty] (12962) Process: 2 | Size:         40 | message.12962.1373   | Channel::ChannelImpl::Send => PLayerTransaction::Msg_ReleaseLayer
ASAN:DEADLYSIGNAL
=================================================================
==12962==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5535bf236f bp 0x7ffc0d936ef0 sp 0x7ffc0d936e40 T0)
    #0 0x7f5535bf236e in operator! /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/dist/include/mozilla/RefPtr.h:312:36
    #1 0x7f5535bf236e in IsEmpty /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/dist/include/mozilla/MozPromise.h:1200
    #2 0x7f5535bf236e in RejectIfExists /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/dist/include/mozilla/MozPromise.h:1274
    #3 0x7f5535bf236e in mozilla::RemoteSpellcheckEngineChild::RecvNotifyOfCurrentDictionary(nsTString<char16_t> const&, long const&) /home/posidron/dev/mozilla/mozilla-inbound/extensions/spellcheck/hunspell/glue/RemoteSpellCheckEngineChild.cpp:47
    #4 0x7f552a9ad7c4 in mozilla::PRemoteSpellcheckEngineChild::OnMessageReceived(IPC::Message const&) /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/ipc/ipdl/PRemoteSpellcheckEngineChild.cpp:297:20
    #5 0x7f552adc3183 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/ipc/ipdl/PContentChild.cpp:5049:28
    #6 0x7f552a3d5a69 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:2133:25
    #7 0x7f552a3d2357 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:2063:17
    #8 0x7f552a3d3ee9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:1909:5
    #9 0x7f552a3d4838 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessageChannel.cpp:1942:15
    #10 0x7f55291cf526 in nsThread::ProcessNextEvent(bool, bool*) /home/posidron/dev/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:1040:14
    #11 0x7f55291f5d80 in NS_ProcessNextEvent(nsIThread*, bool) /home/posidron/dev/mozilla/mozilla-inbound/xpcom/threads/nsThreadUtils.cpp:517:10
    #12 0x7f552a3de06a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/posidron/dev/mozilla/mozilla-inbound/ipc/glue/MessagePump.cpp:97:21
    #13 0x7f552a290cc8 in RunInternal /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7f552a290cc8 in RunHandler /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:319
    #15 0x7f552a290cc8 in MessageLoop::Run() /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7f5531717f3a in nsBaseAppShell::Run() /home/posidron/dev/mozilla/mozilla-inbound/widget/nsBaseAppShell.cpp:157:27
    #17 0x7f553644ce3b in XRE_RunAppShell() /home/posidron/dev/mozilla/mozilla-inbound/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #18 0x7f552a290cc8 in RunInternal /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:326:10
    #19 0x7f552a290cc8 in RunHandler /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:319
    #20 0x7f552a290cc8 in MessageLoop::Run() /home/posidron/dev/mozilla/mozilla-inbound/ipc/chromium/src/base/message_loop.cc:299
    #21 0x7f553644c2dd in XRE_InitChildProcess(int, char**, XREChildData const*) /home/posidron/dev/mozilla/mozilla-inbound/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #22 0x51bdb8 in content_process_main /home/posidron/dev/mozilla/mozilla-inbound/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #23 0x51bdb8 in main /home/posidron/dev/mozilla/mozilla-inbound/browser/app/nsBrowserApp.cpp:280
    #24 0x7f5549cce1c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #25 0x424409 in _start (/home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/dist/bin/firefox+0x424409)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/posidron/dev/mozilla/mozilla-inbound/obj/ff-asan-release/dist/include/mozilla/RefPtr.h:312:36 in operator!
==12962==ABORTING

FWIW the memory management here looks pretty unsafe: https://searchfox.org/mozilla-central/source/extensions/spellcheck/hunspell/glue/RemoteSpellCheckEngineChild.cpp#28-44

The child sends pointer addresses up to the parent, and then casts the parent's value back to a MozPromiseHolder. It's not a security issue since the parent is more privileged than the child, but it's definitely the sort of thing that the fuzzer will have a field day with.
p2 for blocking fuzzing
Priority: -- → P2
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> The child sends pointer addresses up to the parent, and then casts the parent's
> value back to a MozPromiseHolder. It's not a security issue since the parent
> is more privileged than the child, but it's definitely the sort of thing
> that the fuzzer will have a field day with.

From a quick look at the code, this seems like a good candidate for promise-returning async messages (bug 1313200).
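Added example, not Mozilla's code and not the promise-returning-message change the reply above proposes: a minimal C++ sketch of the pointer round-trip pattern comment 1 describes, beside an id-table variant in which the child keeps ownership and a fuzzed or replayed reply is rejected on lookup instead of dereferenced. MozPromiseHolder is replaced by a stand-in struct, and SpellcheckChild, BeginSetDictionary and RecvNotify are assumed names.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>

struct PromiseHolder {  // stand-in for MozPromiseHolder (assumed, not the real type)
  bool settled = false;
  std::string dictionary;
  void Resolve(const std::string& d) { settled = true; dictionary = d; }
};

// Unsafe pattern (as comment 1 describes it): the child ships the holder's
// address to the parent and casts whatever comes back. A null check is the
// only validation possible; any other corrupted value is undefined behaviour.
bool UnsafeNotify(uintptr_t fromParent, const std::string& dict) {
  auto* holder = reinterpret_cast<PromiseHolder*>(fromParent);
  if (!holder) return false;
  holder->Resolve(dict);
  return true;
}

// Hardened pattern: the child keeps ownership and hands out only an opaque id
// it minted; the reply carries the id, which is validated by table lookup.
class SpellcheckChild {
 public:
  uint64_t BeginSetDictionary() {
    uint64_t id = mNextId++;
    mPending.emplace(id, std::make_unique<PromiseHolder>());
    return id;  // this integer, not a pointer, goes over the wire
  }
  bool RecvNotify(uint64_t id, const std::string& dict) {
    auto it = mPending.find(id);
    if (it == mPending.end()) return false;  // unknown or replayed id: drop it
    it->second->Resolve(dict);
    mPending.erase(it);  // each id is consumed exactly once
    return true;
  }
  std::size_t Pending() const { return mPending.size(); }
 private:
  uint64_t mNextId = 1;
  std::map<uint64_t, std::unique_ptr<PromiseHolder>> mPending;
};
```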