Open Bug 1450942 Opened 2 years ago Updated Last year

IPC: crash with Msg_ScriptErrorWithStack [@mozilla::ipc::PrincipalInfoToPrincipal]

Categories

(Core :: Security: CAPS, defect, critical)

Tracking

Tracking Status
firefox61 --- affected

People

(Reporter: posidron, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Attachments

(3 files)

Attached file faulty.txt
The following message was identified to be responsible for this crash and got blacklisted from fuzzing until fixed.

Message: PContent::Msg_ScriptErrorWithStack


$ hexdiff message.20976.14972.{o,m}


See the attached file for further details.
Attached file messages.zip
Attached is a minimal reproducer, in the form of an input to my libFuzzer-based IPC fuzzer:

osboxes@osboxes:~/mozilla-central$ (cd obj-x86_64-pc-linux-gnu/dist/bin/; MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=ContentParentIPC ./firefox -artifact_prefix=/home/osboxes/content-parent-artifacts/ /home/osboxes/content-parent-artifacts/minimized-from-e4b8ec1229b8ce478000312be763c62fa93107fc -rss_limit_mb=3192)
Running Fuzzer tests...
INFO: Seed: 923958958
INFO: Loaded 1 modules   (1622782 guards): 1622782 [0x7f7a394b774c, 0x7f7a39ae8344),
./firefox: Running 1 inputs 1 time(s) each.
Running: /home/osboxes/content-parent-artifacts/minimized-from-e4b8ec1229b8ce478000312be763c62fa93107fc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==18624==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7a2191e435 bp 0x7ffdee685a70 sp 0x7ffdee685820 T0)
==18624==The signal is caused by a WRITE memory access.
==18624==Hint: address points to the zero page.
    #0 0x7f7a2191e434 in Release /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:41:11
    #1 0x7f7a2191e434 in Release /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:398
    #2 0x7f7a2191e434 in ~RefPtr /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:79
    #3 0x7f7a2191e434 in mozilla::ipc::PrincipalInfoToPrincipal(mozilla::ipc::PrincipalInfo const&, nsresult*) /home/osboxes/mozilla-central/ipc/glue/BackgroundUtils.cpp:136
    #4 0x7f7a22f4875f in mozilla::docshell::OfflineCacheUpdateParent::Schedule(mozilla::ipc::URIParams const&, mozilla::ipc::URIParams const&, mozilla::ipc::PrincipalInfo const&, bool const&) /home/osboxes/mozilla-central/uriloader/prefetch/OfflineCacheUpdateParent.cpp:93:25
    #5 0x7f7a29b783ae in mozilla::dom::ContentParent::RecvPOfflineCacheUpdateConstructor(mozilla::docshell::POfflineCacheUpdateParent*, mozilla::ipc::URIParams const&, mozilla::ipc::URIParams const&, mozilla::ipc::PrincipalInfo const&, bool const&) /home/osboxes/mozilla-central/dom/ipc/ContentParent.cpp:4500:25
    #6 0x7f7a21c941a3 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/ipc/ipdl/PContentParent.cpp:6289:20
    #7 0x7f7a31298f68 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, std::unordered_set<unsigned int, std::hash<unsigned int>, std::equal_to<unsigned int>, std::allocator<unsigned int> >&) /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/ProtocolFuzzer.h:48:18
    #8 0x7f7a31298266 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) /home/osboxes/mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:61:3
    #9 0x5b9d7d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #10 0x5ae5fe in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:280:6
    #11 0x5b2601 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:703:9
    #12 0x7f7a2f868981 in mozilla::FuzzerRunner::Run(int*, char***) /home/osboxes/mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #13 0x7f7a2f7789fe in XREMain::XRE_mainStartup(bool*) /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:3863:35
    #14 0x7f7a2f78e3d8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:4799:12
    #15 0x7f7a2f79006d in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:4906:21
    #16 0x51d34c in do_main /home/osboxes/mozilla-central/browser/app/nsBrowserApp.cpp:233:22
    #17 0x51d34c in main /home/osboxes/mozilla-central/browser/app/nsBrowserApp.cpp:306
    #18 0x7f7a46e50b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #19 0x420499 in _start (/home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/firefox+0x420499)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:41:11 in Release
==18624==ABORTING


However, if I run this input under GDB I get a much higher-quality bug report:

/home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/firefox: Running 1 inputs 1 time(s) each.
Running: /home/osboxes/content-parent-artifacts/minimized-from-e4b8ec1229b8ce478000312be763c62fa93107fc

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
PrincipalInfoToPrincipal () at /home/osboxes/mozilla-central/ipc/glue/BackgroundUtils.cpp:106
106	        MOZ_CRASH("Origin must be available when deserialized");
(gdb) list
101	      // Origin must match what the_new_principal.getOrigin returns.
102	      nsAutoCString originNoSuffix;
103	      rv = principal->GetOriginNoSuffix(originNoSuffix);
104	      if (NS_WARN_IF(NS_FAILED(rv)) ||
105	          !info.originNoSuffix().Equals(originNoSuffix)) {
106	        MOZ_CRASH("Origin must be available when deserialized");
107	      }
108
109	      return principal.forget();
110	    }
(gdb) bt
#0  0x00007fffd161e435 in PrincipalInfoToPrincipal() () at /home/osboxes/mozilla-central/ipc/glue/BackgroundUtils.cpp:106
#1  0x00007fffd2c48760 in Schedule() () at /home/osboxes/mozilla-central/uriloader/prefetch/OfflineCacheUpdateParent.cpp:93
#2  0x00007fffd98783af in RecvPOfflineCacheUpdateConstructor() () at /home/osboxes/mozilla-central/dom/ipc/ContentParent.cpp:4500
#3  0x00007fffd19941a4 in OnMessageReceived() () at /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/ipc/ipdl/PContentParent.cpp:6289
#4  0x00007fffe0f98f69 in FuzzProtocol<mozilla::dom::ContentParent>() () at /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/ProtocolFuzzer.h:48
#5  0x00007fffe0f98267 in RunContentParentIPCFuzzing() () at /home/osboxes/mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:61
#6  0x00000000005b9d7e in ExecuteCallback() () at /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517
#7  0x00000000005ae5ff in RunOneTest() () at /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:280
#8  0x00000000005b2602 in FuzzerDriver() () at /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:703
#9  0x00007fffdf568982 in Run() () at /home/osboxes/mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60
#10 0x00007fffdf4789ff in XRE_mainStartup() () at /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:3863
#11 0x00007fffdf48e3d9 in XRE_main() () at /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:4799
#12 0x00007fffdf49006e in XRE_main() () at /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:4906
#13 0x000000000051d34d in do_main () at /home/osboxes/mozilla-central/browser/app/nsBrowserApp.cpp:233
#14 0x000000000051d34d in main() () at /home/osboxes/mozilla-central/browser/app/nsBrowserApp.cpp:306
(gdb)


Is it possible for us to make the function return an error instead of crash here, and propagate that error upwards? That'd be much friendlier to the fuzzers :-)
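The change the comment above asks for, shown as an added example that is not Mozilla's code: the origin check that currently hits MOZ_CRASH at BackgroundUtils.cpp:106 instead reports a failure through the nsresult-style out-parameter and the caller propagates it. Principal, PrincipalInfo, Result and Schedule are simplified stand-ins for the real types and are assumptions of this example.

```cpp
// Added example (not Mozilla code): validate child-supplied data and return
// an error instead of aborting the parent. All types here are stand-ins.
#include <memory>
#include <string>

// Stand-in for nsresult.
enum class Result { Ok, ErrorFailure, ErrorUnexpected };

// Stand-in for the principal the parent reconstructs from the message.
struct Principal {
    std::string scheme;
    std::string host;
    // Equivalent of GetOriginNoSuffix(): derived from the parent's own data.
    std::string OriginNoSuffix() const { return scheme + "://" + host; }
};

// Stand-in for PrincipalInfo: fields exactly as they arrived over IPC.
struct PrincipalInfo {
    std::string spec;           // e.g. "https://example.com/path"
    std::string originNoSuffix; // what the child claims the origin is
};

// Builds the principal from the untrusted spec. On any inconsistency it sets
// *rv and returns nullptr rather than crashing the parent process.
std::unique_ptr<Principal> PrincipalInfoToPrincipal(const PrincipalInfo& info, Result* rv) {
    const auto sep = info.spec.find("://");
    if (sep == std::string::npos) { *rv = Result::ErrorFailure; return nullptr; }
    auto principal = std::make_unique<Principal>();
    principal->scheme = info.spec.substr(0, sep);
    const auto hostStart = sep + 3;
    const auto hostEnd = info.spec.find('/', hostStart);
    principal->host = info.spec.substr(hostStart,
        hostEnd == std::string::npos ? std::string::npos : hostEnd - hostStart);
    if (principal->host.empty()) { *rv = Result::ErrorFailure; return nullptr; }
    // The check that MOZ_CRASHes in the real code: the origin the child sent
    // must equal the one the parent derives. A mismatch means a malformed or
    // hostile message, which is a rejectable error, not a parent-side bug.
    if (principal->OriginNoSuffix() != info.originNoSuffix) {
        *rv = Result::ErrorUnexpected;
        return nullptr;
    }
    *rv = Result::Ok;
    return principal;
}

// Stand-in for the caller (OfflineCacheUpdateParent::Schedule): propagate the
// failure upwards so the IPC layer can reject the message.
Result Schedule(const PrincipalInfo& info) {
    Result rv = Result::Ok;
    auto principal = PrincipalInfoToPrincipal(info, &rv);
    if (rv != Result::Ok || !principal) return rv;
    return Result::Ok;
}
```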