Closed
Bug 1459666
Opened 7 years ago
Closed 7 years ago
Browser crashes via FTP
Categories
(Core Graveyard :: Networking: FTP, defect, P2)
Tracking
(firefox-esr52 wontfix, firefox-esr60 wontfix, firefox60 wontfix, firefox61 wontfix, firefox62 verified, firefox63 verified)
VERIFIED
FIXED
mozilla62
People
(Reporter: vdnpp, Assigned: valentin)
Details
(Keywords: crash, csectype-dos, testcase, Whiteboard: [necko-triaged][sg:dos])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
170.00 KB,
application/gzip
|
Details | |
|
3.89 KB,
patch
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952
Steps to reproduce:
OS: Debian 9
Browser: 59.0.2 64bit and 52.7.4 ESR 64bit
1. Open in tab ftp://cyberghost.pro:80/pro.php (any exec file which not on server)
2. After a while all the tabs crashed in 52.7.4 ESR version and only active tabs crashed in 59.0.2 version
For example, may be use redirect for reproduction - https://cyberghost.pro/tor/r.php
Actual results:
After try open FTP link on non default port and with the indication of certain types of files such as php, doc, xls (any exec type file) there is a crashed browser.
Expected results:
Browser must inform you that ftp is not used at this address.
|
Reporter | |
Updated•7 years ago
|
status-firefox-esr52:
--- → ?
tracking-firefox-esr52:
--- → ?
|
||
Comment 1•7 years ago
|
||
This reproduces for me on Linux, but not Win10. Valentin, can you please take a look? It's also unclear to me why this was filed as a security-sensitive bug?
Group: core-security → network-core-security
Crash Signature: [@ IPCError-content | PFTPChannel::Msg_FlushedForDiversion Route error: message sent to unknown actor ID ]
status-firefox60:
--- → wontfix
status-firefox61:
--- → affected
status-firefox62:
--- → affected
status-firefox-esr60:
--- → affected
tracking-firefox-esr52:
? → ---
Flags: needinfo?(vdnpp)
Flags: needinfo?(valentin.gosu)
|
||
Comment 2•7 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #1)
> It's also unclear to me why this was filed as a
> security-sensitive bug?
That's been my suggestion as I did not have time to look into this yesterday and was not sure about the severity of this issue. It seems we hit
Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(rv)), 1))) || rv == NS_ERROR_NOT_AVAILABLE, at /var/tmp/build/firefox-deaa82b4f8ab/netwerk/protocol/ftp/FTPChannelParent.cpp:646
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → valentin.gosu
Flags: needinfo?(valentin.gosu)
Whiteboard: [necko-triaged]
|
|
||
Updated•7 years ago
|
Flags: needinfo?(vdnpp)
|
|
Assignee | |
Comment 3•7 years ago
|
||
Good news: with the latest nightly this doesn't crash anymore. (bug 1436311)
Bad news: infinite loop :)
|
|
Assignee | |
Comment 4•7 years ago
|
||
The bug is indeed caused by the tcp connection not sending back any data, and just being closed right away.
So we get something like this:
FTPChannelChild::DoOnStartRequest
FTPChannelChild::DoOnStopRequest -> nsUnknownDecoder::OnStopRequest -> (data is empty) -> nsUnknownDecoder::FireListenerNotifications -> nsDocumentOpenInfo::OnStartRequest -> ExternalHelperAppChild::OnStartRequest -> ExternalHelperAppChild::DivertToParent -> FTPChannelChild::DivertToParent.
However, in nsIDivertableChannel.idl the description for divertToParent() is "divertToParent is called in the child process. It can only be called during OnStartRequest()."
Enforcing this condition seems to be enough to avoid an infinite loop. The crash was fixed by bug 1436311.
|
|
Assignee | |
Comment 5•7 years ago
|
||
Attachment #8979355 -
Flags: review?(dd.mozilla)
|
||
Updated•7 years ago
|
Group: network-core-security
Whiteboard: [necko-triaged] → [necko-triaged][sg:dos]
|
||
Updated•7 years ago
|
Priority: -- → P2
|
||
Comment 6•7 years ago
|
||
Comment on attachment 8979355 [details] [diff] [review]
Ensure that DivertToParent is only called during OnStartRequest
Review of attachment 8979355 [details] [diff] [review]:
-----------------------------------------------------------------
thanks.
Attachment #8979355 -
Flags: review?(dd.mozilla) → review+
|
|
Assignee | |
Updated•7 years ago
|
Keywords: checkin-needed
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6cb4b8d4daad
Ensure that DivertToParent is only called during OnStartRequest r=dragana
Keywords: checkin-needed
|
||
Comment 8•7 years ago
|
||
Backed out changeset 6cb4b8d4daad (bug 1459666) for build bustages on /netwerk/protocol/ftp/FTPChannelChild.cpp
Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/104f1728e3bcb12d677effe725a58f92e1709074
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=898c5c1920bd221336841f74857fce2fe9c3e8cb
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=180241949&repo=mozilla-inbound&lineNumber=16676
Flags: needinfo?(valentin.gosu)
|
|
Assignee | |
Comment 9•7 years ago
|
||
|
|
Assignee | |
Comment 10•7 years ago
|
||
The bug was caused by the tcp connection not sending back any data, and just being closed right away.
So we get something like this:
FTPChannelChild::DoOnStartRequest
FTPChannelChild::DoOnStopRequest -> nsUnknownDecoder::OnStopRequest -> (data is empty) -> nsUnknownDecoder::FireListenerNotifications -> nsDocumentOpenInfo::OnStartRequest -> ExternalHelperAppChild::OnStartRequest -> ExternalHelperAppChild::DivertToParent -> FTPChannelChild::DivertToParent.
However, in nsIDivertableChannel.idl the description for divertToParent() is "divertToParent is called in the child process. It can only be called during OnStartRequest()."
Enforcing this condition seems to be enough to avoid an infinite loop. The crash was fixed by bug 1436311.
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8979355 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 11•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8303c9587a1445920ea4c99937f995bc2d7c72df
Bug 1459666 - Ensure that DivertToParent is only called during OnStartRequest r=dragana
|
|
||
Comment 12•7 years ago
|
||
| bugherder | ||
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
|
Assignee | |
Updated•7 years ago
|
Flags: needinfo?(valentin.gosu)
|
|
||
Comment 13•7 years ago
|
||
I think we should let this ride the trains given where we are in the cycle. If you feel strongly otherwise, feel free to nominate the patch for uplift with your reasoning for why.
|
||
Updated•7 years ago
|
Flags: qe-verify+
|
||
Comment 14•7 years ago
|
||
I managed to reproduce the issue using a older version of Nightly (2018-05-07) on Ubuntu 16.04 x64. As soon as the page was loaded, the tab crashed.
I tried again using the latest Nightly and Beta 62.0b7 on the same platform and the tab didn't crash anymore. However, I didn't get any warnings that the ftp is not used at this address either. Is that expected behaviour?
|
|
Assignee | |
Comment 15•7 years ago
|
||
If you tested with ftp://cyberghost.pro:80/pro.php then all you should see is a blank page and no crashes.
|
|
||
Comment 16•7 years ago
|
||
According to comment 14 and comment 15, I will mark this bug as verified.
|
|
||
Updated•7 years ago
|
Flags: qe-verify+
|
|
||
Updated•7 years ago
|
Flags: qe-verify+
|
||
Updated•1 year ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•