Closed Bug 1459961 Opened 6 years ago Closed 6 years ago

AddressSanitizer: SEGV on unknown address 0x7f32422961bf in IPC URI deserialization

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1392739
Tracking Flags:
Tracking Status
firefox62 --- affected

People

(Reporter: Alex_Gaynor, Assigned: valentin)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

minimized-from-49bf89b45ecf881cf561260b3bd13588e24d3187
160 bytes, application/octet-stream
Details 
Found at revision f877359308b1.

osboxes@osboxes:~/mozilla-central$ (cd obj-x86_64-pc-linux-gnu/dist/bin/; MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=ContentParentIPC ./firefox -artifact_prefix=/home/osboxes/content-parent/artifacts ~/content-parent-artifacts/minimized-from-49bf89b45ecf881cf561260b3bd13588e24d3187 )
Running Fuzzer tests...
INFO: Seed: 1476400753
INFO: Loaded 1 modules   (1630287 guards): 1630287 [0x7f3146519d80, 0x7f3146b51ebc),
./firefox: Running 1 inputs 1 time(s) each.
Running: /home/osboxes/content-parent-artifacts/minimized-from-49bf89b45ecf881cf561260b3bd13588e24d3187
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3395==ERROR: AddressSanitizer: SEGV on unknown address 0x7f32422961bf (pc 0x7f312da148bc bp 0x7ffd1dbe6c30 sp 0x7ffd1dbe6aa0 T0)
==3395==The signal is caused by a READ memory access.
    #0 0x7f312da148bb in CharAt /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/nsTString.h:211:12
    #1 0x7f312da148bb in Host /home/osboxes/mozilla-central/netwerk/base/nsStandardURL.h:566
    #2 0x7f312da148bb in mozilla::net::nsStandardURL::CheckIfHostIsAscii() /home/osboxes/mozilla-central/netwerk/base/nsStandardURL.cpp:1287
    #3 0x7f312da3a971 in mozilla::net::nsStandardURL::Deserialize(mozilla::ipc::URIParams const&) /home/osboxes/mozilla-central/netwerk/base/nsStandardURL.cpp:3645:19
    #4 0x7f312da522b9 in InitFromIPCParams /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/nsIURIMutator.h:69:21
    #5 0x7f312da522b9 in mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL>::Deserialize(mozilla::ipc::URIParams const&) /home/osboxes/mozilla-central/netwerk/base/nsStandardURL.h:339
    #6 0x7f312eba372c in mozilla::ipc::DeserializeURI(mozilla::ipc::URIParams const&) /home/osboxes/mozilla-central/ipc/glue/URIUtils.cpp:121:26
    #7 0x7f3136d1d016 in mozilla::dom::ContentParent::RecvPLoginReputationConstructor(mozilla::dom::PLoginReputationParent*, mozilla::ipc::URIParams const&) /home/osboxes/mozilla-central/dom/ipc/ContentParent.cpp:5550:26
    #8 0x7f312eea2734 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/ipc/ipdl/PContentParent.cpp:4341:20
    #9 0x7f313e41ded8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, std::unordered_set<unsigned int, std::hash<unsigned int>, std::equal_to<unsigned int>, std::allocator<unsigned int> >&) /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/ProtocolFuzzer.h:48:18
    #10 0x7f313e41d1d6 in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) /home/osboxes/mozilla-central/dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:61:3
    #11 0x5e7184 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #12 0x5bfb3f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:280:6
    #13 0x5cbc81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/osboxes/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:703:9
    #14 0x7f313ca077a1 in mozilla::FuzzerRunner::Run(int*, char***) /home/osboxes/mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #15 0x7f313c91a398 in XREMain::XRE_mainStartup(bool*) /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:4023:35
    #16 0x7f313c92ef98 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:4959:12
    #17 0x7f313c930c2d in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/osboxes/mozilla-central/toolkit/xre/nsAppRunner.cpp:5066:21
    #18 0x51eaac in do_main /home/osboxes/mozilla-central/browser/app/nsBrowserApp.cpp:231:22
    #19 0x51eaac in main /home/osboxes/mozilla-central/browser/app/nsBrowserApp.cpp:304
    #20 0x7f3152806b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x421bc9 in _start (/home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/bin/firefox+0x421bc9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/osboxes/mozilla-central/obj-x86_64-pc-linux-gnu/dist/include/nsTString.h:211:12 in CharAt
==3395==ABORTING
See Also: → 1392739
Assignee: nobody → valentin.gosu
Whiteboard: [necko-triaged]
Group: core-security → network-core-security
What format is the attachment? Is that a testcase or a log?
Flags: needinfo?(agaynor)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
The attachment is an input to the fuzzer.
Flags: needinfo?(agaynor)
Blocks: libfuzzer-ipc
Group: network-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: