Closed
Bug 1475235
Opened 6 years ago
Closed 6 years ago
null ptr deref in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
RESOLVED
FIXED
Firefox 63
Tracking | Status |
---|---|
firefox63 | fixed |
People
(Reporter: Alex_Gaynor, Assigned: baku)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
1.23 KB, patch | Alex_Gaynor: review+ | Details | Diff | Splinter Review
This was found by the IPC fuzzer. I don't believe this is a security issue, just a fuzzer efficiency issue.

```
==34==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ede98230e bp 0x7ffe42637800 sp 0x7ffe42637580 T0)
==34==The signal is caused by a READ memory access.
==34==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f7ede98230d in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&) dom/base/nsGlobalWindowInner.cpp:8218:29
    #1 0x7f7ee3f1ee79 in mozilla::dom::ContentParent::RecvFirstPartyStorageAccessGrantedForOrigin(IPC::Principal const&, nsTString<char> const&, nsTString<char> const&) dom/ipc/ContentParent.cpp:5761:3
    #2 0x7f7edc27d5c7 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:7980:20
    #3 0x7f7eeb0687a8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #4 0x7f7eeb0682ca in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #5 0x5927bd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #6 0x59203b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #7 0x59352d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #8 0x593ee5 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #9 0x58b585 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #10 0x7f7ee92ed9b6 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #11 0x7f7ee920a9aa in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3935:35
    #12 0x7f7ee921f573 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4891:12
    #13 0x7f7ee92210ee in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4998:21
    #14 0x4f532c in do_main browser/app/nsBrowserApp.cpp:233:22
    #15 0x4f532c in main browser/app/nsBrowserApp.cpp:311
    #16 0x7f7f029601c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #17 0x4248fc in _start (/home/worker/firefox/firefox+0x4248fc)

DEDUP_TOKEN: nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dom/base/nsGlobalWindowInner.cpp:8218:29 in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&)
```
Updated•6 years ago (Assignee)
Assignee: nobody → amarchesini
Comment 1•6 years ago (Assignee)
Attachment #8991614 - Flags: review?(agaynor)
Updated•6 years ago (Reporter)
Attachment #8991614 - Flags: review?(agaynor) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8d82ddedfa25
Check if the parameters are null in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess, r=Alex_Gaynor
Comment 3•6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/8d82ddedfa25
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63