Closed Bug 1475235 Opened 6 years ago Closed 6 years ago

null ptr deref in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: baku)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

crash.patch
1.23 KB, patch
Alex_Gaynor
: review+
Details | Diff | Splinter Review 
This was found by the IPC fuzzer.

I don't believe this is a security issue, just a fuzzer efficiency issue.

==34==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ede98230e bp 0x7ffe42637800 sp 0x7ffe42637580 T0)
==34==The signal is caused by a READ memory access.
==34==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f7ede98230d in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&) dom/base/nsGlobalWindowInner.cpp:8218:29
    #1 0x7f7ee3f1ee79 in mozilla::dom::ContentParent::RecvFirstPartyStorageAccessGrantedForOrigin(IPC::Principal const&, nsTString<char> const&, nsTString<char> const&) dom/ipc/ContentParent.cpp:5761:3
    #2 0x7f7edc27d5c7 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:7980:20
    #3 0x7f7eeb0687a8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #4 0x7f7eeb0682ca in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #5 0x5927bd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #6 0x59203b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #7 0x59352d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #8 0x593ee5 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #9 0x58b585 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #10 0x7f7ee92ed9b6 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #11 0x7f7ee920a9aa in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3935:35
    #12 0x7f7ee921f573 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4891:12
    #13 0x7f7ee92210ee in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4998:21
    #14 0x4f532c in do_main browser/app/nsBrowserApp.cpp:233:22
    #15 0x4f532c in main browser/app/nsBrowserApp.cpp:311
    #16 0x7f7f029601c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #17 0x4248fc in _start (/home/worker/firefox/firefox+0x4248fc)

DEDUP_TOKEN: nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dom/base/nsGlobalWindowInner.cpp:8218:29 in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&)
Assignee: nobody → amarchesini
Attached patch crash.patchSplinter Review 

        Attachment #8991614 -
        Flags: review?(agaynor)

    
  

        Attachment #8991614 -
        Flags: review?(agaynor) → review+

    
    

    
  
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8d82ddedfa25
Check if the parameters are null in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess, r=Alex_Gaynor

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/8d82ddedfa25
Status: NEW → RESOLVED
Closed: 6 years ago

          status-firefox63:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: