null ptr deref in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess

RESOLVED FIXED in Firefox 63

Status: defect, RESOLVED FIXED (10 months ago)

People: Reporter: Alex_Gaynor, Assigned: baku

Tracking: Blocks 1 bug; Version: Trunk; Target Milestone: Firefox 63
Firefox Tracking Flags: firefox63 fixed

Attachments: 1

Description (Reporter, 10 months ago)
This was found by the IPC fuzzer.

I don't believe this is a security issue, just a fuzzer efficiency issue.

==34==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7ede98230e bp 0x7ffe42637800 sp 0x7ffe42637580 T0)
==34==The signal is caused by a READ memory access.
==34==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f7ede98230d in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&) dom/base/nsGlobalWindowInner.cpp:8218:29
    #1 0x7f7ee3f1ee79 in mozilla::dom::ContentParent::RecvFirstPartyStorageAccessGrantedForOrigin(IPC::Principal const&, nsTString<char> const&, nsTString<char> const&) dom/ipc/ContentParent.cpp:5761:3
    #2 0x7f7edc27d5c7 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PContentParent.cpp:7980:20
    #3 0x7f7eeb0687a8 in void mozilla::ipc::FuzzProtocol<mozilla::dom::ContentParent>(mozilla::dom::ContentParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:49:18
    #4 0x7f7eeb0682ca in RunContentParentIPCFuzzing(unsigned char const*, unsigned long) dom/ipc/fuzztest/content_parent_ipc_libfuzz.cpp:33:3
    #5 0x5927bd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #6 0x59203b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #7 0x59352d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #8 0x593ee5 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #9 0x58b585 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #10 0x7f7ee92ed9b6 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:60:10
    #11 0x7f7ee920a9aa in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3935:35
    #12 0x7f7ee921f573 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4891:12
    #13 0x7f7ee92210ee in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4998:21
    #14 0x4f532c in do_main browser/app/nsBrowserApp.cpp:233:22
    #15 0x4f532c in main browser/app/nsBrowserApp.cpp:311
    #16 0x7f7f029601c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #17 0x4248fc in _start (/home/worker/firefox/firefox+0x4248fc)

DEDUP_TOKEN: nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV dom/base/nsGlobalWindowInner.cpp:8218:29 in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess(nsIPrincipal*, nsTString<char> const&, nsTString<char> const&)

Updated (Assignee, 10 months ago)
Assignee: nobody → amarchesini

Comment 1 (Assignee, 10 months ago)
Posted patch crash.patch
Attachment #8991614 - Flags: review?(agaynor)

Updated (Reporter, 10 months ago)
Attachment #8991614 - Flags: review?(agaynor) → review+

Comment 2 (10 months ago)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8d82ddedfa25
Check if the parameters are null in nsGlobalWindowInner::SaveFirstPartyStorageAccessGrantedForOriginOnParentProcess, r=Alex_Gaynor

Comment 3 (bugherder, 10 months ago)
https://hg.mozilla.org/mozilla-central/rev/8d82ddedfa25
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63