AddressSanitizer: stack-buffer-overflow, stack-use-after-scope, stack-buffer-underflow [@ NS_CopySegmentToBuffer] through [@ mozilla::net::nsHttpTransaction::ReadSegments]
Categories
(Core :: Networking: HTTP, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox68 | --- | affected |
People
(Reporter: bc, Unassigned)
Attachments (5 files)
Bughunter began reporting a variety of AddressSanitizer errors (stack-buffer-overflow, stack-use-after-scope, stack-buffer-underflow) with mozilla::net::nsHttpTransaction on the stack.
These may be false positives since they also have the following hint:
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions are supported)
decoder: If you could help determine if these are real, that would be awesome.
I'll attach the URLs first, followed by logs. I could not reproduce locally after loading each URL 5 times on Fedora 29. I resubmitted these several times and was able to reproduce on Bughunter, but not reliably.
Comment 1•5 years ago (Reporter)
These include MOZ_LOG for nsHttp so they appear a bit messy.
Comment 2•5 years ago (Reporter)
Comment 3•5 years ago (Reporter)
Comment 4•5 years ago (Reporter)
Including a Windows report. There is also another "unknown" crash if that would help.
Comment 5•5 years ago
These do not look like false positives to me, especially not if they reproduce on Linux as well. The boilerplate you mentioned does not apply to Firefox.
Comment 6•5 years ago
Fwiw, I'm seeing the same reports in ASan Nightly now and with a fairly high frequency.
Dragana, can you assign someone to investigate this? It looks as if we are reading from a deallocated stack variable/buffer.
Comment 8•5 years ago
[Tracking Requested - why for this release]: new security-looking issue that is showing up on Bughunter, ASan Nightly, and TreeHerder.
Comment 9•5 years ago
This signature first showed up on Nightly in the 20190321104132 build (Android-only). The changeset for that Nightly is: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=25398e555020fef80c7b2a06a0d4c667e861cd6f&tochange=b2f1edb41241d3da6ded54edf38cca1d2d08325b
I don't know if it is exactly the same issue, but the timing seems suspiciously similar. edit: on the other hand, Android PGO landed in that build, so it could just be a signature change.
Comment 10•5 years ago
This could be related to bug 1538098 that is on nightly in the wild now.
Comment 12•5 years ago
I think we can duplicate this.