Closed Bug 1538237 Opened 5 years ago Closed 5 years ago

AddressSanitizer: stack-buffer-overflow, stack-use-after-scope, stack-buffer-underflow [@ NS_CopySegmentToBuffer] through [@ mozilla::net::nsHttpTransaction::ReadSegments]

Categories: Core :: Networking: HTTP (defect)
Version: 67 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1538621
Tracking Status: firefox68 --- affected
People: Reporter: bc, Unassigned
Attachments: 5 files

Attached file urls

Bughunter began reporting a variety of AddressSanitizer: stack-buffer-overflow - stack-use-after-scope, stack-buffer-overflow, stack-buffer-underflow errors with mozilla::net::nsHttpTransaction on the stack.

These may be false positives since they also have the following hint:

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions are supported)

decoder: If you could help determine if these are real, that would be awesome.

I'll attach the urls first followed by logs. I could not reproduce locally after loading each url 5 times on Fedora 29. I resubmitted these several times and was able to reproduce on Bughunter but not reliably.

Flags: needinfo?
Flags: needinfo? → needinfo?(choller)

These include MOZ_LOG for nsHttp so they appear a bit messy.

Including a Windows report. There is also another "unknown" crash if that would help.

These do not look like false positives to me, especially not if they reproduce on Linux as well. The boilerplate you mentioned does not apply to Firefox.

Flags: needinfo?(choller)
Group: core-security → network-core-security
Summary: AddressSanitizer: stack-buffer-overflow - stack-use-after-scope, stack-buffer-overflow, stack-buffer-underflow → AddressSanitizer: stack-buffer-overflow, stack-use-after-scope, stack-buffer-underflow

Fwiw, I'm seeing the same reports in ASan Nightly now and with a fairly high frequency.

Dragana, can you assign someone to investigate this? It looks as if we are reading from a deallocated stack variable/buffer.

Crash Signature: [@ NS_CopySegmentToBuffer]
Flags: needinfo?(dd.mozilla)
Summary: AddressSanitizer: stack-buffer-overflow, stack-use-after-scope, stack-buffer-underflow → AddressSanitizer: stack-buffer-overflow, stack-use-after-scope, stack-buffer-underflow [@ NS_CopySegmentToBuffer] through [@ mozilla::net::nsHttpTransaction::ReadSegments]

It looks like this is happening on TreeHerder, too.

Blocks: 1538621

[Tracking Requested - why for this release]: new security-looking issue that is showing up on Bughunter, ASan Nightly, and TreeHerder.

This signature first showed up on Nightly in the 20190321104132 build (Android-only). The changeset for that Nightly is: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=25398e555020fef80c7b2a06a0d4c667e861cd6f&tochange=b2f1edb41241d3da6ded54edf38cca1d2d08325b

I don't know if it is exactly the same issue, but the timing seems suspiciously similar. edit: on the other hand, Android PGO landed in that build, so it could just be a signature change.

This could be related to bug 1538098 that is on nightly in the wild now.

Flags: needinfo?(dd.mozilla)

Yeah, that looks like the same thing.

Depends on: 1538098
No longer blocks: 1538621

I think we can duplicate this.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
No longer depends on: 1538098
Group: network-core-security
