Closed Bug 1548822 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ HashStringKnownLength<const unsigned char *>] with READ of size 1

(Core :: Networking: HTTP, defect, P1)

Tracking Status
firefox-esr60 68+ fixed
firefox67 --- wontfix
firefox68 + fixed

(Reporter: decoder, Assigned: mayhemer)

(Blocks 2 open bugs, Regression)

(4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+])

(3 files, 1 obsolete file)

The attached use-after-free keeps getting triggered by libfuzzer on mozilla-central revision 4bc31addf415+ (with the not yet landed HTTP target).

I have so far not been able to reproduce any of these crashes (probably because they depend on one of the prior tests in the target). However, since the crash is a use-after-free with a full ASan trace, I guess we should be able to figure out what is going on even without steps to reproduce.

Group: core-security → network-core-security
Priority: -- → P1
Whiteboard: [necko-triaged]
Assignee: nobody → honzab.moz
Attached file Bug 1548822, r=kershaw
Duplicate of this bug: 1550341
Duplicate of this bug: 1547958

Comment on attachment 9063495 [details]
Bug 1548822, r=kershaw

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: there is a long path of indirection to actually find the crash we deal with from the code change, so, really not easily
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: I think all
  • If not all supported branches, which bug introduced the flaw?: Bug 855185
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: this is very simple to backport, probably will apply cleanly to this very old code
  • How likely is this patch to cause regressions; how much testing does it need?: zero; automated testing will cover this well.
Attachment #9063495 - Flags: sec-approval?
Keywords: regression
Regressed by: 855185

Comment on attachment 9063495 [details]
Bug 1548822, r=kershaw

sec-approval+ for trunk.

Attachment #9063495 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed
Group: network-core-security → core-security-release
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Please rebase this for ESR60 and nominate it for approval when you get a chance.

Flags: needinfo?(honzab.moz)

Will do, this one is trivial.

Flags: needinfo?(honzab.moz)
Flags: qe-verify-
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]

Please rebase and nominate this for ESR60 soon :)

Flags: needinfo?(honzab.moz)
Attached patch esr60 (obsolete) — Splinter Review

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: UAF
  • Fix Landed on Version: 68
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): trivial patch
  • String or UUID changes made by this patch:
Flags: needinfo?(honzab.moz)
Attachment #9075166 - Flags: approval-mozilla-esr60?
Attached patch esr60 — Splinter Review

Beta/Release Uplift Approval Request

  • User impact if declined: comment 13
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String changes made/needed:
Attachment #9075166 - Attachment is obsolete: true
Attachment #9075166 - Flags: approval-mozilla-esr60?
Attachment #9075216 - Flags: approval-mozilla-beta?
Comment on attachment 9075216 [details] [diff] [review]

Fixes a Necko sec bug. Approved for 60.8esr.
Attachment #9075216 - Flags: approval-mozilla-beta? → approval-mozilla-esr60+
Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+]
Group: core-security-release