Closed Bug 1566465 Opened 1 year ago Closed 1 year ago

Crash [@ get] through [@ mozilla::net::Http2Session::RecvAltSvc]

Categories

(Core :: Networking: HTTP, --, P1)

x86_64
Linux
--

Tracking

()

VERIFIED FIXED
mozilla70
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- verified

People

(Reporter: decoder, Assigned: decoder)

References

(Regression)

Details

(4 keywords, Whiteboard: [adv-main70+][adv-main70+r])

Crash Data

Attachments

(4 files)

The attached testcase crashes on mozilla-central revision 38aa0201f645+ (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2. Apply the patch from bug 1566342 to get the required fuzzing target.
  3. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  4. Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 objdir/dist/bin/firefox test.bin

This crash is not s-s but I am marking the bug s-s so we don't draw attention to this fuzzing initiative (there might be more bugs to shake out before landing the actual fuzzing target).

Also, for this crash, I do have a simple patch that fixes it, I just need confirmation that this is the right fix. Will push the patch soon after.

Attached file Testcase
Assignee: nobody → choller
Status: NEW → ASSIGNED

According to my debugging, the fuzzer managed to reach a state where self->mInputFrameDataStream is NULL and the deref for getting the transaction fails. Adding the NULL check and handling that error seems to work.

Priority: -- → P1
Whiteboard: [necko-triaged]

:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(choller)
Flags: needinfo?(choller)
Regressed by: 1429973
Regressed by: 1130874
No longer regressed by: 1429973

Given the age of the bug and the lack of reports from in the wild, I'm assuming we can let this fix ride the trains.

Flags: qe-verify+
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]

Hi Decoder, I want to verify this fix but I need more details and some help. Please let me know what OSes should I use, what build is required and all other info that you think are necessary to be able to confirm the fix. Thanks in advance.

Flags: needinfo?(choller)

(In reply to ovidiu boca[:Ovidiu] from comment #9)

Hi Decoder, I want to verify this fix but I need more details and some help. Please let me know what OSes should I use, what build is required and all other info that you think are necessary to be able to confirm the fix. Thanks in advance.

The steps to reproduce are in comment 0, however, instead of step 2+3 (building yourself), you can download the required build using fuzzfetch [1] on the command line: python -mfuzzfetch -a --fuzzing --tests gtest

Doing it with fuzzfetch is easier because it properly unpacks everything for you (including the gtests libxul).

[1] https://github.com/MozillaSecurity/fuzzfetch

Flags: needinfo?(choller)
Group: core-security-release

This is my output after following the steps:

~/Desktop$ MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 /home/svuser/m-c-20190903094847-fuzzing-asan-opt/firefox test.bin
Running Fuzzer tests...
INFO: Seed: 281788861
INFO: Loaded 1 modules (519354 inline 8-bit counters): 519354 [0x7fdbb9b94340, 0x7fdbb9c12ffa),
INFO: Loaded 1 PC tables (519354 PCs): 519354 [0x7fdbb9c13000,0x7fdbba3ffba0),
/home/svuser/m-c-20190903094847-fuzzing-asan-opt/firefox: Running 1 inputs 1 time(s) each.
Running: test.bin
Executed test.bin in 1220 ms


*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.

Please let me know if this is the expected result in order to mark this as verified.

Flags: needinfo?(choller)

This is the expected result, thanks for checking :)

Status: RESOLVED → VERIFIED
Flags: needinfo?(choller)
Flags: qe-verify+
Whiteboard: [necko-triaged][post-critsmash-triage]
Whiteboard: [adv-main70+][adv-main70-rollup]
Whiteboard: [adv-main70+][adv-main70-rollup] → [adv-main70+][adv-main70+r]
You need to log in before you can comment on or make changes to this bug.