Crash [@ get] through [@ mozilla::net::Http2Session::RecvAltSvc]
Categories: Core :: Networking: HTTP, P1
People: Reporter: decoder, Assigned: decoder
References: Regression
Details: 4 keywords, Whiteboard: [adv-main70+][adv-main70+r]
Attachments: 4 files
The attached testcase crashes on mozilla-central revision 38aa0201f645+ (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).
For detailed crash information, see attachment.
To reproduce the issue, perform the following steps:
- Download the attached testcase, save as "test.bin".
- Apply the patch from bug 1566342 to get the required fuzzing target.
- Build with --enable-fuzzing (requires Clang and ASan; also build gtests using ./mach gtest dontruntests).
- Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 objdir/dist/bin/firefox test.bin
This crash is not s-s but I am marking the bug s-s so we don't draw attention to this fuzzing initiative (there might be more bugs to shake out before landing the actual fuzzing target).
Also, for this crash, I do have a simple patch that fixes it, I just need confirmation that this is the right fix. Will push the patch soon after.
Comment 5•5 years ago
According to my debugging, the fuzzer managed to reach a state where self->mInputFrameDataStream is NULL and the deref for getting the transaction fails. Adding the NULL check and handling that error seems to work.
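To make the failure mode described above concrete, here is an added illustration that is not Mozilla's code: a deliberately small C++ model of a session whose "current frame stream" pointer can be left null when a frame's stream id does not resolve, with an unchecked handler that would dereference it beside a handler that applies the null check from this comment. The class, member and function names (Session, Stream, BeginFrame, RecvAltSvcUnchecked, RecvAltSvcChecked, ReplayAltSvc) and the origin-to-alt-svc mapping are hypothetical stand-ins, not Necko's real data structures.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for an HTTP/2 stream and its transaction's origin.
struct Stream {
  uint32_t id;
  std::string origin;
};

enum class AltSvcResult { Accepted, NoStream };

// Hypothetical session model. mInputFrameDataStream mirrors the idea of
// "the stream the frame being parsed belongs to"; it stays null when the
// frame's stream id does not resolve to a live stream, which is the state
// the fuzzer reached in this bug.
class Session {
 public:
  void AddStream(uint32_t id, const std::string& origin) {
    mStreams.push_back(std::make_unique<Stream>(Stream{id, origin}));
  }

  // Models frame-header processing: resolve the stream id or leave null.
  void BeginFrame(uint32_t streamId) {
    mInputFrameDataStream = nullptr;
    for (const auto& s : mStreams) {
      if (s->id == streamId) {
        mInputFrameDataStream = s.get();
        break;
      }
    }
  }

  // Before: dereferences the stream pointer unconditionally. With an
  // unresolved stream this is a null dereference (the crash in comment 0).
  // Kept only to show the defect; never call it after a failed resolve.
  std::string RecvAltSvcUnchecked(const std::string& altSvc) {
    return mInputFrameDataStream->origin + " -> " + altSvc;
  }

  // After: the NULL check from comment 5. An ALTSVC frame that arrives with
  // no resolvable stream is rejected instead of dereferenced.
  AltSvcResult RecvAltSvcChecked(const std::string& altSvc,
                                 std::string& mappingOut) {
    if (!mInputFrameDataStream) {
      return AltSvcResult::NoStream;
    }
    mappingOut = mInputFrameDataStream->origin + " -> " + altSvc;
    return AltSvcResult::Accepted;
  }

 private:
  std::vector<std::unique_ptr<Stream>> mStreams;
  Stream* mInputFrameDataStream = nullptr;
};

// Replays one ALTSVC frame against a session through the hardened path and
// reports whether it was accepted. Constructed helper for demonstration.
AltSvcResult ReplayAltSvc(Session& session, uint32_t streamId,
                          const std::string& altSvc, std::string& out) {
  session.BeginFrame(streamId);
  return session.RecvAltSvcChecked(altSvc, out);
}
```

Replaying a frame for a stream id that was never opened reaches RecvAltSvcChecked with a null pointer and returns NoStream; the same input through RecvAltSvcUnchecked is exactly the dereference an ASan build reports as a SEGV.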
Comment 6•5 years ago
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 7•5 years ago
https://hg.mozilla.org/integration/autoland/rev/3c6c96c10ba41a91b8ea9130c05ebfbe9730e803
https://hg.mozilla.org/mozilla-central/rev/3c6c96c10ba4
Comment 8•5 years ago
Given the age of the bug and the lack of reports from in the wild, I'm assuming we can let this fix ride the trains.
Comment 9•5 years ago
Hi Decoder, I want to verify this fix but I need more details and some help. Please let me know which OSes I should use, what build is required and any other info that you think is necessary to be able to confirm the fix. Thanks in advance.
Comment 10•5 years ago
(In reply to ovidiu boca[:Ovidiu] from comment #9)
Hi Decoder, I want to verify this fix but I need more details and some help. Please let me know which OSes I should use, what build is required and any other info that you think is necessary to be able to confirm the fix. Thanks in advance.
The steps to reproduce are in comment 0; however, instead of steps 2 and 3 (building yourself), you can download the required build using fuzzfetch [1] on the command line: python -mfuzzfetch -a --fuzzing --tests gtest
Doing it with fuzzfetch is easier because it properly unpacks everything for you (including the gtests libxul).
Comment 11•5 years ago
This is my output after following the steps:
~/Desktop$ MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 /home/svuser/m-c-20190903094847-fuzzing-asan-opt/firefox test.bin
Running Fuzzer tests...
INFO: Seed: 281788861
INFO: Loaded 1 modules (519354 inline 8-bit counters): 519354 [0x7fdbb9b94340, 0x7fdbb9c12ffa),
INFO: Loaded 1 PC tables (519354 PCs): 519354 [0x7fdbb9c13000,0x7fdbba3ffba0),
/home/svuser/m-c-20190903094847-fuzzing-asan-opt/firefox: Running 1 inputs 1 time(s) each.
Running: test.bin
Executed test.bin in 1220 ms
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
Please let me know if this is the expected result in order to mark this as verified.
Comment 12•5 years ago
This is the expected result, thanks for checking :)