Closed Bug 1566465 Opened 5 years ago Closed 5 years ago

Crash [@ get] through [@ mozilla::net::Http2Session::RecvAltSvc]

Categories

(Core :: Networking: HTTP, --, P1)

Product:
Core
Component:
Networking: HTTP
Platform:
x86_64
Linux
Type:
--

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- verified

People

(Reporter: decoder, Assigned: decoder)

References

(Regression)

Details

(4 keywords, Whiteboard: [adv-main70+][adv-main70+r])

Crash Data

Attachments

(4 files)

Detailed Crash Information
9.35 KB, text/plain
Details
Testcase
64 bytes, application/octet-stream
Details
Full log with nsFuzzing:5,nsFuzzingNecko:5,nsHttp:5,nsSocketTransport:5,sync
66.75 KB, text/plain
Details
Bug 1566465 - Fix crash in Http2Session::RecvAltSvc. r?dragana
47 bytes, text/x-phabricator-request
Details | Review

The attached testcase crashes on mozilla-central revision 38aa0201f645+ (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2. Apply the patch from bug 1566342 to get the required fuzzing target.
  3. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  4. Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 objdir/dist/bin/firefox test.bin

This crash is not s-s but I am marking the bug s-s so we don't draw attention to this fuzzing initiative (there might be more bugs to shake out before landing the actual fuzzing target).

Also, for this crash, I do have a simple patch that fixes it, I just need confirmation that this is the right fix. Will push the patch soon after.

Attached file Testcase 

    
    

    
  


  
Assignee: nobody → choller
Status: NEW → ASSIGNED

    
    

    
  
According to my debugging, the fuzzer managed to reach a state where self->mInputFrameDataStream is NULL and the deref for getting the transaction fails. Adding the NULL check and handling that error seems to work.


Priority: -- → P1
Whiteboard: [necko-triaged]

    
    

    
  
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?

For more information, please visit auto_nag documentation.


Flags: needinfo?(choller)

    
  
Flags: needinfo?(choller)
Regressed by: 1429973

    
  
Regressed by: 1130874
No longer regressed by: 1429973

    
    

    
  
Given the age of the bug and the lack of reports from in the wild, I'm assuming we can let this fix ride the trains.



          status-firefox68:
          --- → wontfix

          status-firefox69:
          --- → wontfix

          status-firefox-esr60:
          --- → wontfix

          status-firefox-esr68:
          --- → wontfix
Flags: qe-verify+
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]

    
    

    
  
Hi Decoder, I want to verify this fix but I need more details and some help. Please let me know what OSes should I use, what build is required and all other info that you think are necessary to be able to confirm the fix. Thanks in advance.


Flags: needinfo?(choller)

    
    

    
  
(In reply to ovidiu boca[:Ovidiu] from comment #9)




Hi Decoder, I want to verify this fix but I need more details and some help. Please let me know what OSes should I use, what build is required and all other info that you think are necessary to be able to confirm the fix. Thanks in advance.




The steps to reproduce are in comment 0, however, instead of step 2+3 (building yourself), you can download the required build using fuzzfetch [1] on the command line: python -mfuzzfetch -a --fuzzing --tests gtest


Doing it with fuzzfetch is easier because it properly unpacks everything for you (including the gtests libxul).


[1] https://github.com/MozillaSecurity/fuzzfetch


Flags: needinfo?(choller)

    
  
Group: core-security-release

    
    

    
  
This is my output after following the steps:


~/Desktop$ MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 /home/svuser/m-c-20190903094847-fuzzing-asan-opt/firefox test.bin

Running Fuzzer tests...

INFO: Seed: 281788861

INFO: Loaded 1 modules   (519354 inline 8-bit counters): 519354 [0x7fdbb9b94340, 0x7fdbb9c12ffa),

INFO: Loaded 1 PC tables (519354 PCs): 519354 [0x7fdbb9c13000,0x7fdbba3ffba0),

/home/svuser/m-c-20190903094847-fuzzing-asan-opt/firefox: Running 1 inputs 1 time(s) each.

Running: test.bin

Executed test.bin in 1220 ms




*** NOTE: fuzzing was not performed, you have only

***       executed the target code on a fixed set of inputs.


Please let me know if this is the expected result in order to mark this as verified.


Flags: needinfo?(choller)

    
    

    
  
This is the expected result, thanks for checking :)


Status: RESOLVED → VERIFIED
Flags: needinfo?(choller)
Flags: qe-verify+
Whiteboard: [necko-triaged][post-critsmash-triage]
Whiteboard: [adv-main70+][adv-main70-rollup]
Whiteboard: [adv-main70+][adv-main70-rollup] → [adv-main70+][adv-main70+r]
Has Regression Range: --- → yes

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: