Crash [@ CharAt] through [@ mozilla::net::nsHttpTransaction::SetHttpTrailers] with invalid read
Categories: Core :: Networking: HTTP, defect, P1
People: Reporter: decoder, Assigned: decoder
References: Regression
Details: 4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main70+][adv-main70+r]
Attachments: 4 files
The attached testcase crashes on mozilla-central revision 38aa0201f645+ (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).
For detailed crash information, see attachment.
To reproduce the issue, perform the following steps:
- Download the attached testcase, save as "test.bin".
- Apply the patch from bug 1566342 to get the required fuzzing target.
- Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
- Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2 objdir/dist/bin/firefox test.bin
This issue looks like an actual invalid/out-of-bounds read. I have not investigated yet what is going on, but I will attach a full log as a start. Marking sec-high based on the assumption that this is an invalid read of some sort.
Comment 5•5 years ago
So the problem here is the out-of-bounds access aTrailers[newline - 1] while newline is 0. This looks like an easy fix, confirmed that the patch attached fixes the problem.
I also think this might not be exploitable because end only flows into the creation of an nsDependentCSubstring and nsTDependentSubstring<T>::Rebind checks that start and end are within bounds of the string's length (this would otherwise be a problem if an attacker could get the \r condition right and set end to -1).
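As an added illustration (not Mozilla's code, and not the patch from this bug), a hypothetical trailer-line splitter shaped like the scan comment 5 describes, with the `newline > 0` guard that the unguarded `aTrailers[newline - 1]` look-behind lacked:

```cpp
#include <cstddef>
#include <string_view>
#include <vector>

// Hypothetical stand-in for the trailer scan: split a trailer block into
// individual header lines, stripping the terminator ("\r\n" or bare "\n").
// The defect described in comment 5 is the look-behind aTrailers[newline - 1]
// performed when newline == 0 (the block starts with '\n'), which reads one
// byte before the buffer. The `newline > 0` check below is the guard.
std::vector<std::string_view> SplitTrailerLines(std::string_view aTrailers) {
  std::vector<std::string_view> lines;
  size_t start = 0;
  while (start < aTrailers.size()) {
    std::string_view rest = aTrailers.substr(start);
    size_t newline = rest.find('\n');
    if (newline == std::string_view::npos) {
      // No terminator: keep the remainder as a (possibly partial) line.
      lines.push_back(rest);
      break;
    }
    size_t end = newline;
    // Only look behind the '\n' for a '\r' when there is a byte to look at;
    // without this check, newline == 0 would index rest[-1].
    if (newline > 0 && rest[newline - 1] == '\r') {
      end = newline - 1;
    }
    lines.push_back(rest.substr(0, end));
    start += newline + 1;
  }
  return lines;
}
```

A block whose first byte is '\n' (the crashing shape) now yields an empty first line instead of a read before the buffer.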
Comment 6•5 years ago
:decoder, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Comment 7•5 years ago
https://hg.mozilla.org/integration/autoland/rev/6c522d98565a3b9829be1e79c0a9fc5cdd777cd9
https://hg.mozilla.org/mozilla-central/rev/6c522d98565a
Comment 8•5 years ago
Given the age of the bug and the lack of reports from in the wild, I'm assuming we can let this fix ride the trains.