Closed Bug 1579466 Opened 5 years ago Closed 5 years ago

UndefinedBehaviorSanitizer: netwerk/protocol/http/nsHttpConnection.cpp:710:10: runtime error: load of value 3, which is not a valid value for type 'bool'

Categories

(Core :: Networking: HTTP, defect)

x86_64
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

(Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 3bfc0e27d038 (build with --enable-tests --enable-address-sanitizer --disable-jemalloc --enable-optimize=-O2 --enable-fuzzing --disable-debug).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
  2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
  2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --tests gtest (see https://github.com/MozillaSecurity/fuzzfetch).
  3. Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp2ProxyHttp2 objdir/dist/bin/firefox test.bin

Attached file Testcase

Not s-s, I already investigated it and have a patch.

The problem is this code in nsHttpConnection:

 mSocketTransport->GetEsniUsed(&esni);
 Telemetry::Accumulate(
     Telemetry::ESNI_NOESNI_TLS_SUCCESS_RATE,
     (esni) ? ((handshakeSucceeded) ? ESNI_SUCCESSFUL : ESNI_FAILED)
            : ((handshakeSucceeded) ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED));

which ignores the return value of GetEsniUsed. In the HTTP2 over HTTP2 proxy case, this method is implemented in TunnelUtils.cpp and returns NS_ERROR_NOT_IMPLEMENTED, so this code is reading uninitialized memory for the esni variable.

The only impact this probably has is that the data for Telemetry::ESNI_NOESNI_TLS_SUCCESS_RATE is probably bogus now in cases where an HTTP2 proxy is used.
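
Added example (not part of the bug comment and not the landed patch): a C++ illustration of the unchecked out-parameter pattern described above, beside a form that checks the return value. The Transport classes, the simplified nsresult, the enum values and the function names are stand-ins assumed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
// Simplified stand-ins (assumptions), not Mozilla's real declarations.
using nsresult = std::uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_NOT_IMPLEMENTED = 0x80004001;
enum EsniBucket { ESNI_SUCCESSFUL, ESNI_FAILED, NO_ESNI_SUCCESSFUL, NO_ESNI_FAILED };

struct Transport {
  virtual ~Transport() = default;
  virtual nsresult GetEsniUsed(bool* aUsed) = 0;
};
// Direct TLS socket: writes the out-param and succeeds.
struct TlsTransport : Transport {
  bool mUsed = true;
  nsresult GetEsniUsed(bool* aUsed) override { *aUsed = mUsed; return NS_OK; }
};
// Tunnel case from the report: fails and never writes the out-param.
struct TunnelTransport : Transport {
  nsresult GetEsniUsed(bool*) override { return NS_ERROR_NOT_IMPLEMENTED; }
};

static EsniBucket Bucket(bool esni, bool ok) {
  return esni ? (ok ? ESNI_SUCCESSFUL : ESNI_FAILED)
              : (ok ? NO_ESNI_SUCCESSFUL : NO_ESNI_FAILED);
}
// Pattern from the report: 'esni' is read even if the getter failed, which is
// undefined behaviour with TunnelTransport. Kept for contrast, not run in main.
EsniBucket BucketUnchecked(Transport& t, bool ok) {
  bool esni;
  t.GetEsniUsed(&esni);
  return Bucket(esni, ok);
}
// Checked form: initialise the out-param and report nothing when the getter
// fails, so a tunnel connection adds no sample instead of a bogus one.
bool BucketChecked(Transport& t, bool ok, EsniBucket* aOut) {
  bool esni = false;
  if (t.GetEsniUsed(&esni) != NS_OK) return false;
  *aOut = Bucket(esni, ok);
  return true;
}

int main() {
  TlsTransport tls; TunnelTransport tunnel;
  EsniBucket b = NO_ESNI_FAILED;
  bool viaTls = BucketChecked(tls, true, &b);
  bool viaTunnel = BucketChecked(tunnel, true, &b);
  std::printf("tls=%d bucket=%d tunnel=%d\n", viaTls, (int)b, viaTunnel);
}
```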

Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1652b2de0b9a
Check GetEsniUsed return value in nsHttpConnection. r=mayhemer
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Assignee: nobody → choller
Keywords: regression
Flags: qe-verify+
Has Regression Range: --- → yes