MOZ_Crash [@ mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived]
Categories
(Core :: DOM: Web Authentication, defect, P3)
Tracking
()
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev cb9bbf38fa45. Testcase must be served via a local webserver in order to reproduce. Furthermore, use harness.html as the starting point which loads part1.html and part2.html.
==107019==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fcb73737b12 bp 0x7ffdb290d6b0 sp 0x7ffdb290d5a0 T0)
==107019==The signal is caused by a WRITE memory access.
==107019==Hint: address points to the zero page.
#0 0x7fcb73737b11 in MOZ_Crash /src/obj-firefox/dist/include/mozilla/Assertions.h:313:3
#1 0x7fcb73737b11 in mozilla::ipc::BackgroundChildImpl::ProcessingError(mozilla::ipc::HasResultCodes::Result, char const*) /src/ipc/glue/BackgroundChildImpl.cpp:157
#2 0x7fcb737e9374 in mozilla::ipc::IPCResult::Fail(mozilla::NotNull<mozilla::ipc::IProtocol*>, char const*, char const*) /src/ipc/glue/ProtocolUtils.cpp:64:39
#3 0x7fcb74497078 in mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PWebAuthnTransactionChild.cpp:337:68
#4 0x7fcb73f57a6f in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5759:32
#5 0x7fcb737d9246 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2185:25
#6 0x7fcb737d3e9d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2109:9
#7 0x7fcb737d64c7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1954:3
#8 0x7fcb737d7357 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1985:13
#9 0x7fcb725c03f6 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1225:14
#10 0x7fcb725c62f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#11 0x7fcb737e262f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
#12 0x7fcb736df2f2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#13 0x7fcb736df2f2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#14 0x7fcb736df2f2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#15 0x7fcb7baebbd9 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
#16 0x7fcb7f9dd7af in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#17 0x7fcb736df2f2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#18 0x7fcb736df2f2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#19 0x7fcb736df2f2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#20 0x7fcb7f9dd056 in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#21 0x5621442c6dda in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#22 0x5621442c6dda in main /src/browser/app/nsBrowserApp.cpp:272
#23 0x7fcb940b5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#24 0x5621441e83fc in _start (/home/worker/builds/m-c-20190911215306-fuzzing-asan-opt/firefox+0x453fc)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/obj-firefox/dist/include/mozilla/Assertions.h:313:3 in MOZ_Crash
==107019==ABORTING
Comment 1 • 5 years ago (Reporter)
Comment 2 • 5 years ago (Reporter)
Comment 3 • 5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 4 • 5 years ago (Reporter)
Testcase bisects to the following range:
Start: 1e7c6202d94f27e9b14450dc8710f32e7df31572 (20190329224421)
End: d42c60ccf0d05a8b1e6098c1ab62d26e6edd2267 (20190330093204)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1e7c6202d94f27e9b14450dc8710f32e7df31572&tochange=d42c60ccf0d05a8b1e6098c1ab62d26e6edd2267
Comment 5 • 5 years ago
While regressed by Bug 1448408, this state machine error was always a problem. Now it just isn't solved by aborting on context switch.
Comment 6 • 5 years ago
JC, we were looking at this in the regression triage meeting today and wondering what next steps are. Can you update flags or comment here to update things?
Comment 7 • 5 years ago
Next steps are: rewrite WebAuthn's UI. Re-listening to visibility events won't fix this everywhere (we have to ignore them on Windows w/ Hello enabled), and eventual CTAP2 support requires a new UX anyway.
This would be the first thing I'd work on when I work on WebAuthn again, but I realize P2 makes it appear like that might happen in the next cycle, which it won't. Moving to P3.
Comment 8 • 3 years ago
Hey Jason,
Can you still reproduce this or should we close it?
Comment 9 • 3 years ago (Reporter)
I was unable to reproduce this issue using mozilla-central rev 152fdda295bb. I think we can safely close this issue.