Assertion failure: aSeg.mLen < 0 || (aSeg.mPos + aSeg.mLen <= aSpec.Length() && aSeg.mPos + aSeg.mLen >= aSeg.mPos), at /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:233
Categories
(Core :: Networking, defect, P1)
Tracking
()
People
(Reporter: jkratzer, Assigned: valentin)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r][adv-esr78.3+r][sec-survey])
Crash Data
Attachments
(3 files)
308 bytes,
text/html
|
Details | |
47 bytes,
text/x-phabricator-request
|
tjr
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-esr78+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev db74cdf9afe7.
Assertion failure: aSeg.mLen < 0 || (aSeg.mPos + aSeg.mLen <= aSpec.Length() && aSeg.mPos + aSeg.mLen >= aSeg.mPos), at /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:233
==27627==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f14a6e25324 bp 0x7ffd62ecdbd0 sp 0x7ffd62ecdbd0 T0)
==27627==The signal is caused by a WRITE memory access.
==27627==Hint: address points to the zero page.
#0 0x7f14a6e25323 in mozilla::net::nsStandardURL::SanityCheck(mozilla::net::nsStandardURL::URLSegment const&, nsTString<char> const&) /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:230:3
#1 0x7f14a6e25462 in mozilla::net::nsStandardURL::~nsStandardURL() /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:250:3
#2 0x7f14a7a323dd in mozilla::net::SubstitutingURL::~SubstitutingURL() /builds/worker/checkouts/gecko/netwerk/protocol/res/SubstitutingURL.h:19:7
#3 0x7f14a6e2fdcd in mozilla::net::nsStandardURL::Release() /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:1261:1
#4 0x7f14aeab4708 in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:329:7
#5 0x7f14aeab4708 in mozilla::dom::URL::SetProtocol(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/url/URL.cpp:237:1
#6 0x7f14abc9eb8e in mozilla::dom::URL_Binding::set_protocol(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/URLBinding.cpp:196:24
#7 0x7f14ac83492d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3167:8
#8 0x7f14b2f2ec3b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:484:13
#9 0x7f14b2f2ec3b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:12
#10 0x7f14b2f30ed8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
#11 0x7f14b2f311b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
#12 0x7f14b2f330b3 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:794:10
#13 0x7f14b34e22e9 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2809:8
#14 0x7f14b34e134b in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2838:14
#15 0x7f14b2f4ac50 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:283:10
#16 0x7f14b2f113c3 in SetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:270:10
#17 0x7f14b2f113c3 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3057:12
#18 0x7f14b2efafa1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:456:10
#19 0x7f14b2f2ed1d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:611:13
#20 0x7f14b2f30ed8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
#21 0x7f14b2f311b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
#22 0x7f14b30d3fa0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2846:10
#23 0x7f14ac42fa2e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
#24 0x7f14acf38bed in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#25 0x7f14acf38614 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
#26 0x7f14acf39e1d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
#27 0x7f14acf27f0f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
#28 0x7f14acf266ad in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
#29 0x7f14acf2ac06 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
#30 0x7f14af6d6fc2 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1148:7
#31 0x7f14b2266087 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5684:20
#32 0x7f14b2265205 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5426:7
#33 0x7f14b226b9df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#34 0x7f14a94efbc0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1331:3
#35 0x7f14a94eea8c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:937:14
#36 0x7f14a94eb00b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
#37 0x7f14a94ed57d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
#38 0x7f14a94ee61c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#39 0x7f14a6d8ba87 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
#40 0x7f14a6d8ec97 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
#41 0x7f14aaac0d9f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10716:18
#42 0x7f14aaa775e6 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10648:9
#43 0x7f14aaa9baca in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7282:3
#44 0x7f14aab69bd4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1186:12
#45 0x7f14aab69bd4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1192:12
#46 0x7f14aab69bd4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1238:13
#47 0x7f14a6a9f8cd in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
#48 0x7f14a6ada8ee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#49 0x7f14a6ae57cc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
#50 0x7f14a7e74d0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#51 0x7f14a7d50e17 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#52 0x7f14a7d50e17 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#53 0x7f14a7d50e17 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#54 0x7f14af0f9f88 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#55 0x7f14b2cc1786 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#56 0x7f14a7d50e17 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#57 0x7f14a7d50e17 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#58 0x7f14a7d50e17 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#59 0x7f14b2cc0d6f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#60 0x55c9413feb43 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#61 0x55c9413feb43 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#62 0x7f14ca9f4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:230:3 in mozilla::net::nsStandardURL::SanityCheck(mozilla::net::nsStandardURL::URLSegment const&, nsTString<char> const&)
Reporter | ||
Updated•4 years ago
|
Reporter | ||
Comment 1•4 years ago
|
||
Updated•4 years ago
|
Reporter | ||
Updated•4 years ago
|
Comment 2•4 years ago
•
|
||
The fuzzers are frequently tripping over this issue and has been marked as a fuzzblocker[1]. Please prioritize this issue accordingly.
[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers
Comment 3•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/Rd1dM5B0LjvMxBVv-pKXog/index.html
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 5•4 years ago
|
||
Assignee | ||
Comment 6•4 years ago
|
||
Comment on attachment 9172193 [details]
Bug 1648493 - tests r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Easily. We can split the patch into fix+tests if we want it to be less obvious, but this bug has already been public for a while.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?:
Comment 7•4 years ago
|
||
Given the ease of this; is there a bug (whether or not it's really related at all) you could land the one-line change inside?
Assignee | ||
Comment 8•4 years ago
•
|
||
(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #7)
Given the ease of this; is there a bug (whether or not it's really related at all) you could land the one-line change inside?
I think I could land it in some other bug patch, sure.
I'll wait for sec approval first.
Comment 9•4 years ago
|
||
Comment on attachment 9172193 [details]
Bug 1648493 - tests r=#necko
This is approved to land inside another bug's patch (code change only; not test.)
Test can land Nov 1 or after.
Updated•4 years ago
|
Assignee | ||
Comment 10•4 years ago
|
||
I put the fix in https://lando.services.mozilla.com/D88123/ which is scheduled to land ASAP.
Assignee | ||
Comment 11•4 years ago
|
||
Assignee | ||
Updated•4 years ago
|
Reporter | ||
Comment 12•4 years ago
|
||
Comment 13•4 years ago
|
||
Please nominate this patch for Beta/ESR78 approval when you get a chance. I assume we'll want to land just this patch late next week rather than messing around with the cover bug for the branches.
Comment 14•4 years ago
|
||
Looks like this is missing a rating also.
Assignee | ||
Comment 15•4 years ago
|
||
Assignee | ||
Comment 16•4 years ago
|
||
Comment on attachment 9174219 [details]
Bug 1648493 - beta/esr uplift
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential of arbitrary memory read/write.
- User impact if declined: Crashes. Security vulnerability.
- Fix Landed on Version: 82
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This offset should have always been set. The fact that it went unnoticed until now is due to the fact that the branch is rarely exercised.
Landed covertly in https://hg.mozilla.org/mozilla-central/rev/9bf43eb96305
- String or UUID changes made by this patch:
Beta/Release Uplift Approval Request
- User impact if declined: Crashes. Security vulnerability.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This offset should have always been set. The fact that it went unnoticed until now is due to the fact that the branch is rarely exercised.
- String changes made/needed:
Updated•4 years ago
|
Comment 17•4 years ago
|
||
Comment on attachment 9174219 [details]
Bug 1648493 - beta/esr uplift
Approved for 81.0b9 and 78.3esr.
Comment 18•4 years ago
|
||
uplift |
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 19•4 years ago
|
||
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Assignee | ||
Comment 20•4 years ago
|
||
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #19)
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Done.
Updated•4 years ago
|
Comment 21•4 years ago
|
||
:valentin, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Assignee | ||
Updated•4 years ago
|
Updated•4 years ago
|
Updated•3 years ago
|
Description
•