Closed Bug 1648493 Opened 1 year ago Closed 10 months ago

Assertion failure: aSeg.mLen < 0 || (aSeg.mPos + aSeg.mLen <= aSpec.Length() && aSeg.mPos + aSeg.mLen >= aSeg.mPos), at /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:233

Categories

(Core :: Networking, defect, P1)

defect

Tracking

()

VERIFIED FIXED
82 Branch
Tracking Status
firefox-esr68 --- wontfix
firefox-esr78 81+ fixed
firefox79 --- wontfix
firefox80 --- wontfix
firefox81 + fixed
firefox82 + fixed

People

(Reporter: jkratzer, Assigned: valentin)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r][adv-esr78.3+r][sec-survey])

Crash Data

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev db74cdf9afe7.

Assertion failure: aSeg.mLen < 0 || (aSeg.mPos + aSeg.mLen <= aSpec.Length() && aSeg.mPos + aSeg.mLen >= aSeg.mPos), at /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:233

==27627==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f14a6e25324 bp 0x7ffd62ecdbd0 sp 0x7ffd62ecdbd0 T0)
==27627==The signal is caused by a WRITE memory access.
==27627==Hint: address points to the zero page.
    #0 0x7f14a6e25323 in mozilla::net::nsStandardURL::SanityCheck(mozilla::net::nsStandardURL::URLSegment const&, nsTString<char> const&) /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:230:3
    #1 0x7f14a6e25462 in mozilla::net::nsStandardURL::~nsStandardURL() /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:250:3
    #2 0x7f14a7a323dd in mozilla::net::SubstitutingURL::~SubstitutingURL() /builds/worker/checkouts/gecko/netwerk/protocol/res/SubstitutingURL.h:19:7
    #3 0x7f14a6e2fdcd in mozilla::net::nsStandardURL::Release() /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:1261:1
    #4 0x7f14aeab4708 in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:329:7
    #5 0x7f14aeab4708 in mozilla::dom::URL::SetProtocol(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/url/URL.cpp:237:1
    #6 0x7f14abc9eb8e in mozilla::dom::URL_Binding::set_protocol(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/URLBinding.cpp:196:24
    #7 0x7f14ac83492d in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3167:8
    #8 0x7f14b2f2ec3b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:484:13
    #9 0x7f14b2f2ec3b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:12
    #10 0x7f14b2f30ed8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #11 0x7f14b2f311b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
    #12 0x7f14b2f330b3 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:794:10
    #13 0x7f14b34e22e9 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2809:8
    #14 0x7f14b34e134b in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2838:14
    #15 0x7f14b2f4ac50 in js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:283:10
    #16 0x7f14b2f113c3 in SetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:270:10
    #17 0x7f14b2f113c3 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3057:12
    #18 0x7f14b2efafa1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:456:10
    #19 0x7f14b2f2ed1d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:611:13
    #20 0x7f14b2f30ed8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #21 0x7f14b2f311b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
    #22 0x7f14b30d3fa0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2846:10
    #23 0x7f14ac42fa2e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #24 0x7f14acf38bed in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #25 0x7f14acf38614 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
    #26 0x7f14acf39e1d in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #27 0x7f14acf27f0f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
    #28 0x7f14acf266ad in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
    #29 0x7f14acf2ac06 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
    #30 0x7f14af6d6fc2 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1148:7
    #31 0x7f14b2266087 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5684:20
    #32 0x7f14b2265205 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5426:7
    #33 0x7f14b226b9df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #34 0x7f14a94efbc0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1331:3
    #35 0x7f14a94eea8c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:937:14
    #36 0x7f14a94eb00b in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
    #37 0x7f14a94ed57d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
    #38 0x7f14a94ee61c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #39 0x7f14a6d8ba87 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:615:22
    #40 0x7f14a6d8ec97 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:522:10
    #41 0x7f14aaac0d9f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10716:18
    #42 0x7f14aaa775e6 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10648:9
    #43 0x7f14aaa9baca in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7282:3
    #44 0x7f14aab69bd4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1186:12
    #45 0x7f14aab69bd4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1192:12
    #46 0x7f14aab69bd4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1238:13
    #47 0x7f14a6a9f8cd in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #48 0x7f14a6ada8ee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #49 0x7f14a6ae57cc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
    #50 0x7f14a7e74d0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #51 0x7f14a7d50e17 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #52 0x7f14a7d50e17 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #53 0x7f14a7d50e17 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #54 0x7f14af0f9f88 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #55 0x7f14b2cc1786 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #56 0x7f14a7d50e17 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #57 0x7f14a7d50e17 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #58 0x7f14a7d50e17 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #59 0x7f14b2cc0d6f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #60 0x55c9413feb43 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #61 0x55c9413feb43 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #62 0x7f14ca9f4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/netwerk/base/nsStandardURL.cpp:230:3 in mozilla::net::nsStandardURL::SanityCheck(mozilla::net::nsStandardURL::URLSegment const&, nsTString<char> const&)
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200625161839-324d5257f6f7.
The bug appears to have been introduced in the following build range:
> Start: e858eb7ffebab87cc1902efc7f7d17dd083ebc8e (20200624093107)
> End: 992822684324869697f7ed47b042aeef5aff7ab5 (20200624162433)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e858eb7ffebab87cc1902efc7f7d17dd083ebc8e&tochange=992822684324869697f7ed47b042aeef5aff7ab5
Crash Signature: [@ mozilla::net::nsStandardURL::~nsStandardURL ]
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]

The fuzzers are frequently tripping over this issue and has been marked as a fuzzblocker[1]. Please prioritize this issue accordingly.

[1] https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers

A Pernosco session is available here: https://pernos.co/debug/Rd1dM5B0LjvMxBVv-pKXog/index.html

Valentin, could you take a look?
Thanks.

Flags: needinfo?(valentin.gosu)
Assignee: nobody → valentin.gosu
Group: core-security
Flags: needinfo?(valentin.gosu)
Severity: normal → S2
Priority: -- → P1
Component: DOM: Networking → Networking
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker][necko-triaged]
Group: core-security → network-core-security

Comment on attachment 9172193 [details]
Bug 1648493 - tests r=#necko

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Easily. We can split the patch into fix+tests if we want it to be less obvious, but this bug has already been public for a while.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?:
Attachment #9172193 - Flags: sec-approval?

Given the ease of this; is there a bug (whether or not it's really related at all) you could land the one-line change inside?

Flags: needinfo?(valentin.gosu)

(In reply to Tom Ritter [:tjr] (ni? for response to sec-[advisories/bounties/ratings/cves]) from comment #7)

Given the ease of this; is there a bug (whether or not it's really related at all) you could land the one-line change inside?

I think I could land it in some other bug patch, sure.
I'll wait for sec approval first.

Flags: needinfo?(valentin.gosu)

Comment on attachment 9172193 [details]
Bug 1648493 - tests r=#necko

This is approved to land inside another bug's patch (code change only; not test.)

Test can land Nov 1 or after.

Attachment #9172193 - Flags: sec-approval? → sec-approval+

I put the fix in https://lando.services.mozilla.com/D88123/ which is scheduled to land ASAP.

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200901032054-30a8286a26ed.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Please nominate this patch for Beta/ESR78 approval when you get a chance. I assume we'll want to land just this patch late next week rather than messing around with the cover bug for the branches.

Group: network-core-security → core-security-release
Depends on: 1660975
Flags: needinfo?(valentin.gosu)
Target Milestone: --- → 82 Branch

Looks like this is missing a rating also.

Comment on attachment 9174219 [details]
Bug 1648493 - beta/esr uplift

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Potential of arbitrary memory read/write.
  • User impact if declined: Crashes. Security vulnerability.
  • Fix Landed on Version: 82
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This offset should have always been set. The fact that it went unnoticed until now is due to the fact that the branch is rarely exercised.

Landed covertly in https://hg.mozilla.org/mozilla-central/rev/9bf43eb96305

  • String or UUID changes made by this patch:

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes. Security vulnerability.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This offset should have always been set. The fact that it went unnoticed until now is due to the fact that the branch is rarely exercised.
  • String changes made/needed:
Flags: needinfo?(valentin.gosu)
Attachment #9174219 - Flags: approval-mozilla-esr78?
Attachment #9174219 - Flags: approval-mozilla-beta?
Attachment #9172193 - Attachment description: Bug 1648493 - Set username offset when replacing the username r=#necko → Bug 1648493 - tests r=#necko
See Also: → 1663642

Comment on attachment 9174219 [details]
Bug 1648493 - beta/esr uplift

Approved for 81.0b9 and 78.3esr.

Attachment #9174219 - Flags: approval-mozilla-esr78?
Attachment #9174219 - Flags: approval-mozilla-esr78+
Attachment #9174219 - Flags: approval-mozilla-beta?
Attachment #9174219 - Flags: approval-mozilla-beta+
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker][necko-triaged] → [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r]
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r] → [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r][adv-esr78.3+r]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(valentin.gosu)
Whiteboard: [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r][adv-esr78.3+r] → [bugmon:bisected,confirmed][fuzzblocker][necko-triaged][adv-main81+r][adv-esr78.3+r][sec-survey]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #19)

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Done.

Flags: needinfo?(valentin.gosu)
Group: core-security-release

:valentin, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(valentin.gosu)
Regressed by: 1647638, 1495313
You need to log in before you can comment on or make changes to this bug.