Closed Bug 1684377 Opened 5 years ago Closed 5 years ago

pointer index expression overflowed src/mfbt/lz4/lz4hc.c:108

Categories

(Core :: MFBT, defect)


Tracking

RESOLVED FIXED
86 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fixed

People

(Reporter: tsmith, Assigned: RyanVM)

References

(Blocks 1 open bug)

Details

(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main86+r])

This happened once randomly while trying to reproduce another issue. Found with m-c 20201222-be30820869d8. Marking s-s to be safe.

src/mfbt/lz4/lz4hc.c:108:23: runtime error: pointer index expression with base 0x000000f7e800 overflowed to 0xffffffffff9aa970
    #0 0x55e0f43c84da in LZ4HC_init_internal src/mfbt/lz4/lz4hc.c:108:23
    #1 0x55e0f43c98a7 in LZ4_compressHC_continue_generic src/mfbt/lz4/lz4hc.c:1082:31
    #2 0x55e0f43c9797 in LZ4_compress_HC_continue src/mfbt/lz4/lz4hc.c:1112:16
    #3 0x55e0f43c7829 in LZ4F_compressBlockHC_continue src/mfbt/lz4/lz4frame.c:794:12
    #4 0x55e0f43bce8c in LZ4F_makeBlock src/mfbt/lz4/lz4frame.c:746:22
    #5 0x55e0f43bd70c in LZ4F_flush src/mfbt/lz4/lz4frame.c:954:15
    #6 0x55e0f43bb1bf in LZ4F_compressEnd src/mfbt/lz4/lz4frame.c:991:30
    #7 0x55e0f443328f in mozilla::Compression::LZ4FrameCompressionContext::EndCompressing() src/mfbt/Compression.cpp:144:7
    #8 0x4628685d105b in mozilla::scache::StartupCache::WriteToDisk() src/startupcache/StartupCache.cpp:581:5
    #9 0x4628685d9197 in mozilla::scache::StartupCache::MaybeWriteOffMainThread()::$_3::operator()() src/startupcache/StartupCache.cpp:755:29
    #10 0x4628685d8f5d in mozilla::detail::RunnableFunction<mozilla::scache::StartupCache::MaybeWriteOffMainThread()::$_3>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:534:5
    #11 0x462850218a0d in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:301:14
    #12 0x462850207deb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #13 0x462850213709 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #14 0x462852859a24 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:332:5
    #15 0x4628525434bf in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
    #16 0x462852543414 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:327:3
    #17 0x462852543381 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #18 0x4628501ff949 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:441:10
    #19 0x5c1111f9fff9 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x190f299506da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
    #21 0x55e0f3cd4a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

A Pernosco session is available here: https://pernos.co/debug/_IaWjDXGvGFF_VG8GrSq6Q/index.html
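What the sanitizer line at the top of this report means, illustrated by an added example (this is not code from the bug or from lz4; the pattern of a "virtual base" pointer formed by subtracting a window offset from the block start is an assumption drawn from the message, and the buffer, offsets and helper names below are constructed). The reported result 0xffffffffff9aa970 lies below the base 0x000000f7e800, so the subtracted offset exceeded the base address and the pointer wrapped past zero. Forming such a pointer is undefined behaviour in C even if it is never dereferenced, which is exactly what clang's -fsanitize=pointer-overflow (part of -fsanitize=undefined) reports. The checked variant keeps the window offset as an integer and only ever materialises pointers inside the real block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCK_LEN 256

/* Constructed stand-in for a compression input block (not real lz4 data). */
static unsigned char g_block[BLOCK_LEN];

/* The shape of the expression the sanitizer message describes (assumption:
 * a "virtual base" pointer formed as start minus a window offset).  Nothing
 * is dereferenced here, yet forming a pointer outside the object is
 * undefined in C; clang's -fsanitize=pointer-overflow reports it when the
 * arithmetic wraps, i.e. when offset exceeds the address of start. */
const unsigned char *virtual_base_unchecked(const unsigned char *start, size_t offset)
{
    return start - offset;
}

/* Hardened alternative: keep the window offset as an integer and derive a
 * pointer only for positions that lie inside the real buffer. */
typedef struct {
    const unsigned char *start;  /* first byte of the real block */
    size_t len;                  /* bytes available from start */
    size_t base_offset;          /* logical distance from virtual base to start */
} window_t;

/* Returns 1 on success, 0 if the window cannot be represented. */
int window_init(window_t *w, const unsigned char *start, size_t len, size_t base_offset)
{
    if (start == NULL) return 0;
    /* Logical positions are base_offset + rel for rel < len; refuse offsets
     * for which that sum could overflow size_t. */
    if (base_offset > SIZE_MAX - len) return 0;
    w->start = start;
    w->len = len;
    w->base_offset = base_offset;
    return 1;
}

/* Map a logical position (relative to the virtual base) to a pointer, or
 * NULL if it falls in the virtual prefix or past the end of the block. */
const unsigned char *window_at(const window_t *w, size_t pos)
{
    if (pos < w->base_offset) return NULL;
    size_t rel = pos - w->base_offset;
    if (rel >= w->len) return NULL;
    return w->start + rel;   /* always within [start, start + len) */
}

/* Inverse mapping: logical position of a pointer inside the real block. */
size_t window_pos(const window_t *w, const unsigned char *p)
{
    return w->base_offset + (size_t)(p - w->start);
}

int main(void)
{
    /* Constructed offset: larger than the address of the block, so the
     * unchecked subtraction wraps below zero.  Build with
     *   clang -fsanitize=pointer-overflow example.c
     * to get "pointer index expression with base ... overflowed to ...". */
    size_t huge = (size_t)(uintptr_t)g_block + 64 * 1024;
    const unsigned char *bad = virtual_base_unchecked(g_block, huge);
    printf("unchecked virtual base: %p\n", (const void *)bad);

    window_t w;
    if (window_init(&w, g_block, BLOCK_LEN, huge)) {
        printf("window_at(huge + 10) -> %p\n", (const void *)window_at(&w, huge + 10));
        printf("window_at(huge - 1)  -> %p\n", (const void *)window_at(&w, huge - 1));
    }
    return 0;
}
```

The unchecked function is the only part that trips the sanitizer; the window helpers compile cleanly under the same flags for any offset because every pointer they return is derived by adding a bounded, in-range distance to the real block start. Whether lz4's wrapped base is ever re-derived into a dereferenceable pointer is not established by the trace above, which is the question the sec-moderate rating turns on.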

Not sure if that will fix it, but we have a pending update to upstream lz4 1.9.3 in Bug 1682604, which is currently blocked by some other UBSan issue.

See Also: → 1682604
Group: core-security → dom-core-security
Keywords: sec-moderate

Can you share the test case that the Pernosco session used?

Flags: needinfo?(twsmith)

(In reply to Simon Giesecke [:sg] [he/him] from comment #3)

> Can you share the test case that the Pernosco session used?

The test case is actually 3 un-reduced test cases that are >4K lines each and can take over 1000 iterations under rr in chaos mode to repro. That said, I'd be happy to test a patch or build if you like since I have everything set up and can let it run for a few days.

Flags: needinfo?(twsmith) → needinfo?(sgiesecke)

Ok, could you check this out by applying https://phabricator.services.mozilla.com/D99816? This now contains the fix for the UBSan issue mentioned in comment 2.

Flags: needinfo?(sgiesecke)

(In reply to Simon Giesecke [:sg] [he/him] from comment #5)

> Ok, could you check this out by applying https://phabricator.services.mozilla.com/D99816? This now contains the fix for the UBSan issue mentioned in comment 2.

I am unable to reproduce it with the patch applied.

Sounds good. So this can be resolved as fixed through Bug 1682604.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Assignee: nobody → ryanvm
Group: dom-core-security → core-security-release
Target Milestone: --- → 86 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main86+r]
Group: core-security-release