Closed Bug 1750978 Opened 3 years ago Closed 1 year ago

Crash in [@ neqo_transport::connection::Connection::input_path]

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Version:
Firefox 96
Platform:
x86_64
Linux
Type:
defect
Points:
13

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox96 --- affected

People

(Reporter: office, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-wildptr, sec-high, Whiteboard: [necko-triaged])

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/666270cb-ce60-4e6e-9fbf-a74470220119

Reason: SIGSEGV / SEGV_ACCERR

Top 10 frames of crashing thread:

0 None @0x00007fc7a19799c0 
1 libxul.so core::fmt::write library/core/src/fmt/mod.rs:1163
2 libxul.so alloc::fmt::format library/alloc/src/fmt.rs:579
3 libxul.so neqo_transport::connection::Connection::input_path third_party/rust/neqo-transport/src/connection/mod.rs:1346
4 libxul.so neqo_transport::connection::Connection::input third_party/rust/neqo-transport/src/connection/mod.rs:1295
5 libxul.so neqo_transport::connection::Connection::process_input third_party/rust/neqo-transport/src/connection/mod.rs:891
6 libxul.so neqo_http3::connection_client::Http3Client::process_input third_party/rust/neqo-http3/src/connection_client.rs:467
7 libxul.so neqo_http3conn_process_input netwerk/socket/neqo_glue/src/lib.rs:263
8 libxul.so mozilla::net::Http3Session::ProcessInput netwerk/protocol/http/Http3Session.cpp:295
9 libxul.so mozilla::net::Http3Session::RecvData netwerk/protocol/http/Http3Session.cpp:1158
Severity: -- → S3
Points: --- → 13
status-firefox96: --- → affected
Priority: -- → P3

The Bugbug bot thinks this bug should belong to the 'Core::Networking: HTTP' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Networking: HTTP
Product: Firefox → Core

The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit auto_nag documentation.

Priority: P3 → --

I don't really understand this crash. Could you take a look?

Blocks: QUIC
Crash Signature: [@ core::fmt::write] → [@ neqo_transport::connection::Connection::input_path]
Flags: needinfo?(dd.mozilla)
Priority: -- → P2
Summary: Crash in [@ core::fmt::write] → Crash in [@ neqo_transport::connection::Connection::input_path]

I am not sure what is happing either.
This crash is for out-of-bound https://crash-stats.mozilla.org/report/index/02708507-0e63-4026-881e-e39750211226
That is the only Linux crash. The other crashes are different.

Keeping needinfo.

Whiteboard: [necko-triaged]

The bug has a crash signature, thus the bug will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

I have opened a neqo issue: https://github.com/mozilla/neqo/issues/1363

Flags: needinfo?(dd.mozilla)

Often-wildptr crash, low frequency (~4/week).

Interesting because we're seeing wildptr crashes from Rust code

Seems associated with packet.decrypt

Group: core-security
Keywords: crash, csectype-wildptr
Group: core-security → network-core-security

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:valentin, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(valentin.gosu)

While this is still happening, it is on file in neqo and not currently actionable.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: network-core-security
You need to log in before you can comment on or make changes to this bug.