Crash [@ bool AssignJSString<nsTString<char>, (void*)0>]
Categories: Core :: DOM: Core & HTML, defect
Tracking:
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox99 | --- | unaffected |
| firefox100 | --- | unaffected |
| firefox101 | --- | fixed |
People: Reporter: decoder, Assigned: saschanaz
References: Regression
Details: Keywords: crash, regression, testcase
Attachments: 3 files
The attached testcase crashes on mozilla-central revision 20220425-9cb38db713cc.
Backtrace:
==1177==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0d30bc7986 bp 0x7fff19ff71d0 sp 0x7fff19ff6fa0 T0)
#0 0x7f0d30bc7986 in bool AssignJSString<nsTString<char>, (void*)0>(JSContext*, nsTString<char>&, JSString*) dist/include/mozilla/CheckedInt.h
#1 0x7f0d30e35da8 in mozilla::dom::ReadAsCString(JSContext*, JSStructuredCloneReader*, nsTString<char>&) /dom/base/DOMException.cpp:420:10
#2 0x7f0d30e35963 in mozilla::dom::DOMException::ReadStructuredClone(JSContext*, nsIGlobalObject*, JSStructuredCloneReader*) /dom/base/DOMException.cpp:433:8
#3 0x7f0d32854e75 in mozilla::dom::DOMException_Binding::Deserialize(JSContext*, nsIGlobalObject*, JSStructuredCloneReader*) /builds/worker/workspace/obj-build/dom/bindings/DOMExceptionBinding.cpp:740:46
#4 0x7f0d3117410b in mozilla::dom::StructuredCloneHolder::ReadFullySerializableObjects(JSContext*, JSStructuredCloneReader*, unsigned int) /dom/base/StructuredCloneHolder.cpp:430:12
#5 0x7f0d31176adb in mozilla::dom::StructuredCloneHolder::CustomReadHandler(JSContext*, JSStructuredCloneReader*, JS::CloneDataPolicy const&, unsigned int, unsigned int) /dom/base/StructuredCloneHolder.cpp:1008:10
#6 0x7f0d3b2f0566 in JSStructuredCloneReader::startRead(JS::MutableHandle<JS::Value>, js::gc::InitialHeap) /js/src/vm/StructuredClone.cpp:2844:11
#7 0x7f0d3b2d9394 in JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>, unsigned long) /js/src/vm/StructuredClone.cpp:3261:8
#8 0x7f0d3b2d89d7 in ReadStructuredClone(JSContext*, JSStructuredCloneData const&, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:721:12
#9 0x7f0d3b2f885e in JS_ReadStructuredClone(JSContext*, JSStructuredCloneData const&, unsigned int, JS::StructuredCloneScope, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:3438:10
#10 0x7f0d31173eb8 in mozilla::dom::StructuredCloneHolder::ReadFromBuffer(nsIGlobalObject*, JSContext*, JSStructuredCloneData&, unsigned int, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:409:8
#11 0x7f0d31173dd4 in mozilla::dom::StructuredCloneHolder::ReadFromBuffer(nsIGlobalObject*, JSContext*, JSStructuredCloneData&, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:395:3
#12 0x7f0d35583f97 in mozilla::dom::ipc::StructuredCloneData::Read(JSContext*, JS::MutableHandle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/ipc/StructuredCloneData.cpp:116:3
#13 0x7f0d3557be0c in mozilla::dom::ipc::StructuredCloneData::Read(JSContext*, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /dom/ipc/StructuredCloneData.cpp:104:3
#14 0x7f0d2c60fc70 in FuzzingRunDomSC(unsigned char const*, unsigned long) /dom/base/fuzztest/FuzzStructuredClone.cpp:62:10
[...]
To reproduce the issue, perform the following steps:
1. Download the attached testcase, save as "test.bin".
2a. Build with --enable-fuzzing (requires Clang and ASan; also build gtests using ./mach gtest dontruntests).
2b. Alternatively you can download builds from TC using python -m fuzzfetch -a --fuzzing --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
3. Run FUZZER=StructuredCloneReaderDOM objdir/dist/bin/firefox test.bin
Comment 1 (Reporter) • 3 years ago

Comment 2 (Reporter) • 3 years ago

Comment 3 • 3 years ago
It looks like we're hitting a null deref inside of CheckedInt. I'm not sure what that means, though, as there is no line number on the top frame.
Comment 4 • 3 years ago
Oh, hmm, https://searchfox.org/mozilla-central/rev/dc09246dfbfd8dafeb6d55ebee18a6294d525443/js/src/vm/StructuredClone.cpp#3616
As far as I see, readString may return null, so JS_ReadString returns a success value even though the underlying call fails, right?
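As an added illustration (not Firefox or SpiderMonkey code, and not the fix that landed in this bug), the following C++ is a cut-down model of the contract problem raised in comment 4: a string-reading API that reports success while handing back a null string, and a caller shaped like ReadAsCString that must check for null before passing the pointer to an AssignJSString-style helper. Every type, function and the two-byte tag/length wire format here is a constructed stand-in, chosen only to make the failure mode reproducible without a browser build.

```cpp
// Added illustration, not Firefox/SpiderMonkey code: a toy model of a
// "read string" API that reports success with a null result, and the
// defensive check a caller needs so that it never dereferences that null.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed toy wire format for this example: [tag:u8][len:u8][len bytes].
enum : uint8_t { kTagString = 1, kTagOther = 2 };

struct ToyJSString { std::string chars; };

struct ToyReader {
  std::vector<uint8_t> buf;
  size_t pos = 0;
  std::vector<std::unique_ptr<ToyJSString>> owned;  // stands in for the GC heap

  explicit ToyReader(std::vector<uint8_t> bytes) : buf(std::move(bytes)) {}

  // Stand-in for readString(): returns nullptr when the next item is not a
  // string, or when its declared length runs past the end of the buffer.
  ToyJSString* readString() {
    if (pos + 2 > buf.size() || buf[pos] != kTagString) return nullptr;
    size_t len = buf[pos + 1];
    if (pos + 2 + len > buf.size()) return nullptr;
    owned.push_back(std::make_unique<ToyJSString>());
    owned.back()->chars.assign(buf.begin() + pos + 2, buf.begin() + pos + 2 + len);
    pos += 2 + len;
    return owned.back().get();
  }
};

// The contract comment 4 suspects: success is reported even when
// readString() produced nullptr, so the caller sees "ok" plus a null string.
bool ReadStringLenient(ToyReader& r, ToyJSString** out) {
  *out = r.readString();
  return true;
}

// Hardened contract: a null string is a failed read.
bool ReadStringChecked(ToyReader& r, ToyJSString** out) {
  *out = r.readString();
  return *out != nullptr;
}

// Stand-in for AssignJSString: assumes a non-null string, like the top frame.
bool AssignToyString(ToyJSString* str, std::string& dest) {
  dest = str->chars;  // a null `str` faults right here
  return true;
}

// Caller shaped like ReadAsCString, with the null check that prevents the
// dereference even if the underlying API turns out to be lenient.
bool ReadAsCString(ToyReader& r, std::string& out) {
  ToyJSString* str = nullptr;
  if (!ReadStringChecked(r, &str)) return false;
  if (!str) return false;  // never trust the success flag alone
  return AssignToyString(str, out);
}

// Shows the defect without crashing: true when the lenient API said "ok"
// but returned a null string.
bool LenientReportsOkWithNull(const std::vector<uint8_t>& bytes) {
  ToyReader r(bytes);
  ToyJSString* str = nullptr;
  bool ok = ReadStringLenient(r, &str);
  return ok && str == nullptr;
}

// Drives the hardened caller from raw bytes.
bool ReadAsCStringFromBytes(const std::vector<uint8_t>& bytes, std::string& out) {
  ToyReader r(bytes);
  return ReadAsCString(r, out);
}

int main() {
  std::string s;
  const std::vector<uint8_t> good = {kTagString, 3, 'a', 'b', 'c'};     // constructed
  const std::vector<uint8_t> wrongTag = {kTagOther, 3, 'a', 'b', 'c'};  // constructed
  const std::vector<uint8_t> truncated = {kTagString, 10, 'a'};         // constructed
  std::printf("good: ok=%d value=%s\n", ReadAsCStringFromBytes(good, s), s.c_str());
  std::printf("wrongTag: lenient ok-with-null=%d, hardened ok=%d\n",
              LenientReportsOkWithNull(wrongTag), ReadAsCStringFromBytes(wrongTag, s));
  std::printf("truncated: hardened ok=%d\n", ReadAsCStringFromBytes(truncated, s));
  return 0;
}
```

The point the model makes is that a boolean success flag and a non-null result are two separate contracts; a deserializer fed fuzzer or attacker-controlled bytes should treat "ok but null" as a hard failure at the API boundary, and callers should still check the pointer themselves.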
Comment 5 (Assignee) • 3 years ago
I'm not sure what I can do with testcase.bin, was this supposed to be a zip file? 🤔
Edit: Ah okay, comment #0 has the steps. 😛
Comment 6 (Reporter) • 3 years ago
(In reply to Kagami :saschanaz from comment #5)
> I'm not sure what I can do with testcase.bin, was this supposed to be a zip file? 🤔
> Edit: Ah okay, comment #0 has the steps. 😛
Yea, the .bin file is the input to the fuzzing target, which in this case is here:
So this is the data that ends up in StructuredCloneData.
Comment 7 (Assignee) • 3 years ago
Thanks, it totally makes sense to be a binary then!
BTW, do any of you know how to make a testcase here? Probably no way to cause such a wrong binary by a WPT or a mochitest 🤔
Comment 8 (Assignee) • 3 years ago

Updated • 3 years ago
Comment 9 (Reporter) • 3 years ago
(In reply to Kagami :saschanaz from comment #7)
> Thanks, it totally makes sense to be a binary then!
> BTW, do any of you know how to make a testcase here? Probably no way to cause such a wrong binary by a WPT or a mochitest 🤔
Unfortunately, we don't have a good test framework for this right now, except crafting a gtest. But I am not sure if that would really provide us with a lot of benefits because fuzzing is exercising the code already by the exact same means (the fuzzing target is practically acting like a dynamic gtest).
Comment 10 • 3 years ago

Comment 11 • 3 years ago

Updated (bugherder) • 3 years ago