Closed
Bug 1781038
Opened 2 years ago
Closed 2 years ago
Crash [@ mozilla::dom::TCPSocket::Send]
Categories: Core :: Networking, defect
Tracking: RESOLVED FIXED, 105 Branch
People: Reporter: decoder, Assigned: decoder
Details: 4 keywords, Whiteboard: [adv-main105-]
Crash Data
Attachments (3 files)
Description
In experimental IPC fuzzing, we found the following crash on mozilla-central revision 375d42ba2f83+:
=================================================================
==2126==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b0 (pc 0x7fffdead048b bp 0x7fffffdbca30 sp 0x7fffffdbc840 T0)
#0 0x7fffdead048b in mozilla::dom::TCPSocket::Send(mozilla::dom::TypedArray<JS::ArrayBuffer> const&, unsigned int, mozilla::dom::Optional<unsigned int> const&, mozilla::ErrorResult&) dom/network/TCPSocket.cpp:780:19
#1 0x7fffdeadf48b in mozilla::dom::TCPSocketParent::RecvData(SendableData const&) dom/network/TCPSocketParent.cpp:131:16
#2 0x7fffdeb3add2 in mozilla::net::PTCPSocketParent::OnMessageReceived(IPC::Message const&) objdir/ipc/ipdl/PTCPSocketParent.cpp:354:97
#3 0x7fffdfabb716 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir/ipc/ipdl/PContentParent.cpp:6615:32
#4 0x7fffd19d7ce3 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1749:25
[...]
#22 0x7fffeafce326 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5748:22
The issue is that there is no null check for mSocket in TCPSocketParent::RecvData. Other methods seem to have a check for this in the form of NS_ENSURE_TRUE(mSocket, IPC_OK()); while this one does not.
(Marking s-s until we unhide all of the other IPC fuzzing bugs).
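To make the defect concrete, the following is an added example (not Mozilla's code and not the fix that landed): a minimal stand-alone model of a parent-side IPC actor whose socket pointer is null until the child opens a socket. `IPCResult`, `IPC_OK`, `NS_ENSURE_TRUE`, `TCPSocketParent`, `TCPSocket` and `mSocket` are simplified stand-ins named after the Gecko identifiers in the report, not the real declarations; the unchecked method shows the crash path, the guarded one shows the early-return pattern the report says sibling methods already use.

```cpp
// Added example (not Mozilla code): the missing-guard pattern the report
// describes, as a minimal stand-alone model. Names that mimic Gecko
// (IPCResult, IPC_OK, NS_ENSURE_TRUE, TCPSocketParent, mSocket) are
// simplified stand-ins, not the real declarations.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for mozilla::ipc::IPCResult: whether the parent handled the message.
struct IPCResult {
  bool ok;
};
inline IPCResult IPC_OK() { return IPCResult{true}; }

// Stand-in for the NS_ENSURE_TRUE(cond, ret) early-return macro.
#define NS_ENSURE_TRUE(cond, ret) \
  do {                            \
    if (!(cond)) return (ret);    \
  } while (0)

// Stand-in for mozilla::dom::TCPSocket: only the Send path matters here.
class TCPSocket {
 public:
  size_t Send(const std::vector<uint8_t>& data) {
    mBytesSent += data.size();  // with a null this, this access faults
    return data.size();
  }
  size_t BytesSent() const { return mBytesSent; }

 private:
  size_t mBytesSent = 0;
};

// Model of the parent-side IPC actor. mSocket is null until the child
// opens a socket and is null again after close; the child process decides
// when RecvData messages arrive relative to those events.
class TCPSocketParent {
 public:
  void Open() { mSocket = std::make_unique<TCPSocket>(); }
  void Close() { mSocket.reset(); }
  bool HasSocket() const { return mSocket != nullptr; }
  size_t BytesSent() const { return mSocket ? mSocket->BytesSent() : 0; }

  // Before the fix: dereferences mSocket unconditionally. Data sent before
  // Open() or after Close() calls Send on a null object, which is the kind
  // of fault the ASan SEGV at a small address in the report shows.
  IPCResult RecvDataUnchecked(const std::vector<uint8_t>& data) {
    mSocket->Send(data);  // null dereference when mSocket is null
    return IPC_OK();
  }

  // After the fix: the same guard the sibling Recv* methods use. A message
  // for a socket that does not exist is dropped instead of crashing the parent.
  IPCResult RecvData(const std::vector<uint8_t>& data) {
    NS_ENSURE_TRUE(mSocket, IPC_OK());
    mSocket->Send(data);
    return IPC_OK();
  }

 private:
  std::unique_ptr<TCPSocket> mSocket;
};

// Drives the guarded path through the states a child can put the actor in;
// returns the number of bytes that actually reached a socket.
size_t ExerciseGuardedPath() {
  TCPSocketParent parent;
  const std::vector<uint8_t> payload = {0x47, 0x45, 0x54, 0x20};  // constructed input
  parent.RecvData(payload);  // no socket yet: dropped, no crash
  parent.Open();
  parent.RecvData(payload);  // socket present: forwarded
  size_t sent = parent.BytesSent();
  parent.Close();
  parent.RecvData(payload);  // closed again: dropped, no crash
  return sent;  // 4
}

int main() {
  std::printf("bytes forwarded: %zu\n", ExerciseGuardedPath());
  return 0;
}
```

The guard returns `IPC_OK()` rather than an error: an unexpected message for a missing socket is treated as ignorable, matching the pattern the report quotes from the other methods, so a misbehaving child cannot take the parent process down with it.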
Updated 2 years ago
Assignee: nobody → choller
Status: NEW → ASSIGNED
Updated 2 years ago
Group: core-security → network-core-security
Comment 4, 2 years ago
Add missing null check in TCPSocketParent. r=kershaw
https://hg.mozilla.org/integration/autoland/rev/0f5671ee56eea4b5b5e098bee0535ba3bf79f4f6
https://hg.mozilla.org/mozilla-central/rev/0f5671ee56ee
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox105: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Updated 2 years ago
status-firefox103: --- → wontfix
status-firefox-esr102: --- → wontfix
status-firefox-esr91: --- → wontfix
Updated 2 years ago
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Updated 2 years ago
Whiteboard: [adv-main105-]
Updated 1 year ago
Group: core-security-release