Closed Bug 1781038 Opened 2 years ago Closed 2 years ago

Crash [@ mozilla::dom::TCPSocket::Send]

Categories

(Core :: Networking, defect)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
105 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- fixed

People

(Reporter: decoder, Assigned: decoder)

Details

(4 keywords, Whiteboard: [adv-main105-])

Crash Data

Attachments

(3 files)

In experimental IPC fuzzing, we found the following crash on mozilla-central revision 375d42ba2f83+:

=================================================================
==2126==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000b0 (pc 0x7fffdead048b bp 0x7fffffdbca30 sp 0x7fffffdbc840 T0)
    #0 0x7fffdead048b in mozilla::dom::TCPSocket::Send(mozilla::dom::TypedArray<JS::ArrayBuffer> const&, unsigned int, mozilla::dom::Optional<unsigned int> const&, mozilla::ErrorResult&) dom/network/TCPSocket.cpp:780:19
    #1 0x7fffdeadf48b in mozilla::dom::TCPSocketParent::RecvData(SendableData const&) dom/network/TCPSocketParent.cpp:131:16
    #2 0x7fffdeb3add2 in mozilla::net::PTCPSocketParent::OnMessageReceived(IPC::Message const&) objdir/ipc/ipdl/PTCPSocketParent.cpp:354:97
    #3 0x7fffdfabb716 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir/ipc/ipdl/PContentParent.cpp:6615:32
    #4 0x7fffd19d7ce3 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1749:25
    [...]
    #22 0x7fffeafce326 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5748:22

The issue is that there is no null check for mSocket in TCPSocketParent::RecvData. Other methods seem to have a check for this in the form of NS_ENSURE_TRUE(mSocket, IPC_OK()); while this one does not.
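
The following is an added illustration of the guard pattern the report describes; it is not Firefox code. It models the parent-side actor with a mock socket and an IPDL-style result type (the `MockTCPSocketParent`, `MockSocket`, `IpcResult` and `ReplayMessages` names are assumptions for the example). A `Data` message can still be dispatched after the socket has been closed and `mSocket` cleared, so every handler that touches `mSocket` needs the same null check as the other methods, not just the ones that happened to have it.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Stand-in for the IPDL handler result type (assumption: mirrors IPCResult / IPC_OK()).
enum class IpcResult { Ok, Fail };
static IpcResult IPC_OK() { return IpcResult::Ok; }

// Stand-in for the TCPSocket owned by the parent actor; records what was sent.
struct MockSocket {
  std::vector<uint8_t> sent;
  void Send(const std::vector<uint8_t>& data) {
    sent.insert(sent.end(), data.begin(), data.end());
  }
};

// Stand-in for TCPSocketParent. mSocket becomes null once the socket is closed,
// but messages the child already queued are still dispatched afterwards.
struct MockTCPSocketParent {
  std::unique_ptr<MockSocket> mSocket = std::make_unique<MockSocket>();

  void Close() { mSocket.reset(); }

  // The unguarded shape from the report: a Data message arriving after Close()
  // dereferences a null mSocket. Only ever called here while the socket is open.
  IpcResult RecvDataUnguarded(const std::vector<uint8_t>& data) {
    mSocket->Send(data);
    return IPC_OK();
  }

  // The guarded shape: the equivalent of NS_ENSURE_TRUE(mSocket, IPC_OK()).
  // A late message is dropped and the IPC channel stays alive.
  IpcResult RecvDataGuarded(const std::vector<uint8_t>& data) {
    if (!mSocket) {
      return IPC_OK();
    }
    mSocket->Send(data);
    return IPC_OK();
  }
};

// Replays a constructed message sequence: Data while open, Close, then a late
// Data. Returns the number of bytes the socket received before it was closed,
// or SIZE_MAX if the late message was not handled cleanly.
static size_t ReplayMessages() {
  MockTCPSocketParent parent;
  const std::vector<uint8_t> first{1, 2, 3};  // constructed payload
  const std::vector<uint8_t> late{4, 5};      // constructed payload

  // While the socket is open both handler shapes behave identically.
  if (parent.RecvDataUnguarded(first) != IpcResult::Ok) return SIZE_MAX;
  const size_t delivered = parent.mSocket->sent.size();

  // Socket closed: mSocket is now null, but a queued Data message still arrives.
  parent.Close();
  if (parent.RecvDataGuarded(late) != IpcResult::Ok) return SIZE_MAX;
  return delivered;
}

int main() { return ReplayMessages() == 3 ? 0 : 1; }
```

The guarded handler returns `IPC_OK()` rather than an error so that a benign late message does not tear down the whole content-process channel; the real `NS_ENSURE_TRUE` additionally logs a warning, which is useful when hunting for other handlers that reach `mSocket` without a check.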

(Marking s-s until we unhide all of the other IPC fuzzing bugs).

Attached file Testcase
Assignee: nobody → choller
Status: NEW → ASSIGNED
Group: core-security → network-core-security
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main105-]
Group: core-security-release