Closed Bug 1781744 Opened 3 years ago Closed 3 years ago

Crash [@ mozilla::dom::Document::IsValidDomain]

Categories: Core :: DOM: Content Processes, defect
Platform: x86_64 Linux

Tracking: RESOLVED FIXED, target milestone 105 Branch
Tracking Status:
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- fixed

People: Reporter: decoder, Assigned: decoder

Details: Keywords: crash, sec-other, testcase; Whiteboard: [adv-main105-]

Attachments: 3 files

In experimental IPC fuzzing, we found the following crash on mozilla-central revision 375d42ba2f83+:

=================================================================
==2123==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffd4deffcc bp 0x7fffffd87bb0 sp 0x7fffffd87940 T0)
==2123==The signal is caused by a READ memory access.
    #0 0x7fffd4deffcc in mozilla::dom::Document::IsValidDomain(nsIURI*, nsIURI*) dom/base/Document.cpp:9010:7
    #1 0x7fffdf5f127a in mozilla::dom::WindowGlobalParent::RecvSetDocumentDomain(nsIURI*) dom/ipc/WindowGlobalParent.cpp:1300:8
    #2 0x7fffdfdd8728 in mozilla::dom::PWindowGlobalParent::OnMessageReceived(IPC::Message const&) objdir-ff-asan-oldc/ipc/ipdl/PWindowGlobalParent.cpp:2117:86
    #3 0x7fffdfabb966 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-asan-oldc/ipc/ipdl/PContentParent.cpp:6615:32
    #4 0x7fffd19d7ea3 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1749:25
    [...]
    #23 0x7fffeafd1521 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5942:8

This seems to be missing a null check for aDomain in WindowGlobalParent::RecvSetDocumentDomain. I'll push a patch in a few.

(s-s until we unhide all the IPC bugs).
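The failure mode in the report, shown as an added C++ sketch that is not Firefox's code: a parent-process IPC handler that passes a child-supplied pointer straight into a function that dereferences it, beside the form that validates the pointer first. Uri, IpcResult, IsValidDomain's suffix rule and WindowGlobalParentSketch are hypothetical stand-ins for nsIURI, mozilla::ipc::IPCResult, Document::IsValidDomain and WindowGlobalParent; what the actual Firefox patch does is not reproduced here.

```cpp
// Added illustration, not Firefox source. Models the bug's shape: a pointer
// deserialized from an untrusted content process is dereferenced in the
// parent without a null check.
#include <iostream>
#include <string>

// Hypothetical stand-in for nsIURI; only the host matters here.
struct Uri {
  std::string host;
};

// Hypothetical stand-in for mozilla::ipc::IPCResult.
enum class IpcResult { Ok, Fail };

// Hypothetical stand-in for Document::IsValidDomain. The rule sketched here
// (document.domain may be set to the current host or a parent domain of it,
// e.g. "a.example.org" -> "example.org") is an assumption for the example.
// Like the real function it takes raw pointers and assumes they are non-null.
bool IsValidDomain(const Uri* origin, const Uri* domain) {
  const std::string& o = origin->host;
  const std::string& d = domain->host;  // a null `domain` faults right here
  if (d.empty()) {
    return false;
  }
  if (o == d) {
    return true;
  }
  // Require a label boundary: "xexample.org" must not match "example.org".
  return o.size() > d.size() &&
         o.compare(o.size() - d.size() - 1, d.size() + 1, "." + d) == 0;
}

struct WindowGlobalParentSketch {
  Uri documentUri;            // parent-owned, trusted
  std::string currentDomain;  // effective document.domain

  // Unsafe form, mirroring the missing check: the wire format allows a null
  // nsIURI*, so a child process can make `domain` null at will and crash the
  // parent (the SEGV on address 0x0 in the ASan report above).
  IpcResult RecvSetDocumentDomainUnsafe(const Uri* domain) {
    if (!IsValidDomain(&documentUri, domain)) {
      return IpcResult::Ok;  // reject silently, nothing changes
    }
    currentDomain = domain->host;
    return IpcResult::Ok;
  }

  // Hardened form: every pointer that crossed the process boundary is
  // validated before use. Failing the message (hypothetical IPC_FAIL
  // equivalent) pushes the consequence onto the misbehaving sender instead of
  // the parent process.
  IpcResult RecvSetDocumentDomain(const Uri* domain) {
    if (!domain) {
      return IpcResult::Fail;
    }
    if (!IsValidDomain(&documentUri, domain)) {
      return IpcResult::Ok;
    }
    currentDomain = domain->host;
    return IpcResult::Ok;
  }
};

int main() {
  WindowGlobalParentSketch w{{"a.example.org"}, ""};
  Uri parent{"example.org"};
  Uri other{"evil.example"};

  std::cout << "null domain:   "
            << (w.RecvSetDocumentDomain(nullptr) == IpcResult::Fail ? "IPC_FAIL" : "ok")
            << "\n";
  std::cout << "parent domain: "
            << (w.RecvSetDocumentDomain(&parent) == IpcResult::Ok ? "ok" : "fail")
            << " -> document.domain=" << w.currentDomain << "\n";
  w.RecvSetDocumentDomain(&other);
  std::cout << "foreign host:  rejected, document.domain=" << w.currentDomain << "\n";
  // w.RecvSetDocumentDomainUnsafe(nullptr) would fault reading domain->host,
  // which is the read the sanitizer trace above reports.
  return 0;
}
```

The point of the hardened handler is where the check lives: in the Recv method, at the trust boundary, rather than inside the helper it calls. A helper such as IsValidDomain may legitimately assume non-null arguments when every in-process caller guarantees them; an IPC entry point cannot make that assumption because the sending process chooses the bytes.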

Attached file Testcase
Assignee: nobody → choller
Status: NEW → ASSIGNED
Keywords: sec-other
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
QA Whiteboard: [qa-regression-triage]
Flags: qe-verify-
Whiteboard: [adv-main105-]
Group: core-security-release