Closed Bug 1788543 Opened 3 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ strcmp] with READ of size 1 through [@ nsPrinterCUPS::TryEnsurePrinterInfo]

Categories

(Core :: Printing: Setup, defect)

Product:
Core
Component:
Printing: Setup
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox106 --- wontfix

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, sec-vector)

Attachments

(1 file)

Detailed Crash Information
28.69 KB, text/plain
Details

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 106.0a1-20220831093258-https://hg.mozilla.org/mozilla-central/rev/11e997d3cf78eb6a4f31a1e13a2509f4181f4b0a.

For detailed crash information, see attachment.

Group: core-security → layout-core-security
Component: General → Printing: Output

It looks like this is inside CUPS code so I don't know how actionable it is.

Emily, it looks like you've done some work in nsPrinterCUPS.cpp recently. Do you have any ideas about what we might be able to do for this? Thanks.

Component: Printing: Output → Printing: Setup
Flags: needinfo?(emcdonough)
Keywords: csectype-uaf

I'll take a look at this and see if I can figure anything out.

OK, I looked into this. Unfortunately, though the stacktrace looks valid, I don't think it helps us track down the exact issue beyond having some issue with memory management and CUPS. I believe that either this is the result of unrelated memory corruption that happened to hit the CUPS string table, or (more likely to me) this is a real issue with our usage of CUPS but this stacktrace occurs during a later call into CUPS code, and not the call that caused the problem.

Unfortunately this stacktrace doesn't indicate enough information about the CUPS configuration for me to really diagnose anything specific at this point. It's possible this is in some way related to the implied crashes with Firefox using a remote CUPS server, or this could be a new issue.

There were some concerns that CUPS code may have race conditions in its string table code, but after looking through it I think it's pretty carefully implemented to lock the string table with a mutex for any accesses and so I don't think this is the cause.

(Leaving my ni because I want to investigate further with a local ASAN build and see if I can reproduce this issue locally)

I'll mark this sec-vector.

Keywords: sec-vector

(RE 'regression' keyword: we don't strictly know that this is a regression; we've just gotten a single report and that's the only info we have, really.)

Severity: critical → S2

(In reply to Emily McDonough [:alaskanemily] from comment #4)

(Leaving my ni because I want to investigate further with a local ASAN build and see if I can reproduce this issue locally)

Did you get around to this?

(In reply to Christian Holler (:decoder) from comment #0)

The attached crash information was submitted via the ASan Nightly Reporter

Given we only have this one data-point, and there's external software / tooling involved (CUPS / printers), this might end up being stalled/dunno. (Emily investigated pretty thoroughly in comment 4, modulo the pending needinfo, and it sounds like we're a bit stumped.)

Flags: needinfo?(choller)

Calling this stalled and downgrading to S3 at the moment, per end of comment 7.

Severity: S2 → S3
Keywords: stalled
See Also: → 1823565
See Also: → 1824800

Resolving stalled bugs we don't have ongoing issues with or a path forward on.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(emcdonough)
Flags: needinfo?(choller)
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: