AddressSanitizer: heap-use-after-free [@ get] through [@ mozilla::net::Http2Session::RecvGoAway] with READ of size 8
Categories: Core :: Networking: HTTP, defect, P1
People: Reporter: decoder, Assigned: kershaw
4 keywords, Whiteboard: [necko-triaged][necko-priority-queue][post-critsmash-triage][adv-main109+r][adv-esr102.7+r]
Attachments (3 files, 1 obsolete file):
- 19.20 KB, text/plain
- 2.02 KB, application/octet-stream
- 48 bytes, text/x-phabricator-request; flags: RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr102+, tjr: sec-approval+
The attached testcase crashes on mozilla-central revision 20221219-91a9bbbe6bea (non-debug fuzzing ASan build).
For detailed crash information, see attachment.
To reproduce the issue, perform the following steps:
1. Download the attached testcase, save as "test.bin".
2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
3. Run FUZZER=NetworkHttp2ProxyHttp2 objdir/dist/bin/firefox test.bin
I reproduced this locally and it crashes consistently.
Comment 1 (Reporter), 1 year ago
Comment 2 (Reporter), 1 year ago
Comment 3 (Assignee), 1 year ago
Comment 4 (Assignee), 1 year ago
Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Probably quite easy.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Low, since the behavior is not changed.
- Is Android affected?: Yes
Comment 5, 1 year ago
Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko
Approved to land and request uplift
Comment 6 (Assignee), 1 year ago
Original Revision: https://phabricator.services.mozilla.com/D165564
Comment 7 (Assignee), 1 year ago
Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko
Beta/Release Uplift Approval Request
- User impact if declined: Possible crash due to UAF
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch is straightforward and doesn't change the behavior.
- String changes made/needed: N/A
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Possible crash due to UAF
- Fix Landed on Version: 111
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch is straightforward and doesn't change the behavior.
Comment 8, 1 year ago
Avoid manipulating the queue inside the loop, r=necko-reviewers,valentin
https://hg.mozilla.org/integration/autoland/rev/39c4e552181d90707621d0cde92401acca2ebde5
https://hg.mozilla.org/mozilla-central/rev/39c4e552181d
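The fix title names the defect class: a loop that walks a stream queue while code called from inside the loop edits that same queue. The C++ below is an added illustration of that pattern next to its hardened form; it is not Mozilla's code and not the actual Http2Session::RecvGoAway logic. Stream, Session and the GOAWAY scenario are hypothetical, and a tombstone flag stands in for ASan's freed-memory detection so the dangling read can be counted without invoking undefined behaviour.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical model, not Mozilla's Http2Stream/Http2Session. A stream is
// "freed" by setting a tombstone so a read of it can be counted deterministically.
struct Stream { int id; bool freed = false; };

struct Session {
  std::vector<Stream> pool;     // owns every stream of the session
  std::vector<Stream*> queued;  // streams waiting to be processed
  int freedReads = 0;           // reads of a freed stream (model of ASan READ)

  explicit Session(const std::vector<int>& ids) {
    pool.reserve(ids.size());   // pointers into pool stay valid
    for (int id : ids) pool.push_back(Stream{id});
    for (Stream& s : pool) queued.push_back(&s);
  }
  // Close a stream: remove it from the queue and release it.
  void CloseStream(Stream* s) {
    queued.erase(std::remove(queued.begin(), queued.end(), s), queued.end());
    s->freed = true;
  }
  int ReadId(const Stream* s) {
    if (s->freed) ++freedReads;
    return s->id;
  }
  // 'Before': CloseStream() edits 'queued' and frees 's' while the loop still holds
  // the index and the pointer. ReadId() after the close is the use-after-free, and
  // the erase shifts the next entry into slot i, so that entry is skipped.
  void RecvGoAwayUnsafe(int lastStreamId) {
    for (std::size_t i = 0; i < queued.size(); ++i) {
      Stream* s = queued[i];
      if (s->id > lastStreamId) CloseStream(s);
      (void)ReadId(s);  // bookkeeping after the close
    }
  }
  // 'After': decide inside the loop, mutate the queue only once the walk is done.
  void RecvGoAwaySafe(int lastStreamId) {
    std::vector<Stream*> toClose;
    for (Stream* s : queued) {
      (void)ReadId(s);
      if (s->id > lastStreamId) toClose.push_back(s);
    }
    for (Stream* s : toClose) CloseStream(s);
  }
};

// Constructed scenario: streams 1,3,5,7 queued, GOAWAY with last-stream-id 2.
struct Outcome { int freedReads; std::size_t remaining; };
Outcome RunUnsafe() { Session s({1, 3, 5, 7}); s.RecvGoAwayUnsafe(2); return {s.freedReads, s.queued.size()}; }
Outcome RunSafe()   { Session s({1, 3, 5, 7}); s.RecvGoAwaySafe(2);   return {s.freedReads, s.queued.size()}; }
```

The unsafe walk reads two freed streams and leaves stream 5 queued; the safe walk reads nothing after it is freed and closes all three streams above the limit.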
Comment 9, 1 year ago
Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko
Approved for 109.0b9.
Comment 10, 1 year ago
uplift
Comment 11, 1 year ago
Comment on attachment 9309913 [details]
Bug 1806974 - Avoid manipulating the queue inside the loop, r=#necko
Approved for 102.7esr.
Comment 12, 1 year ago
uplift