Closed Bug 1812038 Opened 1 year ago Closed 1 year ago

Corrupt JAR file may cause OOM

Categories

(Core :: Networking: JAR, defect, P2)

RESOLVED FIXED
115 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- fixed

People

(Reporter: valentin, Assigned: valentin)

Details

(Keywords: sec-low, Whiteboard: [necko-triaged][fuzzblocker][adv-main115-])

Attachments

(1 file)

Because JARInputStream::Available() uses the value indicated by the JAR file as the size of the decompressed resource, in NS_ReadInputStreamToBuffer we may be allocating a huge buffer to hold all of the data that isn't there.

*** You are running in headless mode.
Running Fuzzer tests...
[92110, Main Thread] WARNING: NS_ENSURE_TRUE(greBinD) failed: file /mozilla-unified/tools/fuzzing/interface/harness/FuzzerTestHarness.h:211
[92110, Main Thread] WARNING: NS_ENSURE_TRUE(greD) failed: file /mozilla-unified/tools/fuzzing/interface/harness/FuzzerTestHarness.h:204
[Parent 92110, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, nullptr) failed with result 0x80004005 (NS_ERROR_FAILURE): file /mozilla-unified/toolkit/xre/MultiInstanceLock.cpp:263
INFO: Seed: 2567932663
INFO: Loaded 1 modules   (1542112 inline 8-bit counters): 1542112 [0x7f3356a74378, 0x7f3356becb58), 
INFO: Loaded 1 PC tables (1542112 PCs): 1542112 [0x7f3356becb58,0x7f3358374958), 
obj-asan-opt/dist/bin/firefox: Running 1 inputs 1 time(s) each.
Running: oom-45517b6816d66e06ade1c1b2568d63a21279e6f3
outsize:3338666000 total:0
mCount: 18446744073709551615 len 3338666000
==92110== ERROR: libFuzzer: out-of-memory (malloc(3338666000))
   To change the out-of-memory limit use -rss_limit_mb=<N>

    #0 0x55731c481e71 in __sanitizer_print_stack_trace /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55731c654108 in fuzzer::PrintStackTrace() /mozilla-unified/tools/fuzzing/libfuzzer/FuzzerUtil.cpp:210:5
    #2 0x55731c642513 in fuzzer::Fuzzer::HandleMalloc(unsigned long) /mozilla-unified/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:131:3
    #3 0x55731c64242e in fuzzer::MallocHook(void const volatile*, unsigned long) /mozilla-unified/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:100:6
    #4 0x55731c488a32 in __sanitizer::RunMallocHooks(void*, unsigned long) /builds/worker/fetches/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp:325:5
    #5 0x55731c3f72db in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:600:5
    #6 0x55731c3f4e63 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:953:34
    #7 0x55731c477e9e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:70:10
    #8 0x7f333f08805d in (anonymous namespace)::BufferWriter::WriteSync() /mozilla-unified/netwerk/base/nsNetUtil.cpp:1467:17
    #9 0x7f333f08805d in (anonymous namespace)::BufferWriter::Write() /mozilla-unified/netwerk/base/nsNetUtil.cpp:1412:14
    #10 0x7f333f08805d in NS_ReadInputStreamToBuffer(nsIInputStream*, void**, long, unsigned long*) /mozilla-unified/netwerk/base/nsNetUtil.cpp:1658:25
    #11 0x7f333f089169 in NS_ReadInputStreamToString(nsIInputStream*, nsTSubstring<char>&, long, unsigned long*) /mozilla-unified/netwerk/base/nsNetUtil.cpp:1707:7
    #12 0x7f333bcd8f99 in FuzzInner(char**, unsigned long*, nsIZipReader*, nsTSubstring<char> const&) /mozilla-unified/netwerk/test/fuzz/TestJARFuzzing.cpp:72:14
    #13 0x7f333bcda812 in FuzzingRunJARParser(unsigned char const*, unsigned long) /mozilla-unified/netwerk/test/fuzz/TestJARFuzzing.cpp:144:16
    #14 0x55731c643e3e in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /mozilla-unified/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
    #15 0x55731c636be2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /mozilla-unified/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:301:6
    #16 0x55731c639fd5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /mozilla-unified/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:810:9
    #17 0x7f334d5d567c in mozilla::FuzzerRunner::Run(int*, char***) /mozilla-unified/tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
    #18 0x7f334d4c67b9 in XREMain::XRE_mainStartup(bool*) /mozilla-unified/toolkit/xre/nsAppRunner.cpp:4656:35
    #19 0x7f334d4d9446 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-unified/toolkit/xre/nsAppRunner.cpp:5812:12
    #20 0x7f334d4da053 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /mozilla-unified/toolkit/xre/nsAppRunner.cpp:5880:21
    #21 0x55731c4b51ed in do_main(int, char**, char**) /mozilla-unified/browser/app/nsBrowserApp.cpp:226:22
    #22 0x55731c4b51ed in main /mozilla-unified/browser/app/nsBrowserApp.cpp:423:16
    #23 0x7f335cbe6d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #24 0x7f335cbe6e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #25 0x55731c3f3468 in _start (/mozilla-unified/obj-asan-opt/dist/bin/firefox+0xf1468) (BuildId: 35d2bde7f42f97d1b5106cc44e20b41c)

SUMMARY: libFuzzer: out-of-memory

Not sure how exploitable this is, other than a DoS. We need to fix this to unblock fuzzing.
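An added illustration, not Mozilla's code or the fix that landed, of the allocation pattern the report describes: a constructed stand-in stream (FakeJarEntryStream, an assumed name) whose Available() echoes the size the JAR declares, beside a reader that allocates only for bytes that actually arrive and stops at a hard cap, so the declared value can no longer drive a 3.3 GB malloc.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>
#include <vector>

// Constructed stand-in for a JAR entry stream (an assumption, not Mozilla's
// nsJARInputStream): Available() echoes the uncompressed size declared in the
// ZIP directory, which a corrupt file controls, while Read() only ever yields
// the bytes that really inflate.
struct FakeJarEntryStream {
  uint64_t declaredSize;          // untrusted: copied from JAR metadata
  std::vector<uint8_t> realData;  // what decompression actually produces
  size_t pos;
  FakeJarEntryStream(uint64_t declared, std::vector<uint8_t> data)
      : declaredSize(declared), realData(std::move(data)), pos(0) {}
  uint64_t Available() const { return declaredSize; }
  size_t Read(uint8_t* buf, size_t n) {
    size_t take = std::min(n, realData.size() - pos);
    if (take) memcpy(buf, realData.data() + pos, take);
    pos += take;
    return take;
  }
};

// Hardened reader: Available() is treated as a hint, never as an allocation
// size. The buffer grows only as bytes arrive, in fixed chunks, and reading
// stops at maxBytes. Returns the byte count, or SIZE_MAX if the cap is hit,
// so the declared size never influences how much memory gets allocated.
size_t ReadBounded(FakeJarEntryStream& s, std::vector<uint8_t>& out,
                   size_t maxBytes) {
  const size_t kChunk = 4096;
  uint8_t buf[kChunk];
  out.clear();
  for (;;) {
    size_t n = s.Read(buf, kChunk);
    if (n == 0) return out.size();
    if (out.size() + n > maxBytes) return SIZE_MAX;
    out.insert(out.end(), buf, buf + n);
  }
}

// Defender-side check: a declared size that disagrees with what actually
// inflated is the signature of a corrupt or hostile archive and is worth
// logging, since the entry would otherwise silently read short.
bool DeclaredSizeConsistent(const FakeJarEntryStream& s, size_t actual) {
  return s.declaredSize == static_cast<uint64_t>(actual);
}
```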

Whiteboard: [necko-triaged] → [necko-triaged][fuzzblocker]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:valentin, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(valentin.gosu)

Landed: https://hg.mozilla.org/integration/autoland/rev/68f1bedc4fd557b47ca24344df19955f8c78135b

Backed out for causing Windows build bustages in nsJARInputStream.cpp:
https://hg.mozilla.org/integration/autoland/rev/5cf4056958d263b7b31962c88780869883118f94

Push which ran failing task
Failure log

modules/libjar/nsJARInputStream.cpp(177,18): error: no matching function for call to 'min'

Flags: needinfo?(valentin.gosu)
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(valentin.gosu)
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
Flags: qe-verify-
Whiteboard: [necko-triaged][fuzzblocker] → [necko-triaged][fuzzblocker][adv-main115-]
Group: core-security-release