1813284 - heap-buffer-overflow in [@ mozilla::dom::indexedDB::Key::EncodeAsString]

Status: VERIFIED FIXED

(Core :: Storage: IndexedDB, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.zip

Found while fuzzing m-c 20230106-7968ae37c117 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip

==40760==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200012db48 at pc 0x7f57c98e01b6 bp 0x7f57238ca310 sp 0x7f57238ca308
WRITE of size 16 at 0x60200012db48 thread T18
    #0 0x7f57c98e01b5 in transform<const unsigned char *, char *, (lambda at /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:644:20)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_algo.h:4306:12
    #1 0x7f57c98e01b5 in mozilla::Result<mozilla::Ok, nsresult> mozilla::dom::indexedDB::Key::EncodeAsString<unsigned char>(mozilla::Span<unsigned char const, 18446744073709551615ul>, unsigned char) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:643:5
    #2 0x7f57c98dd2f3 in mozilla::dom::indexedDB::Key::EncodeBinary(JSObject*, bool, unsigned char) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:845:10
    #3 0x7f57c98dbb5c in mozilla::dom::indexedDB::Key::EncodeJSValInternal(JSContext*, JS::Handle<JS::Value>, unsigned char, unsigned short) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:441:14
    #4 0x7f57c98e1e09 in mozilla::dom::indexedDB::Key::ArrayValueEncoder::ConvertSubkey(JSContext*, JS::Handle<JS::Value>, unsigned int) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:354:14
    #5 0x7f57c98dd944 in mozilla::Result<mozilla::Ok, mozilla::dom::indexedDB::detail::IDBError<(mozilla::dom::indexedDB::IDBSpecialValue)1>> mozilla::dom::indexedDB::(anonymous namespace)::ConvertArrayValueToKey<mozilla::dom::indexedDB::Key::ArrayValueEncoder>(JSContext*, JS::Handle<JSObject*>, mozilla::dom::indexedDB::Key::ArrayValueEncoder&&) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:92:27
    #6 0x7f57c98dbd67 in mozilla::dom::indexedDB::Key::EncodeJSValInternal(JSContext*, JS::Handle<JS::Value>, unsigned char, unsigned short) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:446:14
    #7 0x7f57c98e0e09 in EncodeJSVal /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:546:10
    #8 0x7f57c98e0e09 in mozilla::dom::indexedDB::Key::SetFromJSVal(JSContext*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:901:17
    #9 0x7f57c993d984 in mozilla::dom::IDBFactory::Cmp(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/indexedDB/IDBFactory.cpp:431:23
    #10 0x7f57c58b328a in mozilla::dom::IDBFactory_Binding::cmp(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/IDBFactoryBinding.cpp:343:39
    #11 0x7f57c70f9ba5 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
    #12 0x7f57cfd0bc74 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #13 0x7f57cfd0bc74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #14 0x7f57cfcfac5a in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #15 0x7f57cfcfac5a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
    #16 0x7f57cfcfac5a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
    #17 0x7f57cfcded7c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #18 0x7f57cfd0f6f9 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:812:13
    #19 0x7f57cfe457ae in EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:537:10
    #20 0x7f57cfe457ae in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:545:10
    #21 0x7f57ca008896 in EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:455:10
    #22 0x7f57ca008896 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1102:13
    #23 0x7f57ca007ffe in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:800:10
    #24 0x7f57ca011493 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessClassicScripts(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1525:25
    #25 0x7f57ca0115ad in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1541:10
    #26 0x7f57ca06a550 in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
    #27 0x7f57c1eb932b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16
    #28 0x7f57c1ec2e04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #29 0x7f57ca05a845 in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4312:9
    #30 0x7f57c7cfc42e in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1526:27
    #31 0x7f57ca0124c2 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:249:14
    #32 0x7f57ca012042 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1661:3
    #33 0x7f57ca07c707 in mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:381:5
    #34 0x7f57ca06a550 in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
    #35 0x7f57c1eb932b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16
    #36 0x7f57c1ec2e04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #37 0x7f57ca0521ac in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3265:7
    #38 0x7f57ca028702 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2044:42
    #39 0x7f57c1eb932b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16
    #40 0x7f57c1ec2e04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #41 0x7f57c3645f14 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #42 0x7f57c34c3877 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #43 0x7f57c34c3877 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #44 0x7f57c34c3877 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #45 0x7f57c1eb0e05 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:383:10
    #46 0x7f57e4391628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #47 0x7f57e47f4b42 in start_thread nptl/pthread_create.c:442:8
    #48 0x7f57e48869ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x60200012db48 is located 8 bytes to the right of 16-byte region [0x60200012db30,0x60200012db40)
allocated by thread T18 here:
    #0 0x5613db6eb8ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f57c1c1a235 in Alloc /builds/worker/checkouts/gecko/xpcom/string/nsStringBuffer.cpp:68:42
    #2 0x7f57c1c1a235 in nsTSubstring<char>::StartBulkWriteImpl(unsigned long, unsigned long, bool, unsigned long, unsigned long, unsigned long) /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:232:32
    #3 0x7f57c1c298db in SetLength /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:960:12
    #4 0x7f57c1c298db in nsTSubstring<char>::EnsureMutable(unsigned long) /builds/worker/checkouts/gecko/xpcom/string/nsTSubstring.cpp:381:10
    #5 0x7f57c1c3f91a in nsTSubstring<char>::GetMutableData(char**, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTSubstring.h:1020:10
    #6 0x7f57c98dffa6 in mozilla::Result<mozilla::Ok, nsresult> mozilla::dom::indexedDB::Key::EncodeAsString<unsigned char>(mozilla::Span<unsigned char const, 18446744073709551615ul>, unsigned char) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:609:16
    #7 0x7f57c98dd2f3 in mozilla::dom::indexedDB::Key::EncodeBinary(JSObject*, bool, unsigned char) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:845:10
    #8 0x7f57c98dbb5c in mozilla::dom::indexedDB::Key::EncodeJSValInternal(JSContext*, JS::Handle<JS::Value>, unsigned char, unsigned short) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:441:14
    #9 0x7f57c98e1e09 in mozilla::dom::indexedDB::Key::ArrayValueEncoder::ConvertSubkey(JSContext*, JS::Handle<JS::Value>, unsigned int) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:354:14
    #10 0x7f57c98dd944 in mozilla::Result<mozilla::Ok, mozilla::dom::indexedDB::detail::IDBError<(mozilla::dom::indexedDB::IDBSpecialValue)1>> mozilla::dom::indexedDB::(anonymous namespace)::ConvertArrayValueToKey<mozilla::dom::indexedDB::Key::ArrayValueEncoder>(JSContext*, JS::Handle<JSObject*>, mozilla::dom::indexedDB::Key::ArrayValueEncoder&&) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:92:27
    #11 0x7f57c98dbd67 in mozilla::dom::indexedDB::Key::EncodeJSValInternal(JSContext*, JS::Handle<JS::Value>, unsigned char, unsigned short) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:446:14
    #12 0x7f57c98e0e09 in EncodeJSVal /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:546:10
    #13 0x7f57c98e0e09 in mozilla::dom::indexedDB::Key::SetFromJSVal(JSContext*, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/dom/indexedDB/Key.cpp:901:17
    #14 0x7f57c993d984 in mozilla::dom::IDBFactory::Cmp(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/indexedDB/IDBFactory.cpp:431:23
    #15 0x7f57c58b328a in mozilla::dom::IDBFactory_Binding::cmp(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/IDBFactoryBinding.cpp:343:39
    #16 0x7f57c70f9ba5 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3308:13
    #17 0x7f57cfd0bc74 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #18 0x7f57cfd0bc74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #19 0x7f57cfcfac5a in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #20 0x7f57cfcfac5a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:619:10
    #21 0x7f57cfcfac5a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3362:16
    #22 0x7f57cfcded7c in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #23 0x7f57cfd0f6f9 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:812:13
    #24 0x7f57cfe457ae in EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:537:10
    #25 0x7f57cfe457ae in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceText<mozilla::Utf8Unit>&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:545:10
    #26 0x7f57ca008896 in EvaluateSourceBuffer<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:455:10
    #27 0x7f57ca008896 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1102:13
    #28 0x7f57ca007ffe in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:800:10
    #29 0x7f57ca011493 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessClassicScripts(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1525:25
    #30 0x7f57ca0115ad in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1541:10
    #31 0x7f57ca06a550 in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
    #32 0x7f57c1eb932b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1191:16
    #33 0x7f57c1ec2e04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #34 0x7f57ca05a845 in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4312:9
    #35 0x7f57c7cfc42e in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1526:27
    #36 0x7f57ca0124c2 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:249:14
    #37 0x7f57ca012042 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /builds/worker/checkouts/gecko/dom/workers/ScriptLoader.cpp:1661:3

Thread T18 created by T0 (Isolated Servic) here:
    #0 0x5613db6d47dc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f57e43816f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f57e4372b6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f57c1eb42ab in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18
    #4 0x7f57ca078a0a in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7f57c9ffef87 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1325:37
    #6 0x7f57c9ffdcea in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1207:19
    #7 0x7f57ca04c4d5 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2639:24
    #8 0x7f57ca04bea3 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2549:10
    #9 0x7f57ca08b60a in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:452:41
    #10 0x7f57ca0bf08a in operator() /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:307:29
    #11 0x7f57ca0bf08a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #12 0x7f57c1e7c3ef in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
    #13 0x7f57c1e8fb79 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
    #14 0x7f57c1e86997 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
    #15 0x7f57c1e83c18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:684:15
    #16 0x7f57c1e84340 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
    #17 0x7f57c1e95cb4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
    #18 0x7f57c1e95cb4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #19 0x7f57c1eb8b04 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
    #20 0x7f57c1ec2e04 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #21 0x7f57c36448c3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #22 0x7f57c34c3877 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #23 0x7f57c34c3877 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #24 0x7f57c34c3877 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #25 0x7f57ca945359 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #26 0x7f57cf8ee928 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
    #27 0x7f57c34c3877 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #28 0x7f57c34c3877 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #29 0x7f57c34c3877 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #30 0x7f57cf8ee0bf in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
    #31 0x5613db728494 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #32 0x5613db728957 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
    #33 0x7f57e4789d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/SWAbizoG1ARi2ldc8oK4Ow/index.html

Comment 2

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230127094652-f75c73066b88.
The bug appears to have been introduced in the following build range:

Start: 3549afc9ae9392bd97f10982e0c3962d72d6a854 (20221014170630)
End: f824c70961a719178dbd35d0c43400bbb999df60 (20221014182855)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=3549afc9ae9392bd97f10982e0c3962d72d6a854&tochange=f824c70961a719178dbd35d0c43400bbb999df60

Comment 3

[Jens Stutte [:jstutte]]

Looks like Key::EncodeAsString is calculating buffer sizes inside uint32_t variables. The testcase passes in a 0x100000000 long string as key which will make integer operations wrap and fail, resulting here in a nice 4GB buffer overflow.

Either we limit the maximum length of keys (which IIRC would not really be backed by the spec) or we need to just deal with long buffers correctly (using probably size_t instead).

Comment 4

[Andrew Sutherland [:asuth] (he/him)]

I think we just have https://searchfox.org/mozilla-central/rev/861fb9abfcaff123aab45f6ac56a0106b116dc14/dom/indexedDB/Key.cpp#560-563 as existing limits used in 2 places

// nsCString maximum length is limited by INT32_MAX.
// XXX: We probably want to enforce even shorter keys, though.
#define KEY_MAXIMUM_BUFFER_LENGTH \
  ::mozilla::detail::nsTStringLengthStorage<char>::kMax

Comment 5

[Jens Stutte [:jstutte]]

Thanks, that was only a few lines above... And I touched that code recently, without seeing the 32Bit footgun.

Comment 6

[Jens Stutte [:jstutte]]

Attachment: Bug 1813284 - Check KEY_MAXIMUM_BUFFER_LENGTH in EncodeNumber and propagate errors. r?#dom-storage-reviewers

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:jstutte, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Comment 8

[Jens Stutte [:jstutte]]

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #7)

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

So bug 1774462 removed this preliminary check believing that the rest of the code did the right check. And it did, except for the integer wrap (which before would never been hit). The original check was not 100% correct as well, as it did not account well for multibytes, but it would have protected us at least from this specific case, I think. The formerly used CheckedUint32 types instead would not have helped in release, neither.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1774462

Comment 10

[Jens Stutte [:jstutte]]

Comment on attachment 9315062 [details]
Bug 1813284 - Check KEY_MAXIMUM_BUFFER_LENGTH in EncodeNumber and propagate errors. r?#dom-storage-reviewers

Security Approval Request

• How easily could an exploit be constructed based on the patch?: We tried to not just make the uint32_t to size_t change but made some more refactoring, adding return value and checks also to EncodeNumber.
  Said that, it is quite clear that we handle with limits on copies into memory buffers here, the hope would be that people hunt for the wrong limit.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: none
• If not all supported branches, which bug introduced the flaw?: Bug 1774462
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: Not needed, AFAICS.
• How likely is this patch to cause regressions; how much testing does it need?: Not very likely. The main change is to use size_t where appropriate. The additional check in EncodeNumber should be hit only in very rare cases (but is needed).
• Is Android affected?: Unknown

Comment 11

[Jens Stutte [:jstutte]]

We will add a test based on the fuzzer test case later.

Comment 12

[Tom Ritter [:tjr]]

Comment on attachment 9315062 [details]
Bug 1813284 - Check KEY_MAXIMUM_BUFFER_LENGTH in EncodeNumber and propagate errors. r?#dom-storage-reviewers

Approved to land if you and relman are comfortable uplifting this to Beta this late in the cycle.

Comment 13

[Jens Stutte [:jstutte]]

(In reply to Tom Ritter [:tjr] from comment #12)

Approved to land if you and relman are comfortable uplifting this to Beta this late in the cycle.

Donal, are you? Should I just proceed with landing in nightly?

Comment 14

[Pascal Chevrel:pascalc]

Jens, what it the regression risk on uplifting to 110? Thanks

Comment 15

[Jens Stutte [:jstutte]]

(In reply to Pascal Chevrel:pascalc from comment #14)

Jens, what it the regression risk on uplifting to 110? Thanks

AFAICS very low, after successful landing in nightly, of course. We could make an even smaller version of the patch with only the size_t change, but that would probably paint a bulls-eye on the real issue and thus be counter-productive.

Comment 16

[Pascal Chevrel:pascalc]

Please proceed with landing and add an uplift request for beta, thanks!

Comment 17

[Jens Stutte [:jstutte]]

Comment on attachment 9315062 [details]
Bug 1813284 - Check KEY_MAXIMUM_BUFFER_LENGTH in EncodeNumber and propagate errors. r?#dom-storage-reviewers

Beta/Release Uplift Approval Request

• User impact if declined: A potential buffer overflow, sec-high. Landing in nightly still pending.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): The patch just widens some integers used for buffer length calculations from 32 to 64 bit on 64 bit platforms and adds a buffer length check.
• String changes made/needed:
• Is Android affected?: Unknown

Comment 18

[Jens Stutte [:jstutte]]

Note that I assume, Android is affected, too, but I did not test.

Comment 19

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Check KEY_MAXIMUM_BUFFER_LENGTH in EncodeNumber and propagate errors. r=dom-storage-reviewers,janv
https://hg.mozilla.org/integration/autoland/rev/fa8239b37a6b9eed16135780e806a57f7f053568
https://hg.mozilla.org/mozilla-central/rev/fa8239b37a6b

Comment 20

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230201215112-b7f075124503.

Comment 21

[Pascal Chevrel:pascalc]

Comment on attachment 9315062 [details]
Bug 1813284 - Check KEY_MAXIMUM_BUFFER_LENGTH in EncodeNumber and propagate errors. r?#dom-storage-reviewers

Approved for our last 110 beta, thanks.

Comment 22

[Pascal Chevrel:pascalc]

https://hg.mozilla.org/releases/mozilla-beta/rev/21e73cc4ce18

Comment 23

[BugBot [:suhaib / :marco/ :calixte]]

a month ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2023-03-28] .

jstutte, please refer to the original comment to better understand the reason for the reminder.

Comment 24

[Jens Stutte [:jstutte]]

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #23)

a month ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2023-03-28] .

jstutte, please refer to the original comment to better understand the reason for the reminder.

Edit: The testcase is allocating ~4GB of memory when executed. Not sure if we want this to run frequently as a regression test? FWIW, it would be probably straight forward to transform it, though.

Comment 25

[Jens Stutte [:jstutte]]

Keeping the ni? to make some try push with a test case.

Comment 26

[Jens Stutte [:jstutte]]

Attachment: Bug 1813284 - Add a crashtest. r?#dom-storage-reviewers

Comment 27

[BugBot [:suhaib / :marco/ :calixte]]

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)

Comment 28

[Jens Stutte [:jstutte]]

:tjr, can I just go ahead with the landing of the test?

Edit: After the soft-freeze ends, I assume.

Comment 29

[Tom Ritter [:tjr]]

Yes, you can land the test whenever you are comfortable doing so.

Comment 30

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Add a crashtest. r=dom-storage-reviewers,asuth
https://hg.mozilla.org/integration/autoland/rev/96173ccdb37e11dacf5a9f0b9c45a7eae2decbc8
https://hg.mozilla.org/mozilla-central/rev/96173ccdb37e