Closed Bug 1817588 Opened 2 years ago Closed 2 years ago

NULL dereferences on MIME handler failures on OpenBSD

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
Firefox 109
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- fixed

People

(Reporter: tb, Assigned: tb)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file, 6 obsolete files)

Bug 1817588 - Ensure OpenBSD URI handlers set GError on failure r=gaston,stransky
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

Try to download a magnet feed, selecting qbittorrent as handler.

Actual results:

The firefox main process crashed

Expected results:

Firefox should have downloaded the magnet feed and passed it to qbittorrent to handle.

content_type can be populated and result_uncertain can be true,
and in that case, content_type leaks.

There are various failure paths that result in NULL dereferences
of error. Fix this by setting the error explicitly to match the
API contract of the glib2 functions these replace. These crashes
are particularly annoying since they happen in the main process.

Depends on D170274

Assignee: nobody → tb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #9318568 - Attachment description: WIP: Bug 1817588 - Plug memory leak in g_app_info_launch_default_for_uri_openbsd() → Bug 1817588 - Plug memory leak in g_app_info_launch_default_for_uri_openbsd()
Attachment #9318569 - Attachment description: WIP: Bug 1817588 - Ensure openbsd uri handlers set GError on failure → Bug 1817588 - Ensure openbsd uri handlers set GError on failure

caused by

Regressed by: 1714919

Set release status flags based on info from the regressing bug 1714919

status-firefox110: --- → affected
status-firefox111: --- → affected
status-firefox112: --- → affected
status-firefox-esr102: --- → unaffected

Fwiw, i've backported the patch to thunderbird 110.0b4 which i'm testing, and i think g_warning is redundant with g_set_error since i have this on stderr:

[Parent 62186, Main Thread] WARNING: Could not find content type for URI: https://www.thunderbird.net/thunderbird/102.0/eoy/: 'glib warning', file /usr/obj/ports/thunderbird-110.0beta4/thunderbird-110.0/toolkit/xre/nsSigHandlers.cpp:167

** (thunderbird-default:62186): WARNING **: 22:35:03.536: Could not find content type for URI: https://www.thunderbird.net/thunderbird/102.0/eoy/
[Parent 62186, Main Thread] WARNING: Could not launch default application for URI: Could not find content type for URI: https://www.thunderbird.net/thunderbird/102.0/eoy/: 'glib warning', file /usr/obj/ports/thunderbird-110.0beta4/thunderbird-110.0/toolkit/xre/nsSigHandlers.cpp:167

** (thunderbird-default:62186): WARNING **: 22:35:03.536: Could not launch default application for URI: Could not find content type for URI: https://www.thunderbird.net/thunderbird/102.0/eoy/

since the initial intent of g_warning was to have some feedback on stderr, if setting error via g_set_error makes it printed to stderr, then we can delete the g_warning call.

without the patch, thunderbird crashed straight away at the same spot, so it definitely avoids that NULL deref.

:stransky, what do you think about it ?

Flags: needinfo?(stransky)

The errors set using g_set_error() are printed later, so these are
redundant. Drop them.

Depends on D170275

Attachment #9318724 - Attachment description: Bug 1817588 - Drop redundant g_warning() → Bug 1817588 - Drop redundant g_warning() r=gaston,stransky

Depends on D170345

g_filename_from_uri() allocates the path it returns, so that
must also be freed.

Depends on D170402

Depends on D170413

:stransky: can we have all the commits squashed in one (once reviewed) when landing ? phabricator can be super user-hostile for outsiders/newcomers...

Theo, do you mind to create just one big patch for all those changes? It may be easier to review / land and also check all changes are in place.
Thanks.

Flags: needinfo?(stransky) → needinfo?(tb)

There are various failure paths that result in NULL dereferences
of error. Fix this by setting the error explicitly to match the
API contract of the glib2 functions these OpenBSD specific functions
replace. The crashes are particularly annoying since they happen in
the main process. In addition, plug a number of memory leaks.

Pushed by alissy@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/022f05513860 Ensure OpenBSD URI handlers set GError on failure r=gaston,stransky

https://hg.mozilla.org/mozilla-central/rev/022f05513860

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

Unfortunately we dont have the correct environment to verify this issue, @Theo Buehler could please check on your end in our latest Nightly build and see if the issue is fixed or if it still occurs ? you can find the build here: https://nightly.mozilla.org/

(In reply to Rares Doghi from comment #15)

Unfortunately we dont have the correct environment to verify this issue, @Theo Buehler could please check on your end in our latest Nightly build and see if the issue is fixed or if it still occurs ? you can find the build here: https://nightly.mozilla.org/

there are no nightly builds for tier3 platforms, but it's been tested on our side and backported to the firefox 110 package shipped to OpenBSD users.

Flags: needinfo?(tb)
Attachment #9318568 - Attachment is obsolete: true
Attachment #9318832 - Attachment is obsolete: true
Attachment #9318924 - Attachment is obsolete: true
Attachment #9318851 - Attachment is obsolete: true
Attachment #9318724 - Attachment is obsolete: true
Attachment #9318569 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: