Closed Bug 1832812 Opened 2 years ago Closed 2 years ago

Crash [@ mozilla::ipc::IProtocol::CanSend] through [@ mozilla::dom::ContentParent::RecvBlurToParent]

Categories

(Core :: DOM: Content Processes, defect, P2)

Product:
Core
Component:
DOM: Content Processes
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- fixed

People

(Reporter: decoder, Assigned: decoder)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

Detailed Crash Information
8.20 KB, text/plain
Details
Testcase
1.07 KB, application/octet-stream
Details
Bug 1832812 - Add missing null checks to ContentParent::RecvBlurToParent. r?nika
48 bytes, text/x-phabricator-request
Details | Review

In experimental IPC fuzzing, we found the following crash on mozilla-central revision f14ed3bab724+ (fuzzing-asan-nyx-opt build):

==3886601==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x7fd005ee97ad bp 0x7ffdcc374090 sp 0x7ffdcc374070 T0)
    #0 0x7fd005ee97ad in mozilla::ipc::IProtocol::CanSend() const objdir-ff-asan-vanilla/dist/include/mozilla/ipc/ProtocolUtils.h:222:45
    #1 0x7fd007cf741a in mozilla::ipc::IProtocol::ChannelSend(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) ipc/glue/ProtocolUtils.cpp:478:7
    #2 0x7fd01295f942 in mozilla::dom::PContentParent::SendBlurToChild(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, bool const&, bool const&, unsigned long const&) objdir-ff-asan-vanilla/ipc/ipdl/PContentParent.cpp:6015:21
    #3 0x7fd012670aac in mozilla::dom::ContentParent::RecvBlurToParent(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, bool, bool, bool, bool, unsigned long) dom/ipc/ContentParent.cpp:7682:17
    #4 0x7fd01299c59c in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-asan-vanilla/ipc/ipdl/PContentParent.cpp:15939:81
    #5 0x7fd007cd8281 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1806:25
    [...]

This looks like just more null checks missing, patch coming up.

Attached file Testcase
Assignee: nobody → choller
Status: NEW → ASSIGNED

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Content Processes' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → DOM: Content Processes
Severity: -- → S3
Priority: -- → P2
Pushed by choller@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/dd2c98ec091f Add missing null checks to ContentParent::RecvBlurToParent. r=nika

https://hg.mozilla.org/mozilla-central/rev/dd2c98ec091f

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox115: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: