Corrupt JAR file causes hang
Categories
(Core :: Networking: JAR, defect, P2)
Tracking
()
People
(Reporter: tsmith, Assigned: valentin)
References
Details
(Keywords: sec-other, testcase, Whiteboard: [fuzzblocker][necko-triaged][adv-main116-])
Attachments
(3 files)
The fuzzer is able to find this fairly quickly which blocks fuzzing at scale.
This was found with the fix for bug 1836175 applied.
Fuzzing interface docs can be found here: https://firefox-source-docs.mozilla.org/tools/fuzzing/fuzzing_interface.html
The command used to reproduce with patch from bug 1798631:
FUZZER=JARParser firefox testcase.jar -detect_leaks=0 -malloc_limit_mb=12288 -rss_limit_mb=12288 -timeout=15
==2757183== ERROR: libFuzzer: timeout after 15 seconds
#0 0x55e0c2b13cf1 in __sanitizer_print_stack_trace /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x55e0c2d18b48 in fuzzer::PrintStackTrace() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerUtil.cpp:210:5
#2 0x55e0c2d02a60 in fuzzer::Fuzzer::AlarmCallback() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:309:5
#3 0x7fe0a72de41f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#4 0x7fe0a6ee9b40 /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:150
#5 0x55e0c2a746f5 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:588:7
#6 0x55e0c2a72243 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:953:34
#7 0x55e0c2b091ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:70:10
#8 0x7fe08761a6d2 in (anonymous namespace)::BufferWriter::WriteSync() /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1464:17
#9 0x7fe08761a6d2 in (anonymous namespace)::BufferWriter::Write() /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1411:14
#10 0x7fe08761a6d2 in NS_ReadInputStreamToBuffer(nsIInputStream*, void**, long, unsigned long*) /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1655:25
#11 0x7fe08761b049 in NS_ReadInputStreamToString(nsIInputStream*, nsTSubstring<char>&, long, unsigned long*) /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1704:7
#12 0x7fe0837ecc08 in FuzzEntries(char**, unsigned long*, nsIZipReader*, nsTSubstring<char> const&) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:90:14
#13 0x7fe0837ee127 in FuzzReader(char**, unsigned long*, nsIZipReader*) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:135:14
#14 0x7fe0837ef130 in FuzzingRunJARParser(unsigned char const*, unsigned long) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:180:10
#15 0x55e0c2d03a6b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
#16 0x55e0c2cf21f5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:301:6
#17 0x55e0c2cf6571 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:810:9
#18 0x7fe0988505e2 in mozilla::FuzzerRunner::Run(int*, char***) /home/twsmith/code/mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
#19 0x7fe09875f6f8 in XREMain::XRE_mainStartup(bool*) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:4659:35
#20 0x7fe098770991 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:5847:12
#21 0x7fe098771c11 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:5915:21
#22 0x55e0c2b46e62 in do_main(int, char**, char**) /home/twsmith/code/mozilla-central/browser/app/nsBrowserApp.cpp:227:22
#23 0x55e0c2b46e62 in main /home/twsmith/code/mozilla-central/browser/app/nsBrowserApp.cpp:445:16
#24 0x7fe0a6d82082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#25 0x55e0c2a70838 in _start (/home/twsmith/code/mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x10b838) (BuildId: 58f1ce17f17d92db0b0ddde6cc0c794d)
Reporter | ||
Comment 1•1 year ago
|
||
Assignee | ||
Comment 2•1 year ago
|
||
Depends on D162239
Updated•1 year ago
|
Assignee | ||
Comment 3•1 year ago
|
||
Depends on D179796
Assignee | ||
Comment 4•1 year ago
|
||
The issue here seems to be that we have a jar entry with a corrupted realSize.
We attempt to read this into a string, so we allocate a buffer of that size (or in this case a max of 256 Mb see bug 1812038 )
We then attempt to read from the entry, which calls inflate. In this case, inflate returns Z_OK, but no data is actually inflated. Since we never get to the end of the input, we never check the CRC here.
Presumably the crc could also be corrupt in such a way that the values match?
I wonder if we should actually return FILE_CORRUPTED if inflate does nothing?
Updated•1 year ago
|
Comment 5•1 year ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:valentin, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Assignee | ||
Updated•11 months ago
|
Comment 6•11 months ago
|
||
End jar inflation if nothing to read r=jesup
https://hg.mozilla.org/integration/autoland/rev/83ef0028983475fb8a405cd05cc2c54b8aa54dd3
https://hg.mozilla.org/mozilla-central/rev/83ef00289834
Updated•11 months ago
|
Comment 7•11 months ago
|
||
The patch landed in nightly and beta is affected.
:valentin, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox115
towontfix
.
For more information, please visit BugBot documentation.
Assignee | ||
Comment 8•11 months ago
|
||
This only affects fuzzing.
If we encounter a corrupt JAR file "in the wild" then we'd just try allocating memory for it. If that fails, we return failure. If it doesn't then we go on to read the entry which will turn out to be smaller than the expected size, which again wouldn't be a problem. I think this can ride the trains.
Updated•10 months ago
|
Updated•10 months ago
|
Updated•10 months ago
|
Updated•4 months ago
|
Description
•