Closed Bug 1836322 Opened 1 year ago Closed 11 months ago

Corrupt JAR file causes hang

Categories

(Core :: Networking: JAR, defect, P2)

Product:
Core
Component:
Networking: JAR
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix
firefox116 --- fixed

People

(Reporter: tsmith, Assigned: valentin)

References

Details

(Keywords: sec-other, testcase, Whiteboard: [fuzzblocker][necko-triaged][adv-main116-])

Attachments

(3 files)

testcase.jar
729 bytes, application/octet-stream
Details
Bug 1836322 - End jar inflation if nothing to read r=jesup,kershaw
48 bytes, text/x-phabricator-request
Details | Review
Bug 1836322 - test r=jesup,kershaw
48 bytes, text/x-phabricator-request
Details | Review

The fuzzer is able to find this fairly quickly which blocks fuzzing at scale.

This was found with the fix for bug 1836175 applied.

Fuzzing interface docs can be found here: https://firefox-source-docs.mozilla.org/tools/fuzzing/fuzzing_interface.html
The command used to reproduce with patch from bug 1798631:

FUZZER=JARParser firefox testcase.jar -detect_leaks=0 -malloc_limit_mb=12288 -rss_limit_mb=12288 -timeout=15

==2757183== ERROR: libFuzzer: timeout after 15 seconds
    #0 0x55e0c2b13cf1 in __sanitizer_print_stack_trace /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x55e0c2d18b48 in fuzzer::PrintStackTrace() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerUtil.cpp:210:5
    #2 0x55e0c2d02a60 in fuzzer::Fuzzer::AlarmCallback() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:309:5
    #3 0x7fe0a72de41f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
    #4 0x7fe0a6ee9b40  /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:150
    #5 0x55e0c2a746f5 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:588:7
    #6 0x55e0c2a72243 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:953:34
    #7 0x55e0c2b091ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:70:10
    #8 0x7fe08761a6d2 in (anonymous namespace)::BufferWriter::WriteSync() /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1464:17
    #9 0x7fe08761a6d2 in (anonymous namespace)::BufferWriter::Write() /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1411:14
    #10 0x7fe08761a6d2 in NS_ReadInputStreamToBuffer(nsIInputStream*, void**, long, unsigned long*) /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1655:25
    #11 0x7fe08761b049 in NS_ReadInputStreamToString(nsIInputStream*, nsTSubstring<char>&, long, unsigned long*) /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1704:7
    #12 0x7fe0837ecc08 in FuzzEntries(char**, unsigned long*, nsIZipReader*, nsTSubstring<char> const&) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:90:14
    #13 0x7fe0837ee127 in FuzzReader(char**, unsigned long*, nsIZipReader*) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:135:14
    #14 0x7fe0837ef130 in FuzzingRunJARParser(unsigned char const*, unsigned long) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:180:10
    #15 0x55e0c2d03a6b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
    #16 0x55e0c2cf21f5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:301:6
    #17 0x55e0c2cf6571 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:810:9
    #18 0x7fe0988505e2 in mozilla::FuzzerRunner::Run(int*, char***) /home/twsmith/code/mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
    #19 0x7fe09875f6f8 in XREMain::XRE_mainStartup(bool*) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:4659:35
    #20 0x7fe098770991 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:5847:12
    #21 0x7fe098771c11 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:5915:21
    #22 0x55e0c2b46e62 in do_main(int, char**, char**) /home/twsmith/code/mozilla-central/browser/app/nsBrowserApp.cpp:227:22
    #23 0x55e0c2b46e62 in main /home/twsmith/code/mozilla-central/browser/app/nsBrowserApp.cpp:445:16
    #24 0x7fe0a6d82082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #25 0x55e0c2a70838 in _start (/home/twsmith/code/mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x10b838) (BuildId: 58f1ce17f17d92db0b0ddde6cc0c794d)
Attached file testcase.jar
Assignee: nobody → valentin.gosu
Status: NEW → ASSIGNED

Depends on D179796

The issue here seems to be that we have a jar entry with a corrupted realSize.
We attempt to read this into a string, so we allocate a buffer of that size (or in this case a max of 256 Mb see bug 1812038 )
We then attempt to read from the entry, which calls inflate. In this case, inflate returns Z_OK, but no data is actually inflated. Since we never get to the end of the input, we never check the CRC here.

Presumably the crc could also be corrupt in such a way that the values match?
I wonder if we should actually return FILE_CORRUPTED if inflate does nothing?

Severity: -- → S3
Priority: -- → P2
Whiteboard: [fuzzblocker] → [fuzzblocker][necko-triaged]

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:valentin, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(valentin.gosu)
Flags: needinfo?(valentin.gosu)

End jar inflation if nothing to read r=jesup
https://hg.mozilla.org/integration/autoland/rev/83ef0028983475fb8a405cd05cc2c54b8aa54dd3
https://hg.mozilla.org/mozilla-central/rev/83ef00289834

Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox116: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

The patch landed in nightly and beta is affected.
:valentin, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox115 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(valentin.gosu)

This only affects fuzzing.
If we encounter a corrupt JAR file "in the wild" then we'd just try allocating memory for it. If that fails, we return failure. If it doesn't then we go on to read the entry which will turn out to be smaller than the expected size, which again wouldn't be a problem. I think this can ride the trains.

status-firefox115: affectedwontfix
Flags: needinfo?(valentin.gosu)
QA Whiteboard: [post-critsmash-triage]
Whiteboard: [fuzzblocker][necko-triaged] → [fuzzblocker][necko-triaged][adv-main116-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: