Bug 1847780 (Closed)
Crash [@ __pthread_mutex_clocklock_common] through [@ mozilla::RemoteLazyInputStream::TakeInternalStream]
Opened 2 years ago, closed 2 years ago
Categories: Core :: IPC, defect
Status: RESOLVED FIXED
Target Milestone: 118 Branch
People: Reporter: decoder, Assigned: decoder
Keywords: crash, testcase
Attachments: 3 files
In experimental IPC fuzzing, we found the following crash on mozilla-central revision f14ed3bab724+ (fuzzing-asan-nyx-opt build):
=================================================================
==1733==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000068 (pc 0x7ffff7f85fc4 bp 0x7ffffffdc630 sp 0x7ffffffdc5f8 T0)
==1733==The signal is caused by a READ memory access.
==1733==Hint: address points to the zero page.
#0 0x7ffff7f85fc4 in __pthread_mutex_clocklock_common ??:0:0
#1 0x5555559cb630 in mozilla::detail::MutexImpl::mutexLock() mozglue/misc/Mutex_posix.cpp:96:3
#2 0x5555559cb5f8 in mozilla::detail::MutexImpl::lock() mozglue/misc/Mutex_posix.cpp:118:43
#3 0x7fffc89278f8 in mozilla::OffTheBooksMutex::Lock() objdir-ff-aflpp/dist/include/mozilla/Mutex.h:65:48
#4 0x7fffc8927406 in mozilla::detail::BaseAutoLock<mozilla::Mutex&>::BaseAutoLock(mozilla::Mutex&) objdir-ff-aflpp/dist/include/mozilla/Mutex.h:236:11
#5 0x7fffd5ca2eff in mozilla::RemoteLazyInputStream::TakeInternalStream(nsIInputStream**) dom/file/ipc/RemoteLazyInputStream.cpp:234:19
#6 0x7fffccbe0422 in mozilla::ipc::InputStreamHelper::DeserializeInputStream(mozilla::ipc::InputStreamParams const&) ipc/glue/InputStreamUtils.cpp:129:9
#7 0x7fffccbdfe84 in mozilla::ipc::DeserializeIPCStream(mozilla::ipc::IPCStream const&) ipc/glue/IPCStreamUtils.cpp:157:10
#8 0x7fffccbe159f in mozilla::ipc::DeserializeIPCStream(mozilla::Maybe<mozilla::ipc::IPCStream> const&) ipc/glue/IPCStreamUtils.cpp:166:10
#9 0x7fffccbe1c0e in IPC::ParamTraits<nsIInputStream*>::Read(IPC::MessageReader*, RefPtr<nsIInputStream>*) ipc/glue/IPCStreamUtils.cpp:189:14
#10 0x7fffcc2e2f58 in IPC::ParamTraitsMozilla<RefPtr<nsIInputStream> >::Read(IPC::MessageReader*, RefPtr<nsIInputStream>*) ipc/chromium/src/chrome/common/ipc_message_utils.h:1046:12
#11 0x7fffcc281185 in _ZN3IPC9ReadParamI6RefPtrI14nsIInputStreamEEENS_10ReadResultIT_Xoosr3stdE26is_default_constructible_vIS5_Eclsr6detailE40HasDeprecatedReadParamPrivateConstructorIS5_ELi0EEEEEPNS_13MessageReaderE ipc/chromium/src/chrome/common/ipc_message_utils.h:481:13
#12 0x7fffd9e3e011 in IPC::ParamTraits<mozilla::dom::DocShellLoadStateInit>::Read(IPC::MessageReader*) objdir-ff-aflpp/ipc/ipdl/DOMTypes.cpp:1617:34
#13 0x7fffd9d27612 in bool IPC::ReadParam<mozilla::dom::DocShellLoadStateInit>(IPC::MessageReader*, mozilla::dom::DocShellLoadStateInit*) ipc/chromium/src/chrome/common/ipc_message_utils.h:464:18
#14 0x7fffd9d26e00 in IPC::ParamTraits<nsDocShellLoadState*>::Read(IPC::MessageReader*, RefPtr<nsDocShellLoadState>*) dom/ipc/DocShellMessageUtils.cpp:23:8
#15 0x7fffcc2db618 in IPC::ParamTraitsMozilla<RefPtr<nsDocShellLoadState> >::Read(IPC::MessageReader*, RefPtr<nsDocShellLoadState>*) ipc/chromium/src/chrome/common/ipc_message_utils.h:1046:12
#16 0x7fffcc2db375 in _ZN3IPC9ReadParamI6RefPtrI19nsDocShellLoadStateEEENS_10ReadResultIT_Xoosr3stdE26is_default_constructible_vIS5_Eclsr6detailE40HasDeprecatedReadParamPrivateConstructorIS5_ELi0EEEEEPNS_13MessageReaderE ipc/chromium/src/chrome/common/ipc_message_utils.h:481:13
#17 0x7fffcc2db174 in IPC::ParamTraitsMozilla<mozilla::NotNull<RefPtr<nsDocShellLoadState> > >::Read(IPC::MessageReader*) ipc/chromium/src/chrome/common/ipc_message_utils.h:1073:16
#18 0x7fffcc26f0a8 in _ZN3IPC9ReadParamIN7mozilla7NotNullI6RefPtrI19nsDocShellLoadStateEEEEENS_10ReadResultIT_Xoosr3stdE26is_default_constructible_vIS8_Eclsr6detailE40HasDeprecatedReadParamPrivateConstructorIS8_ELi0EEEEEPNS_13MessageReaderE ipc/chromium/src/chrome/common/ipc_message_utils.h:478:12
#19 0x7fffcc26e516 in IPC::ParamTraits<mozilla::net::DocumentChannelCreationArgs>::Read(IPC::MessageReader*) objdir-ff-aflpp/ipc/ipdl/NeckoChannelParams.cpp:4410:30
#20 0x7fffcc360028 in _ZN3IPC9ReadParamIN7mozilla3net27DocumentChannelCreationArgsEEENS_10ReadResultIT_Xoosr3stdE26is_default_constructible_vIS5_Eclsr6detailE40HasDeprecatedReadParamPrivateConstructorIS5_ELi0EEEEEPNS_13MessageReaderE ipc/chromium/src/chrome/common/ipc_message_utils.h:478:12
#21 0x7fffcc350958 in mozilla::net::PNeckoParent::OnMessageReceived(IPC::Message const&) objdir-ff-aflpp/ipc/ipdl/PNeckoParent.cpp:2002:32
#22 0x7fffda062260 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-aflpp/ipc/ipdl/PContentParent.cpp:6681:32
[...]
What happens here is that params.stream() ends up being null here:
Confirmed locally that this patch would fix the issue:
diff --git a/ipc/glue/InputStreamUtils.cpp b/ipc/glue/InputStreamUtils.cpp
--- a/ipc/glue/InputStreamUtils.cpp
+++ b/ipc/glue/InputStreamUtils.cpp
@@ -120,6 +120,10 @@ already_AddRefed<nsIInputStream> InputSt
const RemoteLazyInputStreamParams& params =
aParams.get_RemoteLazyInputStreamParams();
+ if (!params.stream()) {
+ return nullptr;
+ }
+
// If the RemoteLazyInputStream already has an internal stream, unwrap it.
// This is required as some code unfortunately depends on the precise
// topology of received streams, and cannot handle being passed a
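Review bot: Returning nullptr from DeserializeInputStream when params.stream() is null turns a message the child should never be able to send into a successfully deserialized "no stream" value, so every caller up the stack (ReadParam for nsIInputStream, DocShellLoadStateInit, DocumentChannelCreationArgs) has to cope with an unexpected null instead of the read simply failing. Since a well-formed RemoteLazyInputStreamParams always carries a stream, the stronger fix is to make the field non-nullable in the IPDL definition so the generated reader rejects the message before this code runs (which is what the landed change "Make RemoteLazyInputStream and DataPipeReceiver non-nullable" does), keeping this early return at most as a defensive check rather than as the primary fix.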
Updated 2 years ago
Assignee: nobody → choller
Status: NEW → ASSIGNED
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/daf8c825b7c8
Make RemoteLazyInputStream and DataPipeReceiver non-nullable. r=nika
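The landed fix moves the check to the type level: a field the receiver will always dereference is declared non-nullable, so a null value fails deserialization instead of being accepted. The following is an added example, not code from the Firefox tree, that models that difference with a toy wire format. InternalStream, MessageReader, ReadStreamField, HandleMessage, the tag/length encoding and the sample messages are all constructed here for illustration; only the idea (a mutex inside the stream object being locked unconditionally, as TakeInternalStream does in the stack above) comes from the bug.

```cpp
// Added example (not Firefox code). Models why a pointer-like IPC field that
// the parent dereferences must be rejected at the message boundary when it
// may not be null, rather than accepted as nullptr.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <vector>

// Stand-in for the wrapped stream. The real TakeInternalStream() locks a
// mutex owned by the stream object; with a null object that lock is the
// read of the zero page shown in the ASan report.
struct InternalStream {
  std::mutex mutex;
  std::vector<uint8_t> data;
};

// Minimal reader over a byte buffer. Every read reports failure instead of
// running past the end, as an IPC reader must.
class MessageReader {
 public:
  explicit MessageReader(const std::vector<uint8_t>& buf) : buf_(buf) {}
  bool ReadByte(uint8_t* out) {
    if (pos_ >= buf_.size()) return false;
    *out = buf_[pos_++];
    return true;
  }

 private:
  const std::vector<uint8_t>& buf_;
  size_t pos_ = 0;
};

// Toy encoding (constructed for this example) of a stream field:
//   tag 0            -> null stream
//   tag 1, len, data -> a stream carrying `len` payload bytes
// `allowNull` selects the nullable (original) or non-nullable (fixed) rule.
bool ReadStreamField(MessageReader* r, bool allowNull,
                     std::shared_ptr<InternalStream>* out) {
  uint8_t tag;
  if (!r->ReadByte(&tag)) return false;
  if (tag == 0) {
    // Nullable: a null field is a valid value and is handed on as nullptr.
    // Non-nullable: a null field is a malformed message and the read fails.
    if (!allowNull) return false;
    out->reset();
    return true;
  }
  if (tag != 1) return false;
  uint8_t len;
  if (!r->ReadByte(&len)) return false;
  auto stream = std::make_shared<InternalStream>();
  for (uint8_t i = 0; i < len; ++i) {
    uint8_t b;
    if (!r->ReadByte(&b)) return false;  // truncated payload
    stream->data.push_back(b);
  }
  *out = std::move(stream);
  return true;
}

// What happens to the field after deserialization. The real code takes the
// lock unconditionally; here the null case is reported instead of crashing.
enum class HandleResult { kProcessed, kRejectedMalformed, kWouldDerefNull };

HandleResult HandleMessage(const std::vector<uint8_t>& wire,
                           bool fieldIsNullable) {
  MessageReader reader(wire);
  std::shared_ptr<InternalStream> stream;
  if (!ReadStreamField(&reader, fieldIsNullable, &stream)) {
    return HandleResult::kRejectedMalformed;  // reader fails, message dropped
  }
  if (!stream) {
    return HandleResult::kWouldDerefNull;  // the crash path in the original
  }
  std::lock_guard<std::mutex> lock(stream->mutex);  // TakeInternalStream-like
  return HandleResult::kProcessed;
}

// Constructed sample messages.
const std::vector<uint8_t> kGoodMessage = {1, 3, 'a', 'b', 'c'};
const std::vector<uint8_t> kNullStreamMessage = {0};
const std::vector<uint8_t> kTruncatedMessage = {1, 5, 'a'};
```

With the field nullable, kNullStreamMessage deserializes cleanly and the null reaches the lock; with it non-nullable, the same bytes fail in ReadStreamField alongside the truncated message, which is the outcome a parent process wants for any message a content process should never legitimately send.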
Comment 5 (bugherder), 2 years ago
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
Updated 2 years ago
status-firefox116: --- → wontfix
status-firefox117: --- → wontfix
status-firefox-esr102: --- → wontfix
status-firefox-esr115: --- → wontfix