Closed Bug 1847788 Opened 2 years ago Closed 2 years ago

Crash [@ nsIURI::SchemeIs] through [@ mozilla::dom::WindowGlobalParent::RecvReloadWithHttpsOnlyException]

Categories

(Core :: DOM: Content Processes, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- fixed

People

(Reporter: decoder, Assigned: decoder)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

In experimental IPC fuzzing, we found the following crash on mozilla-central revision f14ed3bab724+ (fuzzing-asan-nyx-opt build):

=================================================================
==1733==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffca03b524 bp 0x7ffffffe3b50 sp 0x7ffffffe3a20 T0)
==1733==The signal is caused by a READ memory access.
==1733==Hint: address points to the zero page.
    #0 0x7fffca03b524 in nsIURI::SchemeIs(char const*) objdir-ff-aflpp/dist/include/nsIURI.h:98:39
    #1 0x7fffd9dcb325 in mozilla::dom::WindowGlobalParent::RecvReloadWithHttpsOnlyException() dom/ipc/WindowGlobalParent.cpp:1292:35
    #2 0x7fffda345366 in mozilla::dom::PWindowGlobalParent::OnMessageReceived(IPC::Message const&) objdir-ff-aflpp/ipc/ipdl/PWindowGlobalParent.cpp:1959:86
    #3 0x7fffda062260 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) objdir-ff-aflpp/ipc/ipdl/PContentParent.cpp:6681:32
    #4 0x7fffccc0b586 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1826:25
    #5 0x7fffccc07155 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) ipc/glue/MessageChannel.cpp:1747:9
    [...]

This is a simple missing null check: BrowsingContext()->Top()->GetCurrentURI() is returning null here. Patch coming up soon.
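The shape of this crash and of the fix, as an added example that is not Gecko code and not the patch that landed: StubURI, StubBrowsingContext, ReloadOutcome and the two Recv* functions are hypothetical stand-ins for nsIURI, BrowsingContext, IPCResult and the real handler, and what the handler does after the scheme check (and the fixed handler returning success rather than failing the message) is assumed here, since the page only shows that a null check was added.

```cpp
// Added example, not Gecko code: a model of the null dereference in this bug
// and of the missing check. Every type and function name here is a
// hypothetical stand-in for the real Gecko type named in the comment.
#include <initializer_list>
#include <string>
#include <vector>

// Stand-in for nsIURI. SchemeIs reads through `this`, so calling it on a
// null pointer is a read at address 0, which is what the ASan report shows
// ("SEGV on unknown address 0x000000000000", "address points to the zero page").
struct StubURI {
  std::string scheme;
  bool SchemeIs(const char* aScheme) const { return scheme == aScheme; }
};

// Stand-in for BrowsingContext. GetCurrentURI() can legitimately be null
// (nothing loaded yet, or the context is mid-teardown), and an IPC fuzzer or
// a compromised content process can deliver the message in that state.
struct StubBrowsingContext {
  StubBrowsingContext* parent = nullptr;
  StubURI* currentURI = nullptr;

  StubBrowsingContext* Top() {
    StubBrowsingContext* bc = this;
    while (bc->parent) bc = bc->parent;
    return bc;
  }
  StubURI* GetCurrentURI() { return currentURI; }
};

// Stand-in for the handler's result. What the real handler does after the
// scheme check is not on the page; the model just records the decision.
enum class ReloadOutcome { kIgnoredNoUri, kReloadedWithException, kNotHttps };

// Shape of the crashing code: the URI is dereferenced unconditionally.
// Calling this with a context whose top has no URI is the bug.
ReloadOutcome RecvReloadUnchecked(StubBrowsingContext* aBc) {
  StubURI* uri = aBc->Top()->GetCurrentURI();
  if (!uri->SchemeIs("https")) {  // null `uri` -> read through nullptr
    return ReloadOutcome::kNotHttps;
  }
  return ReloadOutcome::kReloadedWithException;
}

// Shape of the fix ("Add missing null check"): bail out before touching the
// URI. Treating the message as handled rather than failing it is an
// assumption of this example, not something the page states about the patch.
ReloadOutcome RecvReloadChecked(StubBrowsingContext* aBc) {
  StubURI* uri = aBc->Top()->GetCurrentURI();
  if (!uri) {
    return ReloadOutcome::kIgnoredNoUri;
  }
  if (!uri->SchemeIs("https")) {
    return ReloadOutcome::kNotHttps;
  }
  return ReloadOutcome::kReloadedWithException;
}

// Drives the checked handler across constructed actor states an IPC fuzzer
// would reach: empty top, child under an empty top, http top, https top,
// child under an https top. Only Top()'s URI matters, as in the handler.
std::vector<ReloadOutcome> RunModelStates() {
  StubURI https{"https"};
  StubURI http{"http"};

  StubBrowsingContext emptyTop;  // no document loaded yet
  StubBrowsingContext child;
  child.parent = &emptyTop;
  StubBrowsingContext httpTop;
  httpTop.currentURI = &http;
  StubBrowsingContext httpsTop;
  httpsTop.currentURI = &https;
  StubBrowsingContext httpsChild;
  httpsChild.parent = &httpsTop;

  std::vector<ReloadOutcome> out;
  for (StubBrowsingContext* bc :
       {&emptyTop, &child, &httpTop, &httpsTop, &httpsChild}) {
    out.push_back(RecvReloadChecked(bc));
  }
  return out;
}

int main() {
  std::vector<ReloadOutcome> r = RunModelStates();
  // The two states with no top URI must be ignored, not dereferenced.
  return (r[0] == ReloadOutcome::kIgnoredNoUri &&
          r[1] == ReloadOutcome::kIgnoredNoUri) ? 0 : 1;
}
```

The practitioner's takeaway is the one the fuzzer enforces: a parent-side IPC handler cannot assume anything about actor state at the moment a message arrives, so every pointer obtained from the browsing-context tree is checked before use. The ASan hint "address points to the zero page" is also the quick way to tell a plain null dereference (a content-to-parent crash, i.e. a DoS of the parent process) from a heap corruption that would need a deeper look.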

Attached file Testcase
Assignee: nobody → choller
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P2
Pushed by choller@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/60bddb7ad6aa Add missing null check to RecvReloadWithHttpsOnlyException. r=nika
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch

Looks like we see these crashes in the wild too - did you want to nominate this for Beta & ESR115 approval?

FWIW, I don't see any crashes with this signature that have RecvReloadWithHttpsOnlyException in the proto signature, so I don't think this patch will help any of our existing issues. Crashes under this signature look like they come from a wide variety of call sites.

Alright, thanks for the clarification.
