Closed Bug 1890346 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298

Categories

(Core :: Networking, defect, P1)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
126 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox124 --- unaffected
firefox125 --- unaffected
firefox126 --- fixed

People

(Reporter: jkratzer, Assigned: valentin)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [necko-triaged][necko-priority-queue])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev 3719e5d315bb built with: --enable-address-sanitizer --enable-fuzzing.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build 3719e5d315bb -a --fuzzing --target firefox gtest -n firefox
$ FUZZER=URIParser ./firefox/firefox testcase.bin
Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298

    ==223==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f06a10b3604 bp 0x7ffca68498d0 sp 0x7ffca6849780 T0)
    ==223==The signal is caused by a WRITE memory access.
    ==223==Hint: address points to the zero page.
    SCARINESS: 10 (null-deref)
        #0 0x7f06a10b3604 in mozilla::net::nsStandardURL::SanityCheck() /netwerk/base/nsStandardURL.cpp:298:5
        #1 0x7f06a10c5ab5 in mozilla::net::nsStandardURL::SetSpecWithEncoding(nsTSubstring<char> const&, mozilla::Encoding const*) /netwerk/base/nsStandardURL.cpp:1807:3
        #2 0x7f06a10dee08 in mozilla::net::nsStandardURL::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*) /netwerk/base/nsStandardURL.cpp:3537:12
        #3 0x7f06a10ebdbf in Init /netwerk/base/nsStandardURL.h:446:16
        #4 0x7f06a10ebdbf in non-virtual thunk to mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL>::Init(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**) /netwerk/base/nsStandardURL.h
        #5 0x7f06a10274b6 in NS_MutateURI& NS_MutateURI::Apply<nsresult (nsIStandardURLMutator::*)(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**), nsIStandardURL::'unnamed', int, nsTSubstring<char> const&, char const*&, nsIURI*&, std::nullptr_t>(nsresult (nsIStandardURLMutator::*)(unsigned int, int, nsTSubstring<char> const&, char const*, nsIURI*, nsIURIMutator**), nsIStandardURL::'unnamed'&&, int&&, nsTSubstring<char> const&, char const*&, nsIURI*&, std::nullptr_t&&) /builds/worker/workspace/obj-build/dist/include/nsIURIMutator.h:592:15
        #6 0x7f06a1022316 in NS_NewURI(nsIURI**, nsTSubstring<char> const&, char const*, nsIURI*) /netwerk/base/nsNetUtil.cpp:1892:10
        #7 0x7f069cf920ff in FuzzingRunURIParser(unsigned char const*, unsigned long) /netwerk/test/fuzz/TestURIFuzzing.cpp:65:17
        #8 0x55e1e621091b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
        #9 0x55e1e62103a1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
        #10 0x55e1e62117d7 in fuzzer::Fuzzer::MutateAndTestOne() /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
        #11 0x55e1e62121e5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
        #12 0x55e1e6202b6b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
        #13 0x7f06b103a09e in mozilla::FuzzerRunner::Run(int*, char***) /tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
        #14 0x7f06b0f49ef6 in XREMain::XRE_mainStartup(bool*) /toolkit/xre/nsAppRunner.cpp:4674:35
        #15 0x7f06b0f5b4af in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5946:12
        #16 0x7f06b0f5c7f1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6015:21
        #17 0x55e1e603e7a2 in do_main /browser/app/nsBrowserApp.cpp:227:22
        #18 0x55e1e603e7a2 in main /browser/app/nsBrowserApp.cpp:445:16
        #19 0x7f06c94cd082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: eebe5d5f4b608b8a53ec446b63981bba373ca0ca)
        #20 0x55e1e5f62e68 in _start (/home/worker/firefox/firefox+0xdce68) (BuildId: f075d46fafdb6d7fd6b98bbf4aee49c03c471279)
    
    DEDUP_TOKEN: mozilla::net::nsStandardURL::SanityCheck()
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /netwerk/base/nsStandardURL.cpp:298:5 in mozilla::net::nsStandardURL::SanityCheck()
    
    Command: /home/worker/firefox/firefox -rss_limit_mb=3500 -use_value_profile=1 -timeout=5 -entropic=1 -dict=./tokens.dict ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
    
    ==223==ABORTING
Attached file Testcase
Assignee: nobody → valentin.gosu
Severity: -- → S3
Keywords: regression
Priority: -- → P1
Regressed by: 1887614
Whiteboard: [necko-triaged]
Whiteboard: [necko-triaged] → [necko-triaged][necko-priority-queue]

Set release status flags based on info from the regressing bug 1887614

Before bug 1887614 landed this bug was impossible to trigger because
urlPtr would always advance by the time we got to copying #?.
However, once we allowed calling net_CoalesceDirs for a dirLength > 0,
urlPtr will stay on the first character, while fwdPtr is on ?.

That meant we incorrectly coalesced "/..?" to "?".
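
The invariant the fix restores, shown as an added example written for this page rather than Mozilla's own net_CoalesceDirs: a dot-segment coalescer that stops the path at the first ? or # and treats the leading / as a root anchor that .. can never pop, so "/..?" becomes "/?" instead of "?". The function name coalesceDirs and the RFC 3986-style trailing-slash handling are this example's own choices.

```cpp
#include <string>
#include <vector>

// Illustrative re-implementation (not Mozilla's net_CoalesceDirs) of
// dot-segment removal on the path of an absolute URL reference.
// The path ends at the first '?' or '#'; query and fragment are copied
// through untouched. The leading '/' is an anchor that is never removed,
// which is the invariant the bug above violated ("/..?" became "?").
std::string coalesceDirs(const std::string& spec) {
    if (spec.empty() || spec[0] != '/') {
        return spec;  // only absolute paths are coalesced here
    }
    size_t pathEnd = spec.find_first_of("?#");
    if (pathEnd == std::string::npos) pathEnd = spec.size();
    const std::string path = spec.substr(1, pathEnd - 1);  // after the '/'
    const std::string tail = spec.substr(pathEnd);          // "?..." / "#..."

    std::vector<std::string> segs;   // path segments that survive
    bool trailingSlash = false;      // output ends in '/' (directory form)
    size_t i = 0;
    while (i <= path.size()) {
        size_t next = path.find('/', i);
        bool last = (next == std::string::npos);
        if (last) next = path.size();
        std::string seg = path.substr(i, next - i);
        if (seg == ".") {
            trailingSlash = last;                // "/a/." is the directory "/a/"
        } else if (seg == "..") {
            if (!segs.empty()) segs.pop_back();  // never pop past the root
            trailingSlash = last;
        } else if (last && seg.empty()) {
            trailingSlash = !path.empty();       // "/a/" keeps its final '/'
        } else {
            segs.push_back(seg);                 // empty inner segments kept
            trailingSlash = false;
        }
        i = next + 1;
    }

    std::string out = "/";                       // root anchor always present
    for (size_t k = 0; k < segs.size(); ++k) {
        if (k) out += '/';
        out += segs[k];
    }
    if (trailingSlash && !segs.empty()) out += '/';
    return out + tail;
}
```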

Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/bb0c70875fd3 Make sure net_CoalesceDirs doesn't overwrite initial / r=necko-reviewers,kershaw
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Blocks: fuzzing-uri