Bug 1904582 (Closed) - Opened 5 months ago, closed 5 months ago

Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298

Categories: Core :: Networking, defect, P2
Platform: x86_64 Linux
Status: RESOLVED FIXED
Target Milestone: 130 Branch
Tracking Status: firefox130 --- fixed
Reporter: jkratzer
Assignee: sekim
References: Blocks 2 open bugs
Keywords: testcase
Whiteboard: [necko-triaged]
Attachments: 3 files

Testcase found while fuzzing mozilla-central rev fc0f7d3e6a3d built with: --enable-address-sanitizer --enable-fuzzing.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch
$ python -m fuzzfetch --build fc0f7d3e6a3d -a --fuzzing --target firefox gtest -n firefox
$ FUZZER=URIParser ./firefox/firefox testcase.bin
Hit MOZ_CRASH(nsStandardURL::SanityCheck failed) at /netwerk/base/nsStandardURL.cpp:298

    ==218==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7d259a4e9ba4 bp 0x7ffc3d216650 sp 0x7ffc3d216500 T0)
    ==218==The signal is caused by a WRITE memory access.
    ==218==Hint: address points to the zero page.
    SCARINESS: 10 (null-deref)
        #0 0x7d259a4e9ba4 in mozilla::net::nsStandardURL::SanityCheck() /netwerk/base/nsStandardURL.cpp:298:5
        #1 0x7d259a4f87e3 in mozilla::net::nsStandardURL::SetSpecWithEncoding(nsTSubstring<char> const&, mozilla::Encoding const*) /netwerk/base/nsStandardURL.cpp:1816:3
        #2 0x7d259a50763c in mozilla::net::nsStandardURL::SetFilePath(nsTSubstring<char> const&) /netwerk/base/nsStandardURL.cpp:3139:12
        #3 0x7d259bd387f7 in SetFilePath /builds/worker/workspace/obj-build/dist/include/nsIURIMutator.h:546:25
        #4 0x7d259bd387f7 in SetFilePath /modules/libjar/nsJARURI.cpp:486:34
        #5 0x7d259bd387f7 in nsJARURI::Mutator::SetFilePath(nsTSubstring<char> const&, nsIURIMutator**) /modules/libjar/nsJARURI.h:108:5
        #6 0x7d25964d4b6e in FuzzingRunURIParser(unsigned char const*, unsigned long) /netwerk/test/fuzz/TestURIFuzzing.cpp
        #7 0x623ddc48827b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
        #8 0x623ddc487d01 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
        #9 0x623ddc489137 in fuzzer::Fuzzer::MutateAndTestOne() /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
        #10 0x623ddc489b45 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
        #11 0x623ddc47b16b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
        #12 0x7d25a6f9a20b in mozilla::FuzzerRunner::Run(int*, char***) /tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
        #13 0x7d25a6edc51c in XREMain::XRE_mainStartup(bool*) /toolkit/xre/nsAppRunner.cpp:4705:35
        #14 0x7d25a6ee864f in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5980:12
        #15 0x7d25a6ee9531 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:6049:21
        #16 0x623ddc2e10f7 in do_main /browser/app/nsBrowserApp.cpp:230:22
        #17 0x623ddc2e10f7 in main /browser/app/nsBrowserApp.cpp:448:16
        #18 0x7d25bc9c4082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
        #19 0x623ddc208a98 in _start (/home/worker/firefox/firefox+0xd5a98) (BuildId: 20f97eda4a224bc930ba7aa9c66a9ed98a1c02d3)
    
    DEDUP_TOKEN: mozilla::net::nsStandardURL::SanityCheck()
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /netwerk/base/nsStandardURL.cpp:298:5 in mozilla::net::nsStandardURL::SanityCheck()
    
    Command: /home/worker/firefox/firefox -rss_limit_mb=3500 -use_value_profile=1 -timeout=5 -entropic=1 -dict=./tokens.dict ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
    
    ==218==ABORTING
Attached file Testcase
Attachment #9409417 - Attachment filename: testcase.html → testcase.bin
Flags: needinfo?(sekim)

I think I am able to reproduce this error; I will look into this.

Assignee: nobody → sekim
Flags: needinfo?(sekim)
See Also: → 1904583
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]
Attachment #9409616 - Attachment description: Bug 1904582 - Fix a case where the basename position is not initialized r?kershaw → Bug 1904582 - Fix an edge case where the basename, query, and hash position is not initialized r?kershaw
Attachment #9409616 - Attachment description: Bug 1904582 - Fix an edge case where the basename, query, and hash position is not initialized r?kershaw → Bug 1904582 - Fix an edge case where the basename, query, and ref position are not initialized r?kershaw
Status: NEW → ASSIGNED
Duplicate of this bug: 1904583
Attachment #9409616 - Attachment description: Bug 1904582 - Fix an edge case where the basename, query, and ref position are not initialized r?kershaw → Bug 1904582 - Fix an edge case for NS_MutateURI where the basename, query, and ref position are not adjusted accordingly r?kershaw
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/ac10105ea2df Fix an edge case for NS_MutateURI where the basename, query, and ref position are not adjusted accordingly r=kershaw,necko-reviewers
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch
See Also: → 1873915
See Also: 1904583
Blocks: fuzzing-uri