Closed Bug 1981517 Opened 8 months ago Closed 8 months ago

Crash [@ mozilla::dom::CookieStoreParent::SetRequestOnMainThread]

Categories

(Core :: Networking: Cookies, defect)

x86
Windows
defect

Tracking


RESOLVED DUPLICATE of bug 1981281

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm][fuzzblocker])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 62b93e0936e5 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 62b93e0936e5 --debug --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay.bugzilla .\firefox\firefox.exe <bugid>
[@ ntdll.dll]

    eax = 0x00a7e154	ebp = 0x00a7e47c	ebx = 0x00a7e1f8
    ecx = 0x00000004	edi = 0x00a7de88	edx = 0x00a7de88
    eflags = 0x00000206	eip = 0x6c482e38	esi = 0x00a7ddb4
    esp = 0x00a7e1bc
    OS|Windows NT|10.0.26100
    CPU|x86|GenuineIntel family 6 model 186 stepping 2|6
    Crash|EXCEPTION_NONCONTINUABLE_EXCEPTION|0x00000000|0
    0|0|xul.dll|CrashReporter::CreateMinidumpsAndPair(void*, unsigned long, nsTSubstring<char> const&, mozilla::EnumeratedArray<CrashReporter::Annotation,nsTString<char>,179>&, nsIFile**)|hg:hg.mozilla.org/mozilla-central:toolkit/crashreporter/nsExceptionHandler.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|3633|0x408
    0|1|xul.dll|mozilla::ipc::CrashReporterHost::GenerateMinidumpAndPair(mozilla::ipc::GeckoChildProcessHost*, nsTSubstring<char> const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/CrashReporterHost.h:62b93e0936e577dc3983b93027e7212a88bb0d38|82|0x56
    0|2|xul.dll|mozilla::dom::ContentParent::GeneratePairedMinidump(char const*)|hg:hg.mozilla.org/mozilla-central:dom/ipc/ContentParent.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|4263|0xf8
    0|3|xul.dll|mozilla::dom::ContentParent::KillHard(char const*)|hg:hg.mozilla.org/mozilla-central:dom/ipc/ContentParent.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|4311|0x142
    0|4|xul.dll|mozilla::dom::CookieStoreParent::SetRequestOnMainThread(mozilla::dom::ThreadsafeContentParentHandle*, const RefPtr<nsIURI>, nsTSubstring<char16_t> const&, mozilla::OriginAttributes const&, bool, bool, bool, bool, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, long long, nsTSubstring<char16_t> const&, int, bool, nsID const&)|hg:hg.mozilla.org/mozilla-central:dom/cookiestore/CookieStoreParent.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|432|0x74e
    0|5|xul.dll|mozilla::dom::CookieStoreParent::RecvSetRequest::<lambda_20>::operator()() const|hg:hg.mozilla.org/mozilla-central:dom/cookiestore/CookieStoreParent.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|131|0xf1
    0|6|xul.dll|mozilla::detail::ProxyFunctionRunnable<`lambda at /dom/cookiestore/CookieStoreParent.cpp:127:7',mozilla::MozPromise<bool,nsresult,1> >::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/MozPromise.h:62b93e0936e577dc3983b93027e7212a88bb0d38|1838|0x26
    0|7|xul.dll|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|703|0x1b
    0|8|xul.dll|mozilla::TaskController::RunTask(mozilla::Task*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|196|0x3e8
    0|9|xul.dll|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex &> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|1310|0x813
    0|10|xul.dll|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex &> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|1133|0x56
    0|11|xul.dll|mozilla::TaskController::ProcessPendingMTTask(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|639|0x55
    0|12|xul.dll|mozilla::detail::RunnableFunction<`lambda at /xpcom/threads/TaskController.cpp:333:7'>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:62b93e0936e577dc3983b93027e7212a88bb0d38|548|0x13
    0|13|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|1159|0x53b
    0|14|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|480|0x63
    0|15|xul.dll|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|85|0xbf
    0|16|xul.dll|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:62b93e0936e577dc3983b93027e7212a88bb0d38|369|0x7f
    0|17|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:62b93e0936e577dc3983b93027e7212a88bb0d38|362|0x69
    0|18|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:62b93e0936e577dc3983b93027e7212a88bb0d38|344|0x55
    0|19|xul.dll|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|148|0x24
    0|20|xul.dll|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/windows/nsAppShell.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|673|0x150
    0|21|xul.dll|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|291|0x68
    0|22|xul.dll|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|5893|0x1a90
    0|23|xul.dll|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|6138|0x651
    0|24|xul.dll|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|6211|0xa0
    0|25|xul.dll|mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/Bootstrap.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|46|0x10
    0|26|firefox.exe|NS_internal_main(int, char**, char**)|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|464|0x568
    0|27|firefox.exe|wmain(int, wchar_t**)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsWindowsWMain.cpp:62b93e0936e577dc3983b93027e7212a88bb0d38|151|0x1e2
    0|28|firefox.exe|__scrt_common_main_seh()|/builds/worker/workspace/obj-build/browser/app/D:/a/_work/1/s/src/vctools/crt/vcstartup/src/startup/exe_common.inl|288|0xf9
    0|29|kernel32.dll||||
    0|30|ntdll.dll||||
    0|31|ntdll.dll||||
Attached file Testcase
Attachment #9505516 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9505516 - Attachment mime type: text/plain → text/html
Summary: Crash [@ ntdll.dll] → Crash [@ mozilla::dom::CookieStoreParent::SetRequestOnMainThread]

I got a different crash from the testcase on Nightly: https://crash-stats.mozilla.org/report/index/bc10fd61-256f-4223-a89e-e82300250807

Crash Signature: [@ ntdll.dll] → [@ ntdll.dll] [@ IPCError-browser | CookieStore does not accept invalid cookies in the parent process ]
Flags: needinfo?(amarchesini)

This particular issue was fixed by bug 1981281. But I wonder if we should prevent this by validating the cookie before sending it to the parent process.

Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1981281
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
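The sender-side validation proposed in the comment above, as an added illustration that is not Firefox code and not the bug's testcase (which is not reproduced on this page). It applies RFC 6265 syntax rules (token for the name, cookie-octet for the value) plus the __Host-/__Secure- prefix constraints in the content process, before a set request would be handed to the parent. The function names, the `send` parameter standing in for the IPC call, the sample requests and the exact rule set are all assumptions; the page does not say which check the parent failed.

```javascript
// Added illustration, not Firefox code: a sender-side pre-check for a
// CookieStore-style set request, run before the request leaves the content
// process. Rules: RFC 6265 syntax plus __Host-/__Secure- prefix constraints.
// The rule set Firefox's parent actually enforces is assumed, not taken from the bug.

const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;                          // RFC 2616 token (cookie-name)
const COOKIE_OCTET_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;     // RFC 6265 cookie-octet (cookie-value)
const HOSTNAME_RE = /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/;
const MAX_NAME_VALUE_CHARS = 4096;                                          // common per-cookie size cap (assumed)

// Returns { ok, errors } so a caller can report every violation, not just the first.
function validateCookie(init) {
  const errors = [];
  const name = typeof init.name === "string" ? init.name : "";
  const value = typeof init.value === "string" ? init.value : "";
  const { domain = null, path = "/", secure = false } = init;

  if (name === "" || !TOKEN_RE.test(name)) {
    errors.push("name must be a non-empty RFC 6265 token (no ';', ',', '=', whitespace or control chars)");
  }
  if (typeof init.value !== "string" || !COOKIE_OCTET_RE.test(value)) {
    errors.push("value contains a character outside cookie-octet (';', ',', '\"', '\\', whitespace, control or non-ASCII)");
  }
  if (name.startsWith("__Secure-") && !secure) {
    errors.push("__Secure- prefix requires secure=true");
  }
  if (name.startsWith("__Host-") && (!secure || domain !== null || path !== "/")) {
    errors.push("__Host- prefix requires secure=true, no domain and path '/'");
  }
  if (domain !== null && (typeof domain !== "string" || domain.startsWith(".") || !HOSTNAME_RE.test(domain))) {
    errors.push("domain must be a bare hostname without a leading dot");
  }
  if (typeof path !== "string" || !path.startsWith("/") || path.includes(";")) {
    errors.push("path must start with '/' and must not contain ';'");
  }
  // Both fields are ASCII once the regexes pass, so .length is the byte count.
  if (name.length + value.length > MAX_NAME_VALUE_CHARS) {
    errors.push(`name+value exceeds ${MAX_NAME_VALUE_CHARS} bytes`);
  }
  return { ok: errors.length === 0, errors };
}

// The gate a content-side caller would run: reject locally with a TypeError so a
// malformed request never becomes an IPC message. `send` stands in for the real
// IPC call (assumed parameter, injected so the example runs offline).
function gatedSet(init, send) {
  const result = validateCookie(init);
  if (!result.ok) {
    throw new TypeError(`refusing to send invalid cookie: ${result.errors.join("; ")}`);
  }
  return send(init);
}

// Constructed sample requests (not from the bug's attachment).
const SAMPLES = [
  { name: "sid", value: "abc123", secure: true },
  { name: "sid", value: "a;b" },
  { name: "__Host-sid", value: "1", secure: true, domain: "example.com" },
  { name: "bad name", value: "x" },
];

function runSamples() {
  return SAMPLES.map(init => ({ name: init.name, ...validateCookie(init) }));
}

for (const r of runSamples()) {
  console.log(r.name, r.ok ? "ok" : r.errors);
}
```

The child-side gate is a robustness measure, not a security boundary: a compromised content process can send whatever it likes over IPC, so the parent-side rejection seen in the stack (KillHard on "CookieStore does not accept invalid cookies in the parent process") has to stay regardless. What the pre-check buys is that a benign bug in the web-facing API surfaces as a TypeError in the page instead of a killed content process.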

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
