All users were logged out of Bugzilla on October 13th, 2018

valgrind - invalid read of size 1 in memcpy/SHA256_Update with jemalloc




9 years ago
9 years ago


(Reporter: bc, Assigned: kaie)




Firefox Tracking Flags

(Not tracked)





9 years ago
linux trunk with jemalloc;language=type;text/javascript;version=1.5

This occurred in a series of tests with the same profile, starting and stopping the browser for each url. Considering that it is related to the UrlClassifier Cache it may not be reproducible loading just this single page.

==1090== Invalid read of size 1
==1090==    at 0x4007A00: memcpy (mc_replace_strmem.c:402)
==1090==    by 0xC35DF49: SHA256_Update (sha512.c:429)
==1090==    by 0xC314106: SHA256_Update (loader.c:982)
==1090==    by 0xC2F5D14: NSC_DigestUpdate (pkcs11c.c:1382)
==1090==    by 0xC185714: PK11_DigestOp (pk11cxt.c:818)
==1090==    by 0xC174B30: HASH_Update (sechash.c:403)
==1090==    by 0xC03107A: nsCryptoHash::Update(unsigned char const*, unsigned int) (nsNSSComponent.cpp:2623)
==1090==    by 0x5A33A63: nsUrlClassifierHash<4u>::FromPlaintext(nsACString_internal const&, nsICryptoHash*) (nsUrlClassifierDBService.cpp:235)
==1090==    by 0x5A25027: nsUrlClassifierDBServiceWorker::CacheEntries(nsACString_internal const&) (nsUrlClassifierDBService.cpp:1575)
==1090==    by 0x5A2514C: nsUrlClassifierDBServiceWorker::Check(nsACString_internal const&, nsTArray<nsUrlClassifierLookupResult>&) (nsUrlClassifierDBService.cpp:1599)
==1090==    by 0x5A256ED: nsUrlClassifierDBServiceWorker::DoLookup(nsACString_internal const&, nsIUrlClassifierLookupCallback*) (nsUrlClassifierDBService.cpp:1713)
==1090==    by 0x5A258B9: nsUrlClassifierDBServiceWorker::HandlePendingLookups() (nsUrlClassifierDBService.cpp:1746)
==1090==  Address 0xadca748 is 8 bytes after a block of size 32 alloc'd
==1090==    at 0x8058AF5: arena_malloc_small (jemalloc.c:4057)
==1090==    by 0x8058F3F: arena_malloc (jemalloc.c:4117)
==1090==    by 0x805901E: imalloc (jemalloc.c:4129)
==1090==    by 0x805DA17: malloc (jemalloc.c:6160)
==1090==    by 0x435AA39: nsStringBuffer::Alloc(unsigned int) (nsSubstring.cpp:204)
==1090==    by 0x435C7FC: nsACString_internal::MutatePrep(unsigned int, char**, unsigned int*) (nsTSubstring.cpp:179)
==1090==    by 0x435C903: nsACString_internal::ReplacePrep(unsigned int, unsigned int, unsigned int) (nsTSubstring.cpp:224)
==1090==    by 0x435CCBC: nsACString_internal::Assign(char const*, unsigned int) (nsTSubstring.cpp:360)
==1090==    by 0x435CEE7: nsACString_internal::Assign(nsACString_internal const&) (nsTSubstring.cpp:421)
==1090==    by 0x7BDC691: nsCString::nsCString(nsCString const&) (nsTString.h:86)
==1090==    by 0x7BE7025: void nsTArrayElementTraits<nsCString>::Construct<nsDependentCString>(nsCString*, nsDependentCString const&) (nsTArray.h:193)
==1090==    by 0x7BE6D48: void nsTArray<nsCString>::AssignRange<nsDependentCString>(unsigned int, unsigned int, nsDependentCString const*) (nsTArray.h:875)

Comment 1

9 years ago
no error with normal malloc. wfm and open up?
Just want to be clear here that, if there's a bug, it's not in NSS. 
It means that the caller of NSS gave it a buffer address and length 
that caused the access of the last byte of that buffer to be an invalid
access.  e.g. 
   buffer = malloc(99)
   HASH_Update(,cx, buffer, 100);

Comment 3

9 years ago
cc'ing Honza who recently worked on nsCryptoHash
According to comment 1, this behaves a different way with jemalloc and normal std malloc? I assume there is no regular test case for this?

Comment 5

9 years ago
no test case and possibly no bug after my discussions with Julian and Nick about the use of valgrind with jemalloc. Julian/Nick: This bug is total BS, right?
If you aren't getting the Valgrind error with normal malloc, it's likely that the problem is with jemalloc's annotations.  See bug 503249.

Comment 7

9 years ago
by consensus, this is invalid.
Group: core-security
Last Resolved: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.