Closed Bug 502571 Opened 15 years ago Closed 15 years ago

valgrind - invalid read of size 1 in memcpy/SHA256_Update with jemalloc

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED INVALID

People

(Reporter: bc, Assigned: KaiE)

References

()

Details

(Keywords: valgrind)

linux trunk with jemalloc

http://test.bclary.com//tests/mozilla.org/js/js-test-driver-standards.html?test=ecma/Date/15.9.5.10-10.js;language=type;text/javascript;version=1.5

This occurred in a series of tests with the same profile, starting and stopping the browser for each url. Considering that it is related to the UrlClassifier Cache it may not be reproducible loading just this single page.

==1090== Invalid read of size 1
==1090==    at 0x4007A00: memcpy (mc_replace_strmem.c:402)
==1090==    by 0xC35DF49: SHA256_Update (sha512.c:429)
==1090==    by 0xC314106: SHA256_Update (loader.c:982)
==1090==    by 0xC2F5D14: NSC_DigestUpdate (pkcs11c.c:1382)
==1090==    by 0xC185714: PK11_DigestOp (pk11cxt.c:818)
==1090==    by 0xC174B30: HASH_Update (sechash.c:403)
==1090==    by 0xC03107A: nsCryptoHash::Update(unsigned char const*, unsigned int) (nsNSSComponent.cpp:2623)
==1090==    by 0x5A33A63: nsUrlClassifierHash<4u>::FromPlaintext(nsACString_internal const&, nsICryptoHash*) (nsUrlClassifierDBService.cpp:235)
==1090==    by 0x5A25027: nsUrlClassifierDBServiceWorker::CacheEntries(nsACString_internal const&) (nsUrlClassifierDBService.cpp:1575)
==1090==    by 0x5A2514C: nsUrlClassifierDBServiceWorker::Check(nsACString_internal const&, nsTArray<nsUrlClassifierLookupResult>&) (nsUrlClassifierDBService.cpp:1599)
==1090==    by 0x5A256ED: nsUrlClassifierDBServiceWorker::DoLookup(nsACString_internal const&, nsIUrlClassifierLookupCallback*) (nsUrlClassifierDBService.cpp:1713)
==1090==    by 0x5A258B9: nsUrlClassifierDBServiceWorker::HandlePendingLookups() (nsUrlClassifierDBService.cpp:1746)
==1090==  Address 0xadca748 is 8 bytes after a block of size 32 alloc'd
==1090==    at 0x8058AF5: arena_malloc_small (jemalloc.c:4057)
==1090==    by 0x8058F3F: arena_malloc (jemalloc.c:4117)
==1090==    by 0x805901E: imalloc (jemalloc.c:4129)
==1090==    by 0x805DA17: malloc (jemalloc.c:6160)
==1090==    by 0x435AA39: nsStringBuffer::Alloc(unsigned int) (nsSubstring.cpp:204)
==1090==    by 0x435C7FC: nsACString_internal::MutatePrep(unsigned int, char**, unsigned int*) (nsTSubstring.cpp:179)
==1090==    by 0x435C903: nsACString_internal::ReplacePrep(unsigned int, unsigned int, unsigned int) (nsTSubstring.cpp:224)
==1090==    by 0x435CCBC: nsACString_internal::Assign(char const*, unsigned int) (nsTSubstring.cpp:360)
==1090==    by 0x435CEE7: nsACString_internal::Assign(nsACString_internal const&) (nsTSubstring.cpp:421)
==1090==    by 0x7BDC691: nsCString::nsCString(nsCString const&) (nsTString.h:86)
==1090==    by 0x7BE7025: void nsTArrayElementTraits<nsCString>::Construct<nsDependentCString>(nsCString*, nsDependentCString const&) (nsTArray.h:193)
==1090==    by 0x7BE6D48: void nsTArray<nsCString>::AssignRange<nsDependentCString>(unsigned int, unsigned int, nsDependentCString const*) (nsTArray.h:875)
==1090==
no error with normal malloc. wfm and open up?
Just want to be clear here that, if there's a bug, it's not in NSS. 
It means that the caller of NSS gave it a buffer address and length 
that caused the access of the last byte of that buffer to be an invalid
access.  e.g. 
   buffer = malloc(99)
   HASH_Update(,cx, buffer, 100);
cc'ing Honza who recently worked on nsCryptoHash
According to comment 1, this behaves a different way with jemalloc and normal std malloc? I assume there is no regular test case for this?
no test case and possibly no bug after my discussions with Julian and Nick about the use of valgrind with jemalloc. Julian/Nick: This bug is total BS, right?
If you aren't getting the Valgrind error with normal malloc, it's likely that the problem is with jemalloc's annotations.  See bug 503249.
by consensus, this is invalid.
Group: core-security
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.