Closed Bug 638236 Opened 14 years ago Closed 14 years ago

Crash [@ nsConverterInputStream::Fill(unsigned int *) ] | ASSERTION: Whoa. The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()'

Categories

(Core :: Internationalization, defect)

Product:
Core
Component:
Internationalization
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .17-fixed
status1.9.1 --- .19-fixed

People

(Reporter: bc, Assigned: dbaron)

References

(
URL
)

Details

(4 keywords, Whiteboard: [sg:critical?][hardblocker])

Crash Data

Attachments

(5 files)

CSS file for testcase
1 byte, text/css
Details
Minimized testcase
1.05 KB, text/html; charset=UTF-16
Details
fix converter
2.47 KB, patch
smontagu
: review+
hsivonen
: feedback+
Details | Diff | Splinter Review
fix for converter input stream
951 bytes, patch
bzbarsky
: review+
christian
: approval1.9.2.17+
christian
: approval1.9.1.19+
Details | Diff | Splinter Review
The test as crashtest, for check in after we release with the fixes
1.15 KB, patch
Details | Diff | Splinter Review
1. http://zchoin.fct.put.poznan.pl/en.html 2. assert like a mad man and then crash (wait for it) 1.9.2 doesn't seem to crash but 2.0.0 does. (these files haven't changed since the switch from cvs...) 1.9.2: ###!!! ASSERTION: Whoa. The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()', file /work/mozilla/builds/1.9.2/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 255 ###!!! ASSERTION: Decoder returned an error but filled the output buffer! Should not happen.: '0 < mUnicharData->GetBufferSize() - mUnicharDataLength', file /work/mozilla/builds/1.9.2/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 246 2.0.0: ASSERTION: Whoa. The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()', file /work/mozilla/builds/2.0.0/mozilla/intl/uconv/src/nsConverterInputStream.cpp, line 255 ss since I don't like the write aspect and the assert. On Mac: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xfffdfffd [Switching to process 44119 thread 0x4603] 0x04cc8b42 in nsRefPtr<nsIRunnable>::~nsRefPtr (this=0xb032abc0) at nsAutoPtr.h:969 969 mRawPtr->Release(); (gdb) bt #0 0x04cc8b42 in nsRefPtr<nsIRunnable>::~nsRefPtr (this=0xb032abc0) at nsAutoPtr.h:969 #1 0x0646fc53 in nsEventQueue::PutEvent (this=0x51839c, runnable=0x23ad8920) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsEventQueue.cpp:140 #2 0x06471332 in nsThread::nsChainedEventQueue::PutEvent (this=0x518394, event=0x23ad8920) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsThread.cpp:760 #3 0x064715c7 in nsThread::PutEvent (this=0x518360, event=0x23ad8920) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsThread.cpp:389 #4 0x06472b6c in nsThread::Dispatch (this=0x518360, event=0x23ad8920, flags=0) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsThread.cpp:433 #5 0x0647a79b in nsTimerImpl::PostTimerEvent (this=0x581980) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsTimerImpl.cpp:552 #6 0x0647b41a in TimerThread::Run (this=0x518620) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/TimerThread.cpp:313 #7 0x06471acc in nsThread::ProcessNextEvent (this=0x5806c0, mayWait=1, result=0xb032aecc) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsThread.cpp:633 #8 0x063f808a in NS_ProcessNextEvent_P (thread=0x5806c0, mayWait=1) at nsThreadUtils.cpp:250 #9 0x064725f3 in nsThread::ThreadFunc (arg=0x5806c0) at /work/mozilla/builds/2.0.0/mozilla/xpcom/threads/nsThread.cpp:278 #10 0x00084c49 in _pt_root (arg=0x583ec0) at /work/mozilla/builds/2.0.0/mozilla/nsprpub/pr/src/pthreads/ptthread.c:187 #11 0x95f28155 in _pthread_start () #12 0x95f28012 in thread_start () On Windows: Operating system: Windows NT 5.1.2600 Service Pack 3 CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_WRITE Crash address: 0x4281000 Thread 0 (crashed) 0 xul.dll!nsConverterInputStream::Fill(unsigned int *) [nsConverterInputStream.cpp : 247 + 0x29] eip = 0x10088306 esp = 0x0012d1c8 ebp = 0x0012d210 ebx = 0x00000001 esi = 0x0000a770 edi = 0x00000000 eax = 0x0426c120 ecx = 0x041fe9b8 edx = 0x1153fffd efl = 0x00010246 Found by: given as instruction pointer in context 1 xul.dll!nsConverterInputStream::Read(unsigned short *,unsigned int,unsigned int *) [nsConverterInputStream.cpp : 105 + 0xe] eip = 0x10087d84 esp = 0x0012d218 ebp = 0x0012d228 Found by: call frame info 2 xul.dll!nsCSSScanner::EnsureData() [nsCSSScanner.cpp : 634 + 0x2e] eip = 0x109d3663 esp = 0x0012d230 ebp = 0x0012d24c Found by: call frame info 3 xul.dll!nsCSSScanner::Read() [nsCSSScanner.cpp : 653 + 0x1b] eip = 0x109d3714 esp = 0x0012d254 ebp = 0x0012d25c Found by: call frame info 4 xul.dll!nsCSSScanner::Next(nsCSSToken &) [nsCSSScanner.cpp : 754 + 0x7] eip = 0x109d3a51 esp = 0x0012d264 ebp = 0x0012d284 Found by: call frame info 5 xul.dll!`anonymous namespace'::CSSParserImpl::GetToken(int) [nsCSSParser.cpp : 1292 + 0x11] eip = 0x109d6a9c esp = 0x0012d28c ebp = 0x0012d294 Found by: call frame info 6 xul.dll!`anonymous namespace'::CSSParserImpl::Parse(nsIUnicharInputStream *,nsIURI *,nsIURI *,nsIPrincipal *,unsigned int,int) [nsCSSParser.cpp : 916 + 0x9] eip = 0x109d5abc esp = 0x0012d29c ebp = 0x0012d2c4 Found by: call frame info 7 xul.dll!nsCSSParser::Parse(nsIUnicharInputStream *,nsIURI *,nsIURI *,nsIPrincipal *,unsigned int,int) [nsCSSParser.cpp : 9045 + 0x21] eip = 0x109e7de9 esp = 0x0012d2cc ebp = 0x0012d2e8 Found by: call frame info 17 crashes on windows in last week in socorro.
I'm getting several other signatures on this url as well: Operating system: Windows NT 6.1.7601 Service Pack 1 CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0xfffffffffffe000d Thread 8 (crashed) 0 xul.dll!nsHttpConnectionMgr::EnsureSocketThreadTargetIfOnline() [nsHttpConnectionMgr.cpp : 120 + 0xc] eip = 0x646bb4d9 esp = 0x02eef61c ebp = 0x02eef668 ebx = 0x0047fa80 esi = 0x00000000 edi = 0x00000000 eax = 0x02eef630 ecx = 0xfffdfffd edx = 0x02eef664 efl = 0x00010246 Found by: given as instruction pointer in context 1 xul.dll!nsHttpConnectionMgr::PostEvent(void ( nsHttpConnectionMgr::*)(int,void *),int,void *) [nsHttpConnectionMgr.cpp : 195 + 0x7] eip = 0x646bb741 esp = 0x02eef670 ebp = 0x02eef6a8 Found by: call frame info 2 xul.dll!nsHttpConnectionMgr::ReclaimConnection(nsHttpConnection *) [nsHttpConnectionMgr.cpp : 363 + 0x12] eip = 0x646bbf9f esp = 0x02eef6b0 ebp = 0x02eef6c4 Found by: call frame info 3 xul.dll!nsHttpHandler::ReclaimConnection(nsHttpConnection *) [nsHttpHandler.h : 159 + 0xe] eip = 0x646bddf6 esp = 0x02eef6cc ebp = 0x02eef6d4 Found by: call frame info 4 xul.dll!nsHttpConnectionMgr::nsConnectionHandle::~nsConnectionHandle() [nsHttpConnectionMgr.cpp : 1069 + 0x11] eip = 0x646bddab esp = 0x02eef6dc ebp = 0x02eef6e4 Found by: call frame info 5 xul.dll!nsHttpConnectionMgr::nsConnectionHandle::`scalar deleting destructor'(unsigned int) + 0xe eip = 0x646bd05f esp = 0x02eef6ec ebp = 0x02eef6f0 Found by: call frame info Operating system: Windows NT 6.1.7601 Service Pack 1 CPU: x86 GenuineIntel family 6 model 44 stepping 2 2 CPUs Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0xfffffffffffe0000 Thread 8 (crashed) 0 nspr4.dll!PR_EnterMonitor [prmon.c : 96 + 0x6] eip = 0x718f9f4a esp = 0x0442f89c ebp = 0x0442f8a0 ebx = 0x00449350 esi = 0x00000000 edi = 0x00000000 eax = 0x05203620 ecx = 0xfffdfffd edx = 0x0442f8ec efl = 0x00010202 Found by: given as instruction pointer in context 1 xul.dll!nsAutoMonitor::nsAutoMonitor(PRMonitor *,mozilla::GuardObjectNotifier const &) [nsAutoLock.h : 310 + 0xc] eip = 0x6bd61917 esp = 0x0442f8a8 ebp = 0x0442f8b0 Found by: call frame info 2 xul.dll!nsHttpConnectionMgr::EnsureSocketThreadTargetIfOnline() [nsHttpConnectionMgr.cpp : 120 + 0x17] eip = 0x6c3ab4e5 esp = 0x0442f8b8 ebp = 0x0442f908 Found by: call frame info 3 xul.dll!nsHttpConnectionMgr::PostEvent(void ( nsHttpConnectionMgr::*)(int,void *),int,void *) [nsHttpConnectionMgr.cpp : 195 + 0x7] eip = 0x6c3ab741 esp = 0x0442f910 ebp = 0x0442f948 Found by: call frame info 4 xul.dll!nsHttpConnectionMgr::ReclaimConnection(nsHttpConnection *) [nsHttpConnectionMgr.cpp : 363 + 0x12] eip = 0x6c3abf9f esp = 0x0442f950 ebp = 0x0442f964 Found by: call frame info 5 xul.dll!nsHttpHandler::ReclaimConnection(nsHttpConnection *) [nsHttpHandler.h : 159 + 0xe] eip = 0x6c3addf6 esp = 0x0442f96c ebp = 0x0442f974 Found by: call frame info Operating system: Windows NT 5.1.2600 Service Pack 3 CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_READ Crash address: 0xfffffffffffdfffd Thread 15 (crashed) 0 ntdll.dll + 0x190f7 eip = 0x7c9190f7 esp = 0x048ffa5c ebp = 0x048ffa6c ebx = 0x02c60000 esi = 0x04221d58 edi = 0x00000806 eax = 0x04221d60 ecx = 0xfffdfffd edx = 0xfffdfffd efl = 0x00010246 Found by: given as instruction pointer in context 1 ntdll.dll + 0x12481 eip = 0x7c912482 esp = 0x048ffa74 ebp = 0x048ffc98 Found by: previous frame's frame pointer 2 msvcr80d.dll + 0x12f4b eip = 0x002b2f4c esp = 0x048ffca0 ebp = 0x048ffcb4 Found by: previous frame's frame pointer
http://zchoin.fct.put.poznan.pl/en.html is in UTF-16, even though it contains <meta http-equiv="Content-Type" content="text/html; charset=iso 8859-2" /> so this is probably a regression from bug 634257.
Status: NEW → ASSIGNED
blocking2.0: --- → ?
Keywords: testcase-wantedregression, testcase
Blocks: 634257
Summary: Crash [@ nsConverterInputStream::Fill(unsigned int *)] | ASSERTION: Whoa. The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()' → Crash [@ nsConverterInputStream::Fill(unsigned int *) ] | ASSERTION: Whoa. The converter should have returned NS_OK_UDEC_MOREINPUT before this point!: 'srcConsumed <= mByteData->GetLength()'
Simon: did you prove the regression by backing out bug 634257? If that's the cause maybe we should just do that for FF4.0 and figure out the right fix for 634257 in 4.0.1 Chofmann says he sees this signature going back prior to that checkin though, so it's not guaranteed to be the cause.
Whiteboard: [sg:critical?]
Blocking as this is something that's happening in the wild, and constructing an exploit from this is probably not that hard. We need to decide if we want to fix this by backing out the fix for bug 634257, or if there's a super super safe fix for this w/o backing out the fix for bug 634257.
blocking2.0: ? → final+
Whiteboard: [sg:critical?] → [sg:critical?][hardblocker]
FWIW, backing out the fix for bug 634257 does *not* seem to eliminate all problems here. So far I have not seen a crash here myself, but I do see what looks like an infinite loop when loading the testcase, both with and w/o the fix for bug 634257 in my tree.
On a 64-bit Linux mozilla-central debug build, I see an infinite loop of assertions on attachment 516422 [details] both with or without http://hg.mozilla.org/mozilla-central/rev/aa28638dc457 backed out. On m-c, the loop only fires one repeating assertion; with the patch backed out I see two assertions repeating in alternation.
So I think the underlying crash here shows two bugs: (1) The converter is returning a failure result when given a 0-byte input buffer. (It's given a 0-byte buffer by nsConvertInputStream::Fill the second time around, after it fails with the 1-byte buffer, we reset and skip the 1 byte, and then try again.) (2) nsConverterInputStream::Fill writes replacement characters into its output buffer regardless of the available space in that buffer, so a repeated sequence of encoding errors (in any encoding) can overrun that stack buffer with 0xFFFDFFFD.
Attached patch fix converterSplinter Review
It seems like, maybe, it ought to be considered an invariant that if a convert is given a zero-byte input buffer, it shouldn't return failure. Not that we document our converter invariants... but it's not an entirely unreasonable assumption. So this fixes (1) above. But (1) is not, I think, sg:critical; based on my description of my understanding of what's happening, dveditz believes (2) is. I expect (2) can be exploited using a sequence of UTF-8 continuation bytes (since they're all invalid)
Attachment #516479 - Flags: review?(smontagu)
... and such an exploit would allow the caller to write a exploiter-determined number of 0xFFFD 16-bit units into and past the end of the output buffer.
Comment on attachment 516481 [details] [diff] [review] fix for converter input stream ... though it's possible that this could still lead to a one byte overrun *if* a decoder can fill its output buffer *and* return failure... which seems like it's probably a bad thing to do. Again, something we ought to figure out regarding what the rules on decoders are.
Comment on attachment 516481 [details] [diff] [review] fix for converter input stream r=me If we want to guard against the case you mention, we could just use dstLen one smaller than we use now (and change your new check accordingly). But I really hope none of our decoders are doing that...
Attachment #516481 - Flags: review?(bzbarsky) → review+
The converter input stream change looks very safe to me. The other change I don't really know enough about to evaluate, but if we don't need it to fix this bug (which is the case, I think), I'd be tempted to hold it till .next. It's probably safe too, but I don't trust the callers of that code very much without auditing them first....
Attachment #516481 - Flags: approval1.9.2.15?
Attachment #516481 - Flags: approval1.9.1.18?
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][has patch]
I landed the "fix for converter input stream": http://hg.mozilla.org/mozilla-central/rev/8be874c41712 I believe that fixes the known sg:critical aspects of this bug. I'd like to leave this open overnight so that Simon, Henri, and anyone else who cares to comment can express an opinion about what we want to do regarding any converter invariants that may or may not exist which we may or may not be disobeying as a result of bug 634257. We have *at least* the following options for 4.0 (for which we'd hope to give a go-to-build for a release candidate any day now), for 4.0.x, and for 5.0: * revert bug 634257 * keep the current state * land attachment 516479 [details] [diff] [review] There's a triage meeting at 9am Pacific tomorrow, so it would be good if you can express whatever thoughts you have on the matter before then (and sooner is always better anyway).
Whiteboard: [sg:critical?][hardblocker][has patch] → [sg:critical?][hardblocker]
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker][has patch][one patch landed][remaining parts of bug might not block]
Comment on attachment 516479 [details] [diff] [review] fix converter Marking feedback-, because converters should never return NS_OK. The permitted return values are NS_ERROR_ILLEGAL_INPUT, NS_PARTIAL_MORE_OUTPUT and NS_PARTIAL_MORE_INPUT. Feedback+ if you change NS_OK to NS_PARTIAL_MORE_INPUT.
Attachment #516479 - Flags: feedback?(hsivonen) → feedback-
Converters return NS_OK all the time. NS_OK_UDEC_MOREINPUT means that the input so far hasn't been fully converted, but more input is required to finish outputting the result (e.g., the input stopped in the middle of a multi-byte UTF-8 sequence, or between the bytes of a 2-byte unit in UTF-16).
Attachment #516479 - Flags: feedback- → feedback?(hsivonen)
Comment on attachment 516479 [details] [diff] [review] fix converter It seems that returning NS_OK shouldn't confuse the HTML5 parser at least.
Attachment #516479 - Flags: feedback?(hsivonen) → feedback+
Comment on attachment 516479 [details] [diff] [review] fix converter Bug 634257 was also a hardblocker, though less critical than this, so I think we should land this rather than revert bug 634257 or leave it in its current state (i.e. with a bad fix).
Attachment #516479 - Flags: review?(smontagu)
Attachment #516479 - Flags: review+
Attachment #516479 - Flags: approval2.0?
(In reply to comment #21) > Marking feedback-, because converters should never return NS_OK. The permitted > return values are NS_ERROR_ILLEGAL_INPUT, NS_PARTIAL_MORE_OUTPUT and > NS_PARTIAL_MORE_INPUT. I suppose this is based on http://mxr.mozilla.org/mozilla-central/source/intl/uconv/public/nsIUnicodeDecoder.h#148, but it doesn't seem reasonable to me. I think it's only common sense that any interface can always return NS_OK even if the documentation doesn't explicitly say so.
Assignee: smontagu → dbaron
(In reply to comment #25) > (In reply to comment #21) > > Marking feedback-, because converters should never return NS_OK. The permitted > > return values are NS_ERROR_ILLEGAL_INPUT, NS_PARTIAL_MORE_OUTPUT and > > NS_PARTIAL_MORE_INPUT. > > I suppose this is based on > http://mxr.mozilla.org/mozilla-central/source/intl/uconv/public/nsIUnicodeDecoder.h#148, > but it doesn't seem reasonable to me. I think it's only common sense that any > interface can always return NS_OK even if the documentation doesn't explicitly > say so. I was lacking common sense when I wrote code that called the interface and got it right by luck. :-( It would be really nice for the interface to say explicitly which situation maps to NS_OK.
I landed the converter patch as well; my inclination is that we're safer with it than without it since other commonly used decoders (nsUTF8ToUnicode, nsUnicodeDecodeHelper::ConvertBy*) seem to return NS_OK when given empty source buffers, so we're better off sticking to that behavior: http://hg.mozilla.org/mozilla-central/rev/f76fac273005
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?][hardblocker][has patch][one patch landed][remaining parts of bug might not block] → [sg:critical?][hardblocker]
Attachment #516479 - Flags: approval2.0?
Attachment #516479 - Flags: approval1.9.2.15?
Attachment #516479 - Flags: approval1.9.1.18?
Comment on attachment 516481 [details] [diff] [review] fix for converter input stream I'll rerequest approval in bug 634257 for a patch including this correction.
Attachment #516481 - Flags: approval1.9.2.15?
Attachment #516481 - Flags: approval1.9.1.18?
Comment on attachment 516481 [details] [diff] [review] fix for converter input stream Oops, wrong attachment
Attachment #516481 - Flags: approval1.9.2.15?
Attachment #516481 - Flags: approval1.9.1.18?
Attachment #516479 - Flags: approval1.9.2.15?
Attachment #516479 - Flags: approval1.9.1.18?
Attachment #516481 - Flags: approval1.9.2.15?
Attachment #516481 - Flags: approval1.9.1.18?
Attachment #516481 - Flags: approval1.9.2.15?
Attachment #516481 - Flags: approval1.9.1.18?
Comment on attachment 516481 [details] [diff] [review] fix for converter input stream Approved for branches, though this may be covered in the patch for bug 634257 based on comments
Attachment #516481 - Flags: approval1.9.2.15?
Attachment #516481 - Flags: approval1.9.2.15+
Attachment #516481 - Flags: approval1.9.1.18?
Attachment #516481 - Flags: approval1.9.1.18+
This one is needed; it's "fix converter" that should be rolled in to the other patch.
Actually, the approved patch in the other bug has "fix converter" incorporated, so we're ok.
status1.9.1: --- → .18-fixed
status1.9.2: --- → .16-fixed
Group: core-security
Crash Signature: [@ nsConverterInputStream::Fill(unsigned int *) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: