NULL pointer dereference when running cross_fuzz

NEW
Unassigned

Status

()

Core
DOM
--
critical
7 years ago
6 years ago

People

(Reporter: sachin shinde, Unassigned)

Tracking

({crash, testcase})

5 Branch
x86
All
crash, testcase
Points:
---

Firefox Tracking Flags

(firefox6- wontfix, firefox7- wontfix, firefox8+ affected, firefox9+ affected, firefox10- affected, status1.9.2 wontfix)

Details

(Whiteboard: [sg:dos?])

Attachments

(5 attachments)

(Reporter)

Description

7 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

Used cross_fuzz with added server side logger.

Firefox version: 5.0 
about:buildconfig
Source

Built from http://hg.mozilla.org/releases/mozilla-release/rev/7b56ff900c2a
Build platform
target
i686-pc-mingw32
Build tools
Compiler 	Version 	Compiler flags
d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\cl.py cl 	14.00.50727.762 	-TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\cl.py cl 	14.00.50727.762 	-GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -wd4800 -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
Configure arguments

--enable-application=browser --enable-update-channel=release --enable-update-packaging --enable-jemalloc --enable-tests --enable-official-branding

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Build identifier: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

To reproduce use 

server/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811

this will reproduce the bug.I am attachin rar files which contains logs and dump files

steps to reproduce
1> start apache2 server
2>start firefox 5 attach debugger
3>on crash "grep -F firefox access.log >> firefox_crash"





Actual results:

Null pointer deference or USER AFTER FREE in xul.dll 
here is the call stack

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c254 102b5d42 0a8cffb0 0012c368 00000001 xul!XRE_LockProfileDirectory+0x2291a
0012c268 100b49de 03af3cf0 00000005 00000001 xul!NS_InvokeByIndex_P+0x27
0012c668 00525e90 03ca39e0 00000000 024001c0 xul!gfxPoint::gfxPoint+0x525b
00000000 00000000 00000000 00000000 00000000 mozjs!JS_CompareValues+0x2a60
(Reporter)

Updated

7 years ago
Severity: normal → critical
> this will reproduce the bug.I am attachin rar files which contains logs and
> dump files

were you going to attach those? If they're too big for attachments here you can mail them to our security address (where they'll also be too big, but the mail address allows hand-moderation to get them in).
Severity: critical → normal
(Reporter)

Comment 2

7 years ago
Created attachment 555712 [details]
crash dumps and log files
(Reporter)

Comment 3

7 years ago
Created attachment 555714 [details]
cross_fuzz with server side logger
(Reporter)

Comment 4

7 years ago
Comment on attachment 555714 [details]
cross_fuzz with server side logger

To use the logger you have to point the SERVER_URL variable to your server address.
(Reporter)

Updated

7 years ago
Severity: normal → critical
The stack doesn't make sense.  I think you need to use the symbol server
for non-debug builds:
https://developer.mozilla.org/en/Using_the_Mozilla_symbol_server
Created attachment 561967 [details]
stack nsRefreshDriver::~nsRefreshDriver()

Here's a stack I got from a mozilla-release (version 7.0) debug build
on WinXP.  It aborts in nsRefreshDriver::~nsRefreshDriver() on

119:  NS_ABORT_IF_FALSE(ObserverCount() == 0,
120:                    "observers should have unregistered");

Updated

7 years ago
Component: Security → Layout
Product: Firefox → Core
QA Contact: firefox → layout
Created attachment 561988 [details]
crash stack nsINode::GetNextNode
Does this happen in 3.6.x? if not the regression range might give us a pointer to the area of code where the bug lives. Jst says the parent pointer looks bogus, the second crash Mats got looks like an area where Olli recently made a change (though not as early as Fx5)
Assignee: nobody → matspal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: XUL NULL pointer deference/USER AFTER FREE (Probably Exploitable) → Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable)
Whiteboard: [sg:critical?]

Updated

7 years ago
status-firefox10: --- → affected
status-firefox6: --- → wontfix
status-firefox7: --- → wontfix
status-firefox8: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox6: --- → -
tracking-firefox7: --- → -
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Mats, any updates here?
I think Olli made some improvements to node ownership recently that might help with
the nsINode::GetNextNode crash.  I'm trying to reproduce that or the
~nsRefreshDriver() crash in a trunk (10.0a1) Linux64 build (with patches in
bug 693212 and bug 671484 applied)
My trunk debug build on WinXP doesn't crash with the -501598811 seed, I'm running
3.6.x debug on WinXP (with bug 345094 applied) now...
Created attachment 566270 [details]
1.9.2 null-pointer crash in nsDOMTokenList::AddInternal

1.9.2 Fx debug build on WinXP crashed eventually (after ~2 hours) accessing
'mElement' null-pointer in nsDOMTokenList::AddInternal
Running cross_fuzz overnight on Linux64 -> no crash.  The only crash in Layout
I've seen is the abort-if-false in a Fx7 debug build (comment 6).  The rest are DOM-
related null-pointer crashes (also when using other seeds). Re-assigning accordingly.
Assignee: matspal → nobody
Component: Layout → DOM
OS: Windows XP → All
QA Contact: layout → general
Summary: Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable) → NULL pointer dereference when running cross_fuzz
Whiteboard: [sg:critical?] → [sg:dos?]
Group: core-security
status1.9.2: --- → wontfix
Keywords: crash, testcase

Comment 13

7 years ago
Dan, is this still an issue we want to track for FF9? This implies we are going to do something about this. Should we continue to track it?
Untracking for FF10 since this wasn't a concern for FF9. Please re-nominate if that's not true.
tracking-firefox10: + → -
You need to log in before you can comment on or make changes to this bug.