cross_fuzz crash in mozilla::dom::Navigator::GetMozBattery

RESOLVED FIXED in Firefox 14

Status


Core
DOM: Core & HTML
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: cpeterson, Assigned: mounir)

Tracking

({crash, csectype-dos, reproducible})

Trunk
mozilla14
crash, csectype-dos, reproducible
Points:
---

Firefox Tracking Flags

(firefox11 affected, firefox12 affected, firefox13 affected, firefox14 verified, firefox-esr10 affected)

Details

(crash signature, URL)

Attachments

(1 attachment)

785 bytes, patch
Justin Lebar (not reading bugmail)
: review+
mounir
: checkin+
(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is report bp-27e7d6fc-c8d9-4ca1-be95-f1be92120330.
============================================================= 

STR:
1. Load http://lcamtuf.coredump.cx/cross_fuzz/
2. Run cross_fuzz_msie_randomized_seed.html test
3. Wait about 1-2 minutes

AR:
Easily reproducible crash in GetMozBattery(). I've tested two different MacBook Pros and two different user profiles. I was able to reproduce this crash many times on Nightly 2012-03-29 and 2012-03-14.

https://crash-stats.mozilla.com/report/index/09a6e576-3824-4f2b-a2d3-e23312120329
https://crash-stats.mozilla.com/report/index/27e7d6fc-c8d9-4ca1-be95-f1be92120330
https://crash-stats.mozilla.com/report/index/dca52249-a269-4cd8-ace4-750012120330
https://crash-stats.mozilla.com/report/index/a2231a87-6696-4cc2-89b4-a34232120330
https://crash-stats.mozilla.com/report/index/09043995-5bee-43e6-b39d-f5cee2120330
https://crash-stats.mozilla.com/report/index/052e8251-354b-4104-9952-49ea72120330
https://crash-stats.mozilla.com/report/index/0e6cf481-9fc0-4a16-b758-194602120329
https://crash-stats.mozilla.com/report/index/66ebf1c3-78b6-4f0b-9a4b-fbe9a2120329
https://crash-stats.mozilla.com/report/index/d38a5d26-b011-4c42-84c0-27b922120330
https://crash-stats.mozilla.com/report/index/5ae59ce6-93ee-4535-aaea-cece92120330

Updated

5 years ago
Keywords: reproducible

Updated

5 years ago
Component: XPConnect → DOM: Core & HTML
QA Contact: xpconnect → general
(Assignee)

Comment 1

5 years ago
I can't reproduce that on my Linux laptop. Is that Mac only?
(Reporter)

Comment 2

5 years ago
I only have Mac test machines. I reproduced it on Mac OS X 10.6 and 10.7.
(Assignee)

Comment 3

5 years ago
Created attachment 611104 [details] [diff] [review]
Patch

Stupid mistake... sorry about that :(
Assignee: nobody → mounir
Status: NEW → ASSIGNED
Attachment #611104 - Flags: review?(justin.lebar+bug)
(Assignee)

Updated

5 years ago
OS: Mac OS X → All
(Assignee)

Updated

5 years ago
status-firefox-esr10: --- → affected
status-firefox11: --- → affected
status-firefox12: --- → affected
status-firefox13: --- → affected
status-firefox14: --- → affected
Comment on attachment 611104 [details] [diff] [review]
Patch

r=me
Attachment #611104 - Flags: review?(justin.lebar+bug) → review+
(Assignee)

Updated

5 years ago
Attachment #611104 - Flags: checkin+

Updated

5 years ago
Crash Signature: [@ mozilla::dom::Navigator::GetMozBattery] → [@ mozilla::dom::Navigator::GetMozBattery ]
https://hg.mozilla.org/mozilla-central/rev/839c971b9022
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox14: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla14

Comment 6

5 years ago
I wonder why my fuzzer missed this bug. Is there a reduced testcase?
(Assignee)

Comment 7

5 years ago
I haven't done one, but maybe we can ask QA to do one?

Comment 8

5 years ago
Seems FF 13.0.2 is affected; please see Bug 767947.
(Assignee)

Comment 9

5 years ago
This has been fixed in Firefox 14, see the target milestone.

Comment 10

5 years ago
Yes, I saw, but why not in 13.x?
(Assignee)

Comment 11

5 years ago
We could indeed have pushed that to Firefox 13 but it's now too late.
Duplicate of this bug: 767947
Keywords: csec-dos
Duplicate of this bug: 767174
(In reply to David Maciejak from comment #10)
> Yes, I saw, but why not in 13.x?

This is not an exploitable crash and is not a major stability problem since it's a new, little-used feature. There is no practical user benefit to the disruption of an out-of-cycle release.
Verified on Ubuntu 12.04, Mac OS X 10.6 and Mac OS X 10.7 that Firefox 14 beta 10 does not crash when using the STR from the Description. 

Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20100101 Firefox/14.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20100101 Firefox/14.0

Also, checked in Socorro and there are no crashes on Firefox 14.
status-firefox14: fixed → verified
Duplicate of this bug: 771037

Comment 17

5 years ago
Reduced testcase:

https://bugzilla.mozilla.org/attachment.cgi?id=639210