Crash on invalid address in CalculateUTF8Size::write

RESOLVED FIXED

Status

Core
DOM
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: Abhishek Arya, Assigned: Bobby Holley (parental leave - send mail for anything urgent))

Tracking

(5 keywords)

Trunk
x86_64
All
crash, regression, sec-other, testcase, verifyme
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(firefox20 unaffected, firefox21 fixed, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [asan][sg:dupe 832435][adv-main21-])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
Created attachment 704242 [details]
Testcase

In debug, crashes on JS_ASSERT(JSVAL_IS_STRING(v));

In release, crashes here.
>==27012== ERROR: AddressSanitizer: SEGV on unknown address 0x7f12cb900000 (pc 0x7f130419120e sp 0x7ffff9db2cc0 bp 0x7ffff9db2f70 T0)
>AddressSanitizer can not provide additional info.
>    #0 0x7f130419120d in CalculateUTF8Size::write(unsigned short const*, unsigned int) src/../../../dist/include/nsUTF8Utils.h:574
>    #1 0x7f1304190d04 in nsCharSinkTraits<CalculateUTF8Size>::write(CalculateUTF8Size&, unsigned short const*, unsigned int) src/../../../dist/include/nsCharTraits.h:673
>    #2 0x7f130417909a in CalculateUTF8Size& copy_string<nsReadingIterator<unsigned short>, CalculateUTF8Size>(nsReadingIterator<unsigned short> const&, nsReadingIterator<unsigned short> const&, CalculateUTF8Size&) src/../../../dist/include/nsAlgorithm.h:92
>    #3 0x7f130417a81f in ToNewUTF8String(nsAString_internal const&, unsigned int*) src/xpcom/string/src/nsReadableUtils.cpp:266
>    #4 0x7f12fb2d0124 in nsJSThunk::EvaluateScript(nsIChannel*, PopupControlState, unsigned int, nsPIDOMWindow*) src/dom/src/jsurl/nsJSProtocolHandler.cpp:369
>    #5 0x7f12fb2db904 in nsJSChannel::EvaluateScript() src/dom/src/jsurl/nsJSProtocolHandler.cpp:731
>    #6 0x7f12fb2f66b2 in nsRunnableMethodImpl<void (nsJSChannel::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
>    #7 0x7f13040124cf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #8 0x7f1303c86e55 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #9 0x7f130109788c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #10 0x7f13043098e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #11 0x7f1304309719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #12 0x7f13043095ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #13 0x7f1300451a77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #14 0x7f12fef5d425 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #15 0x7f12f41c5a04 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #16 0x7f12f41cb5ea in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #17 0x7f12f41ce3c0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #18 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #19 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #20 0x7f13169f076c in
>Stats: 257M malloced (3610M for red zones) by 451929 calls
>Stats: 48M realloced by 25636 calls
>Stats: 230M freed by 305625 calls
>Stats: 217M really freed by 274349 calls
>Stats: 1589M (1589M-0M) mmaped; 397 maps, 0 unmaps
>  mmaps   by size class: 13:177664; 14:1024; 15:256; 16:448; 17:736; 18:48; 19:40; 20:24;
>  mallocs by size class: 13:445919; 14:2458; 15:510; 16:1531; 17:1371; 18:75; 19:42; 20:23;
>  frees   by size class: 13:300119; 14:2212; 15:380; 16:1447; 17:1351; 18:57; 19:39; 20:20;
>  rfrees  by size class: 13:269156; 14:2164; 15:365; 16:1200; 17:1349; 18:56; 19:39; 20:20;
>Stats: malloc large: 1511 small slow: 29081
>Stats: StackDepot: 0 ids; 0M mapped
>==27012== ABORTING

Regression from bug 824864? This cset in particular:
http://hg.mozilla.org/mozilla-central/diff/3cb7ad47f6d9/dom/src/jsurl/nsJSProtocolHandler.cpp
changed 'result' from being 'nsString' to 'nsDependentJSString'.

http://hg.mozilla.org/mozilla-central/annotate/01a8559f5560/dom/src/jsurl/nsJSProtocolHandler.cpp#l369
Severity: normal → critical
Component: General → DOM
Keywords: crash, regression, testcase
Product: Firefox → Core
Whiteboard: [asan]
Blocks: 824864
Related to bug 832599 ?
Or bug 832435, about compartment mismatches with javascript: urls? There's a patch there, does it address this bug?
Assignee: nobody → bobbyholley+bmo
Flags: sec-bounty?
Yes, this is almost certainly a dupe.
Depends on: 832435
Presumably fixed now if it is a dupe -- needs verification.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-b2g18: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
Keywords: sec-other, verifyme
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][sg:dupe 832435]

Comment 6

5 years ago
non-qual for the bounty. ollie found 832435 a day before this one.
Flags: sec-bounty? → sec-bounty-
Whiteboard: [asan][sg:dupe 832435] → [asan][sg:dupe 832435][adv-main21-]
Group: core-security