Closed Bug 937342 Opened 11 years ago Closed 11 years ago

Intermittent ASAN heap-buffer-overflow in test_bug364677.html

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 934902

People

(Reporter: RyanVM, Unassigned)

Details

(Keywords: crash, intermittent-failure)

Now I'm getting nervous. Related to bug 936808 by chance? Calling this s-s until someone says otherwise.

https://tbpl.mozilla.org/php/getParsedLog.php?id=30422516&tree=B2g-Inbound

Ubuntu ASAN VM 12.04 x64 b2g-inbound opt test mochitest-1 on 2013-11-11 08:46:27 PST for push 26407a874057
slave: tst-linux64-ec2-045

08:52:04     INFO -  1189 INFO TEST-START | /tests/browser/base/content/test/general/test_bug364677.html
08:52:05     INFO -  1190 INFO TEST-PASS | /tests/browser/base/content/test/general/test_bug364677.html | Feed served as text/xml without a channel/link should have been sniffed
08:52:05     INFO -  =================================================================
08:52:05     INFO -  ==2442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00057f928 at pc 0x7f1e8a9b4a2e bp 0x7f1e57410ac0 sp 0x7f1e57410ab8
08:52:05     INFO -  READ of size 4 at 0x61d00057f928 thread T39 (SSL Cert #2)
08:52:05     INFO -  1191 INFO TEST-END | /tests/browser/base/content/test/general/test_bug364677.html | finished in 916ms
08:52:05     INFO -      #0 0x7f1e8a9b4a2d in SECITEM_CompareItem_Util /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/util/secitem.c:188
08:52:05     INFO -      #1 0x7f1e8a4a59ed in CERT_CompareCerts /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/certdb/certdb.c:1811
08:52:05     INFO -      #2 0x7f1e8a60e5a4 in pkix_pl_Cert_Equals /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:1292
08:52:05     INFO -      #3 0x7f1e8a67c33f in PKIX_PL_Object_Equals /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c:996
08:52:05     INFO -      #4 0x7f1e8a61479c in PKIX_PL_Cert_VerifySignature /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:2832
08:52:05     INFO -      #5 0x7f1e8a53b94c in pkix_SignatureChecker_Check /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c:209
08:52:05     INFO -      #6 0x7f1e8a57befd in pkix_CheckCert /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_validate.c:174
08:52:05     INFO -      #7 0x7f1e8a57befd in pkix_CheckChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_validate.c:800
08:52:05     INFO -      #8 0x7f1e8a5b36a6 in pkix_Build_ValidateEntireChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:1334
08:52:05     INFO -      #9 0x7f1e8a5a3ecb in pkix_BuildForwardDepthFirstSearch /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:2557
08:52:05     INFO -      #10 0x7f1e8a598a05 in pkix_Build_InitiateBuildChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:3620
08:52:05     INFO -      #11 0x7f1e8a58f602 in PKIX_BuildChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:3785
08:52:05     INFO -      #12 0x7f1e8a4116a9 in CERT_PKIXVerifyCert /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/certhigh/certvfypkix.c:2191
08:52:05     INFO -  1192 INFO TEST-START | /tests/browser/base/content/test/general/test_bug395533.html
08:52:05     INFO -  1193 INFO TEST-PASS | /tests/browser/base/content/test/general/test_bug395533.html | Text got sniffed as a feed?
08:52:05     INFO -  1194 INFO TEST-END | /tests/browser/base/content/test/general/test_bug395533.html | finished in 292ms
08:52:05     INFO -  1195 INFO TEST-START | /tests/browser/base/content/test/general/test_feed_discovery.html
08:52:05     INFO -  ==2442==AddressSanitizer: while reporting a bug found another one.Ignoring.
08:52:07     INFO -      #13 0x7f1e818810f9 in mozilla::psm::CertVerifier::VerifyCert(CERTCertificateStr*, long, long, nsIInterfaceRequestor*, unsigned int, CERTCertListStr**, SECOidTag*, CERTVerifyLogStr*) /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/CertVerifier.cpp:263
08:52:07     INFO -      #14 0x7f1e8193fd4d in GetHostNameRaw /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/SSLServerCertVerification.cpp:658
08:52:07     INFO -      #15 0x7f1e8193fd4d in mozilla::psm::(anonymous namespace)::AuthCertificate(mozilla::psm::TransportSecurityInfo*, CERTCertificateStr*, SECItemStr*, unsigned int) /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/SSLServerCertVerification.cpp:886
08:52:07     INFO -      #16 0x7f1e819442ea in mozilla::psm::(anonymous namespace)::SSLServerCertVerificationJob::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/SSLServerCertVerification.cpp:1057
08:52:07     INFO -      #17 0x7f1e8351a150 in nsThreadPool::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThreadPool.cpp:204
08:52:07     INFO -      #18 0x7f1e8351a459 in non-virtual thunk to nsThreadPool::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThreadPool.cpp:218
08:52:07     INFO -      #19 0x7f1e83514da4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThread.cpp:610
08:52:07     INFO -      #20 0x7f1e83441041 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/glue/nsThreadUtils.cpp:251
08:52:07     INFO -      #21 0x7f1e83512900 in nsThread::ThreadFunc(void*) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThread.cpp:248
08:52:07     INFO -      #22 0x7f1e8c108a69 in _pt_root /builds/slave/b2g-in-l64-asan-00000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:204
08:52:07     INFO -      #23 0x44cf03 in __asan::AsanThread::ThreadStart(unsigned long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:138
08:52:07     INFO -      #24 0x7f1e8f622e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
08:52:07     INFO -      #25 0x7f1e8e733dbc (/lib/x86_64-linux-gnu/libc.so.6+0xf3dbc)
08:52:07     INFO -  0x61d00057f928 is located 280 bytes inside of 5765232-byte region [0x61d00057f810,0x61d000aff080)
08:52:07     INFO -  freed by thread T0 here:
08:52:07     INFO -  ==2442==AddressSanitizer CHECK failed: /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_allocator2.cc:228 "((id)) != (0)" (0x0, 0x0)
08:52:07     INFO -      #0 0x44bcf4 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:63
08:52:07     INFO -      #1 0x450f21 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common.cc:60
08:52:07     INFO -      #2 0x42337c in GetStackTraceFromId /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_allocator2.cc:228
08:52:07     INFO -      #3 0x42337c in __asan::AsanChunkView::GetFreeStack(__sanitizer::StackTrace*) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_allocator2.cc:246
08:52:07     INFO -      #4 0x448fca in __asan::DescribeHeapAddress(unsigned long, unsigned long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_report.cc:383
08:52:07     INFO -      #5 0x449ed4 in __asan_report_error /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_report.cc:740
08:52:07     INFO -      #6 0x44afa6 in __asan_report_load4 /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_rtl.cc:252
08:52:07     INFO -      #7 0x7f1e8a9b4a2d in SECITEM_CompareItem_Util /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/util/secitem.c:188
08:52:07     INFO -      #8 0x7f1e8a4a59ed in CERT_CompareCerts /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/certdb/certdb.c:1811
08:52:07     INFO -      #9 0x7f1e8a60e5a4 in pkix_pl_Cert_Equals /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:1292
08:52:07     INFO -      #10 0x7f1e8a67c33f in PKIX_PL_Object_Equals /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c:996
08:52:07     INFO -      #11 0x7f1e8a61479c in PKIX_PL_Cert_VerifySignature /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:2832
08:52:07     INFO -      #12 0x7f1e8a53b94c in pkix_SignatureChecker_Check /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c:209
08:52:07     INFO -      #13 0x7f1e8a57befd in pkix_CheckCert /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_validate.c:174
08:52:07     INFO -      #14 0x7f1e8a57befd in pkix_CheckChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_validate.c:800
08:52:07     INFO -      #15 0x7f1e8a5b36a6 in pkix_Build_ValidateEntireChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:1334
08:52:07     INFO -      #16 0x7f1e8a5a3ecb in pkix_BuildForwardDepthFirstSearch /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:2557
08:52:07     INFO -      #17 0x7f1e8a598a05 in pkix_Build_InitiateBuildChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:3620
08:52:07     INFO -      #18 0x7f1e8a58f602 in PKIX_BuildChain /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/libpkix/pkix/top/pkix_build.c:3785
08:52:07     INFO -      #19 0x7f1e8a4116a9 in CERT_PKIXVerifyCert /builds/slave/b2g-in-l64-asan-00000000000000/build/security/nss/lib/certhigh/certvfypkix.c:2191
08:52:07     INFO -      #20 0x7f1e818810f9 in mozilla::psm::CertVerifier::VerifyCert(CERTCertificateStr*, long, long, nsIInterfaceRequestor*, unsigned int, CERTCertListStr**, SECOidTag*, CERTVerifyLogStr*) /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/CertVerifier.cpp:263
08:52:07     INFO -      #21 0x7f1e8193fd4d in GetHostNameRaw /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/SSLServerCertVerification.cpp:658
08:52:07     INFO -      #22 0x7f1e8193fd4d in mozilla::psm::(anonymous namespace)::AuthCertificate(mozilla::psm::TransportSecurityInfo*, CERTCertificateStr*, SECItemStr*, unsigned int) /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/SSLServerCertVerification.cpp:886
08:52:07     INFO -      #23 0x7f1e819442ea in mozilla::psm::(anonymous namespace)::SSLServerCertVerificationJob::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/security/manager/ssl/src/SSLServerCertVerification.cpp:1057
08:52:07     INFO -      #24 0x7f1e8351a150 in nsThreadPool::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThreadPool.cpp:204
08:52:07     INFO -      #25 0x7f1e8351a459 in non-virtual thunk to nsThreadPool::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThreadPool.cpp:218
08:52:07     INFO -      #26 0x7f1e83514da4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThread.cpp:610
08:52:07     INFO -      #27 0x7f1e83441041 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/glue/nsThreadUtils.cpp:251
08:52:07     INFO -      #28 0x7f1e83512900 in nsThread::ThreadFunc(void*) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThread.cpp:248
08:52:07     INFO -      #29 0x7f1e8c108a69 in _pt_root /builds/slave/b2g-in-l64-asan-00000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:204
08:52:07     INFO -      #30 0x44cf03 in __asan::AsanThread::ThreadStart(unsigned long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:138
08:52:07     INFO -      #31 0x7f1e8f622e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
08:52:07     INFO -      #32 0x7f1e8e733dbc (/lib/x86_64-linux-gnu/libc.so.6+0xf3dbc)
08:52:07  WARNING -  TEST-UNEXPECTED-FAIL | /tests/browser/base/content/test/general/test_feed_discovery.html | application terminated with exit code 256
Depends on: 937721
Stack trace is basically the same as bug 934902 so marking this a dup. This is a buffer overflow and bug 934902 is reported as a use-after-free. I assume that a use-after-free can manifest itself as a buffer overflow sometimes. Please correct me if I'm mistaken on that.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
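
A triage sketch for the report above, added here as an example and not part of the original bug or of Mozilla's tooling. It strips the harness prefixes and interleaved TEST- lines, takes the top frames of the first stack as a signature for duplicate matching, and flags a report whose header says heap-buffer-overflow while its heap description says the region was freed. The sample lines are abridged from the log above with paths shortened; the function names and the report fields are this example's own.

```python
import re

# Constructed sample: lines abridged from the log above (paths shortened).
SAMPLE = """\
08:52:05     INFO -  ==2442==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00057f928 at pc 0x7f1e8a9b4a2e
08:52:05     INFO -  READ of size 4 at 0x61d00057f928 thread T39 (SSL Cert #2)
08:52:05     INFO -  1191 INFO TEST-END | test_bug364677.html | finished in 916ms
08:52:05     INFO -      #0 0x7f1e8a9b4a2d in SECITEM_CompareItem_Util security/nss/lib/util/secitem.c:188
08:52:05     INFO -      #1 0x7f1e8a4a59ed in CERT_CompareCerts security/nss/lib/certdb/certdb.c:1811
08:52:05     INFO -  1192 INFO TEST-START | test_bug395533.html
08:52:07     INFO -      #2 0x7f1e8a60e5a4 in pkix_pl_Cert_Equals security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:1292
08:52:07     INFO -  0x61d00057f928 is located 280 bytes inside of 5765232-byte region [0x61d00057f810,0x61d000aff080)
08:52:07     INFO -  freed by thread T0 here:
08:52:07     INFO -      #0 0x44bcf4 in __asan::AsanCheckFailed(char const*, int) asan_rtl.cc:63
"""

PREFIX = re.compile(r"^\d\d:\d\d:\d\d\s+\w+ -\s+")  # harness timestamp and level
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at \S+ thread (T\d+)")
FRAME = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.+) \S+$")
REGION = re.compile(r"is located (\d+) bytes (.+?) (\d+)-byte region")

def parse_asan(log):
    rep = {"kind": None, "access": None, "thread": None, "frames": [], "region": None, "freed": False}
    first_stack = True
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            rep["kind"] = m.group(1)
        elif m := ACCESS.match(line):
            rep["access"], rep["thread"] = f"{m.group(1)} {m.group(2)}", m.group(3)
        elif m := FRAME.match(line):
            # A frame number that does not continue the sequence starts another stack.
            first_stack = first_stack and int(m.group(1)) == len(rep["frames"])
            if first_stack:
                rep["frames"].append(m.group(2))
        elif m := REGION.search(line):
            rep["region"] = (int(m.group(1)), m.group(2), int(m.group(3)))
        elif line.startswith("freed by thread"):
            rep["freed"] = True
    return rep

def triage(rep, depth=3):
    """Return (dedup signature, flag for use-after-free review)."""
    sig = tuple(rep["frames"][:depth])
    # Header says overflow, yet ASan describes the region as freed: flag it for review.
    suspected_uaf = rep["kind"] == "heap-buffer-overflow" and rep["freed"]
    return sig, suspected_uaf
```

The signature leaves out the error kind on purpose, so two reports with the same top frames match even when one is labelled an overflow and the other a use-after-free.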