Closed
Bug 1838117
Opened 3 years ago
Closed 2 years ago
Corrupt JAR file causes hang
Attachments:
- testcase (4.00 KB, application/octet-stream)
- Phabricator request (48 bytes, text/x-phabricator-request), flag approval-mozilla-esr115+ set by RyanVM
Description•3 years ago
The fuzzer is able to find this fairly quickly, which blocks fuzzing at scale. Found with m-c 53b4b785ae2a.
Fuzzing interface docs can be found here: https://firefox-source-docs.mozilla.org/tools/fuzzing/fuzzing_interface.html
The command used to reproduce with patch from bug 1798631:
FUZZER=JARParser firefox testcase.jar -detect_leaks=0 -malloc_limit_mb=12288 -rss_limit_mb=12288 -timeout=15
==191631== ERROR: libFuzzer: timeout after 16 seconds
#0 0x5614bb45bcf1 in __sanitizer_print_stack_trace /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x5614bb65ffb8 in fuzzer::PrintStackTrace() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerUtil.cpp:210:5
#2 0x5614bb64a010 in fuzzer::Fuzzer::AlarmCallback() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:309:5
#3 0x7f0b3380d41f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#4 0x7f0b33418b40 /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:150
#5 0x5614bb3bc6f5 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:588:7
#6 0x5614bb3ba243 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:953:34
#7 0x5614bb4511ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:70:10
#8 0x7f0b13c84917 in (anonymous namespace)::BufferWriter::WriteSync() /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1464:17
#9 0x7f0b13c84917 in (anonymous namespace)::BufferWriter::Write() /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1411:14
#10 0x7f0b13c84917 in NS_ReadInputStreamToBuffer(nsIInputStream*, void**, long, unsigned long*) /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1655:25
#11 0x7f0b13c852b9 in NS_ReadInputStreamToString(nsIInputStream*, nsTSubstring<char>&, long, unsigned long*) /home/twsmith/code/mozilla-central/netwerk/base/nsNetUtil.cpp:1704:7
#12 0x7f0b0fe36948 in FuzzEntries(char**, unsigned long*, nsIZipReader*, nsTSubstring<char> const&) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:90:14
#13 0x7f0b0fe37e67 in FuzzReader(char**, unsigned long*, nsIZipReader*) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:135:14
#14 0x7f0b0fe38e70 in FuzzingRunJARParser(unsigned char const*, unsigned long) /home/twsmith/code/mozilla-central/netwerk/test/fuzz/TestJARFuzzing.cpp:180:10
#15 0x5614bb64b02b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:570:11
#16 0x5614bb64aa61 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:479:7
#17 0x5614bb64b92d in fuzzer::Fuzzer::MutateAndTestOne() /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:717:19
#18 0x5614bb64c28d in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile>>&) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerLoop.cpp:861:9
#19 0x5614bb63dd87 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/twsmith/code/mozilla-central/tools/fuzzing/libfuzzer/FuzzerDriver.cpp:864:14
#20 0x7f0b24d7ff52 in mozilla::FuzzerRunner::Run(int*, char***) /home/twsmith/code/mozilla-central/tools/fuzzing/interface/harness/FuzzerRunner.cpp:75:13
#21 0x7f0b24c8f53f in XREMain::XRE_mainStartup(bool*) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:4659:35
#22 0x7f0b24ca08b4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:5847:12
#23 0x7f0b24ca1b41 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/twsmith/code/mozilla-central/toolkit/xre/nsAppRunner.cpp:5915:21
#24 0x5614bb48ee62 in do_main(int, char**, char**) /home/twsmith/code/mozilla-central/browser/app/nsBrowserApp.cpp:227:22
#25 0x5614bb48ee62 in main /home/twsmith/code/mozilla-central/browser/app/nsBrowserApp.cpp:445:16
#26 0x7f0b332b1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#27 0x5614bb3b8858 in _start (/home/twsmith/code/mozilla-central/objdir-ff-ubsan/dist/bin/firefox+0x10b858) (BuildId: db32caae4f35eb28821d39fe118fa109)
Updated•3 years ago
Severity: -- → S2
Priority: -- → P2
Whiteboard: [fuzzblocker] → [fuzzblocker][necko-triaged][necko-priority-queue]
Updated•3 years ago
Assignee: nobody → valentin.gosu
Comment 1•2 years ago
- Adds pref for whether to enforce size match with central->orglen
- Checks return code of inflateEnd and returns error if it's not Z_OK
- Also enter the finished block if mZs.total_out > mOutSize
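The three points above describe the shape of the fix: an entry is inflated against the uncompressed size recorded in the central directory, inflation stops as soon as the output exceeds that size, and an entry whose final inflated length does not match is rejected. The following is an added illustration of that check written on Python's standard zlib module; it is not Firefox's nsJARInputStream code, and the helper names (inflate_entry, build_jar, raw_entry, verdict, check_jar), the chunk size and the in-memory sample JAR are all constructed here. Python has no inflateEnd to check a return code from, so the decompressor's end-of-stream flag stands in for it.

```python
# Added example: bounded inflate of a JAR entry checked against the
# central-directory size. Not Firefox code; built on Python's zlib.
import io
import struct
import zipfile
import zlib

# 30-byte ZIP local file header: sig, version, flags, method, time, date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = "<IHHHHHIIIHH"
LOCAL_HEADER_SIG = 0x04034B50


class CorruptEntry(Exception):
    """An entry that does not inflate to the size its central directory entry declares."""


def inflate_entry(compressed, declared_size, chunk=4096):
    """Inflate raw-deflate `compressed`, allowing at most `declared_size` bytes out.

    Checks, in the spirit of the fix on this bug: fail the moment total output
    exceeds declared_size instead of growing the buffer (the hang the fuzzer
    found); reject a stream that ends before its end-of-stream marker; reject a
    stream whose final length differs from declared_size.
    """
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, as inside ZIP
    out = bytearray()
    data = compressed
    try:
        while True:
            # Ask for at most the bytes still allowed plus one; that extra byte
            # is what makes an overrun visible.
            budget = declared_size + 1 - len(out)
            piece = inflater.decompress(data, min(chunk, budget))
            out += piece
            if len(out) > declared_size:
                raise CorruptEntry("inflates past declared size %d" % declared_size)
            data = inflater.unconsumed_tail
            if inflater.eof:
                break
            if not piece and not data:  # no input left, no output produced
                raise CorruptEntry("stream ends before its end-of-stream marker")
    except zlib.error as exc:
        raise CorruptEntry("invalid deflate data: %s" % exc)
    if len(out) != declared_size:
        raise CorruptEntry("inflated %d bytes, central directory declares %d"
                           % (len(out), declared_size))
    return bytes(out)


def verdict(compressed, declared_size):
    """Return "ok" or "rejected: <reason>" for one entry."""
    try:
        inflate_entry(compressed, declared_size)
        return "ok"
    except CorruptEntry as exc:
        return "rejected: %s" % exc


def build_jar(entries):
    """Constructed sample input: pack {name: bytes} into a deflated ZIP/JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def raw_entry(jar, name):
    """Return (raw deflate bytes, central-directory uncompressed size) of `name`."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        info = zf.getinfo(name)  # sizes come from the central directory
    fields = struct.unpack_from(LOCAL_HEADER, jar, info.header_offset)
    sig, method, name_len, extra_len = fields[0], fields[3], fields[9], fields[10]
    if sig != LOCAL_HEADER_SIG or method != zipfile.ZIP_DEFLATED:
        raise CorruptEntry("unexpected local header for %s" % name)
    start = info.header_offset + struct.calcsize(LOCAL_HEADER) + name_len + extra_len
    return jar[start:start + info.compress_size], info.file_size


def check_jar(jar):
    """Inflate every entry against its declared size; return {name: verdict}."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = zf.namelist()
    return {name: verdict(*raw_entry(jar, name)) for name in names}


if __name__ == "__main__":
    sample = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                        "data.bin": b"A" * 10000})
    print(check_jar(sample))
    compressed, size = raw_entry(sample, "data.bin")
    for bad_size in (size - 1, size + 1):
        print("declared %d: %s" % (bad_size, verdict(compressed, bad_size)))
```

The budget of one byte beyond the declared size is the whole trick: a reader that allocates whatever the stream produces is exactly what the fuzzer hit, while a reader that stops at declared_size alone cannot tell a correct entry from one that would have kept going.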
Comment 2•2 years ago
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox114:
--- → wontfix
status-firefox115:
--- → wontfix
status-firefox116:
--- → fixed
status-firefox-esr102:
--- → wontfix
status-firefox-esr115:
--- → affected
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
Comment 3•2 years ago
Is this worth an ESR115 uplift? It grafts cleanly. Please nominate if yes since Valentin is on PTO.
Flags: needinfo?(rjesup)
Comment 4•2 years ago
Comment on attachment 9340000 [details]
Bug 1838117 - Reject JAR entries that don't inflate to the correct size r=jesup
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fuzzing bug; and jar files are used by extensions and so could be an attack vector. Not high risk, but a concern
- User impact if declined:
- Fix Landed on Version: 116
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Pref to turn off new behavior mitigates any risk due to bad jar files out in the wild
Flags: needinfo?(rjesup)
Attachment #9340000 -
Flags: approval-mozilla-esr115?
Comment 5•2 years ago
Comment on attachment 9340000 [details]
Bug 1838117 - Reject JAR entries that don't inflate to the correct size r=jesup
Approved for 115.1esr.
Attachment #9340000 -
Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Updated•2 years ago
tracking-firefox116:
--- → +
tracking-firefox-esr115:
--- → 116+
Updated•2 years ago
QA Whiteboard: [post-critsmash-triage]
Pushed by ffxbld-merge:
https://hg.mozilla.org/releases/mozilla-release/rev/8e2d2d475096
Reject JAR entries that don't inflate to the correct size r=jesup
https://hg.mozilla.org/releases/mozilla-release/rev/36c126e25c92
Backed out changeset 8e2d2d475096 for causing bustages in nsJARInputStream.cpp CLOSED TREE
Updated•2 years ago
Whiteboard: [fuzzblocker][necko-triaged][necko-priority-queue] → [fuzzblocker][necko-triaged][necko-priority-queue][adv-main116-][adv-ESR115.1-]
Updated•2 years ago
Group: core-security-release
