Closed Bug 1343772 Opened 8 years ago Closed 7 years ago

Stack Buffer Overflow [@mozilla::LogModuleManager::Print]

Categories

(Core :: XPCOM, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: Only if logging enabled (fixed by bug 1341017))

Attachments

(1 file)

Attached file index.html (deleted) —
Stack buffer overflow found via fuzzing. Testcase requires the "MOZ_LOG=DataChannel:4" environment variable in order to reproduce the issue.

==28794==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc882986b0 at pc 0x7fb106b10eda bp 0x7ffc882979b0 sp 0x7ffc882979a8
READ of size 1 at 0x7ffc882986b0 thread T0
    #0 0x7fb106b10ed9 in mozilla::LogModuleManager::Print(char const*, mozilla::LogLevel, char const*, __va_list_tag*) /home/worker/workspace/build/src/xpcom/base/Logging.cpp:379:30
    #1 0x7fb106b0eeb4 in Printv /home/worker/workspace/build/src/xpcom/base/Logging.cpp:565:3
    #2 0x7fb106b0eeb4 in mozilla::detail::log_print(mozilla::LogModule const*, mozilla::LogLevel, char const*, ...) /home/worker/workspace/build/src/xpcom/base/Logging.cpp:62
    #3 0x7fb1079dba2a in mozilla::DataChannelConnection::Open(nsACString_internal const&, nsACString_internal const&, mozilla::DataChannelConnection::Type, bool, unsigned int, mozilla::DataChannelListener*, nsISupports*, bool, unsigned short) /home/worker/workspace/build/src/netwerk/sctp/datachannel/DataChannel.cpp:1952:3
    #4 0x7fb1108d8857 in mozilla::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, nsDOMDataChannel**) /home/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1306:17
    #5 0x7fb1108d83e9 in mozilla::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, mozilla::ErrorResult&) /home/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1278:8
    #6 0x7fb109e7d8ee in mozilla::dom::PeerConnectionImplBinding::createDataChannel(JSContext*, JS::Handle<JSObject*>, mozilla::PeerConnectionImpl*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:1428:48
    #7 0x7fb10b03d787 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #8 0x7fb110b3b43f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #9 0x7fb110b3b43f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #10 0x7fb110b21d60 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #11 0x7fb110b21d60 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2955
    #12 0x7fb110b0708b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #13 0x7fb110b3b756 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #14 0x7fb110b3be32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #15 0x7fb11150d16c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2878:12
    #16 0x7fb109fb0892 in mozilla::dom::RTCPeerConnectionJSImpl::CreateDataChannel(nsAString_internal const&, mozilla::dom::RTCDataChannelInit const&, mozilla::ErrorResult&, JSCompartment*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:7058:8
    ...truncated...

Address 0x7ffc882986b0 is located in stack of thread T0 at offset 3312 in frame
    #0 0x7fb106b1054f in mozilla::LogModuleManager::Print(char const*, mozilla::LogLevel, char const*, __va_list_tag*) /home/worker/workspace/build/src/xpcom/base/Logging.cpp:358
  This frame has 6 object(s):
    [32, 2080) 'buf.i'
    [2208, 2248) 'ss.i'
    [2288, 3312) 'buff' <== Memory access at offset 3312 overflows this variable
    [3440, 3464) 'argsCopy'
    [3504, 3544) 'noNameThread'
    [3584, 3624) 'now'
Flags: in-testsuite?
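Triage helper for the frame description in the report above, added here as an example and not part of the bug or of the Firefox tree: it parses the "This frame has N object(s)" section of an AddressSanitizer stack-buffer-overflow report and names the variable the faulting access lands beyond, and by how many bytes. The embedded report text is a constructed excerpt copied from the trace in comment 0; it works on any ASan report of this kind, not only this one.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the ASan output from comment 0 (values copied, not derived).
ASAN_REPORT = """\
==28794==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc882986b0 at pc 0x7fb106b10eda bp 0x7ffc882979b0 sp 0x7ffc882979a8
READ of size 1 at 0x7ffc882986b0 thread T0
Address 0x7ffc882986b0 is located in stack of thread T0 at offset 3312 in frame
    #0 0x7fb106b1054f in mozilla::LogModuleManager::Print(char const*, mozilla::LogLevel, char const*, __va_list_tag*) Logging.cpp:358
  This frame has 6 object(s):
    [32, 2080) 'buf.i'
    [2208, 2248) 'ss.i'
    [2288, 3312) 'buff' <== Memory access at offset 3312 overflows this variable
    [3440, 3464) 'argsCopy'
    [3504, 3544) 'noNameThread'
    [3584, 3624) 'now'
"""

@dataclass
class Finding:
    access: str     # "READ" or "WRITE"
    size: int       # bytes touched by the faulting access
    offset: int     # frame offset of the faulting address
    variable: str   # stack object whose end the access runs past
    var_size: int   # size of that object in bytes
    past_end: int   # bytes past the object's end (0 = the first byte after it)

def triage_stack_overflow(report: str) -> Finding:
    """Map an ASan stack-buffer-overflow access to the overrun stack object."""
    acc = re.search(r"(READ|WRITE) of size (\d+) at 0x[0-9a-f]+", report)
    off = re.search(r"at offset (\d+) in frame", report)
    if not (acc and off):
        raise ValueError("not an ASan stack-buffer-overflow report")
    offset = int(off.group(1))
    objs = [(int(lo), int(hi), name) for lo, hi, name
            in re.findall(r"\[(\d+), (\d+)\) '([^']+)'", report)]
    if any(lo <= offset < hi for lo, hi, _ in objs):
        raise ValueError("access is inside an object; not an overflow past its end")
    # The overrun object is the one ending closest below the access offset
    # (ASan places a redzone after each object, so the access sits in that gap).
    below = [o for o in objs if o[1] <= offset]
    if not below:
        raise ValueError("access precedes every object (underflow); not handled here")
    lo, hi, name = max(below, key=lambda o: o[1])
    return Finding(acc.group(1), int(acc.group(2)), offset, name, hi - lo, offset - hi)

def summarize(f: Finding) -> str:
    kind = "off-by-one" if f.past_end == 0 and f.size == 1 else "overrun"
    return (f"{f.access} of {f.size} byte(s) {f.past_end} byte(s) past the end of "
            f"'{f.variable}' ({f.var_size} bytes): {kind}")
```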
Component: XPCOM → WebRTC: Networking
Group: core-security → media-core-security
Flags: needinfo?(rjesup)
I'm guessing that the most likely cause is invalid arguments being passed to the log function, rather than a bug in the log function itself, but I could be wrong.
Eric says we have (and are fixing) a known regression in log printing... please recheck when that's fixed or make this depend on that bug.
Flags: needinfo?(jkratzer)
Keywords: sec-moderate
Whiteboard: Only if logging enabled
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Eric says we have (and are fixing) a known regression in log printing...
> please recheck when that's fixed or make this depend on that bug.

I think bug 1341017 should fix this.
Component: WebRTC: Networking → XPCOM
Flags: needinfo?(rjesup)
Was the source of the bug the bug 1060419 landing?
Flags: needinfo?(erahm)
(In reply to Randell Jesup [:jesup] from comment #4)
> Was the source of the bug the bug 1060419 landing?

Yes (at least for bug 1341017).
Flags: needinfo?(erahm)
Per erahm's comment about bug 1060419, marking as 54-only. We can close this when that gets to m-c, I assume.
Depends on: 1341017
Flags: needinfo?(jkratzer)
Just retested and this appears to be fixed on mozilla-central rev 20170302225754.
Blocks: 1060419
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: regression
Resolution: --- → FIXED
Whiteboard: Only if logging enabled → Only if logging enabled (fixed by bug 1341017)
Group: core-security-release
Blocks: domino