Closed
Bug 674189
Opened 13 years ago
Closed 13 years ago
crash @xptcstubs_gcc_x86_unix
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox6 | - | wontfix |
firefox7 | - | unaffected |
firefox8 | --- | unaffected |
People
(Reporter: david.maciejak, Assigned: peterv)
References
(Blocks 1 open bug)
Details
(Whiteboard: [sg:critical?])
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30
Steps to reproduce:
Hi,
I was playing with a fuzzer on firefox 5 (firefox 5.0+build1+nobinonly-0ubuntu0.11.04.2), and got the crash below:
Program received signal SIGSEGV, Segmentation fault.
0xb777fb06 in PrepareAndDispatch (methodIndex=<value optimized out>, self=0xa2ae7650, args=0xbfffe564)
at /build/buildd/firefox-5.0+build1+nobinonly/build-tree/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_gcc_x86_unix.cpp:189
due to the nature of the fuzzer it will be hard to get a test case, but i can reproduce it if needed.
Regards,
David Maciejak
Fortinet's FortiGuard Global Security Research Team
Actual results:
firefox crashed, so i run it in gdb, find the full trace enclosed
Expected results:
no crash
Comment 1•13 years ago
|
||
We would definitely need more details than you have provided here: at least a backtrace, and probably a reproducible testcase.
With our internal fuzzers we work pretty hard to make sure that they at least log their actions to try and make bugs reproducible.
Comment 2•13 years ago
|
||
Oh, the backtrace is in the attachment. There's still not enough details to evaluate this: we're operating on a dead object pointer. With a testcase, a valgrind log would probably produce the most useful information.
Reporter | ||
Comment 3•13 years ago
|
||
I would like to provide a testcase too, but it's not easy to identify from the fuzzer which is based on cross_fuzz. I will try to do a smaller fuzz file and i will generate a valgrind log too.
Reporter | ||
Comment 4•13 years ago
|
||
Benjamin, pls tell me which valgrind option you want, seems firefox -g -d valgrind -a "-v --leak-check=full" is not giving much info
Comment 5•13 years ago
|
||
https://developer.mozilla.org/en/Debugging_Mozilla_with_valgrind has the details.
Reporter | ||
Comment 6•13 years ago
|
||
i have to rebuild firefox ? :S
Reporter | ||
Comment 7•13 years ago
|
||
Reporter | ||
Comment 8•13 years ago
|
||
i uploaded a smaller version of the fuzzer, running the cli command below with root is reproducing the issue in my lab after about 30s
#firefox -g -private-toggle file:///fuzzcase/cross_fuzz_seed_ftnt.html#864324348
Updated•13 years ago
|
Whiteboard: [sg:critical?]
Comment 9•13 years ago
|
||
Peter, this looks like it might be a bogus nsINode pointer making it into the DOM code, maybe something not working right in the offset table magic we do when unwrapping, or somesuch? Can you have a look?
Assignee: nobody → peterv
Comment 10•13 years ago
|
||
We ran out of time to take a fix for 6 safely here, but we're tracking this for 7 and beyond. Peter, if you happen to get a fix for this and it's trivial and really safe, we could consider this for 6, but we're pushing the limits there IMO.
status-firefox6:
--- → wontfix
status-firefox7:
--- → affected
status-firefox8:
--- → affected
tracking-firefox7:
--- → +
tracking-firefox8:
--- → +
Comment 11•13 years ago
|
||
How different is your version of cross_fuzz from upstream cross_fuzz?
Blocks: crossfuzz
Reporter | ||
Comment 12•13 years ago
|
||
In fact, for the version i sent the core is not changed, i just played with different document types, adding for example svg samples, webgl and more.
Updated•13 years ago
|
tracking-firefox6:
--- → -
Reporter | ||
Comment 13•13 years ago
|
||
fyi i can't reproduce it in ff 6.0
Comment 14•13 years ago
|
||
It's quite possible one of the many engine changes in Firefox 6 fixed this bug, but there's no way to say for sure. If you can no longer reproduce it we need to move on to other bugs.
If the bug recurs please reopen the bug with the additional information (or send mail to security at mozilla.org and we'll do it).
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
tracking-firefox8:
+ → ---
Resolution: --- → WORKSFORME
Assignee | ||
Comment 15•13 years ago
|
||
I tried reproducing this on trunk but couldn't either. I also looked at the code, didn't see anything obviously wrong.
Updated•13 years ago
|
Attachment #548971 -
Attachment description: Bug Bounty Nomination → Bug Bounty non-qual
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•