GNOME Bugzilla – Bug 795740
Crashes at libephymain.so (0x7fff8ea7f700)
Last modified: 2018-06-08 14:42:12 UTC
Hi Team, while running bulk test cases (fuzzing) on Epiphany Web 3.28.1 on Linux 4.15.0-20-generic, the browser crashes. Running the test case and browser in debug mode generates this error; below is the stack trace for your reference.
Thread 15 "pool" received signal SIGSEGV, Segmentation fault.
+ Trace 238593
Thread 140735586760448 (LWP 3827)
Request team to please look into this. PS: @magicmac2000 // This test case was written by him.
Created attachment 371595 [details] Proof of concept
Thanks for taking the time to report this. Unfortunately, that stack trace misses some elements that will help a lot to solve the problem, so it will be hard for the developers to fix that crash. Can you get us a full stack trace that includes debugging symbols? Please see https://wiki.gnome.org/Community/GettingInTouch/Bugzilla/GettingTraces for more information on how to do so and reopen this bug report. Thanks in advance! And how to run the "Proof of concept"? It refers to files like "sleep_one_second.php" that we do not have. This task welcomes steps to reproduce.
Thank you for looking into this. I was performing a blind fuzz so didn't look at the PoC which creates this crash. However, I have had a look at the test case now and have minimized it as well.
Steps to reproduce:
1. Open crash.html in Epiphany
2. It crashes
crash.html:
<script>
win = window.open("blah", "WIN");
</script>
Below is the stack trace for your reference.
Thread 15 "pool" received signal SIGSEGV, Segmentation fault.
+ Trace 238594
Thread 140735184115456 (LWP 2714)
However, if the stack is still not visible, I have attached a txt file for the same; hope this helps. Request you to please have a look again. Cheers!
Created attachment 371602 [details] Stack trace
ftw@ftw-box:~$ gdb epiphany
(gdb) run
Starting program: /usr/bin/epiphany
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe08bc700 (LWP 2279)]
[New Thread 0x7fffdee51700 (LWP 2280)]
[New Thread 0x7fffde650700 (LWP 2281)]
[New Thread 0x7fffdcdd5700 (LWP 2282)]
[New Thread 0x7fffd7fff700 (LWP 2283)]
[New Thread 0x7fffd77fe700 (LWP 2284)]
[New Thread 0x7fffd6ffd700 (LWP 2285)]
[New Thread 0x7fffd67fc700 (LWP 2286)]
[New Thread 0x7fffd5b8c700 (LWP 2287)]
[New Thread 0x7fffd538b700 (LWP 2288)]
[New Thread 0x7fff8f486700 (LWP 2294)]
[New Thread 0x7fff8da1e700 (LWP 2304)]
[New Thread 0x7fff8d21d700 (LWP 2305)]
[New Thread 0x7fff8ea7f700 (LWP 2315)]
[Thread 0x7fffd5b8c700 (LWP 2287) exited]
[Thread 0x7fffd67fc700 (LWP 2286) exited]
Thread 15 "pool" received signal SIGSEGV, Segmentation fault.
+ Trace 238595
Thread 140735586760448 (LWP 2315)
Thanks! That stack trace still misses any symbols but the steps to reproduce were helpful. :)
$:\> gdb epiphany
GNU gdb (GDB) Fedora 8.1-11.fc28
Reading symbols from epiphany...Reading symbols from /usr/lib/debug/usr/bin/epiphany-3.28.1.1-1.fc28.x86_64.debug...done.
done.
(gdb) run ./crash.html
Starting program: /usr/bin/epiphany ./crash.html
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7fffdf364700 (LWP 30708)]
[New Thread 0x7fffd2184700 (LWP 30709)]
[New Thread 0x7fffd1983700 (LWP 30710)]
[New Thread 0x7fffd1182700 (LWP 30711)]
[New Thread 0x7fff7ecff700 (LWP 30712)]
[New Thread 0x7fff7e4fe700 (LWP 30713)]
[New Thread 0x7fff7dcfd700 (LWP 30714)]
[New Thread 0x7fff7d4fc700 (LWP 30715)]
(epiphany:30698): GLib-CRITICAL **: 11:53:37.349: g_strdelimit: assertion 'string != NULL' failed
(epiphany:30698): GLib-CRITICAL **: 11:53:37.349: g_strdelimit: assertion 'string != NULL' failed
Detaching after fork from child process 30716.
Detaching after fork from child process 30718.
[New Thread 0x7fff6ffff700 (LWP 30720)]
[New Thread 0x7fff6f5c3700 (LWP 30727)]
[New Thread 0x7fff6edc2700 (LWP 30728)]
[New Thread 0x7fff6de48700 (LWP 30740)]
[New Thread 0x7fff5bfff700 (LWP 30743)]
[New Thread 0x7fff537fe700 (LWP 30744)]
[Thread 0x7fff537fe700 (LWP 30744) exited]
Thread 13 "pool" received signal SIGSEGV, Segmentation fault.
+ Trace 238596
Thread 140735037081344 (LWP 30740)
Thread 13 (Thread 0x7fff6de48700 (LWP 30740))
Thread 9 (Thread 0x7fff7d4fc700 (LWP 30715))
Thread 8 (Thread 0x7fff7dcfd700 (LWP 30714)):
../../gdb/dictionary.c:690: internal-error: void insert_symbol_hashed(dictionary*, symbol*): Assertion `SYMBOL_LANGUAGE (sym) == DICT_LANGUAGE (dict)->la_language' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) y
This is a bug, please report it.
For instructions, see:
<http://www.gnu.org/software/gdb/bugs/>.
../../gdb/dictionary.c:690: internal-error: void insert_symbol_hashed(dictionary*, symbol*): Assertion `SYMBOL_LANGUAGE (sym) == DICT_LANGUAGE (dict)->la_language' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) n
OK, this was easy. Thanks a bunch for reporting it, and for fuzzing Epiphany! The following fix has been pushed: 4f4eb2c session: Fix crash when JS opens an invalid URI
Created attachment 372352 [details] [review] session: Fix crash when JS opens an invalid URI
Thank you Michael, CVE-2018-11396 has been assigned to this. Cheers!
(In reply to Dhiraj from comment #1)
> Created attachment 371595 [details]
> Proof of concept
Jeremy from Ubuntu noticed this is still crashing even with the fix applied. Problem is I fixed the PoC you posted in comment #3, but this PoC in attachment #371595 [details] is a completely different crash, in WebKitFaviconDatabase:
+ Trace 238628
Unfortunately the gdb crash makes it impossible to get a full trace, so it's hard to know for sure if this is an Epiphany bug or a WebKit bug. I'll need to investigate.
(In reply to Michael Catanzaro from comment #9)
> Unfortunately the gdb crash makes it impossible to get a full trace,
You can try "lldb", either the stock one on other distros or on Fedora:
dnf copr enable jankratochvil/lldb; dnf install lldb-experimental
$ lldb-experimental -o run -- epiphany epiphany-crash.html
(lldb) bt all
(lldb) thread select 8
(lldb) up/down
(lldb) frame variable
Got a backtrace using Fedora 27:
+ Trace 238632
(In reply to Michael Catanzaro from comment #9)
> Jeremy from Ubuntu noticed this is still crashing even with the fix applied.
> Problem is I fixed the PoC you posted in comment #3, but this PoC in
> attachment #371595 [details] is a completely different crash, in
> WebKitFaviconDatabase:
https://bugs.webkit.org/show_bug.cgi?id=186164
Weird that two similar reproducers triggered two different crashes. I guess that's a reminder for us to verify that the crash is still the same when reducing crashers.
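An added illustration of the check suggested in the comment above, that a reduced reproducer still hits the same crash as the original; this is not code from this bug report or from the Epiphany project. It derives a crash signature from the first symbolized frames of a gdb-style backtrace and compares two traces. The backtrace text below is constructed for the example: the frame addresses, function names and library names are made up, and the third sample trace imitates the symbol-less traces posted early in this bug, which the comparison deliberately refuses to judge.

```python
import os
import re
from typing import List, Optional, Tuple

# Constructed, placeholder gdb-style backtraces (NOT the traces attached to
# this bug). Function and library names are invented for illustration.
ORIGINAL_BT = """\
#0  0x00007ffff7a1c2b0 in placeholder_icon_lookup (db=0x0) from /usr/lib/libplaceholder_favicon.so
#1  0x00007ffff7a1c4f1 in placeholder_icon_request (page=0x5555559b0c40) from /usr/lib/libplaceholder_favicon.so
#2  0x00007ffff6e9a123 in placeholder_dispatch () from /usr/lib/libplaceholder_loop.so
#3  0x00007ffff6e9a4a0 in ?? () from /usr/lib/libplaceholder_loop.so
"""

REDUCED_BT = """\
#0  0x00007ffff7b30110 in placeholder_session_open (uri=0x0) from /usr/lib/libplaceholder_main.so
#1  0x00007ffff7b30a80 in placeholder_window_open_cb () from /usr/lib/libplaceholder_main.so
#2  0x00007ffff6e9a123 in placeholder_dispatch () from /usr/lib/libplaceholder_loop.so
"""

# A trace without debug symbols: only '??' frames, which carry nothing a
# deduplication step can rely on.
UNSYMBOLIZED_BT = """\
#0  0x00007ffff7b30110 in ?? () from /usr/lib/libplaceholder_main.so
#1  0x00007ffff6e9a4a0 in ?? () from /usr/lib/libplaceholder_loop.so
"""

# One gdb frame line: "#N  [0xADDR in] func (args) [from LIB | at FILE:LINE]"
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>\S+)\s*\("
    r".*?\)(?:\s+(?:from|at)\s+(?P<loc>\S+))?"
)


def parse_frames(bt: str) -> List[Tuple[str, str]]:
    """Return (function, module-or-file basename) for each '#N' frame line."""
    frames = []
    for line in bt.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            loc = m.group("loc") or ""
            frames.append((m.group("func"), os.path.basename(loc)))
    return frames


def crash_signature(bt: str, depth: int = 3) -> Optional[Tuple[str, ...]]:
    """First `depth` symbolized frames as 'func@module'; None if the trace has no symbols."""
    symbolized = [f"{func}@{mod}" for func, mod in parse_frames(bt) if func != "??"]
    sig = tuple(symbolized[:depth])
    return sig or None


def same_crash(bt_a: str, bt_b: str, depth: int = 3) -> Optional[bool]:
    """True/False when both traces are comparable; None when either lacks symbols."""
    a, b = crash_signature(bt_a, depth), crash_signature(bt_b, depth)
    if a is None or b is None:
        return None
    return a == b


if __name__ == "__main__":
    verdict = same_crash(ORIGINAL_BT, REDUCED_BT)
    print("original :", crash_signature(ORIGINAL_BT))
    print("reduced  :", crash_signature(REDUCED_BT))
    print("same crash after reduction:", verdict)
    print("comparison with unsymbolized trace:", same_crash(ORIGINAL_BT, UNSYMBOLIZED_BT))
```

Run against the two constructed traces it reports that the reduced reproducer is a different crash, which is the situation the comment describes; against the symbol-less trace it returns None rather than a confident answer, so a triage pipeline can ask for a trace with debugging symbols instead of silently merging or splitting reports.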
Note someone else filed a duplicate CVE request for this, CVE-2018-12016.
Yes, I have informed the requester who took the duplicate CVE for this. Reference URL: https://github.com/ldpreload/Disclosure/issues/1
I should have mentioned that I already informed MITRE, so now we have a duplicate duplicate notification... ah well, that doesn't matter. :D This is fixed in 3.28.3. Thanks again for fuzzing Epiphany!