[WPE 2.38] WPENetworkProcess crash observed with signal SIGSEGV

[Santhosh-Kumar-infosys]

There are significant number of crashes (SIGSEGV) observed in WPENetworkProcess and following is stack trace observed:

Crash reason: SIGSEGV
Crash address: 0x0
Process uptime: not available
Thread 0 (crashed)
0 libc.so.6!____strtoul_l_internal [strtol_l.c : 292 + 0x0]
r0 = 0xb45f25d4 r1 = 0x00000000 r2 = 0x00000000 r3 = 0x00000000
r4 = 0x00000000 r5 = 0x67057aca r6 = 0x0000000a r7 = 0xbefcd718
r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 r12 = 0xb4220464
fp = 0x00000000 sp = 0xbefcd718 lr = 0xb456eeb7 pc = 0xb456f218
Found by: given as instruction pointer in context
1 libc.so.6!__strtoul [strtol.c : 106 + 0x9]
r4 = 0xb329f800 r5 = 0x67057aca r6 = 0x0008a5a4 r7 = 0xbefcd768
r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
sp = 0xbefcd760 pc = 0xb456eeb7
Found by: call frame info
2 libsoup-2.4.so.1!callback [soup-cookie-jar-db.c : 167 + 0x3]
r4 = 0x00074c48 r5 = 0x67057aca r6 = 0x0008a5a4 r7 = 0xbefcd780
r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000
sp = 0xbefcd778 pc = 0xb41d9391
Found by: call frame info
3 libsqlite3.so.0!sqlite3_exec [sqlite3.c : 125294 + 0xb]
r4 = 0xb41d935d r5 = 0x0008a580 r6 = 0x0005b808 r7 = 0xbefcd7b8
r8 = 0x00000009 r9 = 0xbefcd814 r10 = 0x0008a5c8 fp = 0x0008a5a4
sp = 0xbefcd7b0 pc = 0xb3e73919
Found by: call frame info
4 libsoup-2.4.so.1!exec_query_with_try_create_table [soup-cookie-jar-db.c : 209 + 0x3]
r4 = 0x0005b808 r5 = 0xb41fc053 r6 = 0xb41d935d r7 = 0xbefcd810
r8 = 0x00074c48 r9 = 0x00000000 r10 = 0xbefcd814 fp = 0x00000001
sp = 0xbefcd808 pc = 0xb41d942f
Found by: call frame info

On further exploration/analysis on this crash issue, it seems that the root cause of the crash is related to two issues, integer overflow and out of bounds read in libsoup library. Fix for these issues are available in latest libsoup versions 2.74.3 and 3.6.5 which are fixed recently. Note that current libsoup version used with WPE 2.38 is 2.68.4.

Following are the fixes available in latest version:

Issue-1 : (CVE-2025-4945) (#YWH-PGM9867-64) Integer Overflow on libsoup through libsoup/soup-date-utils.c via parse_timezone() function caused by malformed "expired" value when cookie is parsed with "soup_cookie_parse"
https://gitlab.gnome.org/GNOME/libsoup/-/issues/448

Issue-2 : (CVE-2025-11021) (#YWH-PGM9867-103) Out-of-bounds Read in libsoup through libsoup/cookies/soup-cookie.c via soup_date_time_to_string()
https://gitlab.gnome.org/GNOME/libsoup/-/issues/459

Please suggest if we have to backport the above fixes into current libsoup library 2.68.4 version.

[magomez]

Thanks for the report @Santhosh-Kumar-infosys!
I understand that upgrading libsoup is not an option, so the only alternative is backporting the fixes for the issues yes.
If I understood the bugs properly, it seems that backporting https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f should be enough to fix this. This is the fix for the first issue you mention.
The second issue has a different fix, but there's a comment there mentioning that in the end it was already fixed by the fix to the previous issue.

So, I would backport https://gitlab.gnome.org/GNOME/libsoup/-/commit/8988379984e33dcc7d3aa58551db13e48755959f and check whether the problem persists. If you still see crashes, then backport https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788 as well, which is the fix for the second issue.

I don't expect complications in the backport, the commits seem pretty small and self contained.

[Santhosh-Kumar-infosys]

Thanks for your suggestion Miguel Gómez, I will check further