Closed
Bug 965314
Opened 11 years ago
Closed 9 years ago
Intermittent ASAN use-after-poison in CERT_DestroyCertificate during test_bug514732.html
Categories
(Core :: Security: PSM, defect)
RESOLVED
WORKSFORME
People
(Reporter: RyanVM, Unassigned)
Assuming this is s-s. Feel free to unset if it isn't.

https://tbpl.mozilla.org/php/getParsedLog.php?id=33742057&tree=Mozilla-Inbound

Ubuntu ASAN VM 12.04 x64 mozilla-inbound opt test mochitest-5 on 2014-01-29 06:03:22 PST for push c605fcc341a7
slave: tst-linux64-spot-476

06:11:54 INFO - 2276 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Received expected inner contraction event
06:11:54 INFO - 2277 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Contraction event x is 0
06:11:54 INFO - 2278 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Contraction event y is 0
06:11:54 INFO - 2279 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Inner contraction event width matches body width
06:11:54 INFO - 2280 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Inner contraction event height matches body height
06:11:55 INFO - =================================================================
06:11:55 INFO - ==3003==ERROR: AddressSanitizer: use-after-poison on address 0x61d000569338 at pc 0x7fec2bb41fe8 bp 0x7fec12664170 sp 0x7fec12664168
06:11:55 INFO - READ of size 8 at 0x61d000569338 thread T5 (Socket Thread)
06:11:55 INFO - #0 0x7fec2bb41fe7 in CERT_DestroyCertificate /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/certdb/stanpcertdb.c:791
06:11:55 INFO - #1 0x7fec2d103a68 in ssl3_CleanupPeerCerts /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/ssl3con.c:9658
06:11:55 INFO - #2 0x7fec2d103a68 in ssl3_DestroySSL3Info /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/ssl3con.c:12015
06:11:55 INFO - #3 0x7fec2d139fbe in ssl_DestroySocketContents /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/sslsock.c:337
06:11:55 INFO - #4 0x7fec2d139d17 in ssl_FreeSocket /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/sslsock.c:400
06:11:55 INFO - #5 0x7fec2d11e0d9 in ssl_DefClose /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/ssldef.c:205
06:11:56 INFO - #6 0x7fec25015a58 in nsNSSSocketInfo::CloseSocketAndDestroy(nsNSSShutDownPreventionLock const&) /builds/slave/m-in-l64-asan-0000000000000000/build/security/manager/ssl/src/nsNSSIOLayer.cpp:865
06:11:56 INFO - #7 0x7fec250179f6 in nsSSLIOLayerClose(PRFileDesc*) /builds/slave/m-in-l64-asan-0000000000000000/build/security/manager/ssl/src/nsNSSIOLayer.cpp:842
06:11:56 INFO - #8 0x7fec1f9a6252 in nsSocketTransport::ReleaseFD_Locked(PRFileDesc*) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransport2.cpp:1604
06:11:56 INFO - #9 0x7fec1f9b206e in nsSocketTransport::OnSocketDetached(PRFileDesc*) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransport2.cpp:1867
06:11:56 INFO - #10 0x7fec1f9b80ef in nsSocketTransportService::DetachSocket(nsSocketTransportService::SocketContext*, nsSocketTransportService::SocketContext*) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:181
06:11:56 INFO - #11 0x7fec1f9bc1ad in nsSocketTransportService::DoPollIteration(bool) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:782
06:11:56 INFO - #12 0x7fec1f9bbc2f in nsSocketTransportService::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:684
06:11:56 INFO - #13 0x7fec1f9bd419 in non-virtual thunk to nsSocketTransportService::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:728
06:11:56 INFO - #14 0x7fec1f8d6915 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:637
06:11:56 INFO - #15 0x7fec1f7aaba1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:263
06:11:56 INFO - #16 0x7fec20108e0f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp:303
06:11:56 INFO - #17 0x7fec2007d013 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
06:11:56 INFO - #18 0x7fec2007d013 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:219
06:11:56 INFO - #19 0x7fec2007d013 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:193
06:11:56 INFO - #20 0x7fec1f8d35f2 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:258
06:11:56 INFO - #21 0x7fec2dcbad59 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:205
06:11:56 INFO - #22 0x44cf03 in __asan::AsanThread::ThreadStart(unsigned long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:138
06:11:56 INFO - #23 0x7fec311d4e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
06:11:56 INFO - #24 0x7fec302e5dbc (/lib/x86_64-linux-gnu/libc.so.6+0xf3dbc)
06:11:56 INFO - 0x61d000569338 is located 696 bytes inside of 2048-byte region [0x61d000569080,0x61d000569880)
06:11:56 INFO - allocated by thread T5 (Socket Thread) here:
06:11:56 INFO - #0 0x446395 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
06:11:56 INFO - #1 0x7fec2d83ed8d in PL_ArenaAllocate /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/lib/ds/plarena.c:203
06:11:56 INFO - Thread T5 (Socket Thread) created by T0 here:
06:11:56 INFO - #0 0x437801 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:155
06:11:56 INFO - #1 0x7fec2dcb6cb5 in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:445
06:11:56 INFO - #2 0x7fec2dcb6807 in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:528
06:11:56 INFO - SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/certdb/stanpcertdb.c:791 CERT_DestroyCertificate
06:11:56 INFO - Shadow bytes around the buggy address:
06:11:56 INFO -   0x0c3a800a5210: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5250: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO - =>0x0c3a800a5260: f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a5290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a52a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO -   0x0c3a800a52b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
06:11:56 INFO - Addressable: 00
06:11:56 INFO - Partially addressable: 01 02 03 04 05 06 07
06:11:56 INFO - Heap left redzone: fa
06:11:56 INFO - Heap right redzone: fb
06:11:56 INFO - Freed heap region: fd
06:11:56 INFO - Stack left redzone: f1
06:11:56 INFO - Stack mid redzone: f2
06:11:56 INFO - Stack right redzone: f3
06:11:56 INFO - Stack partial redzone: f4
06:11:56 INFO - Stack after return: f5
06:11:56 INFO - Stack use after scope: f8
06:11:56 INFO - Global redzone: f9
06:11:56 INFO - Global init order: f6
06:11:56 INFO - Poisoned by user: f7
06:11:56 INFO - ASan internal: fe
06:11:56 INFO - ==3003==ABORTING
06:11:56 WARNING - TEST-UNEXPECTED-FAIL | /tests/layout/generic/test/test_bug514732.html | application terminated with exit code 1
06:11:56 INFO - INFO | runtests.py | Application ran for: 0:00:58.106187
06:11:56 INFO - INFO | zombiecheck | Reading PID log: /tmp/tmpxIXBNWpidlog
06:11:56 INFO - WARNING | leakcheck | refcount logging is off, so leaks can't be detected!
06:11:56 INFO - runtests.py | Running tests: end.
06:11:56 ERROR - Return code: 1
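A triage helper for the ASan report in the description, as an added example that is not part of the original bug or of Mozilla's tooling: it strips the test-harness prefix, extracts the error kind, first faulting frame and allocation region, and maps the bracketed shadow byte through the report's own legend. The function name `triage` and the returned keys are illustrative; the sample lines are copied from the log above.

```python
import re

# Sample input: a subset of lines copied from the report above, harness prefix included.
SAMPLE = """\
06:11:55 INFO - ==3003==ERROR: AddressSanitizer: use-after-poison on address 0x61d000569338 at pc 0x7fec2bb41fe8 bp 0x7fec12664170 sp 0x7fec12664168
06:11:55 INFO - READ of size 8 at 0x61d000569338 thread T5 (Socket Thread)
06:11:55 INFO - #0 0x7fec2bb41fe7 in CERT_DestroyCertificate /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/certdb/stanpcertdb.c:791
06:11:56 INFO - 0x61d000569338 is located 696 bytes inside of 2048-byte region [0x61d000569080,0x61d000569880)
06:11:56 INFO - #0 0x446395 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
06:11:56 INFO - =>0x0c3a800a5260: f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7
06:11:56 INFO - Freed heap region: fd
06:11:56 INFO - Poisoned by user: f7
"""

PREFIX = re.compile(r"^\d\d:\d\d:\d\d\s+\w+ - ")  # "HH:MM:SS LEVEL - " added by the harness

def triage(log):
    """Return the fields needed to classify one ASan report (illustrative keys)."""
    out, legend = {}, {}
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line):
            out["kind"], out["addr"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"(READ|WRITE) of size (\d+) at \S+ thread (T\d+)", line):
            out["access"], out["size"], out["thread"] = m.group(1), int(m.group(2)), m.group(3)
        elif (m := re.match(r"#0 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", line)) and "frame" not in out:
            # Only the first "#0" is the faulting frame; later ones head the allocation stacks.
            out["frame"] = (m.group(1), m.group(2).rsplit("/", 1)[-1], int(m.group(3)))
        elif m := re.search(r"inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", line):
            out["region"] = (int(m.group(2), 16), int(m.group(3), 16), int(m.group(1)))
        elif m := re.match(r"=>0x[0-9a-f]+:.*\[([0-9a-f]{2})\]", line):
            out["shadow"] = m.group(1)  # shadow byte covering the faulting address
        elif m := re.match(r"([A-Za-z][\w ]+?):\s+([0-9a-f]{2})$", line):
            legend[m.group(2)] = m.group(1)  # single-value legend rows only
    if "region" in out:
        start, end, size = out["region"]
        out["offset"] = out["addr"] - start
        # Cross-check the region bounds against the size and address ASan printed.
        out["region_consistent"] = (end - start == size and start <= out["addr"] < end)
    out["shadow_meaning"] = legend.get(out.get("shadow"), "unknown")
    return out
```

For this report the bracketed byte `f7` resolves to "Poisoned by user" rather than "Freed heap region" (`fd`), which is what separates a use-after-poison from a plain heap use-after-free when sorting reports.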
Comment 1•11 years ago
Looks like bug 963150 to me.
Assignee: nobody → nobody
Component: Security → Libraries
Depends on: CVE-2014-1544
Product: Core → NSS
Version: Trunk → trunk
Comment 2•11 years ago
Almost definitely a problem with PSM or Necko. Thanks for reporting this.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: trunk → Trunk
Updated•11 years ago
Keywords: csectype-uaf, sec-critical
Updated•11 years ago
status-firefox29: --- → affected
Updated•11 years ago
status-firefox30: --- → affected
Updated•11 years ago
tracking-firefox30: --- → +
Comment 3•10 years ago
Changing rating until we can reproduce it since we don't know what's really going on.
Keywords: sec-critical → sec-other
Comment 4•10 years ago
(In reply to Al Billings [:abillings] from comment #3)
> Changing rating until we can reproduce it since we don't know what's really
> going on.

Based on that comment, we also don't need to track this since there's nothing to go on yet.
Comment 5•9 years ago
Inactive; closing (see bug 1180138).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security