Closed Bug 1154076 Opened 9 years ago Closed 9 years ago

Use After Free in dom::Console::ProcessCallData()

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
40 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla40
Tracking Flags:
Tracking Status
firefox38 --- unaffected
firefox39 --- unaffected
firefox40 --- fixed
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: loobenyang, Assigned: baku)

References

Details

(Keywords: csectype-uaf, sec-high)

Attachments

(2 files, 1 obsolete file)

Uaf_ProcessCallData_repro.zip
59.47 KB, application/zip
Details
crash.patch
3.44 KB, patch
Details | Diff | Splinter Review 
Opening pdf in iframe can trigger a Use After Free in mozilla::dom::Console::ProcessCallData().

Firefox Version: 40.0a1 (2015-04-07)
Operating System: Ubuntu 14.04 LTS 64bit

Reproduction test case (including 2 files uaf_ProcessCallData.html, uaf_ProcessCallData.pdf) has been attached, the content of the HTML file is: 

<html><head></head><body>
<iframe id='target' width=100% height=1000 ></iframe>
</body>
<script>
var target=document.getElementById('target')
setInterval(function(){target.src="uaf_ProcessCallData.pdf"},2500);
</script></html>


Put uaf_ProcessCallData.html and uaf_ProcessCallData.pdf in the same directory, open uaf_ProcessCallData.html in Firefox asan build, Asan reports a Use After Free:

=================================================================
==2495==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000073ed8 at pc 0x7f449cb992cd bp 0x7fff3ff2bf10 sp 0x7fff3ff2bf08
READ of size 8 at 0x60f000073ed8 thread T0 (Web Content)
    #0 0x7f449cb992cc in get /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:685
    #1 0x7f449cb992cc in operator nsIConsoleAPIStorage * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:693
    #2 0x7f449cb992cc in mozilla::dom::Console::ProcessCallData(mozilla::dom::ConsoleCallData*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:1292
    #3 0x7f449cbda839 in mozilla::dom::ConsoleCallDataRunnable::ProcessCallData(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:530
    #4 0x7f449cbda015 in mozilla::dom::ConsoleCallDataRunnable::RunConsole(JSContext*, nsPIDOMWindow*, nsPIDOMWindow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:491
    #5 0x7f449cbdc780 in mozilla::dom::ConsoleRunnable::RunWithWindow(nsPIDOMWindow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:339
    #6 0x7f449cbd8fb4 in mozilla::dom::ConsoleRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:318
    #7 0x7f449abf9c24 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #8 0x7f449ac5bd0a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #9 0x7f449b4ae3c9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #10 0x7f449b43f6dc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #11 0x7f449b43f6dc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #12 0x7f449b43f6dc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #13 0x7f449fe77af7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #14 0x7f44a19feb42 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #15 0x7f449b43f6dc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #16 0x7f449b43f6dc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #17 0x7f449b43f6dc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #18 0x7f44a19fe1b2 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #19 0x48ce81 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:222
    #20 0x7f4498751ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #21 0x48c24c in _start (/home/parnell/FirefoxBuilds/firefox/plugin-container+0x48c24c)

0x60f000073ed8 is located 56 bytes inside of 168-byte region [0x60f000073ea0,0x60f000073f48)
freed by thread T22 (DOM Worker) here:
    #0 0x474661 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f449aaf96fd in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2647
    #2 0x7f449aaf932e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2815
    #3 0x7f449aafba04 in nsCycleCollector_dispatchDeferredDeletion /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4036
    #4 0x7f449aafba04 in nsCycleCollector::CollectWhite() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3297
    #5 0x7f449aafe63b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3611
    #6 0x7f449ab0141f in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4073
    #7 0x7f449aaec886 in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1244
    #8 0x7f44a3a0c036 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6096
    #9 0x7f44a3938dd1 in js::DestroyContext(JSContext*, js::DestroyContextMode) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxt.cpp:186
    #10 0x7f449f9af275 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2768
    #11 0x7f449abf9c24 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #12 0x7f449ac5bd0a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #13 0x7f449b4af3a8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #14 0x7f449b43f6dc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #15 0x7f449b43f6dc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #16 0x7f449b43f6dc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #17 0x7f449abf6718 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:364
    #18 0x7f44a7130135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7f44a7770181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

previously allocated by thread T22 (DOM Worker) here:
    #0 0x474861 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x491d4d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f449fa243c3 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/workers/../../dist/include/mozilla/mozalloc.h:181
    #3 0x7f449fa243c3 in mozilla::dom::workers::WorkerGlobalScope::GetConsole() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerScope.cpp:115
    #4 0x7f449e120be0 in mozilla::dom::WorkerGlobalScopeBinding_workers::get_console(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitGetterCallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:66
    #5 0x7f449e11b8f7 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericGetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1207
    #6 0x7f44a2eb06fe in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #7 0x7f44a2eb06fe in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:697
    #8 0x7f44a2e681a6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:760
    #9 0x7f44a2efc8d6 in js::InvokeGetter(JSContext*, JSObject*, JS::Value, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:829
    #10 0x7f44a2fb437d in CallGetter /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/NativeObject.cpp:1574
    #11 0x7f44a2fb437d in GetExistingProperty<1> /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/NativeObject.cpp:1621
    #12 0x7f44a2fb437d in js::NativeGetExistingProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::NativeObject*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/NativeObject.cpp:1642
    #13 0x7f44a2f5accb in bool js::FetchName<false>(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<js::Shape*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter-inl.h:248
    #14 0x7f44a2ee8e75 in GetNameOperation /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:321:12
    #15 0x7f44a2ee8e75 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2969
    #16 0x7f44a2ecf9b1 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:654
    #17 0x7f44a2eb0c9e in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:723
    #18 0x7f44a2e681a6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:760
    #19 0x7f44a336caad in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineIC.cpp:9871
    #20 0x7f44a338f1ff in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:124
    #21 0x7f44a338eb5d in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:156

Thread T22 (DOM Worker) created by T0 (Web Content) here:
    #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f44a712cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f44a712c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f449abf7a7b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:478
    #4 0x7f449fa2b72a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f449f984b76 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1707
    #6 0x7f449f9822cb in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1561
    #7 0x7f449f9ff8c9 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4781
    #8 0x7f449f9ff1c6 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4716
    #9 0x7f449f9ff1c6 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4657
    #10 0x7f449df15afb in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:738
    #11 0x7f44a2efbc8e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7f44a2efbc8e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7f44a2efbc8e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:798
    #14 0x7f44a2eec82a in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2839
    #15 0x7f44a2ecf9b1 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:654
    #16 0x7f44a2eb0c9e in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:723
    #17 0x7f44a2e681a6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:760
    #18 0x7f44a395a34f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4375
    #19 0x7f449e4064b5 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventListenerBinding.cpp:47
    #20 0x7f449ec0211e in HandleEvent<mozilla::dom::EventTarget *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventListenerBinding.h:51
    #21 0x7f449ec0211e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:961
    #22 0x7f449ec038f2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1113
    #23 0x7f449ebf37a1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #24 0x7f449ebf7c0d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #25 0x7f449cb07ad3 in PostMessageEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:8189
    #26 0x7f449abf9c24 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #27 0x7f449ac5bd0a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #28 0x7f449b4ae3c9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #29 0x7f449b43f6dc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #30 0x7f449b43f6dc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #31 0x7f449b43f6dc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #32 0x7f449fe77af7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #33 0x7f44a19feb42 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #34 0x7f449b43f6dc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7f449b43f6dc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7f449b43f6dc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7f44a19fe1b2 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #38 0x48ce81 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:222
    #39 0x7f4498751ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:685 get
Shadow bytes around the buggy address:
  0x0c1e80006780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80006790: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1e800067a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1e800067b0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e800067c0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c1e800067d0: fa fa fa fa fd fd fd fd fd fd fd[fd]fd fd fd fd
  0x0c1e800067e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c1e800067f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1e80006800: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1e80006810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80006820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb[==2495==ABORTING
Flags: needinfo?(amarchesini)
Flags: sec-bounty?
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attached patch crash.patch (obsolete) — Splinter Review 

        Attachment #8592252 -
        Flags: review?(bent.mozilla)

    
    

    
  
Comment on attachment 8592252 [details] [diff] [review]
crash.patch

Review of attachment 8592252 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/base/Console.cpp
@@ +356,5 @@
> +      {
> +        MOZ_ASSERT(aWorkerPrivate);
> +        aWorkerPrivate->AssertIsOnWorkerThread();
> +
> +        aWorkerPrivate->RemoveFeature(aCx, mRunnable);

mRunnable->mConsole = nullptr;

    
    

    
  
Comment on attachment 8592252 [details] [diff] [review]
crash.patch

Review of attachment 8592252 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with these changes:

::: dom/base/Console.cpp
@@ +299,1 @@
>      if (NS_FAILED(NS_DispatchToMainThread(this))) {

Might as well make this MOZ_ALWAYS_TRUE(NS_SUCCEEDED(...)) because this failure case should not be possible.

@@ +337,5 @@
>  
>    void
> +  PostDispatch()
> +  {
> +    class ConsoleReleaseRunnable final : public WorkerControlRunnable

Please make this inherit MainThreadWorkerControlRunnable, and call Dispatch() on the runnable itself rather than calling mWorkerPrivate->DispatchControlRunnable.

@@ +430,5 @@
>               nsPIDOMWindow* aInnerWindow) = 0;
>  
>    WorkerPrivate* mWorkerPrivate;
>  
> +  nsRefPtr<Console> mConsole;

Nit: Comment about it needing to be released on the worker thread after being dispatched back.

        Attachment #8592252 -
        Flags: review?(bent.mozilla) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        crash.patchSplinter Review
      

    


  
[Security approval request comment]
How easily could an exploit be constructed based on the patch?

The bug is relatively easy to reproduce. But it's still racy.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes, the idea is that we should keep the Worker alive until the operation of logging is concluded.

Which older supported branches are affected by this flaw?

m-i only.

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

easy to backport.

How likely is this patch to cause regressions; how much testing does it need?

Green on try. I don't think we will have regressions from this patch.

        Attachment #8592252 -
        Attachment is obsolete: true

        Attachment #8592675 -
        Flags: sec-approval?

    
    

    
  
Comment on attachment 8592675 [details] [diff] [review]
crash.patch

mozilla-central-only issues don't need sec-approval.

        Attachment #8592675 -
        Flags: sec-approval?

    
    

    
  
This patch triggers a build warning (treated as error in warnings-as-errors builds) on clang 3.6:
{
dom/base/Console.cpp:311:14: error: 'Run' overrides a member function but is not marked 'override' [-Werror,-Winconsistent-missing-override]
}

In fact, the guilty un-annotated "Run()" method predated this patch, but this patch caused the warning by adding another method which *is* labeled as 'override', which made Run()'s lack-of-an-annotation inconsistent' -- hence, -Winconsistent-missing-override.

Anyway, I pushed a followup to fix the build warning, so I can build (using blanket r+ that ehsan
granted me for fixes of this sort over in bug 1126447 comment 2):
https://hg.mozilla.org/integration/mozilla-inbound/rev/473627b1b002
Flags: sec-bounty? → sec-bounty+
Group: core-security
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: