Closed Bug 1021928 Opened 10 years ago Closed 10 years ago

Intermittent use-after-free in IsClosed

Tracking

()

Status:

RESOLVED WORKSFORME

Tracking Flags:

Tracking

Status

firefox33

---

fixed

People

(Reporter: mccr8, Unassigned)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [asan][adv-main33-])

Andrew McCreight [:mccr8]

Reporter

Description

•

10 years ago

See the latest staxcks on bug 1019934.

13:07:21     INFO -  ==1735==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130003e1490 at pc 0x7f25dbb0df6f bp 0x7fff7334c8d0 sp 0x7fff7334c8c8
13:07:21     INFO -  READ of size 4 at 0x6130003e1490 thread T0
13:07:22     INFO -  -1912162560[6120000ecec0]: [ProcessThread|WebrtcVideoSessionConduit] VideoConduit.cpp:1118: SendRTCPPacket RTCP Packet Send Failed
13:07:23     INFO -      #0 0x7f25dbb0df6e in IsClosed /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1832
13:07:23     INFO -      #1 0x7f25dbb0df6e in CheckApiState /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1650
13:07:23     INFO -      #2 0x7f25dbb0df6e in sipcc::PeerConnectionImpl::SetDtlsConnected(bool) /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1409
13:07:23     INFO -      #3 0x7f25dbb33e80 in mozilla::runnable_args_m_1<sipcc::PeerConnectionImpl*, tag_nsresult (sipcc::PeerConnectionImpl::*)(bool), bool>::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/../../../media/mtransport/runnable_utils_generated.h:122
13:07:23     INFO -      #4 0x7f25da9569f5 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/threads/nsThread.cpp:766
13:07:23     INFO -      #5 0x7f25da8164ea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/glue/nsThreadUtils.cpp:263
13:07:23     INFO -      #6 0x7f25db164969 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/b2g-in-l64-asan-00000000000000/build/ipc/glue/MessagePump.cpp:95
13:07:23     INFO -      #7 0x7f25db10e7e0 in RunInternal /builds/slave/b2g-in-l64-asan-00000000000000/build/ipc/chromium/src/base/message_loop.cc:229
13:07:23     INFO -      #8 0x7f25db10e7e0 in RunHandler /builds/slave/b2g-in-l64-asan-00000000000000/build/ipc/chromium/src/base/message_loop.cc:222
13:07:23     INFO -      #9 0x7f25db10e7e0 in MessageLoop::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/ipc/chromium/src/base/message_loop.cc:196
13:07:23     INFO -      #10 0x7f25dd4acb27 in nsBaseAppShell::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:164
13:07:23     INFO -      #11 0x7f25e03ed5d8 in nsAppStartup::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/toolkit/components/startup/nsAppStartup.cpp:278
13:07:23     INFO -      #12 0x7f25e025c4c3 in XREMain::XRE_mainRun() /builds/slave/b2g-in-l64-asan-00000000000000/build/toolkit/xre/nsAppRunner.cpp:4012
13:07:23     INFO -      #13 0x7f25e025d3a6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/b2g-in-l64-asan-00000000000000/build/toolkit/xre/nsAppRunner.cpp:4083
13:07:23     INFO -      #14 0x7f25e025e1fd in XRE_main /builds/slave/b2g-in-l64-asan-00000000000000/build/toolkit/xre/nsAppRunner.cpp:4297
13:07:23     INFO -      #15 0x48a2c7 in do_main /builds/slave/b2g-in-l64-asan-00000000000000/build/browser/app/nsBrowserApp.cpp:282
13:07:23     INFO -      #16 0x48a2c7 in main /builds/slave/b2g-in-l64-asan-00000000000000/build/browser/app/nsBrowserApp.cpp:643
13:07:23     INFO -      #17 0x7f25e940e76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
13:07:23     INFO -      #18 0x48972c in _start (/builds/slave/test/build/application/firefox/firefox+0x48972c)
13:07:23     INFO -  0x6130003e1490 is located 144 bytes inside of 384-byte region [0x6130003e1400,0x6130003e1580)
13:07:23     INFO -  freed by thread T0 here:
13:07:23     INFO -      #0 0x471b41 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
13:07:23     INFO -      #1 0x7f25dbafe35c in sipcc::PeerConnectionImpl::Release() /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:467
13:07:23     INFO -      #2 0x7f25da85efd9 in ReleaseSliceNow(unsigned int, void*) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/base/CycleCollectedJSRuntime.cpp:1066
13:07:23     INFO -      #3 0x7f25da85fba9 in mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/base/CycleCollectedJSRuntime.cpp:1138
13:07:23     INFO -      #4 0x7f25da85dab9 in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/b2g-in-l64-asan-00000000000000/build/xpcom/base/CycleCollectedJSRuntime.cpp:1238
13:07:23     INFO -  previously allocated by thread T0 here:
13:07:23     INFO -      #0 0x471d41 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
13:07:23     INFO -      #1 0x7f25e5588bed in moz_xmalloc /builds/slave/b2g-in-l64-asan-00000000000000/build/memory/mozalloc/mozalloc.cpp:52
13:07:23     INFO -      #2 0x7f25dbb25e39 in operator new /builds/slave/b2g-in-l64-asan-00000000000000/build/obj-firefox/media/webrtc/signaling/signaling_ecc/../../../../dist/include/mozilla/mozalloc.h:201
13:07:23     INFO -      #3 0x7f25dbb25e39 in sipcc::PeerConnectionImpl::Constructor(mozilla::dom::GlobalObject const&, mozilla::ErrorResult&) /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:122
13:07:23     INFO -      #4 0x7f25dcbf3434 in mozilla::dom::PeerConnectionImplBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/b2g-in-l64-asan-00000000000000/build/obj-firefox/dom/bindings/./PeerConnectionImplBinding.cpp:1179
13:07:23     INFO -      #5 0x7f25dd6e9fd8 in xpc::DOMXrayTraits::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper&) /builds/slave/b2g-in-l64-asan-00000000000000/build/js/xpconnect/wrappers/XrayWrapper.cpp:1865
13:07:23     INFO -  SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/b2g-in-l64-asan-00000000000000/build/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:1832 IsClosed

Al Billings [:abillings - ex-MoCo]

Updated

•

10 years ago

status-firefox33: --- → affected

Andrew McCreight [:mccr8]

Reporter

Comment 1

•

10 years ago

Fixed by a backout.

Status: NEW → RESOLVED

Closed: 10 years ago

status-firefox33: affected → fixed

Resolution: --- → WORKSFORME

Al Billings [:abillings - ex-MoCo]

Comment 2

•

10 years ago

Andrew told me in IRC that he thinks this was bug 1016738.

Whiteboard: [asan] → [asan][adv-main33-]

Daniel Veditz [:dveditz]

Updated

•

9 years ago

Group: core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Intermittent use-after-free in IsClosed

Categories

(Core :: WebRTC: Signaling, defect)

Tracking

()

People

(Reporter: mccr8, Unassigned)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [asan][adv-main33-])

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Comment 2

Updated