Closed
Bug 1110359
Opened 10 years ago
Closed 10 years ago
Invalid write of size 4 in clone() on browser shutdown
Categories: Firefox :: Untriaged, defect
Status: RESOLVED INVALID
People: Reporter: mitchwharper, Unassigned
Attachments (1 file): 58.71 KB, text/plain
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141210200223
Steps to reproduce:
Was attempting to repro other bugs; the browser started hanging, so I killed Valgrind, and as it was closing I got this complaint. As it's on shutdown it might not be a big concern.
Ran 34.0.5 through `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox`, built with this mozconfig:
mk_add_options MOZ_MAKE_FLAGS="-j4"
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/ff-opt-g
ac_add_options --disable-tests
ac_add_options --enable-optimize="-g -Og"
ac_add_options --disable-jemalloc
ac_add_options --enable-valgrind
ac_add_options --enable-debug-symbols
Actual results:
Valgrind complaint (attached is a longer trace with thread status):
==13706== Thread 46 Shutdow~minator:
==13706== Invalid write of size 4
==13706== at 0x99F6E3B: mozilla::(anonymous namespace)::Run(void*) (nsTerminator.cpp:101)
==13706== by 0x646CE63: _pt_root (ptthread.c:212)
==13706== by 0x4E3F181: start_thread (pthread_create.c:312)
==13706== by 0x595E00C: clone (clone.S:111)
==13706== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==13706==
==13706== Unsupported clone() flags: 0x800600
==13706==
==13706== The only supported clone() uses are:
==13706== - via a threads library (LinuxThreads or NPTL)
==13706== - via the implementation of fork or vfork
==13706==
==13706== Valgrind detected that your program requires
==13706== the following unimplemented functionality:
==13706== Valgrind does not support general clone().
==13706== This may be because the functionality is hard to implement,
==13706== or because no reasonable program would behave this way,
==13706== or because nobody has yet needed it. In any case, let us know at
==13706== www.valgrind.org and/or try to work around the problem, if you can.
==13706==
==13706== Valgrind has to exit now. Sorry. Bye!
==13706==
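To make the `Unsupported clone() flags: 0x800600` line above readable during triage, here is an added example (not part of the bug report or of Firefox/Valgrind code) that splits a clone(2) flag word into CLONE_* names and checks it against the flag set glibc's NPTL pthread_create() uses, which is the "via a threads library" case Valgrind says it supports. Flag values are the Linux uapi <linux/sched.h> constants; the NPTL set is assumed from glibc's createthread.c.

```python
# Added example: decode a clone(2) flag word such as Valgrind's 0x800600
# into CLONE_* names and classify it as thread-like, fork-like or other.
# Values are the Linux uapi <linux/sched.h> constants.
CLONE_FLAGS = {
    0x00000100: "CLONE_VM",
    0x00000200: "CLONE_FS",
    0x00000400: "CLONE_FILES",
    0x00000800: "CLONE_SIGHAND",
    0x00004000: "CLONE_VFORK",
    0x00008000: "CLONE_PARENT",
    0x00010000: "CLONE_THREAD",
    0x00040000: "CLONE_SYSVSEM",
    0x00080000: "CLONE_SETTLS",
    0x00100000: "CLONE_PARENT_SETTID",
    0x00200000: "CLONE_CHILD_CLEARTID",
    0x00400000: "CLONE_DETACHED",
    0x00800000: "CLONE_UNTRACED",
    0x01000000: "CLONE_CHILD_SETTID",
}
CSIGNAL = 0xFF  # low byte carries the exit signal (SIGCHLD on a fork-style clone)

# Flags glibc NPTL passes to clone(2) from pthread_create() (assumed from createthread.c).
NPTL_THREAD_FLAGS = (0x100 | 0x200 | 0x400 | 0x800 | 0x10000 | 0x40000
                     | 0x80000 | 0x100000 | 0x200000)


def decode_clone_flags(word):
    """Return (exit_signal, [CLONE_* names that are set], bits not in the table)."""
    bits = word & ~CSIGNAL
    names = [n for v, n in sorted(CLONE_FLAGS.items()) if bits & v]
    known = sum(v for v in CLONE_FLAGS if bits & v)
    return word & CSIGNAL, names, bits & ~known


def classify(word):
    """Rough triage: NPTL thread, plain fork, or a pattern Valgrind does not model."""
    bits = word & ~CSIGNAL
    if bits == NPTL_THREAD_FLAGS:
        return "nptl-thread"
    if bits == 0:
        return "fork-style"
    return "other"


if __name__ == "__main__":
    sig, names, unknown = decode_clone_flags(0x800600)
    print("|".join(names), "exit_signal=%d unknown=%#x" % (sig, unknown), classify(0x800600))
```

For 0x800600 the decoder yields CLONE_FS, CLONE_FILES and CLONE_UNTRACED with no CLONE_VM or CLONE_THREAD bit, so the word is neither the NPTL thread pattern nor a plain fork, which is why Valgrind refuses it.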
Comment 1•10 years ago
Yoric, do you know more about what's going on here? It doesn't sound serious / sec-sensitive to me - more like a valgrind bug, but I'd prefer to be sure. :-)
Flags: needinfo?(dteller)
Comment 2•10 years ago
Well, this is a use of clone() by thread spawning, so this looks like a valgrind bug indeed.
I'm just surprised that it doesn't show up anywhere else in our code.
I don't think it's serious / sec-sensitive at all.
Flags: needinfo?(dteller)
Comment 3•10 years ago
Resolving. Please reopen if you have evidence something actually wrong is going on. :-)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Comment 4 (Reporter)•10 years ago
OK, I just saw the attempt to write to 0x0 inside the clone method and wanted to make sure there wasn't some sort of use-after-free going on.