Closed Bug 1123021 Opened 5 years ago Closed 5 years ago

Use After Free in WebSocketChannelChild::OnStart()

Categories

(Core :: DOM: Workers, defect)

37 Branch
x86_64
Linux
defect
Not set

Tracking

RESOLVED FIXED
mozilla38
Tracking Status
firefox35 --- unaffected
firefox36 --- unaffected
firefox37 + fixed
firefox38 --- fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: loobenyang, Assigned: baku)

Details

(Keywords: csectype-uaf, sec-critical)

Attachments

(2 files)

Attached file wsserver_uaf240.js
Steps to reproduce:


On the client side, initiate web sockets with protocol "wsm1-protocol" in web workers.
On the server side, accept the web socket with protocol "wsm1-protocol".
Client-side and server-side code have been combined in a single Node.js source file, wsserver_uaf240.js, which needs to run with the websocket module.

Firefox Version: 38.0a1 (2015-01-16)
Operating System: Ubuntu 14.04 LTS 64bit



Actual results:

ASan reported a use-after-free in WebSocketChannelChild::OnStart():


=================================================================
==5570==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002eb980 at pc 0x7f2631a6bc2f bp 0x7f26126f7940 sp 0x7f26126f7938
READ of size 8 at 0x6110002eb980 thread T21 (DOM Worker)
    #0 0x7f2631a6bc2e in mozilla::net::WebSocketChannelChild::OnStart(nsCString const&, nsCString const&, nsString const&, bool const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:202
    #1 0x7f2631a72383 in mozilla::net::WrappedChannelEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:105
    #2 0x7f2633436a88 in mozilla::dom::(anonymous namespace)::WorkerRunnableDispatcher::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:2565
    #3 0x7f2635df54ea in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #4 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #5 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #6 0x7f2635dd622d in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4408
    #7 0x7f2635d9c3ef in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2664
    #8 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #9 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #10 0x7f2631cd41f8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #11 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #12 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #13 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #14 0x7f26314437c5 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:356
    #15 0x7f263d270135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #16 0x7f263dac0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #17 0x7f262f15330c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6110002eb980 is located 0 bytes inside of 240-byte region [0x6110002eb980,0x6110002eba70)
freed by thread T0 (Web Content) here:
    #0 0x4721e1 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2631a6931d in mozilla::net::WebSocketChannelChild::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:39
    #2 0x7f2631a8e589 in mozilla::net::NeckoChild::DeallocPWebSocketChild(mozilla::net::PWebSocketChild*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/ipc/NeckoChild.cpp:166
    #3 0x7f263243c578 in mozilla::net::PWebSocketChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PWebSocketChild.cpp:488
    #4 0x7f2631f4fd85 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:4792
    #5 0x7f2631ccbe31 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1218
    #6 0x7f2631ccbe31 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1145
    #7 0x7f2631cc1875 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1129
    #8 0x7f2631c7faa4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361
    #9 0x7f2631c7faa4 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:369
    #10 0x7f2631c80b57 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:447
    #11 0x7f2631cd3ab2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:233
    #12 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #13 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #14 0x7f2631cd3219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #15 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #16 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #17 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #18 0x7f263621d657 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #19 0x7f2637d87a52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #20 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #21 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #22 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #23 0x7f2637d87034 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #24 0x48a9f1 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #25 0x7f262f079ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 (Web Content) here:
    #0 0x4723e1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f263d8aacbd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:52
    #2 0x7f2631c291df in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/netwerk/build/../../dist/include/mozilla/mozalloc.h:209
    #3 0x7f2631c291df in WebSocketChannelConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/build/nsNetModule.cpp:295
    #4 0x7f2631c291df in mozilla::net::WebSocketChannelConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/build/nsNetModule.cpp:326
    #5 0x7f2631423f81 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1199
    #6 0x7f2631496216 in CallCreateInstance /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:149
    #7 0x7f2631496216 in nsCreateInstanceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:197
    #8 0x7f263149295d in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:125
    #9 0x7f26333ceae1 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:621
    #10 0x7f26333ceae1 in mozilla::dom::WebSocketImpl::InitializeConnection() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1540
    #11 0x7f26333cb88f in mozilla::dom::WebSocketImpl::Init(JSContext*, nsIPrincipal*, nsAString_internal const&, nsTArray<nsString>&, nsACString_internal const&, unsigned int, mozilla::ErrorResult&, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1475
    #12 0x7f263343751a in InitWithWindow /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1012
    #13 0x7f263343751a in mozilla::dom::(anonymous namespace)::InitRunnable::MainThreadRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:983
    #14 0x7f2635df6747 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:527
    #15 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #16 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #17 0x7f2631cd3219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #18 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #19 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #20 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #21 0x7f263621d657 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #22 0x7f2637d87a52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #23 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #24 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #25 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #26 0x7f2637d87034 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #27 0x48a9f1 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #28 0x7f262f079ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

Thread T21 (DOM Worker) created by T0 (Web Content) here:
    #0 0x45ec55 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f263d26cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f263d26c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f2631444cdb in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:467
    #4 0x7f2635dfb98a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f2635d7ba46 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1586
    #6 0x7f2635d79558 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1449
    #7 0x7f2635dd1d75 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::workers::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::LoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4024
    #8 0x7f2635dd1716 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:3960
    #9 0x7f2635dd1716 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:3901
    #10 0x7f2634c642cb in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:707
    #11 0x7f2639c8d999 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #12 0x7f2639c8d999 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:259
    #13 0x7f2639c8d999 in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:595
    #14 0x7f2639c7f2bd in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #15 0x7f2639c6323c in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #16 0x7f2639c8ed5f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:657
    #17 0x7f2639c8f314 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:693
    #18 0x7f26398ad122 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4431
    #19 0x7f26398ad8be in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4458
    #20 0x7f26398ad8be in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4513
    #21 0x7f26335d6240 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #22 0x7f26335d726b in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #23 0x7f26336682b4 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1144
    #24 0x7f26336659ce in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:974
    #25 0x7f263365faa7 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:782
    #26 0x7f263365b4fe in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:140
    #27 0x7f2632b253c4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:220
    #28 0x7f2632b253c4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:663
    #29 0x7f2632b23612 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488
    #30 0x7f2632b2a5cb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #31 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #32 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7f2631cd3219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7f263621d657 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #38 0x7f2637d87a52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #39 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #40 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #41 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #42 0x7f2637d87034 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #43 0x48a9f1 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #44 0x7f262f079ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:202 mozilla::net::WebSocketChannelChild::OnStart(nsCString const&, nsCString const&, nsString const&, bool const&)
Shadow bytes around the buggy address:
  0x0c22800556e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800556f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055700: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280055710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055720: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280055730:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c2280055750: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280055760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055770: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2280055780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzon
==5570==ABORTING

###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
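Added illustration (not code from this bug, its attachment, or the Gecko patch): a stand-alone C++ model of the lifetime race the two ASan stacks above describe. The channel object is freed on the main thread when the parent's message is processed (PWebSocketChild::OnMessageReceived -> DeallocPWebSocketChild -> Release in the "freed by thread T0" stack), while a WrappedChannelEvent already queued for the DOM Worker thread still holds a raw pointer and dereferences it in OnStart (the "READ ... thread T21" stack). Two event queues drained in a fixed order make the race deterministic, and a registry of live objects stands in for ASan so the example never actually reads freed memory. The `holdStrong` path shows one generic way to close such a race, the pending event owning a reference that it drops on the thread that used it; it is not a reconstruction of crash.patch, whose contents are not on this page. All names (Channel, Simulate, QueueOnStart, Result) are hypothetical.

```cpp
// Added model of the cross-thread lifetime race in the report above.
// Hypothetical names throughout; not the Gecko code or crash.patch.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <functional>
#include <set>
#include <string>
#include <utility>

// Addresses of live Channel objects. The real build relies on ASan to flag
// a stale pointer; this registry lets the worker event detect the same
// condition without dereferencing freed memory.
static std::set<std::uintptr_t> g_liveChannels;

// Stand-in for WebSocketChannelChild: manually refcounted, like the
// AddRef/Release pair behind the Release() call in the free stack.
struct Channel {
    int refcnt = 0;
    std::string protocol;
    explicit Channel(std::string p) : protocol(std::move(p)) {
        g_liveChannels.insert(reinterpret_cast<std::uintptr_t>(this));
    }
    ~Channel() { g_liveChannels.erase(reinterpret_cast<std::uintptr_t>(this)); }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
};

using Queue = std::deque<std::function<void()>>;

struct Result {
    bool uaf = false;        // true if OnStart would have read freed memory
    std::string protocol;    // what OnStart observed; empty if it bailed out
};

// Queue the worker-thread OnStart event (the WrappedChannelEvent role).
// With holdStrong the event owns a reference for as long as it is pending.
static void QueueOnStart(Queue& worker, Channel* ch, bool holdStrong, Result& res) {
    const std::uintptr_t key = reinterpret_cast<std::uintptr_t>(ch);
    if (holdStrong) ch->AddRef();
    worker.push_back([key, ch, holdStrong, &res]() {
        if (!g_liveChannels.count(key)) {    // ASan would report heap-use-after-free here
            res.uaf = true;
            return;
        }
        res.protocol = ch->protocol;          // OnStart reads the channel's members
        if (holdStrong) ch->Release();        // drop the ref on the thread that used it
    });
}

// Drive the interleaving from the report: the main thread processes the
// parent's delete message and frees the channel before the worker thread
// gets to run the pending OnStart.
static Result Simulate(bool holdStrong) {
    Queue mainQ, workerQ;
    Result res;

    Channel* ch = new Channel("wsm1-protocol");
    ch->AddRef();                                // the IPDL reference (AddIPDLReference)

    QueueOnStart(workerQ, ch, holdStrong, res);

    // DeallocPWebSocketChild -> Release(), run from the IPC message loop on T0.
    mainQ.push_back([ch]() { ch->Release(); });

    while (!mainQ.empty())   { mainQ.front()();   mainQ.pop_front(); }
    while (!workerQ.empty()) { workerQ.front()(); workerQ.pop_front(); }
    return res;
}

int main() {
    Result raw = Simulate(false);
    Result strong = Simulate(true);
    std::printf("raw pointer : uaf=%d\n", raw.uaf);
    std::printf("strong ref  : uaf=%d protocol=%s\n", strong.uaf, strong.protocol.c_str());
    return 0;
}
```

With the registry check removed and `ch->protocol` read unconditionally, building this under -fsanitize=address produces a report of the same shape as the one above: a READ from the worker queue's event on an object freed by the main queue's Release. The model also shows why the fix belongs on the lifetime side rather than in OnStart itself: the event cannot tell from the pointer alone whether the actor it was created for still exists.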
Assignee: nobody → amarchesini
Looks like the issue has been there since bug 537787.
Attached patch crash.patch
Attachment #8551361 - Flags: review?(bugs)
Comment on attachment 8551361
crash.patch

Perhaps MaybeReleaseIPCObject could be declared close to
AddIPDLReference and ReleaseIPDLReference methods.
Attachment #8551361 - Flags: review?(bugs) → review+
Comment on attachment 8551361
crash.patch

Forgot the sec-approval. But this patch is needed just for aurora... but sorry.

Approval Request Comment
[Feature/regressing bug #]: bug 537787
[User impact if declined]: a crash
[Describe test coverage new/current, TBPL]: none
[Risks and why]: I don't see big risks, this patch is very simple.
[String/UUID change made/needed]: none
Attachment #8551361 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/bb251436e156
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Although bug 537787 landed in Firefox 7, this issue was only introduced in 37+ because of the introduction of web sockets in web workers. As this has already landed on 38, I think we should uplift after a couple of days on m-c.
[Tracking Requested - why for this release]: sec-critical
Flags: sec-bounty?
Attachment #8551361 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: sec-bounty? → sec-bounty+
Group: core-security