Closed Bug 1140804 Opened 5 years ago Closed 5 years ago

Use After Free in WorkerPrivate::NotifyFeatures()

Categories

(Core :: DOM: Workers, defect, critical)

38 Branch
x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla39
Tracking Status
firefox36 --- unaffected
firefox37 + disabled
firefox38 + fixed
firefox39 + fixed
firefox-esr31 --- unaffected
firefox-esr38 --- fixed
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- disabled
b2g-master --- fixed

People

(Reporter: loobenyang, Assigned: baku)

References

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [asan][post-critsmash-triage])

Attachments

(3 files, 2 obsolete files)

Found a Use After Free when using Broadcast Channel and Websocket in webworkers.

Firefox Version: 38.0a1 (2015-02-16)
Operating System: Ubuntu 14.04 LTS 64bit

To reproduce, run wsserver_NotifyFeatures.js with the Node.js websocket module, then enter http://localhost:12345/ in the Firefox browser. ASan reports a Use After Free in WorkerPrivate::NotifyFeatures() in 10 minutes:


==11967==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200017e4f0 at pc 0x7f6a25b6ec97 bp 0x7f6a00ff78f0 sp 0x7f6a00ff78e8
READ of size 8 at 0x60200017e4f0 thread T23 (DOM Worker)
    #0 0x7f6a25b6ec96 in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5180
    #1 0x7f6a25b6a48f in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5547
    #2 0x7f6a25b877d2 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #3 0x7f6a25b69fa5 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4982
    #4 0x7f6a25b67eec in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4414
    #5 0x7f6a25b25c43 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2671
    #6 0x7f6a210f79f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #7 0x7f6a21157c7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #8 0x7f6a2198d428 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #9 0x7f6a2193642c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #10 0x7f6a2193642c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #11 0x7f6a2193642c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #12 0x7f6a210f4465 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:356
    #13 0x7f6a2d0db135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #14 0x7f6a2d922181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #15 0x7f6a1edd230c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x60200017e4f0 is located 0 bytes inside of 16-byte region [0x60200017e4f0,0x60200017e500)
freed by thread T23 (DOM Worker) here:
    #0 0x4743f1 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f6a25c08c7a in assign /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/broadcastchannel/../../dist/include/nsAutoPtr.h:41
    #2 0x7f6a25c08c7a in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/broadcastchannel/../../dist/include/nsAutoPtr.h:111
    #3 0x7f6a25c08c7a in mozilla::dom::BroadcastChannel::Shutdown() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/broadcastchannel/BroadcastChannel.cpp:649
    #4 0x7f6a25c088cf in mozilla::dom::BroadcastChannel::~BroadcastChannel() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/broadcastchannel/BroadcastChannel.cpp:414
    #5 0x7f6a25c0932d in mozilla::dom::BroadcastChannel::~BroadcastChannel() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/broadcastchannel/BroadcastChannel.cpp:413
    #6 0x7f6a20ffbc6d in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2646
    #7 0x7f6a20ffb89e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2814
    #8 0x7f6a2100191a in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3756
    #9 0x7f6a21001072 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3587
    #10 0x7f6a2100484f in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4182
    #11 0x7f6a20fefb16 in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1284
    #12 0x7f6a29af8296 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6154
    #13 0x7f6a25b780c2 in mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal(JSContext*, bool, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6097
    #14 0x7f6a25bbc4bb in (anonymous namespace)::GarbageCollectRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1694
    #15 0x7f6a25b877d2 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #16 0x7f6a25b69fa5 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4982
    #17 0x7f6a25b71558 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5296
    #18 0x7f6a25b53e2e in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1380
    #19 0x7f6a25b53e2e in mozilla::dom::workers::WorkerMainThreadRunnable::Dispatch(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:519
    #20 0x7f6a230ba6ab in mozilla::dom::WebSocketImpl::CloseConnection(unsigned short, nsACString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:469
    #21 0x7f6a2312768e in mozilla::dom::(anonymous namespace)::WebSocketWorkerFeature::Notify(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1986
    #22 0x7f6a25b6e664 in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5180
    #23 0x7f6a25b6a48f in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5547
    #24 0x7f6a25b877d2 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #25 0x7f6a25b69fa5 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4982
    #26 0x7f6a25b67eec in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4414
    #27 0x7f6a25b25c43 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2671
    #28 0x7f6a210f79f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #29 0x7f6a21157c7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #30 0x7f6a2198d428 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #31 0x7f6a2193642c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #32 0x7f6a2193642c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #33 0x7f6a2193642c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #34 0x7f6a210f4465 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:356

previously allocated by thread T23 (DOM Worker) here:
    #0 0x4745f1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f6a2d71385d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:52
    #2 0x7f6a25c0a205 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/broadcastchannel/../../dist/include/mozilla/mozalloc.h:209
    #3 0x7f6a25c0a205 in mozilla::dom::BroadcastChannel::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/broadcastchannel/BroadcastChannel.cpp:512
    #4 0x7f6a23762846 in mozilla::dom::BroadcastChannelBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./BroadcastChannelBinding.cpp:293
    #5 0x7f6a28fe1182 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #6 0x7f6a28fe1182 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:259
    #7 0x7f6a28fe1182 in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:588
    #8 0x7f6a28fc89b7 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2531
    #9 0x7f6a28fa7594 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:444
    #10 0x7f6a28fe237f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:650
    #11 0x7f6a28fe2937 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:686
    #12 0x7f6a29a10463 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4085
    #13 0x7f6a25b22454 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:772
    #14 0x7f6a25b877d2 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #15 0x7f6a210f79f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #16 0x7f6a21157c7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #17 0x7f6a25b71787 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5310
    #18 0x7f6a25b10959 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1380
    #19 0x7f6a25b10959 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:846
    #20 0x7f6a25b104d3 in mozilla::dom::workers::scriptloader::LoadWorkerScript(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:940
    #21 0x7f6a25bbc6b1 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:885
    #22 0x7f6a25b877d2 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #23 0x7f6a210f79f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #24 0x7f6a21157c7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #25 0x7f6a25b68420 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4482
    #26 0x7f6a25b25c43 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2671
    #27 0x7f6a210f79f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #28 0x7f6a21157c7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #29 0x7f6a2198d428 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #30 0x7f6a2193642c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #31 0x7f6a2193642c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #32 0x7f6a2193642c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #33 0x7f6a210f4465 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:356
    #34 0x7f6a2d0db135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #35 0x7f6a2d922181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T23 (DOM Worker) created by T0 (Web Content) here:
    #0 0x460e65 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f6a2d0d7abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f6a2d0d763a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f6a210f599b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:467
    #4 0x7f6a25b8e04a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f6a25b04596 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1595
    #6 0x7f6a25b02666 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1458
    #7 0x7f6a25b63f45 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::workers::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::LoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4098
    #8 0x7f6a25b638e6 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4034
    #9 0x7f6a25b638e6 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:3975
    #10 0x7f6a242ecc8b in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:707
    #11 0x7f6a28fe1182 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #12 0x7f6a28fe1182 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:259
    #13 0x7f6a28fe1182 in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:588
    #14 0x7f6a28fc89b7 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2531
    #15 0x7f6a28fa7594 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:444
    #16 0x7f6a28fe237f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:650
    #17 0x7f6a28fe2937 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:686
    #18 0x7f6a29a10463 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4085
    #19 0x7f6a29a10b7e in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4112
    #20 0x7f6a29a10b7e in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4167
    #21 0x7f6a232b80c9 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #22 0x7f6a232b907b in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #23 0x7f6a23349404 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1144
    #24 0x7f6a23346b1e in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:974
    #25 0x7f6a23340bf7 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:782
    #26 0x7f6a2333c64e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:140
    #27 0x7f6a227e8414 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:220
    #28 0x7f6a227e8414 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:663
    #29 0x7f6a227e66b2 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488
    #30 0x7f6a227ed55b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #31 0x7f6a210f79f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #32 0x7f6a21157c7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7f6a2198c449 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7f6a2193642c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7f6a2193642c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7f6a2193642c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7f6a25fbbc77 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #38 0x7f6a27aeff52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #39 0x7f6a2193642c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #40 0x7f6a2193642c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #41 0x7f6a2193642c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #42 0x7f6a27aef57e in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #43 0x48cc01 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #44 0x7f6a1ecf8ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5180 mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status)

###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
Whiteboard: [asan]
Assignee: nobody → amarchesini
Depends on: 1141026
Attached patch wp.patch (obsolete) — Splinter Review
I don't think this patch fixes this issue, but this plus the BroadcastChannel patch makes this issue non-reproducible. The script has been running for more than 20 minutes without a crash.

To me it's possible that the issue was related to the BroadcastChannel feature, not correctly registered.
Attachment #8574639 - Flags: review?(bugs)
Attached patch wp.patch (obsolete) — Splinter Review
Attachment #8574639 - Attachment is obsolete: true
Attachment #8574639 - Flags: review?(bugs)
Attachment #8574641 - Flags: review?(bugs)
Well, what if you use only this patch?
Attachment #8574641 - Flags: review?(bugs) → review+
I accidentally set the wrong flag before.
Keywords: sec-audit → sec-critical
(In reply to Olli Pettay [:smaug] from comment #3)
> Well, what if you use only this patch?

We trigger the other bug. I found that debugging this.
Comment on attachment 8574641 [details] [diff] [review]
wp.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

It's easy to recreate with a small test such as the one attached here.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. We create a worker without checking if WorkerPrivate is null and before checking if we are shutting down the WebSocket.

Which older supported branches are affected by this flaw?

beta/aurora

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

it's easy to go back.

How likely is this patch to cause regressions; how much testing does it need?

None.
Attachment #8574641 - Flags: sec-approval?
Comment on attachment 8574641 [details] [diff] [review]
wp.patch

sec-approval+ for trunk.

We'll want patches made and nominated for Aurora and Beta so we don't ship this flaw.
Attachment #8574641 - Flags: sec-approval? → sec-approval+
Olli, could you deal with landing this and getting approvals up for Aurora and Beta?  I think we're getting close to 37 release, and it looks like Andrea is away.  Thanks.
Flags: needinfo?(bugs)
I'm still trying to understand why the patch fixes the issue. baku never explained.
And as far as I see, it doesn't fix the bug. It fixes a bug. Comment 1 is about right.


(Note, I asked baku on IRC a week ago or so to explain why the patch would fix this particular bug, but I'm not seeing the explanation.)
Flags: needinfo?(bugs)
Attached patch possible patch — Splinter Review
So we really don't want interesting stuff happening during ::Notify
That is the reason for the ConsoleError() and WebSocketImpl::CloseConnection changes.
WS channel should be still closed.

Perhaps not the prettiest fix.
Other option is to disable websockets-in-ws again.
Attachment #8578979 - Flags: review?(khuey)
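The hazard smaug describes above (a feature's ::Notify spinning a nested sync loop, during which the cycle collector frees another feature, which is what the ASan trace at the top of the bug shows with BroadcastChannel freed underneath NotifyFeatures) modelled as an added, self-contained example; this is not Gecko code, and Worker, Feature, RunSyncLoop, WebSocketFeature and BroadcastChannelFeature are hypothetical stand-ins for WorkerPrivate, WorkerFeature, the worker sync loop, WebSocketWorkerFeature and BroadcastChannel's feature. Besides the fix taken here (queue the cancel for the main thread and return), it also shows a second hardening the patch does not use: re-validating each feature through a weak reference before calling it.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Worker;

// Stand-in for WorkerFeature (hypothetical): Notify() runs when the worker's status changes.
struct Feature {
  std::string name;
  explicit Feature(std::string n) : name(std::move(n)) {}
  virtual ~Feature() = default;
  virtual void Notify(Worker& w) = 0;
};

// Stand-in for WorkerPrivate (hypothetical).
struct Worker {
  std::vector<std::shared_ptr<Feature>> features;  // live registry; sole owner of features
  std::vector<std::function<void()>> mainThread;   // events queued for the "main thread"
  std::vector<std::string> notified;               // features whose Notify actually ran
  int staleAccesses = 0;                           // what ASan reported as heap-use-after-free

  void Add(std::shared_ptr<Feature> f) { features.push_back(std::move(f)); }
  void Remove(const Feature* f) {
    features.erase(std::remove_if(features.begin(), features.end(),
        [f](const std::shared_ptr<Feature>& p) { return p.get() == f; }), features.end());
  }
  // Compares addresses only; never dereferences the (possibly freed) pointer.
  bool IsLive(const Feature* f) const {
    for (const auto& p : features) if (p.get() == f) return true;
    return false;
  }
  // Nested event loop: everything queued runs now, while a Notify is still on the stack.
  void RunSyncLoop() {
    std::vector<std::function<void()>> q;
    q.swap(mainThread);
    for (auto& ev : q) ev();
  }
  // Vulnerable shape: iterate a snapshot of raw pointers. If one Notify re-enters the
  // event loop and a feature is destroyed there, the snapshot still points at freed memory.
  void NotifyFeaturesRaw() {
    std::vector<Feature*> snap;
    for (const auto& p : features) snap.push_back(p.get());
    for (Feature* f : snap) {
      if (!IsLive(f)) { ++staleAccesses; continue; }  // the real code dereferences here
      notified.push_back(f->name);
      f->Notify(*this);
    }
  }
  // Hardened shape: weak references, re-validated right before each call.
  void NotifyFeaturesWeak() {
    std::vector<std::weak_ptr<Feature>> snap(features.begin(), features.end());
    for (auto& w : snap) {
      if (std::shared_ptr<Feature> f = w.lock()) {  // keeps f alive for its own Notify
        notified.push_back(f->name);
        f->Notify(*this);
      }
    }
  }
};

// WebSocket-like feature. Before the fix, closing the channel from Notify waited in a
// sync loop; the fix queues a cancel runnable for the main thread and returns at once.
struct WebSocketFeature : Feature {
  bool spinSyncLoop;
  explicit WebSocketFeature(bool spin) : Feature("websocket"), spinSyncLoop(spin) {}
  void Notify(Worker& w) override {
    w.mainThread.push_back([] { /* CancelWebSocketRunnable: close channel on main thread */ });
    if (spinSyncLoop) w.RunSyncLoop();  // whatever is queued, including a GC, runs here
  }
};

struct BroadcastChannelFeature : Feature {
  BroadcastChannelFeature() : Feature("broadcastchannel") {}
  void Notify(Worker&) override {}
};

// Constructed scenario from the report: a GC/CC that destroys the BroadcastChannel is already
// pending when the worker notifies its features. Returns {stale accesses, features notified}.
std::pair<int, int> RunScenario(bool wsSpinsSyncLoop, bool useWeakSnapshot) {
  Worker w;
  auto ws = std::make_shared<WebSocketFeature>(wsSpinsSyncLoop);
  auto bc = std::make_shared<BroadcastChannelFeature>();
  w.Add(ws);
  w.Add(bc);
  const Feature* bcRaw = bc.get();
  bc.reset();                                                // registry is now the only owner
  w.mainThread.push_back([&w, bcRaw] { w.Remove(bcRaw); });  // the cycle collector frees it
  if (useWeakSnapshot) w.NotifyFeaturesWeak(); else w.NotifyFeaturesRaw();
  return {w.staleAccesses, static_cast<int>(w.notified.size())};
}
```

With the sync loop and raw snapshot the second feature is reached through a stale pointer (the ASan case); deferring the cancel lets both features be notified before the GC runs, and the weak-reference variant skips the freed one instead of touching it.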
Comment on attachment 8578979 [details] [diff] [review]
possible patch

Review of attachment 8578979 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/base/WebSocket.cpp
@@ +501,5 @@
>  
> +    if (aCanceling) {
> +      nsRefPtr<CancelWebSocketRunnable> runnable =
> +        new CancelWebSocketRunnable(mChannel, aReasonCode, aReasonString);
> +      NS_DispatchToMainThread(runnable);
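Review bot: the nsresult from NS_DispatchToMainThread(runnable) in the aCanceling branch is dropped, so a dispatch that fails (for instance late in shutdown) leaves the channel open with nothing reported to the caller; return it instead, e.g. `return NS_DispatchToMainThread(runnable);`, and add a comment on CancelWebSocketRunnable stating that it exists so that no sync loop is entered while this Notify is on the stack, since that invariant is the whole reason for the new branch.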

Shouldn't this be connected to the above if somehow, since it's doing exactly what happens there?
I could add an assertion that aCanceling is ever set only when we're not in the main thread.
37 Beta 7 (final Beta) goes to build tomorrow (Thu, Mar 19). If we think it's worth uplifting this fix to 37, we need an uplift request by tomorrow morning.
Flags: needinfo?(bugs)
The other option is to disable Websockets in workers again.
I pinged khuey for a review.
Flags: needinfo?(bugs)
Attached patch +assertion — Splinter Review
[Security approval request comment]
How easily could an exploit be constructed based on the patch? I'd say not easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Checkin comment is about ensuring that we close the ws connection even in workers.

Which older supported branches are affected by this flaw?
beta/aurora/nightly

If not all supported branches, which bug introduced the flaw?
bug 504553

How likely is this patch to cause regressions; how much testing does it need?
Should be rather safe, but it is a new feature. Not that much tested yet.

[String/UUID change made/needed]: NA
Attachment #8579661 - Flags: sec-approval?
Attachment #8579661 - Flags: approval-mozilla-beta?
Attachment #8579661 - Flags: approval-mozilla-aurora?
I think it's kinda scary that we're still finding races in this code... Maybe we should just delay it one more cycle to be safe?
Comment on attachment 8579661 [details] [diff] [review]
+assertion

all things approved!
Attachment #8579661 - Flags: sec-approval?
Attachment #8579661 - Flags: sec-approval+
Attachment #8579661 - Flags: approval-mozilla-beta?
Attachment #8579661 - Flags: approval-mozilla-beta+
Attachment #8579661 - Flags: approval-mozilla-aurora?
Attachment #8579661 - Flags: approval-mozilla-aurora+
Crap, we're anyhow missing some related patches from beta. Can't land this there.
Attachment #8579661 - Flags: approval-mozilla-beta+
(In reply to Olli Pettay [:smaug] from comment #19)
> Crap, we're anyhow missing some related patches from beta. Can't land this
> there.

So do we need to pref off WebSocket on Workers?
We have done that for beta, see bug 1121406.
Smaug, I see that your patches include mine. Yesterday RyanVM asked me to land them. Are you OK if I land just wp_fix.patch?
Flags: needinfo?(bugs)
wp_fix.patch? What is that?
Comment on attachment 8574641 [details] [diff] [review]
wp.patch

We should not land this one, so marking obsolete.
Attachment #8574641 - Attachment is obsolete: true
Flags: needinfo?(bugs)
Comment on attachment 8579661 [details] [diff] [review]
+assertion

Review of attachment 8579661 [details] [diff] [review]:
-----------------------------------------------------------------

2 small NITs. I can fix them before landing the patch.

::: dom/base/WebSocket.cpp
@@ +427,5 @@
> +    , mReasonString(aReasonString)
> +  {}
> +
> +  NS_IMETHOD Run() MOZ_OVERRIDE
> +  {

MOZ_ASSERT(NS_IsMainThread());

@@ +502,5 @@
>  
> +    if (aCanceling) {
> +      nsRefPtr<CancelWebSocketRunnable> runnable =
> +        new CancelWebSocketRunnable(mChannel, aReasonCode, aReasonString);
> +      NS_DispatchToMainThread(runnable);

MOZ_ALWAYS_TRUE(NS_SUCCEEDED(NS_DispatchToMainThread(runnable)));

or:

return NS_DispatchToMainThread(runnable); and then remove the } else {
MOZ_ALWAYS_TRUE is wrong, at least in theory.
Landed this follow-up to fix the bustage, because MOZ_FINAL and MOZ_OVERRIDE do not exist any more.

https://hg.mozilla.org/integration/mozilla-inbound/rev/828959dd93fb
https://hg.mozilla.org/mozilla-central/rev/7be28b1e114c
https://hg.mozilla.org/mozilla-central/rev/828959dd93fb
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security → core-security-release
Whiteboard: [asan] → [asan][post-critsmash-triage]
Group: core-security-release