Use After Free of ConsoleRunnable

RESOLVED FIXED in Firefox 40

Status: RESOLVED FIXED
Product: Core
Component: DOM: Workers
Reporter: Looben Yang
Assignee: baku
Keywords: csectype-uaf, sec-critical
Version: 40 Branch
Target Milestone: mozilla40
Hardware: x86_64 Linux
Points: ---
Bug Flags: sec-bounty +

Firefox Tracking Flags: firefox39 unaffected, firefox40 fixed, firefox-esr31 unaffected, firefox-esr38 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected

Attachments (3 attachments, 5 obsolete attachments)

256 bytes, text/html
2.01 KB, patch - Ben Turner: review+
1.60 KB, patch - Ben Turner: review+
Description (Reporter)
Created attachment 8593788 [details]
uaf_ConsoleRunnable.html

Closing the worker right after a console.log() call can trigger a Use After Free in WorkerPrivate::NotifyFeatures.

Firefox Version: 40.0a1 (2015-04-16)
Operating System: Ubuntu 14.04 LTS 64bit

Reproduction test case (uaf_ConsoleRunnable.html): 

<html><body></body>
<script type="text/javascript">
var blob = new Blob(['console.log("AAAA");close();'],{type: "text/javascript"});
var worker = new Worker(window.URL.createObjectURL(blob));
setTimeout(function(){location.reload()},300);
</script></html>


Open uaf_ConsoleRunnable.html in a Firefox ASan build; ASan reports a Use After Free:

=================================================================
==5060==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000aa228 at pc 0x7fd283026020 bp 0x7fd259a8d930 sp 0x7fd259a8d928
READ of size 8 at 0x60b0000aa228 thread T22 (DOM Worker)
    #0 0x7fd28302601f in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5930
    #1 0x7fd2830212c8 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6394
    #2 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #3 0x7fd283020e15 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5731
    #4 0x7fd28301ebcc in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5137
    #5 0x7fd282fc9c72 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2790
    #6 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #7 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #8 0x7fd27eaa33c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #9 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #10 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #11 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #12 0x7fd27e1e5ad8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:364
    #13 0x7fd28a760135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #14 0x7fd28ada0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #15 0x7fd27be0b30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x60b0000aa228 is located 24 bytes inside of 112-byte region [0x60b0000aa210,0x60b0000aa280)
freed by thread T22 (DOM Worker) here:
    #0 0x474a01 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fd27e249bcc in nsRunnable::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:32
    #2 0x7fd2801985e7 in ~nsRefPtr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsRefPtr.h:60
    #3 0x7fd2801985e7 in ~ConsoleReleaseRunnable /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:361
    #4 0x7fd2801985e7 in mozilla::dom::ConsoleRunnable::PostDispatch()::ConsoleReleaseRunnable::~ConsoleReleaseRunnable() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:361
    #5 0x7fd28304121c in Release /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:250
    #6 0x7fd28304121c in mozilla::dom::workers::WorkerControlRunnable::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:529
    #7 0x7fd283020e50 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5735
    #8 0x7fd2830228f8 in ProcessAllControlRunnables /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1291
    #9 0x7fd2830228f8 in mozilla::dom::workers::WorkerPrivate::OnProcessNextEvent(unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5265
    #10 0x7fd28304a2a5 in mozilla::dom::workers::WorkerThread::Observer::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:322
    #11 0x7fd27e1e8cb0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:838
    #12 0x7fd27e24aafe in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:207
    #13 0x7fd28302130d in ClearMainEventQueue /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5760
    #14 0x7fd28302130d in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6399
    #15 0x7fd28161d9aa in mozilla::dom::WorkerGlobalScopeBinding_workers::close(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:144
    #16 0x7fd28161636c in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1139
    #17 0x7fd2864cc0de in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #18 0x7fd2864cc0de in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #19 0x7fd28650bd2e in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2956
    #20 0x7fd2864ec731 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #21 0x7fd28651d55d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #22 0x7fd28651dba4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:941
    #23 0x7fd286f5e34a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4211
    #24 0x7fd282fbf411 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1590
    #25 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #26 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #27 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #28 0x7fd283028b07 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6060
    #29 0x7fd282faba62 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1417
    #30 0x7fd282faba62 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1671
    #31 0x7fd282fab4b5 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1766
    #32 0x7fd283083e63 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1070
    #33 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #34 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #35 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #36 0x7fd28301f0f3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5229

previously allocated by thread T22 (DOM Worker) here:
    #0 0x474c01 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x4921cd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7fd28014e719 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/mozilla/mozalloc.h:187
    #3 0x7fd28014e719 in mozilla::dom::Console::Method(JSContext*, mozilla::dom::Console::MethodName, nsAString_internal const&, mozilla::dom::Sequence<JS::Value> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:1142
    #4 0x7fd28014cca2 in mozilla::dom::Console::Log(JSContext*, mozilla::dom::Sequence<JS::Value> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:799
    #5 0x7fd2812c5d5c in mozilla::dom::ConsoleBinding::log(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Console*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./ConsoleBinding.cpp:2018
    #6 0x7fd281eb456f in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2578
    #7 0x7fd2864cc0de in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #8 0x7fd2864cc0de in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #9 0x7fd28650bd2e in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2956
    #10 0x7fd2864ec731 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #11 0x7fd28651d55d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #12 0x7fd28651dba4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:941
    #13 0x7fd286f5e34a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4211
    #14 0x7fd282fbf411 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1590
    #15 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #16 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #17 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #18 0x7fd283028b07 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6060
    #19 0x7fd282faba62 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1417
    #20 0x7fd282faba62 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1671
    #21 0x7fd282fab4b5 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1766
    #22 0x7fd283083e63 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1070
    #23 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #24 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #25 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #26 0x7fd28301f0f3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5229
    #27 0x7fd282fc9c72 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2790
    #28 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #29 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #30 0x7fd27eaa33c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #31 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #32 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #33 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #34 0x7fd27e1e5ad8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:364

Thread T22 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461475 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fd28a75cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fd28a75c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fd27e1e6e3b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:478
    #4 0x7fd283049c2a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7fd282f9f676 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1750
    #6 0x7fd282f9cda4 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1604
    #7 0x7fd28301daf9 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4803
    #8 0x7fd28301d3f6 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4738
    #9 0x7fd28301d3f6 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4679
    #10 0x7fd28162279b in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:738
    #11 0x7fd28651bf9e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7fd28651bf9e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7fd28651bf9e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:821
    #14 0x7fd28650bd22 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2953
    #15 0x7fd2864ec731 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #16 0x7fd28651d55d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #17 0x7fd28651dba4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:941
    #18 0x7fd286f5e34a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4211
    #19 0x7fd286f5eaaf in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4238
    #20 0x7fd286f5eaaf in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4293
    #21 0x7fd2804c0d96 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #22 0x7fd2804c1c8b in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #23 0x7fd280541cfa in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1148
    #24 0x7fd28053f421 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:978
    #25 0x7fd280538c63 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:767
    #26 0x7fd2805342ce in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:140
    #27 0x7fd27f9a0e34 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:220
    #28 0x7fd27f9a0e34 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:663
    #29 0x7fd27f99f321 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488
    #30 0x7fd27f9a5ddb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #31 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #32 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7fd27eaa23e9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7fd2834a1bc7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #38 0x7fd285021fc2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #39 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #40 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #41 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #42 0x7fd2850216de in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #43 0x48d292 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #44 0x7fd27bd31ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5930 mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status)

Comment 1
Using the same object as nsRunnable (which is refcounted) and as WorkerFeature which isn't refcounted looks rather error prone.

Updated
Blocks: 1154076

Updated (Assignee)
Assignee: nobody → amarchesini

Comment 2 (Assignee)
Created attachment 8593892 [details] [diff] [review]
crash.patch
Attachment #8593892 - Flags: review?(bugs)
Comment 3 (Assignee)
Created attachment 8593894 [details] [diff] [review]
crash.patch

Also ConsoleRunnable must check if leak or not mFeature.
Attachment #8593894 - Flags: review?(bugs)
Updated (Assignee)
Attachment #8593892 - Attachment is obsolete: true
Attachment #8593892 - Flags: review?(bugs)

Comment 4 (Assignee)
Created attachment 8593895 [details] [diff] [review]
crash.patch

forgot hg qref.
Attachment #8593894 - Attachment is obsolete: true
Attachment #8593894 - Flags: review?(bugs)
Attachment #8593895 - Flags: review?(bugs)

Comment 5
Comment on attachment 8593895 [details] [diff] [review]
crash.patch

Bent is better reviewer for this.

(I wish WorkerFeatures were refcounted and their handling safer, that might have saved us here.)
Attachment #8593895 - Flags: review?(bugs) → review?(bent.mozilla)
Comment on attachment 8593895 [details] [diff] [review]
crash.patch

Review of attachment 8593895 [details] [diff] [review]:
-----------------------------------------------------------------

The runnable+feature combo should be just fine. We are not looking at a failure to dispatch because the report clearly shows that the runnable made it back to the worker thread and then got deleted after its refcount dropped to 0, exactly as expected. So somehow we still end up with a garbage pointer in the feature list.

Looking closer it seems like WorkerControlRunnable doesn't have a special Cancel hook (that would make it always Run(), like expected). That's what needs to be fixed.
Attachment #8593895 - Flags: review?(bent.mozilla) → review-
Flags: sec-bounty?
Keywords: csectype-uaf, sec-critical
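A minimal model of the lifetime bug bent describes above, added here as illustration (it is not Gecko code, and the type and function names below are stand-ins, not Gecko's): a runnable that is refcounted and is also registered by raw pointer as a worker feature, with the feature removal living in Run(). Cancelling it instead of running it leaves a dangling entry in the feature list; making Cancel() run the runnable, as the landed fix does for WorkerControlRunnable, closes the gap.

```cpp
#include <algorithm>
#include <cstdint>
#include <set>
#include <vector>

// Addresses of Feature objects that are currently alive. The model consults
// this instead of dereferencing a possibly-freed pointer, which ASan would
// (rightly) flag just as it did in the report above.
static std::set<std::uintptr_t> gLiveFeatures;

static std::uintptr_t AddrOf(const void* p) {
    return reinterpret_cast<std::uintptr_t>(p);
}

// Stand-in for WorkerFeature: registered with the worker by raw pointer, not
// refcounted, and expected to unregister itself before it dies.
struct Feature {
    Feature() { gLiveFeatures.insert(AddrOf(this)); }
    virtual ~Feature() { gLiveFeatures.erase(AddrOf(this)); }
    virtual bool Notify(int status) = 0;
};

// Stand-in for the worker's feature list (WorkerPrivate keeps raw pointers).
struct Worker {
    std::vector<Feature*> features;

    void AddFeature(Feature* f) { features.push_back(f); }
    void RemoveFeature(Feature* f) {
        features.erase(std::remove(features.begin(), features.end(), f),
                       features.end());
    }
    // What NotifyFeatures would walk. Returns how many entries point at an
    // object that has already been destroyed (the condition ASan reported).
    int CountDanglingFeatures() const {
        int dangling = 0;
        for (Feature* f : features) {
            if (!gLiveFeatures.count(AddrOf(f))) ++dangling;
        }
        return dangling;
    }
};

// Stand-in for the runnable in the report: refcounted (owned by the event
// queue) AND a Feature (held by raw pointer in the worker). Its cleanup, the
// RemoveFeature call, lives in Run(), so it only happens if Run() is reached.
struct ControlRunnable : Feature {
    Worker* worker;
    int refcnt = 0;
    bool cancelRunsAnyway;   // false = pre-fix behaviour, true = landed fix

    ControlRunnable(Worker* w, bool fixed) : worker(w), cancelRunsAnyway(fixed) {
        worker->AddFeature(this);
    }
    bool Notify(int) override { return true; }

    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }

    void Run() { worker->RemoveFeature(this); }

    // Pre-fix: a cancelled control runnable simply isn't run, so the feature
    // stays registered. Fixed: Cancel() runs the runnable regardless, which is
    // what the final patch makes WorkerControlRunnable::Cancel do.
    void Cancel() { if (cancelRunsAnyway) Run(); }
};

// Replays the sequence from the ASan report: console.log() posts the runnable
// and registers the feature, close() drains the queue by cancelling pending
// control runnables, then the queue drops its reference and the object is
// freed. Returns the number of dangling entries left in the feature list.
int SimulateShutdown(bool fixed) {
    Worker worker;
    ControlRunnable* r = new ControlRunnable(&worker, fixed);
    r->AddRef();    // reference held by the event queue
    r->Cancel();    // worker is closing: pending control runnables get cancelled
    r->Release();   // queue drops its reference; refcount hits 0, object freed
    return worker.CountDanglingFeatures();   // 1 before the fix, 0 after
}

int main() {
    return (SimulateShutdown(false) == 1 && SimulateShutdown(true) == 0) ? 0 : 1;
}
```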
Comment 7 (Assignee)
Created attachment 8594072 [details] [diff] [review]
crash2.patch
Attachment #8593895 - Attachment is obsolete: true
Attachment #8594072 - Flags: review?(bent.mozilla)
Comment on attachment 8594072 [details] [diff] [review]
crash2.patch

Review of attachment 8594072 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with this change:

::: dom/base/Console.cpp
@@ +356,5 @@
>          return true;
>        }
>  
> +      virtual nsresult
> +      Cancel() override
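Review bot: the `Cancel()` override added at Console.cpp line 356 (`+      virtual nsresult` / `+      Cancel() override`) closes the missing-cleanup path for this one runnable only; any other WorkerControlRunnable that registers a WorkerFeature and unregisters it in Run() is left with the same gap when it is cancelled during shutdown, so the override belongs on the base class. The quoted lines also stop at the declaration, so it is not visible whether the body forwards to Run() or merely returns NS_OK; a one-line comment above it stating that a cancelled control runnable must still perform its Run() cleanup would record the invariant for the next reader.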

I'd prefer we move this to WorkerControlRunnable, all of them should behave this way.
Attachment #8594072 - Flags: review?(bent.mozilla) → review+
Comment 10 (Assignee)
bent, it doesn't work in this way. What about if we do:

virtual nsresult Cancel() override { return NS_OK; }

and then we override this method in the console.

Feedback?
Flags: needinfo?(bent.mozilla)
Comment 11 (Assignee)
Created attachment 8594680 [details] [diff] [review]
crash2.patch

I guess we have to go back to the previous version of the patch.
Attachment #8594072 - Attachment is obsolete: true
Attachment #8594680 - Flags: review?(bent.mozilla)
Comment on attachment 8594680 [details] [diff] [review]
crash2.patch

Review of attachment 8594680 [details] [diff] [review]:
-----------------------------------------------------------------

No, comment 9 is the way we want to go here. It just exposed a different bug.
Attachment #8594680 - Flags: review?(bent.mozilla) → review-
I think we should try to figure out which WorkerControlRunnable is being scheduled after the worker has destroyed its JSContext. That's bad, and we should try to fix that.

And if we can't do that then we can make WorkerRunnable::Run a little more resilient so that it doesn't crash when being called after there's no JS context.
Flags: needinfo?(bent.mozilla)
Comment 14 (Assignee)
Created attachment 8595356 [details] [diff] [review]
crash2.patch

I'm having a hard time reproducing this issue. At least locally I cannot see the crash. But here is a patch where we check if JSContext is null:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=3e1ff2213ab5
Attachment #8594680 - Attachment is obsolete: true
Attachment #8595356 - Flags: review?(bent.mozilla)
Comment on attachment 8595356 [details] [diff] [review]
crash2.patch

Review of attachment 8595356 [details] [diff] [review]:
-----------------------------------------------------------------

This looks ok... But I hate that we can't find that other late runnable...

::: dom/workers/WorkerRunnable.h
@@ +320,5 @@
>    virtual ~WorkerControlRunnable()
>    { }
>  
> +  NS_IMETHOD
> +  Cancel() override
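Review bot: the new `NS_IMETHOD` / `Cancel() override` on WorkerControlRunnable (WorkerRunnable.h, right after the destructor at line 320) is quoted only as a declaration, so the hunk does not show whether it forwards to Run() or how it behaves when the worker's JSContext is already gone, which is the case the rest of this thread is worried about. Moving the implementation into WorkerRunnable.cpp, as the nit asks, is also the natural place for a comment stating that control runnables are never skipped on cancel (so feature cleanup always happens) and for an explicit null-JSContext check at the top of that path.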

Nit: Move the impl to the cpp file.
Attachment #8595356 - Flags: review?(bent.mozilla) → review+
This only affects 40, right?
(In reply to Andrew McCreight [:mccr8] from comment #18)
> This only affects 40, right?

Yep
status-firefox39: --- → unaffected
status-firefox-esr31: --- → unaffected
status-firefox-esr38: --- → unaffected

Updated
Duplicate of this bug: 1157284
https://hg.mozilla.org/mozilla-central/rev/91e9b0c36889
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox40: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Flags: sec-bounty? → sec-bounty+
Group: core-security
Assuming that Firefox 37 and earlier weren't affected, hence setting status-b2g-* to unaffected. Please correct if I'm wrong.
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
Flags: needinfo?(amarchesini)
Comment 23 (Assignee)
I think we should land a different version of this patch in v2.2. I'll keep the NI so I don't forget, and tomorrow I'll propose a patch.
Comment 24 (Assignee)
Created attachment 8620913 [details] [diff] [review]
patch v2.2
Flags: needinfo?(amarchesini)
Attachment #8620913 - Flags: review?(bent.mozilla)
Attachment #8620913 - Flags: review?(bent.mozilla) → review+
Comment 25 (Assignee)
Comment on attachment 8620913 [details] [diff] [review]
patch v2.2

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Workers
User impact if declined: possibly a crash
Testing completed: no
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none
Attachment #8620913 - Flags: approval-mozilla-b2g37?

Comment 26
(In reply to Andrea Marchesini (:baku) from comment #25)
> Comment on attachment 8620913 [details] [diff] [review]
> patch v2.2
> 
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Workers
> User impact if declined: possibly a crash
> Testing completed: no
> Risk to taking this patch (and alternatives if risky): none
> String or UUID changes made by this patch: none

Hi Andrea,
Per comment 19 and 22, b2g37 (2.2) and before are unaffected. Why do we still need a patch for 2.2?
Flags: needinfo?(amarchesini)
Comment 27 (Assignee)
It's not about the crash itself, but it's about some worker-shutdown procedure that could be wrongly executed.
About this particular bug, yes, this cannot be executed in v2.2, but if the worker goes away, it can happen that some control runnable is not correctly executed.
Flags: needinfo?(amarchesini)

Comment 28
Comment on attachment 8620913 [details] [diff] [review]
patch v2.2

Thanks Baku,
Approving this as it increases stability for 2.2.
Attachment #8620913 - Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+