Bug 1166924 (CVE-2015-2722)

Use After Free in CanonicalizeXPCOMParticipant

RESOLVED FIXED in Firefox 39

Status


Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 2 years ago

People

(Reporter: loobenyang, Assigned: baku)

Tracking

({csectype-uaf, sec-critical})

Version: unspecified
Target Milestone: mozilla41
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(firefox38 wontfix, firefox39+ fixed, firefox38.0.5 wontfix, firefox40+ fixed, firefox41+ fixed, firefox-esr31 39+ verified, firefox-esr38 39+ verified, b2g-v2.0 fixed, b2g-v2.0M fixed, b2g-v2.1 fixed, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-master fixed)

Details

(Whiteboard: [asan][adv-main39+][adv-esr38.1+][adv-esr31.8+])

Attachments

(3 attachments, 1 obsolete attachment)

Reporter

Description

4 years ago
Using XMLHttpRequest in shared workers can trigger a use-after-free.

Firefox version: 41.0a1 (2015-05-19)

Running the test case with a locally built Firefox in Visual Studio, it crashes in CanonicalizeXPCOMParticipant():


First-chance exception at 0x0F1969CD (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5A5A.
Unhandled exception at 0x0F1969CD (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5A5A.

The 0x5A5A5A5A memory pattern indicates a use after free.

Variables:

-		&out	0x1acff7ec {0x00000000 <NULL>}	nsISupports * *
+			0x00000000 <NULL>	nsISupports *
-		aIn	0x09c02920 {...}	nsISupports *
+		__vfptr	0x5a5a5a5a {???, ???, ???}	void * *
+		out	0x00000000 <NULL>	nsISupports *



The call stack:

>	xul.dll!CanonicalizeXPCOMParticipant(nsISupports * aIn) Line 931	C++
 	xul.dll!CCGraphBuilder::NoteXPCOMChild(nsISupports * aChild) Line 2332	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::NoteGCThingXPCOMChildren(const js::Class * aClasp, JSObject * aObj, nsCycleCollectionTraversalCallback & aCb) Line 631	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect aTs, JS::GCCellPtr aThing, nsCycleCollectionTraversalCallback & aCb) Line 666	C++
 	xul.dll!mozilla::JSGCThingParticipant::Traverse(void * aPtr, nsCycleCollectionTraversalCallback & aCb) Line 354	C++
 	xul.dll!CCGraphBuilder::BuildGraph(js::SliceBudget & aBudget) Line 2239	C++
 	xul.dll!nsCycleCollector::MarkRoots(js::SliceBudget & aBudget) Line 2839	C++
 	xul.dll!nsCycleCollector::Collect(ccType aCCType, js::SliceBudget & aBudget, nsICycleCollectorListener * aManualListener, bool aPreferShorterSlices) Line 3612	C++
 	xul.dll!nsCycleCollector_collect(nsICycleCollectorListener * aManualListener) Line 4099	C++
 	xul.dll!`anonymous namespace'::WorkerJSRuntime::CustomGCCallback(JSGCStatus aStatus) Line 1021	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus aStatus) Line 1263	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::GCCallback(JSRuntime * aRuntime, JSGCStatus aStatus, void * aData) Line 758	C++
 	xul.dll!js::gc::GCRuntime::collect(bool incremental, js::SliceBudget budget, JS::gcreason::Reason reason) Line 6189	C++
 	xul.dll!js::gc::GCRuntime::gc(JSGCInvocationKind gckind, JS::gcreason::Reason reason) Line 6246	C++
 	xul.dll!js::DestroyContext(JSContext * cx, js::DestroyContextMode mode) Line 187	C++
 	xul.dll!JS_DestroyContext(JSContext * cx) Line 730	C++
 	xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2823	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 866	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 265	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 355	C++
 	xul.dll!MessageLoop::RunInternal() Line 234	C++
 	xul.dll!MessageLoop::RunHandler() Line 227	C++
 	xul.dll!MessageLoop::Run() Line 201	C++
 	xul.dll!nsThread::ThreadFunc(void * aArg) Line 364	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 397	C
 	nss3.dll!pr_root(void * arg) Line 90	C
 	[External Code]	
 	[Frames below may be incorrect and/or missing, no symbols loaded for msvcr120.dll]
Olli Pettay [:smaug]

Comment 1

Any testcase for this?
Reporter

Comment 2

4 years ago
Running the test case in the Linux ASan build 41.0a1 (2015-05-16), it does report a use-after-free:


=================================================================
==12341==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000206c40 at pc 0x7f9d2f6f0ba2 bp 0x7f9d0ecea7d0 sp 0x7f9d0ecea7c8
READ of size 8 at 0x611000206c40 thread T23 (DOM Worker)
    #0 0x7f9d2f6f0ba1 in CanonicalizeXPCOMParticipant /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:930
    #1 0x7f9d2f6f0ba1 in CCGraphBuilder::NoteXPCOMChild(nsISupports*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2332
    #2 0x7f9d2f6e3876 in mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, JS::GCCellPtr, nsCycleCollectionTraversalCallback&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:664
    #3 0x7f9d2f6e3417 in mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:353
    #4 0x7f9d2f6ef234 in CCGraphBuilder::BuildGraph(js::SliceBudget&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2239
    #5 0x7f9d2f6f4487 in nsCycleCollector::MarkRoots(js::SliceBudget&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2839
    #6 0x7f9d2f6f9337 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3603
    #7 0x7f9d2f6fc92a in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4098
    #8 0x7f9d2f6e71ac in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1262
    #9 0x7f9d3893ff8c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6189
    #10 0x7f9d38940929 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6245
    #11 0x7f9d3885d621 in js::DestroyContext(JSContext*, js::DestroyContextMode) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxt.cpp:185
    #12 0x7f9d346954c8 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2823
    #13 0x7f9d2f7f70b4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #14 0x7f9d2f8586ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #15 0x7f9d300b4538 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #16 0x7f9d30040b1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #17 0x7f9d30040b1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #18 0x7f9d30040b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #19 0x7f9d2f7f3ba8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:362
    #20 0x7f9d3bf30135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #21 0x7f9d3c570181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #22 0x7f9d2d3db30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x611000206c40 is located 0 bytes inside of 232-byte region [0x611000206c40,0x611000206d28)
freed by thread T23 (DOM Worker) here:
    #0 0x474a01 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f9d2f6f402d in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2639
    #2 0x7f9d2f6f3c5e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2807
    #3 0x7f9d2f6f9d0e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3774
    #4 0x7f9d2f6f9325 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3599
    #5 0x7f9d2f6fc92a in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4098
    #6 0x7f9d2f6e71ac in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1262
    #7 0x7f9d3893ff8c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6189
    #8 0x7f9d38940929 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6245
    #9 0x7f9d3885d621 in js::DestroyContext(JSContext*, js::DestroyContextMode) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxt.cpp:185
    #10 0x7f9d346954c8 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2823
    #11 0x7f9d2f7f70b4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #12 0x7f9d2f8586ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #13 0x7f9d300b4538 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #14 0x7f9d30040b1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #15 0x7f9d30040b1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #16 0x7f9d30040b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #17 0x7f9d2f7f3ba8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:362
    #18 0x7f9d3bf30135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7f9d3c570181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

previously allocated by thread T23 (DOM Worker) here:
    #0 0x474c01 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x4921cd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f9d34721af5 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/workers/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7f9d34721af5 in mozilla::dom::workers::XMLHttpRequest::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::MozXMLHttpRequestParameters const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1646
    #4 0x7f9d32c5bcb0 in mozilla::dom::XMLHttpRequestBinding_workers::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./XMLHttpRequestBinding.cpp:3175
    #5 0x7f9d37e10a4e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #6 0x7f9d37e10a4e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #7 0x7f9d37e10a4e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:822
    #8 0x7f9d37e0118b in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2953
    #9 0x7f9d37de2879 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #10 0x7f9d37e11fdd in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:903
    #11 0x7f9d37e12624 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:942
    #12 0x7f9d3887e81a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4258
    #13 0x7f9d3468c7f1 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1662
    #14 0x7f9d347122cd in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:357
    #15 0x7f9d2f7f70b4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #16 0x7f9d2f8586ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #17 0x7f9d346fb577 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6038
    #18 0x7f9d34675554 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1439
    #19 0x7f9d34675554 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1743
    #20 0x7f9d34674f65 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1838
    #21 0x7f9d34752381 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1058
    #22 0x7f9d347122cd in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:357
    #23 0x7f9d2f7f70b4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #24 0x7f9d2f8586ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #25 0x7f9d346f20c3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5207
    #26 0x7f9d34695412 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2803
    #27 0x7f9d2f7f70b4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #28 0x7f9d2f8586ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #29 0x7f9d300b4538 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #30 0x7f9d30040b1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #31 0x7f9d30040b1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #32 0x7f9d30040b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #33 0x7f9d2f7f3ba8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:362
    #34 0x7f9d3bf30135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #35 0x7f9d3c570181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T23 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461475 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f9d3bf2cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f9d3bf2c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f9d2f7f4f0b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:476
    #4 0x7f9d3471c48a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f9d34669316 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1751
    #6 0x7f9d34666a44 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1605
    #7 0x7f9d346f0a9e in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4781
    #8 0x7f9d3466f2bc in mozilla::dom::workers::RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext*, mozilla::dom::workers::WorkerLoadInfo*, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2428
    #9 0x7f9d3466eb7e in mozilla::dom::workers::RuntimeService::CreateSharedWorkerInternal(mozilla::dom::GlobalObject const&, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2379
    #10 0x7f9d346d803a in CreateSharedWorker /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.h:142
    #11 0x7f9d346d803a in mozilla::dom::workers::SharedWorker::Constructor(mozilla::dom::GlobalObject const&, JSContext*, nsAString_internal const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/SharedWorker.cpp:69
    #12 0x7f9d3286f68d in mozilla::dom::SharedWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./SharedWorkerBinding.cpp:233
    #13 0x7f9d37e10a4e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #14 0x7f9d37e10a4e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #15 0x7f9d37e10a4e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:822
    #16 0x7f9d37e112a8 in js::InvokeConstructor(JSContext*, JS::Value, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:837
    #17 0x7f9d3828f8de in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineIC.cpp:10410
    #18 0x7f9d382b2a6d in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:124
    #19 0x7f9d382b396a in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:212
    #20 0x7f9d37e05096 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:1986
    #21 0x7f9d37de2879 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #22 0x7f9d37e11fdd in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:903
    #23 0x7f9d37e12624 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:942
    #24 0x7f9d3887e81a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4258
    #25 0x7f9d3887ef7f in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4285
    #26 0x7f9d3887ef7f in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4340
    #27 0x7f9d31b5ffaa in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #28 0x7f9d31b60edb in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #29 0x7f9d31be32ff in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1146
    #30 0x7f9d31be0a21 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:975
    #31 0x7f9d31bda167 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:764
    #32 0x7f9d31bd57ce in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:141
    #33 0x7f9d3100f894 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #34 0x7f9d3100f894 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:663
    #35 0x7f9d3100dd81 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488
    #36 0x7f9d3101483b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #37 0x7f9d2f7f70b4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #38 0x7f9d2f8586ca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #39 0x7f9d300b3538 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:127
    #40 0x7f9d30040b1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #41 0x7f9d30040b1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #42 0x7f9d30040b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #43 0x7f9d34b7d397 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #44 0x7f9d3674ea32 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #45 0x7f9d30040b1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #46 0x7f9d30040b1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #47 0x7f9d30040b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #48 0x7f9d3674e14e in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #49 0x48d292 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #50 0x7f9d2d301ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:930 CanonicalizeXPCOMParticipant
Shadow bytes around the buggy address:
  0x0c2280038d30: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280038d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280038d50: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2280038d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280038d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2280038d80: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c2280038d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280038da0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280038db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280038dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280038dd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap:              fd
==12341==ABORTING
[Parent 12162] WARNING: pipe error (45): Connection reset by peer: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
Reporter

Comment 3

4 years ago
(In reply to Olli Pettay [:smaug] from comment #1)
> Any testcase for this?

Yes, will simplify the test case first and upload it shortly.
Comment 4

From the stacks, it looks like we delete the worker XMLHttpRequest object, then the cycle collector traces from some JS object back into the XHR object (probably the XHR's reflector, as I don't know what else might hold onto it).  Very odd!
Reporter

Comment 5

4 years ago
The repro has been attached.

Steps to reproduce:
1. Run server side script Uaf_CanonicalizeXPCOMParticipant.js in Node.js (node Uaf_CanonicalizeXPCOMParticipant.js).
2. Enter http://localhost:12345 in Firefox browser.
3. If it crashes in other places, just restore the tab.
Flags: sec-bounty?
Assignee

Comment 6

4 years ago
Posted patch patch 0 (obsolete) — Splinter Review
Debugging this issue with a debug build, I had to fix a couple of other things first. The main one is: OpenRunnable() is a sync runnable and it can happen that the worker is closed by the nested event loop.

Plus, some teardown runnables can fail and we should not crash for this.
Attachment #8609366 - Flags: review?(bent.mozilla)
Keywords: sec-critical
Whiteboard: [asan]
Assignee

Comment 7

4 years ago
Posted patch patch 0 — Splinter Review
Attachment #8609366 - Attachment is obsolete: true
Attachment #8609366 - Flags: review?(bent.mozilla)
Attachment #8609445 - Flags: review?(bent.mozilla)
Assignee

Updated

4 years ago
Assignee: nobody → amarchesini
Assignee

Comment 8

4 years ago
Posted patch patch 1Splinter Review
bent, this is your patch. I can review it if you are not comfortable enough to review your own code. :)
Attachment #8609446 - Flags: review?(bent.mozilla)
Comment 9

Comment on attachment 8609445 [details] [diff] [review]
patch 0

Review of attachment 8609445 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/workers/XMLHttpRequest.cpp
@@ +1848,5 @@
>    mWorkerPrivate->AssertIsOnWorkerThread();
>  
> +  // No send() calls when open is running.
> +  if (mProxy->mOpening) {
> +    aRv.Throw(NS_ERROR_FAILURE);
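Review bot: `mProxy->mOpening` is dereferenced here with no null check on `mProxy` visible in the hunk's context; if send() can run before open() has created the proxy, put this check after the existing mProxy null check (or add one) so a missing proxy does not turn into a null dereference. On the error code the review asks about: the XHR spec has send() throw InvalidStateError when the object is not in the OPENED state, so NS_ERROR_DOM_INVALID_STATE_ERR would match main-thread XHR more closely than the generic NS_ERROR_FAILURE.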

Make sure this is the same error thrown by main thread XHR?

@@ +1937,5 @@
>      new OpenRunnable(mWorkerPrivate, mProxy, aMethod, aUrl, aUser, aPassword,
>                       mBackgroundRequest, mWithCredentials,
>                       mTimeout);
>  
> +  mProxy->mOpening = true;
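Review bot: `mProxy->mOpening = true` is set after the OpenRunnable is constructed, but nothing in the hunk clears it; a plain `mProxy->mOpening = false` after the dispatch would be skipped on every early-return and failure path and leave all later send() calls rejected, so scope the flag with AutoRestore<bool> as the review suggests. Because the flag lives on mProxy and comment 6 says the nested event loop can close the worker, also make sure mProxy cannot be released while open() is blocked: an AutoRestore holding a reference into a freed proxy would write into freed memory on scope exit, so hold a strong reference to the proxy for the duration of open() or keep the flag on the XHR object itself.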

Use AutoRestore for resetting it.
Attachment #8609445 - Flags: review?(bent.mozilla) → review+
Attachment #8609446 - Flags: review?(bent.mozilla) → review?(amarchesini)
Assignee

Updated

4 years ago
Attachment #8609446 - Flags: review?(amarchesini) → review+
Assignee

Comment 10

4 years ago
Comment on attachment 8609445 [details] [diff] [review]
patch 0

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Easy. Using send() in the xhr.onreadystatechange can cause this issue.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. No tests but easy to follow what the patch does.

Which older supported branches are affected by this flaw?

All the branches.

If not all supported branches, which bug introduced the flaw?

Since the first XMLHttpRequest implementation in workers, I guess. All the branches are affected.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Easy to backport the patch.

How likely is this patch to cause regressions; how much testing does it need?

No regressions, I guess, can be generated by this patch.
Attachment #8609445 - Flags: sec-approval?
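The guard that comments 6, 9 and 10 describe (a sync OpenRunnable spins a nested event loop, a send() issued from a worker event such as onreadystatechange while that loop runs must be refused, and the flag must be reset by AutoRestore) is modelled below as an added example. This is not Mozilla's code and it does not reproduce the crash: WorkerXhr, Proxy, Outcome and the helper names are invented for the model, the mOpening flag is kept on the XHR object rather than on mProxy, and the assumption that an unguarded send() in the wrong state tears the proxy down stands in for the real path to the freed object, which the bug does not spell out. The unguarded run ends with Open() finding its proxy gone (counted instead of dereferenced), the guarded run completes Open() and then sends normally, and the throwing scenario shows why a bare flag reset at the end of Open() would not be enough.

```cpp
// Added model (not Mozilla's code) of the re-entrancy guard from patch 0: a flag set while
// open() runs its nested event loop, reset by AutoRestore, and checked by send().
// Model assumptions: the flag lives on the XHR object rather than on mProxy, and an
// unguarded send() during open() tears the proxy down (the real bug's path is not shown).
#include <functional>
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

// Stand-in for mozilla::AutoRestore<T>: writes the saved value back on scope exit,
// including when the scope is left by an exception.
template <typename T>
class AutoRestore {
 public:
  explicit AutoRestore(T& aLocation) : mLocation(aLocation), mSaved(aLocation) {}
  ~AutoRestore() { mLocation = mSaved; }
  AutoRestore(const AutoRestore&) = delete;
  AutoRestore& operator=(const AutoRestore&) = delete;
 private:
  T& mLocation;
  T mSaved;
};

enum class Rv { Ok, Failure };  // stands in for NS_OK / NS_ERROR_FAILURE

struct Proxy {  // main-thread state the worker XHR owns through mProxy
  bool mOpened = false;
  int mSends = 0;
};

class WorkerXhr {
 public:
  explicit WorkerXhr(bool aGuardSend)
      : mGuardSend(aGuardSend), mProxy(std::make_unique<Proxy>()) {}

  // Worker events (e.g. onreadystatechange) that the nested loop inside Open() will run.
  void QueueWorkerEvent(std::function<void(WorkerXhr&)> aEvent) {
    mQueue.push_back(std::move(aEvent));
  }

  Rv Open() {
    if (!mProxy) return Rv::Failure;
    AutoRestore<bool> restore(mOpening);  // the flag can never stay stuck at true
    mOpening = true;
    RunNestedEventLoop();                 // OpenRunnable is sync: worker events run here
    if (!mProxy) {                        // proxy was torn down underneath Open()
      ++mStaleProxyUses;                  // the real bug read freed memory instead of checking
      return Rv::Failure;
    }
    mProxy->mOpened = true;
    return Rv::Ok;
  }

  Rv Send() {
    if (mGuardSend && mOpening) return Rv::Failure;  // patch 0: no send() while open() runs
    if (!mProxy || !mProxy->mOpened) {
      Teardown();  // model assumption: a send() in the wrong state tears the proxy down
      return Rv::Failure;
    }
    ++mProxy->mSends;
    return Rv::Ok;
  }

  bool IsOpening() const { return mOpening; }
  int StaleProxyUses() const { return mStaleProxyUses; }

 private:
  void RunNestedEventLoop() {
    while (!mQueue.empty()) {
      auto event = std::move(mQueue.front());
      mQueue.erase(mQueue.begin());
      event(*this);
    }
  }
  void Teardown() { mProxy.reset(); }

  bool mGuardSend;
  bool mOpening = false;
  int mStaleProxyUses = 0;
  std::unique_ptr<Proxy> mProxy;
  std::vector<std::function<void(WorkerXhr&)>> mQueue;
};

struct Outcome { bool openOk; bool sendAfterOpenOk; int staleProxyUses; bool flagClear; };

// Scenario from comment 10: a worker event calls send() while open() is still running.
Outcome RunSendDuringOpen(bool aGuardSend) {
  WorkerXhr xhr(aGuardSend);
  xhr.QueueWorkerEvent([](WorkerXhr& x) { x.Send(); });
  bool openOk = xhr.Open() == Rv::Ok;
  bool sendOk = xhr.Send() == Rv::Ok;
  return Outcome{openOk, sendOk, xhr.StaleProxyUses(), !xhr.IsOpening()};
}

// Why the reviewer asked for AutoRestore: the flag is cleared even if the nested loop throws.
bool OpeningFlagClearAfterThrow() {
  WorkerXhr xhr(true);
  xhr.QueueWorkerEvent([](WorkerXhr&) { throw std::runtime_error("worker closed"); });
  try { xhr.Open(); } catch (const std::runtime_error&) {}
  return !xhr.IsOpening();
}

int main() {
  Outcome unguarded = RunSendDuringOpen(false), guarded = RunSendDuringOpen(true);
  return (unguarded.staleProxyUses == 1 && guarded.openOk && OpeningFlagClearAfterThrow()) ? 0 : 1;
}
```

RunSendDuringOpen(false) returns openOk false with one stale proxy use; RunSendDuringOpen(true) returns openOk and sendAfterOpenOk true with none. Keeping the flag on the XHR object rather than on the proxy is deliberate in this model: an AutoRestore that referenced a member of a proxy the nested loop can release would itself write into freed memory on scope exit.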
Assignee

Comment 11

4 years ago
Comment on attachment 8609446 [details] [diff] [review]
patch 1

See previous comment.
Attachment #8609446 - Flags: sec-approval?
Comment 12

Comment on attachment 8609445 [details] [diff] [review]
patch 0

sec-approval=dveditz
Attachment #8609445 - Flags: sec-approval? → sec-approval+
Attachment #8609446 - Flags: sec-approval? → sec-approval+
Assignee

Updated

4 years ago
Keywords: checkin-needed
These patches were both missing commit info, just fyi.
https://hg.mozilla.org/mozilla-central/rev/635ef933d0d5
https://hg.mozilla.org/mozilla-central/rev/0facd655bce5

Please request Aurora/Beta/esr38/esr31 approval on this when you get a chance.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(amarchesini)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Assignee

Comment 16

4 years ago
Comment on attachment 8609445 [details] [diff] [review]
patch 0

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: a crash
Fix Landed on Version: m-i.
Risk to taking this patch (and alternatives if risky): no risks. The patch is very simple. We use a boolean to avoid calling Send() inside the Open() nested event loop.
String or UUID changes made by this patch:  none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Approval Request Comment
[Feature/regressing bug #]: XHR in workers
[User impact if declined]: a crash
[Describe test coverage new/current, TreeHerder]: green on try but no specific test for this issue.
[Risks and why]: the patch is very simple.
[String/UUID change made/needed]: none.
Flags: needinfo?(amarchesini)
Attachment #8609445 - Flags: approval-mozilla-esr38?
Attachment #8609445 - Flags: approval-mozilla-esr31?
Attachment #8609445 - Flags: approval-mozilla-aurora?
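The fix described in the approval request above (a boolean that rejects Send() while Open() is inside its nested event loop) together with the reviewer's "use AutoRestore for resetting it" can be shown as a small stand-alone guard pattern. The following is an added example, not Mozilla's code and not the patch itself; XhrProxy, the simulated nested loop, the Result enum and the local AutoRestore template are all hypothetical stand-ins written for this illustration.

```cpp
// Added example (not Mozilla's code): a re-entrancy guard of the kind the
// patch describes, plus an RAII helper that restores the flag on every exit
// path. All names here are hypothetical stand-ins.
#include <functional>
#include <string>
#include <vector>

enum class Result { Ok, ErrFailure };

// Minimal stand-in for an AutoRestore helper: remembers the current value of
// a variable and writes it back when the scope ends, however the scope ends.
template <typename T>
class AutoRestore {
 public:
  explicit AutoRestore(T& aVar) : mVar(aVar), mSaved(aVar) {}
  ~AutoRestore() { mVar = mSaved; }
  AutoRestore(const AutoRestore&) = delete;
  AutoRestore& operator=(const AutoRestore&) = delete;
 private:
  T& mVar;
  T mSaved;
};

// Hypothetical worker-side XHR proxy. Open() "spins a nested event loop",
// modelled here as synchronously running the registered readystatechange
// callback while Open() is still on the stack; that is the window in which a
// script can re-enter Send().
class XhrProxy {
 public:
  std::function<void(XhrProxy&)> onReadyStateChange;
  std::vector<std::string> log;   // what happened, for inspection

  Result Open(const std::string& url) {
    // Guard the whole Open() body: mOpening is true only while we are inside,
    // and is reset on the normal return and on every early-return path.
    AutoRestore<bool> restore(mOpening);
    mOpening = true;
    if (url.empty()) {
      log.push_back("open: rejected empty url");
      return Result::ErrFailure;   // early exit: AutoRestore still resets
    }
    log.push_back("open: " + url);
    // Simulated nested event loop: user code runs while Open() is in progress.
    if (onReadyStateChange) {
      onReadyStateChange(*this);
    }
    mOpened = true;
    return Result::Ok;
  }

  Result Send() {
    // The check the patch introduces: no send() while open is running.
    if (mOpening) {
      log.push_back("send: refused, open in progress");
      return Result::ErrFailure;
    }
    if (!mOpened) {
      log.push_back("send: refused, not opened");
      return Result::ErrFailure;
    }
    log.push_back("send: ok");
    return Result::Ok;
  }

  bool IsOpening() const { return mOpening; }

 private:
  bool mOpening = false;
  bool mOpened = false;
};

// Scenario 1: a callback re-enters Send() from inside Open(); the guard turns
// the re-entrant call into a plain error instead of touching proxy state.
Result ReentrantSendResult() {
  XhrProxy xhr;
  Result inner = Result::Ok;
  xhr.onReadyStateChange = [&inner](XhrProxy& self) { inner = self.Send(); };
  xhr.Open("https://example.invalid/");
  return inner;   // ErrFailure
}

// Scenario 2: once Open() has returned the flag is restored and Send() works.
Result SendAfterOpenResult() {
  XhrProxy xhr;
  xhr.Open("https://example.invalid/");
  return xhr.Send();   // Ok
}

// Scenario 3: an early return inside Open() must not leave mOpening stuck,
// otherwise every later Send() on this proxy would fail forever.
bool FlagResetAfterFailedOpen() {
  XhrProxy xhr;
  xhr.Open("");                 // fails before the nested loop runs
  return !xhr.IsOpening();      // true thanks to AutoRestore
}
```

The third scenario is the reason for the reviewer's AutoRestore request: setting the flag by hand and clearing it at the end of Open() works for the happy path, but any early return or thrown error in between would leave the proxy permanently refusing Send().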
Assignee

Comment 17

4 years ago
Comment on attachment 8609446 [details] [diff] [review]
patch 1

See the previous comment. Here we use a boolean to differentiate the Teardown() call in case we have to send an Unpin runnable or not.
Attachment #8609446 - Flags: approval-mozilla-esr38?
Attachment #8609446 - Flags: approval-mozilla-esr31?
Attachment #8609446 - Flags: approval-mozilla-aurora?
Attachment #8609445 - Flags: approval-mozilla-beta?
Attachment #8609446 - Flags: approval-mozilla-beta?
Comment on attachment 8609445 [details] [diff] [review]
patch 0

Approved for uplift to beta, esr 31 and esr 38. 

Approved for uplift to aurora but please wait to land that until Tuesday June 2 after the release (since we have had aurora updates disabled for a few days).
Attachment #8609445 - Flags: approval-mozilla-esr38?
Attachment #8609445 - Flags: approval-mozilla-esr38+
Attachment #8609445 - Flags: approval-mozilla-esr31?
Attachment #8609445 - Flags: approval-mozilla-esr31+
Attachment #8609445 - Flags: approval-mozilla-beta?
Attachment #8609445 - Flags: approval-mozilla-beta+
Attachment #8609445 - Flags: approval-mozilla-aurora?
Attachment #8609445 - Flags: approval-mozilla-aurora+
Comment on attachment 8609446 [details] [diff] [review]
patch 1

Approved for uplift to beta, esr 31 and esr 38. 

Approved for uplift to aurora but please wait to land that until Tuesday June 2 after the release (since we have had aurora updates disabled for a few days).
Attachment #8609446 - Flags: approval-mozilla-esr38?
Attachment #8609446 - Flags: approval-mozilla-esr38+
Attachment #8609446 - Flags: approval-mozilla-esr31?
Attachment #8609446 - Flags: approval-mozilla-esr31+
Attachment #8609446 - Flags: approval-mozilla-beta?
Attachment #8609446 - Flags: approval-mozilla-beta+
Attachment #8609446 - Flags: approval-mozilla-aurora?
Attachment #8609446 - Flags: approval-mozilla-aurora+
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2015-2722
Whiteboard: [asan] → [asan][adv-main39+][adv-esr38.1+][adv-esr31.8+]
Looben Yang, could you please confirm that this is properly fixed on:
- ESR 31.8.0 - ftp://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.8.0esr-candidates/build1/
- ESR 38.1.0 - ftp://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.1.0esr-candidates/build1/
Flags: needinfo?(loobenyang)
Reporter

Comment 27

4 years ago
(In reply to Florin Mezei, QA (:FlorinMezei) from comment #26)
> Looben Yang, could you please confirm that this is properly fixed on:
> - ESR 31.8.0 - ftp://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.8.0esr-candidates/build1/
> - ESR 38.1.0 - ftp://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.1.0esr-candidates/build1/

Per my testing, it's fixed in ESR 31.8.0 and ESR 38.1.0.
I just downloaded the win32 exes from ftp://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.1.0esr-candidates/build1/win32/en-US/ and ftp://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/31.8.0esr-candidates/build1/win32/en-US/, ran the same test case Uaf_CanonicalizeXPCOMParticipant.js, and did not see the crash.
Flags: needinfo?(loobenyang)
Thanks Looben! Marking this as verified for ESRs then.

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release