Closed Bug 1169867 (CVE-2015-2733) Opened 9 years ago Closed 9 years ago

Use After Free in CanonicalizeXPCOMParticipant() with dedicated worker

Categories: Core :: DOM: Workers, defect
Version: 41 Branch
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED, target milestone mozilla41

Tracking Status
firefox38 --- wontfix
firefox39 + fixed
firefox38.0.5 --- wontfix
firefox40 + fixed
firefox41 + fixed
firefox-esr31 39+ fixed
firefox-esr38 39+ fixed
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People: Reporter: loobenyang, Assigned: baku

Details: Keywords: csectype-uaf, sec-critical; Whiteboard: [adv-main39+][adv-esr38.1+][adv-esr31.8+][b2g-adv-main2.2+]

Attachments: 2 files, 3 obsolete files

Using XMLHttpRequest in dedicated workers can trigger a Use After Free. It's kind of a variant of Bug 1166924 (a similar use after free in a shared worker); however, this bug was found after Bug 1166924 was fixed.


Firefox version: 41.0a1 (2015-05-29)

Steps to reproduce:
1. Run server side script Uaf_CanonicalizeXPCOMParticipant_DedicatedWorker_repro.js in Node.js (node Uaf_CanonicalizeXPCOMParticipant_DedicatedWorker_repro.js).
2. Enter http://localhost:12345 in Firefox browser.
3. If it crashes in other places, just restore the tab.


Result in ASan build:


=================================================================
==8659==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100026b3c0 at pc 0x7ff5728da512 bp 0x7ff55298a7d0 sp 0x7ff55298a7c8
READ of size 8 at 0x61100026b3c0 thread T22 (DOM Worker)
    #0 0x7ff5728da511 in CanonicalizeXPCOMParticipant /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:930
    #1 0x7ff5728da511 in CCGraphBuilder::NoteXPCOMChild(nsISupports*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2332
    #2 0x7ff5728cd446 in mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, JS::GCCellPtr, nsCycleCollectionTraversalCallback&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:664
    #3 0x7ff5728ccfe8 in mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:353
    #4 0x7ff5728d8ba4 in CCGraphBuilder::BuildGraph(js::SliceBudget&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2239
    #5 0x7ff5728dddf7 in nsCycleCollector::MarkRoots(js::SliceBudget&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2839
    #6 0x7ff5728e2ca7 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3603
    #7 0x7ff5728e629a in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4098
    #8 0x7ff5728d0bac in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1266
    #9 0x7ff57be5916c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6178
    #10 0x7ff57be59b09 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6234
    #11 0x7ff57bd54531 in js::DestroyContext(JSContext*, js::DestroyContextMode) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxt.cpp:185
    #12 0x7ff57791eea8 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2823
    #13 0x7ff5729df784 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846
    #14 0x7ff572a585ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #15 0x7ff57329a378 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #16 0x7ff573226a0c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #17 0x7ff573226a0c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #18 0x7ff573226a0c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #19 0x7ff5729dc2c8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #20 0x7ff57f4b0135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #21 0x7ff57faf0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #22 0x7ff57058b30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x61100026b3c0 is located 0 bytes inside of 232-byte region [0x61100026b3c0,0x61100026b4a8)
freed by thread T22 (DOM Worker) here:
    #0 0x474a01 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7ff5728dd99d in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2639
    #2 0x7ff5728dd5ce in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2807
    #3 0x7ff5728e367e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3774
    #4 0x7ff5728e2c95 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3599
    #5 0x7ff5728e629a in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4098
    #6 0x7ff5728d0bac in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1266
    #7 0x7ff57be5916c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6178
    #8 0x7ff57be59b09 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6234
    #9 0x7ff57bd54531 in js::DestroyContext(JSContext*, js::DestroyContextMode) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxt.cpp:185
    #10 0x7ff57791eea8 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2823
    #11 0x7ff5729df784 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846
    #12 0x7ff572a585ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #13 0x7ff57329a378 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #14 0x7ff573226a0c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #15 0x7ff573226a0c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #16 0x7ff573226a0c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #17 0x7ff5729dc2c8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #18 0x7ff57f4b0135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7ff57faf0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

previously allocated by thread T22 (DOM Worker) here:
    #0 0x474c01 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x4921cd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7ff5779aab85 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/workers/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7ff5779aab85 in mozilla::dom::workers::XMLHttpRequest::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::MozXMLHttpRequestParameters const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1655
    #4 0x7ff575e21b70 in mozilla::dom::XMLHttpRequestBinding_workers::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./XMLHttpRequestBinding.cpp:3175
    #5 0x7ff57b2dcb4e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #6 0x7ff57b2dcb4e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #7 0x7ff57b2dcb4e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:822
    #8 0x7ff57b2b935f in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2953
    #9 0x7ff57b28ca69 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #10 0x7ff57b2de0dd in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:903
    #11 0x7ff57b2de724 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:942
    #12 0x7ff57bd755fa in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4257
    #13 0x7ff577916121 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1638
    #14 0x7ff57799b3a4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:357
    #15 0x7ff5729df784 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846
    #16 0x7ff572a585ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #17 0x7ff577984817 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6022
    #18 0x7ff5778ff324 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1461
    #19 0x7ff5778ff324 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1719
    #20 0x7ff5778fed35 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1814
    #21 0x7ff5779db5e1 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1057
    #22 0x7ff57799b3a4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:357
    #23 0x7ff5729df784 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846
    #24 0x7ff572a585ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #25 0x7ff57797b363 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5200
    #26 0x7ff57791edf2 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2803
    #27 0x7ff5729df784 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846
    #28 0x7ff572a585ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #29 0x7ff57329a378 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #30 0x7ff573226a0c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #31 0x7ff573226a0c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #32 0x7ff573226a0c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #33 0x7ff5729dc2c8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #34 0x7ff57f4b0135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #35 0x7ff57faf0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T22 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461475 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7ff57f4acabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7ff57f4ac63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7ff5729dd74b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:469
    #4 0x7ff5779a54aa in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7ff5778f30e6 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1751
    #6 0x7ff5778f0844 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1605
    #7 0x7ff577979d2d in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4774
    #8 0x7ff577979536 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4709
    #9 0x7ff577979536 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4650
    #10 0x7ff575e55586 in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:747
    #11 0x7ff57b2dcb4e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7ff57b2dcb4e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7ff57b2dcb4e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:822
    #14 0x7ff57b2b935f in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2953
    #15 0x7ff57b28ca69 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #16 0x7ff57b2de0dd in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:903
    #17 0x7ff57b2de724 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:942
    #18 0x7ff57bd755fa in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4257
    #19 0x7ff57bd75d5f in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4284
    #20 0x7ff57bd75d5f in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4339
    #21 0x7ff574d5816a in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #22 0x7ff574d5909b in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #23 0x7ff574ddc312 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1146
    #24 0x7ff574dd9a31 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:975
    #25 0x7ff574dd3177 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:764
    #26 0x7ff574dce7de in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:141
    #27 0x7ff5742079c4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #28 0x7ff5742079c4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:662
    #29 0x7ff574205eb1 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:487
    #30 0x7ff57420c8eb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #31 0x7ff5729df784 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846
    #32 0x7ff572a585ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7ff573299399 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #34 0x7ff573226a0c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7ff573226a0c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7ff573226a0c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7ff577e045f7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #38 0x7ff579bdf662 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:745
    #39 0x7ff573226a0c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #40 0x7ff573226a0c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #41 0x7ff573226a0c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #42 0x7ff579bded5b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:581
    #43 0x48d292 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #44 0x7ff5704b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:930 CanonicalizeXPCOMParticipant
==8659==ABORTING

###!!! [Parent][MessageChannel] Error: (msgtype=0x200079,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

[Parent 8482] WARNING: pipe error (49): Connection reset by peer: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459



The stack above shows that it's a dedicated worker instead of a shared worker:

    #10 0x7ff575e55586 in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:747

The line number indicates that the fix for Bug 1166924 was already in it:

    #3 0x7ff5779aab85 in mozilla::dom::workers::XMLHttpRequest::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::MozXMLHttpRequestParameters const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1655
Flags: sec-bounty?
baku: since you worked on bug 1166924 are you the right assignee for this one too? If not who?
Flags: needinfo?(amarchesini)
I take this bug.
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attached patch crash2.patch (obsolete) — Splinter Review
I use mProxy after releasing it. This is why we crash. This code can easily land on m-i because the other bug has just landed last week.
Attachment #8613543 - Flags: review?(ehsan)
[Tracking Requested - why for this release]: Copying tracking flags from bug 1169979.
Attachment #8613543 - Flags: review?(ehsan) → review+
Comment on attachment 8613543 [details] [diff] [review]
crash2.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Yes.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. The bug is trivial to see.

Which older supported branches are affected by this flaw?

All of them.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

It's easy to backport.

How likely is this patch to cause regressions; how much testing does it need?

none.
Attachment #8613543 - Flags: sec-approval?
sec-approval+ for trunk.

We'll want this on:
Aurora
Beta
ESR38
ESR31

as well.

If you could create and nominate patches after it lands on Trunk, it would be appreciated.
Attachment #8613543 - Flags: sec-approval? → sec-approval+
Comment on attachment 8613543 [details] [diff] [review]
crash2.patch

[Approval Request Comment]
User impact if declined: FF crashes.
Fix Landed on Version: m-i
Risk to taking this patch (and alternatives if risky): none.
String or UUID changes made by this patch: none.
Attachment #8613543 - Flags: approval-mozilla-esr38?
Attachment #8613543 - Flags: approval-mozilla-esr31?
Attachment #8613543 - Flags: approval-mozilla-beta?
Attachment #8613543 - Flags: approval-mozilla-aurora?
Keywords: checkin-needed
Attachment #8613543 - Flags: approval-mozilla-esr38?
Attachment #8613543 - Flags: approval-mozilla-esr38+
Attachment #8613543 - Flags: approval-mozilla-esr31?
Attachment #8613543 - Flags: approval-mozilla-esr31+
Attachment #8613543 - Flags: approval-mozilla-beta?
Attachment #8613543 - Flags: approval-mozilla-beta+
Attachment #8613543 - Flags: approval-mozilla-aurora?
Attachment #8613543 - Flags: approval-mozilla-aurora+
When I first saw the patch crash2.patch, I was thinking it probably did not fix the problem at all.

Now the patch is in trunk and I can verify. Running the same test case (Uaf_CanonicalizeXPCOMParticipant_DedicatedWorker_repro.js) with the latest code, I got:

First-chance exception at 0x65707974 in firefox.exe: 0xC0000005: Access violation executing location 0x65707974.
Unhandled exception at 0x65707974 in firefox.exe: 0xC0000005: Access violation executing location 0x65707974.


Firefox version: 41.0a1 (2015-06-05)

Call Stack:

 	65707974()	Unknown
 	[Frames below may be incorrect and/or missing]	
>	xul.dll!CanonicalizeXPCOMParticipant(nsISupports * aIn) Line 931	C++
 	xul.dll!CCGraphBuilder::NoteXPCOMChild(nsISupports * aChild) Line 2331	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::NoteGCThingXPCOMChildren(const js::Class * aClasp, JSObject * aObj, nsCycleCollectionTraversalCallback & aCb) Line 605	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect aTs, JS::GCCellPtr aThing, nsCycleCollectionTraversalCallback & aCb) Line 638	C++
 	xul.dll!mozilla::JSGCThingParticipant::Traverse(void * aPtr, nsCycleCollectionTraversalCallback & aCb) Line 335	C++
 	xul.dll!CCGraphBuilder::BuildGraph(js::SliceBudget & aBudget) Line 2239	C++
 	xul.dll!nsCycleCollector::MarkRoots(js::SliceBudget & aBudget) Line 2840	C++
 	xul.dll!nsCycleCollector::Collect(ccType aCCType, js::SliceBudget & aBudget, nsICycleCollectorListener * aManualListener, bool aPreferShorterSlices) Line 3611	C++
 	xul.dll!nsCycleCollector_collect(nsICycleCollectorListener * aManualListener) Line 4098	C++
 	xul.dll!`anonymous namespace'::WorkerJSRuntime::CustomGCCallback(JSGCStatus aStatus) Line 998	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus aStatus) Line 1240	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::GCCallback(JSRuntime * aRuntime, JSGCStatus aStatus, void * aData) Line 732	C++
 	xul.dll!js::gc::GCRuntime::collect(bool incremental, js::SliceBudget budget, JS::gcreason::Reason reason) Line 6147	C++
 	xul.dll!js::gc::GCRuntime::gc(JSGCInvocationKind gckind, JS::gcreason::Reason reason) Line 6204	C++
 	xul.dll!js::DestroyContext(JSContext * cx, js::DestroyContextMode mode) Line 187	C++
 	xul.dll!JS_DestroyContext(JSContext * cx) Line 738	C++
 	xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2800	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 846	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 265	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 355	C++
 	xul.dll!MessageLoop::RunHandler() Line 227	C++
 	xul.dll!MessageLoop::Run() Line 201	C++
 	xul.dll!nsThread::ThreadFunc(void * aArg) Line 361	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 419	C
 	nss3.dll!pr_root(void * arg) Line 90	C
 	[External Code]	



Variables:

-		aIn	0x0f44e160 {...}	nsISupports *
+		__vfptr	xul.dll!0x5a5a5a5a {0x65707974, DWrite.dll!0x6f5b0000, 0x63656a62}	void * *
+		out	0x00000000 <NULL>	nsISupports *


Registers:

EAX = 0F44E160 EBX = 00000000 ECX = 5A5A5A5A EDX = 16DCF8F0 ESI = 5A2D41AC EDI = 0FE38940 EIP = 58954E86 ESP = 16DCF8E4 EBP = 00000000 EFL = 00000000 

0xfffffffc = 00000000
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Flags: needinfo?(amarchesini)
Can you also reproduce this with 40 and 39?
Flags: needinfo?(loobenyang)
(In reply to Liz Henry (:lizzard) from comment #15)
> Can you also reproduce this with 40 and 39?

Yes. I just checked out the beta code and ran it in Visual Studio with the same test case (Uaf_CanonicalizeXPCOMParticipant_DedicatedWorker_repro.js), and got:

First-chance exception at 0x50F82E67 (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5A5A.
Unhandled exception at 0x50F82E67 (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5A5A.

Firefox version: 39.0

Variables:
-		aIn	0x14c14020 {...}	nsISupports *
+		__vfptr	0x5a5a5a5a {???, ???, ???}	void * *
+		out	0x00000000 <NULL>	nsISupports *

Stack:

>	xul.dll!CanonicalizeXPCOMParticipant(nsISupports * aIn) Line 931	C++
 	xul.dll!CCGraphBuilder::NoteXPCOMChild(nsISupports * aChild) Line 2356	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::NoteGCThingXPCOMChildren(const js::Class * aClasp, JSObject * aObj, nsCycleCollectionTraversalCallback & aCb) Line 630	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect aTs, JS::GCCellPtr aThing, nsCycleCollectionTraversalCallback & aCb) Line 663	C++
 	xul.dll!mozilla::JSGCThingParticipant::Traverse(void * aPtr, nsCycleCollectionTraversalCallback & aCb) Line 352	C++
 	xul.dll!CCGraphBuilder::BuildGraph(js::SliceBudget & aBudget) Line 2259	C++
 	xul.dll!nsCycleCollector::MarkRoots(js::SliceBudget & aBudget) Line 2865	C++
 	xul.dll!nsCycleCollector::Collect(ccType aCCType, js::SliceBudget & aBudget, nsICycleCollectorListener * aManualListener, bool aPreferShorterSlices) Line 3617	C++
 	xul.dll!nsCycleCollector_collect(nsICycleCollectorListener * aManualListener) Line 4090	C++
 	xul.dll!`anonymous namespace'::WorkerJSRuntime::CustomGCCallback(JSGCStatus aStatus) Line 971	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus aStatus) Line 1244	C++
 	xul.dll!mozilla::CycleCollectedJSRuntime::GCCallback(JSRuntime * aRuntime, JSGCStatus aStatus, void * aData) Line 757	C++
 	xul.dll!js::gc::GCRuntime::collect(bool incremental, js::SliceBudget budget, JS::gcreason::Reason reason) Line 6113	C++
 	xul.dll!js::gc::GCRuntime::gc(JSGCInvocationKind gckind, JS::gcreason::Reason reason) Line 6170	C++
 	xul.dll!js::DestroyContext(JSContext * cx, js::DestroyContextMode mode) Line 188	C++
 	xul.dll!JS_DestroyContext(JSContext * cx) Line 681	C++
 	xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2746	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 855	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 265	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 368	C++
 	xul.dll!MessageLoop::RunHandler() Line 227	C++
 	xul.dll!MessageLoop::Run() Line 201	C++
 	xul.dll!nsThread::ThreadFunc(void * aArg) Line 358	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 419	C
 	nss3.dll!pr_root(void * arg) Line 90	C
 	[External Code]	
 	[Frames below may be incorrect and/or missing, no symbols loaded for msvcr120.dll]
Flags: needinfo?(loobenyang)
OK. Thanks Looben. Looks like we need to mark this as still not fixed for 39 and 40 then.
Should this be verified also on ESR 31 and 38, or is it safe to assume those would be affected as well?
I think we can assume they're affected, yes.
Attached patch crash2.patch (obsolete) — Splinter Review
Flags: needinfo?(amarchesini)
Attachment #8617392 - Flags: review?(bent.mozilla)
Comment on attachment 8617392 [details] [diff] [review]
crash2.patch

Review of attachment 8617392 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/workers/XMLHttpRequest.cpp
@@ +1877,5 @@
>    mProxy->mOuterChannelId++;
>  
>    JSContext* cx = mWorkerPrivate->GetJSContext();
>  
> +  nsRefPtr<XMLHttpRequest> kungFuDeathGrip(this);
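Review bot: the `kungFuDeathGrip(this)` added here only masks the lifetime bug rather than fixing it. The debugger output earlier in this bug shows `CanonicalizeXPCOMParticipant(aIn)` reading `__vfptr 0x5a5a5a5a` from the XMLHttpRequest that the JS wrapper still hands to the cycle collector, i.e. the C++ object is released while its binding still references it. An extra reference held for the duration of this method delays that release but does not explain why the binding stopped keeping the object alive; before any patch lands, find the path that drops the reference early (the pin/unpin handling around the dispatch in this method is the obvious candidate) and fix that, then drop the grip.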

This really shouldn't be needed because the binding object should be holding this object alive. We need to figure out why that isn't happening.

I suggest inspecting the binding object when we crash. It should be on the stack. And see if the binding object still has a pointer to the c++ object in its private slot.
Attachment #8617392 - Flags: review?(bent.mozilla) → review-
Attached patch crash2.patch (obsolete) — Splinter Review
You are right, I don't have to keep the obj alive.
Attachment #8613543 - Attachment is obsolete: true
Attachment #8617392 - Attachment is obsolete: true
Attachment #8617836 - Flags: review?(bent.mozilla)
Comment on attachment 8617836 [details] [diff] [review]
crash2.patch

Review of attachment 8617836 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/workers/XMLHttpRequest.cpp
@@ +1882,5 @@
>      new SendRunnable(mWorkerPrivate, mProxy, aStringBody, Move(aBody),
>                       aClonedObjects, syncLoopTarget, hasUploadListeners);
>    if (!runnable->Dispatch(cx)) {
> +    // If we are not rooted now, it seems that the worker thread is going away
> +    // soon and we have been unpinned by the feature.

Maybe say:

  Dispatch() may have spun the event loop and we may have already
  unrooted. If so we don't want autoUnpin to try again.
Attachment #8617836 - Flags: review?(bent.mozilla) → review+
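The two review comments above describe the same hazard from both sides: the rejected kungFuDeathGrip only delays the release, while the accepted patch checks whether the object is still rooted after Dispatch() before letting the automatic unpin run again. The following model is an added illustration, not Firefox code and not part of this bug's patches: `WorkerXhr`, `WorkerModel`, `AutoUnpin`, `SendBefore` and `SendAfter` are assumed stand-ins for the pinned worker XMLHttpRequest, the worker's dispatch path and the RAII unpinner. The "before" variant releases the caller's own reference when the worker unroots the object during dispatch, which is the double release behind the use-after-free; the "after" variant skips the second unpin.

```cpp
#include <vector>

// Assumed stand-in for a cycle-collected DOM object (a worker
// XMLHttpRequest) that is "pinned" with an extra reference, keeping its JS
// wrapper rooted, while a request is in flight. Not Firefox code.
struct WorkerXhr {
    int refcnt = 1;          // the caller's own reference
    bool rooted = false;     // is the pin currently held?
    bool destroyed = false;  // refcount reached zero

    void Pin() { ++refcnt; rooted = true; }
    void Unpin() {
        rooted = false;
        if (--refcnt == 0) destroyed = true;
    }
};

// Assumed stand-in for the worker: dispatching a runnable may spin the
// event loop, and a worker that is going away unroots every pinned object
// while that loop runs.
struct WorkerModel {
    bool shuttingDown = false;
    std::vector<WorkerXhr*> pinned;

    bool Dispatch() {
        if (!shuttingDown) return true;
        for (WorkerXhr* p : pinned) if (p->rooted) p->Unpin();
        pinned.clear();
        return false;  // runnable not accepted; the caller must clean up
    }
};

// RAII helper that unpins on scope exit unless told to forget.
struct AutoUnpin {
    WorkerXhr* x;
    explicit AutoUnpin(WorkerXhr* xhr) : x(xhr) {}
    void Forget() { x = nullptr; }
    ~AutoUnpin() { if (x) x->Unpin(); }
};

// Before: the failure path lets AutoUnpin release unconditionally. When
// Dispatch() already unrooted us, that second Unpin() drops the caller's
// own reference and the object is freed while still in use.
bool SendBefore(WorkerModel& w, WorkerXhr& x) {
    x.Pin();
    w.pinned.push_back(&x);
    AutoUnpin autoUnpin(&x);
    if (!w.Dispatch()) return false;
    autoUnpin.Forget();  // pin stays until the response arrives
    return true;
}

// After: if Dispatch() spun the event loop and we were unrooted meanwhile,
// tell AutoUnpin not to try again.
bool SendAfter(WorkerModel& w, WorkerXhr& x) {
    x.Pin();
    w.pinned.push_back(&x);
    AutoUnpin autoUnpin(&x);
    if (!w.Dispatch()) {
        if (!x.rooted) autoUnpin.Forget();
        return false;
    }
    autoUnpin.Forget();
    return true;
}

// Shutdown-during-dispatch scenario: was the object destroyed while the
// caller still held its own reference?
bool FreedUnderCaller(bool fixed) {
    WorkerModel w;
    w.shuttingDown = true;
    WorkerXhr x;
    (void)(fixed ? SendAfter(w, x) : SendBefore(w, x));  // fails either way
    return x.destroyed;
}

// Normal path: dispatch succeeds and the pin must survive the call, so the
// refcount is the caller's reference plus the pin.
int RefcountAfterSend(bool fixed) {
    WorkerModel w;
    WorkerXhr x;
    bool ok = fixed ? SendAfter(w, x) : SendBefore(w, x);
    return ok ? x.refcnt : -1;
}

int main() {
    return (FreedUnderCaller(false) && !FreedUnderCaller(true)) ? 0 : 1;
}
```

The model deliberately keeps `Unpin()` from touching freed memory; in the real code the second release is what lets the cycle collector later traverse a wrapper whose private pointer names a freed XMLHttpRequest, which is the heap-use-after-free in the ASan report at the top of this bug.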
Attached patch crash2.patch — Splinter Review
Attachment #8617836 - Attachment is obsolete: true
Comment on attachment 8620914 [details] [diff] [review]
crash2.patch

Read comment 6.
Attachment #8620914 - Flags: sec-approval?
Comment on attachment 8620914 [details] [diff] [review]
crash2.patch

sec-approval+ for trunk.

We'll want patches for all affected branches as well.
Attachment #8620914 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/281a5a64be5e
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Thanks Andrea for the prompt fix!

- Looben
Looben, can you verify that this fixed across the board now?
Flags: sec-bounty?
Flags: sec-bounty+
Flags: needinfo?(loobenyang)
(In reply to Al Billings [:abillings] from comment #33)
> Looben, can you verify that this fixed across the board now?

I've already verified it's fixed in trunk and the latest official Linux ASan build. Thanks for the quick turnaround.
Flags: needinfo?(loobenyang)
Whiteboard: [adv-main39+][adv-esr38.1+][adv-esr31.8+]
Alias: CVE-2015-2733
Whiteboard: [adv-main39+][adv-esr38.1+][adv-esr31.8+] → [adv-main39+][adv-esr38.1+][adv-esr31.8+][b2g-adv-main2.2+]
Group: core-security → core-security-release
Group: core-security-release