Closed
Bug 1183612
Opened 9 years ago
Closed 9 years ago
global-buffer-overflow in DiscardTransferables
Categories: Core :: DOM: Core & HTML, defect
Tracking
Status: RESOLVED DUPLICATE of bug 1180988
People
(Reporter: attekett, Unassigned)
Details
(Keywords: csectype-bounds, regression, sec-high)
Attachments (1 file)
709 bytes, text/html
Someone who knows the correct Product/Component for this bug, please set it right.

Tested on:
OS: Ubuntu 14.04
Firefox: ASAN-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1436695332/

Once the repro-file is loaded into Firefox, give it some time to trigger the crash. Took ~10-15s on my machines. The repro-file has setTimeout(function(){location.reload()},5), from which you might need to change the 5ms timing to reproduce the crash, but the 5ms timeout seemed stable on my desktop (i7-3770k) and laptop (i7-3537U) HW.

There are two different stack-traces from the same repro-file:

#1 ASAN-trace:

IPDL protocol error: Handler for Disentangle returned error code
###!!! [Parent][DispatchAsyncMessage] Error: (msgtype=0x880002,name=PMessagePort::Msg_Disentangle) Processing error: message was deserialized, but the handler returned false (indicating failure)
=================================================================
==21384==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fb7cd081408 at pc 0x7fb7c562cbf9 bp 0x7ffeb473d580 sp 0x7ffeb473d578
READ of size 8 at 0x7fb7cd081408 thread T0 (Web Content)
    #0 0x7fb7c562cbf8 in operator[] /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:488
    #1 0x7fb7c91abb49 in DiscardTransferables /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:428
    #2 0x7fb7c91bdaf1 in JS_ClearStructuredClone /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:1913
    #3 0x7fb7c5628840 in FreeStructuredClone /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePortUtils.cpp:285
    #4 0x7fb7c562b0b7 in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/SharedMessagePortMessage.h:21
    #5 0x7fb7c56205a0 in ~nsRefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsRefPtr.h:66
    #6 0x7fb7c561ca7a in ~MessagePort /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:314
    #7 0x7fb7c561d03d in ~MessagePort /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:311
    #8 0x7fb7c03fb9fd in ~SnowWhiteKiller /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2638
    #9 0x7fb7c03fb62e in FreeSnowWhite /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806
    #10 0x7fb7c17e0b44 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:140
    #11 0x7fb7c04fe8c7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:867
    #12 0x7fb7c056cf7a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #13 0x7fb7c0dce879 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #14 0x7fb7c0d5c09c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #15 0x7fb7c59fb997 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #16 0x7fb7c785f512 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #17 0x7fb7c0d5c09c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7fb7c785ec09 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #19 0x48d632 in content_process_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #20 0x7fb7bdf77ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #21 0x48c98c in _start ??:?

0x7fb7cd081408 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' from '/builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/xpcom/build/Unified_cpp_xpcom_build1.cpp' (0x7fb7cd081400) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0ff779a08230: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08240: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08250: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08260: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08270: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff779a08280: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff779a08290: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082a0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082b0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082c0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082d0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==21384==ABORTING
[Parent 21335] WARNING: pipe error (51): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
###!!! [Parent][MessageChannel] Error: (msgtype=0x20007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
###!!! [Parent][MessageChannel] Error: (msgtype=0x20007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

#2 ASAN-trace:

==21995==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6f14e67408 at pc 0x7f6f0d412bf9 bp 0x7ffdf76b8560 sp 0x7ffdf76b8558
READ of size 8 at 0x7f6f14e67408 thread T0 (Web Content)
    #0 0x7f6f0d412bf8 in Hdr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:488:0
    #1 0x7f6f0d412bf8 in Elements /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:962:0
    #2 0x7f6f0d412bf8 in ElementAt /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:979:0
    #3 0x7f6f0d412bf8 in operator[] /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1013:0
    #4 0x7f6f0d412bf8 in mozilla::dom::messageport::(anonymous namespace)::FreeTransfer(unsigned int, JS::TransferableOwnership, void*, unsigned long, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePortUtils.cpp:208:0
    #5 0x7f6f10f91b49 in DiscardTransferables(unsigned long*, unsigned long, JSStructuredCloneCallbacks const*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:428:0
    #6 0x7f6f10fa3af1 in JS_ClearStructuredClone(unsigned long*, unsigned long, JSStructuredCloneCallbacks const*, void*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:1913:0
    #7 0x7f6f0d40e840 in FreeStructuredClone /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePortUtils.cpp:285:0
    #8 0x7f6f0d40e840 in mozilla::dom::SharedMessagePortMessage::~SharedMessagePortMessage() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/SharedMessagePortMessage.cpp:26:0
    #9 0x7f6f0d4110b7 in mozilla::dom::SharedMessagePortMessage::Release() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/SharedMessagePortMessage.h:21:0
    #10 0x7f6f0d4065a0 in ~nsRefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsRefPtr.h:66:0
    #11 0x7f6f0d4065a0 in Destruct /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:523:0
    #12 0x7f6f0d4065a0 in DestructRange /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1995:0
    #13 0x7f6f0d4065a0 in Length /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1637:0
    #14 0x7f6f0d4065a0 in Clear /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1646:0
    #15 0x7f6f0d4065a0 in nsTArray_Impl<nsRefPtr<mozilla::dom::SharedMessagePortMessage>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:827:0
    #16 0x7f6f0d402a7a in mozilla::dom::MessagePort::~MessagePort() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:314:0
    #17 0x7f6f0d40303d in mozilla::dom::MessagePort::~MessagePort() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:311:0
    #18 0x7f6f081e19fd in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2638:0
    #19 0x7f6f081e162e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806:0
    #20 0x7f6f095c6b44 in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:140:0
    #21 0x7f6f082e48c7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:867:0
    #22 0x7f6f08352f7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277:0
    #23 0x7f6f08bb4879 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95:0
    #24 0x7f6f08b4209c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #25 0x7f6f08b4209c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #26 0x7f6f08b4209c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #27 0x7f6f0d7e1997 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165:0
    #28 0x7f6f0f645512 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:0
    #29 0x7f6f08b4209c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #30 0x7f6f08b4209c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #31 0x7f6f08b4209c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #32 0x7f6f0f644c09 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614:0
    #33 0x48d632 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236:0
    #34 0x7f6f05d5dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
    #35 0x48c98c in _start ??:0:0

0x7f6f14e67408 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' from '/builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/xpcom/build/Unified_cpp_xpcom_build1.cpp' (0x7f6f14e67400) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0fee629c4e30: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e40: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e50: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e60: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e70: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0fee629c4e80: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fee629c4e90: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4ea0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4eb0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4ec0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4ed0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==21995==ABORTING
[Parent 21944] WARNING: pipe error (56): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
###!!! [Parent][MessageChannel] Error: (msgtype=0x20007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
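Reading the two traces above: the faulting READ of size 8 lands 0 bytes past nsTArrayHeader::sEmptyHdr, an 8-byte global, because operator[] on an empty nsTArray computes the address of element 0 as "header + 1" without a length check. The toy model below (added for this page, constructed from the trace and not Gecko code; ToyArray, Header, EmptyElement0Offset and GuardedReadOnEmpty are invented names) reproduces that layout so the offset in the report can be verified, and shows the length-checked access that would have refused the read.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Toy model of the nsTArray storage header: 8 bytes, followed directly by
// the elements. Constructed for this page; the real header also packs flags.
struct Header {
  uint32_t mLength;
  uint32_t mCapacity;
};

// Every empty array points at one shared, static, zero-length header instead
// of owning a buffer. ASAN reported the read as "0 bytes to the right" of it.
static Header sEmptyHdr = {0, 0};

template <typename T>
class ToyArray {
 public:
  ToyArray() : mHdr(&sEmptyHdr) {}
  size_t Length() const { return mHdr->mLength; }
  // Elements() is hdr + 1: for an empty array that is sEmptyHdr + 8,
  // i.e. the first byte of the global redzone ([f9] in the shadow dump).
  T* Elements() const { return reinterpret_cast<T*>(mHdr + 1); }
  // Unchecked access as in the trace (Hdr -> Elements -> ElementAt ->
  // operator[]); on an empty array this is the global-buffer-overflow.
  T& operator[](size_t i) const { return Elements()[i]; }
  // Length-checked access: reports failure instead of reading out of bounds.
  bool SafeElementAt(size_t i, T& out) const {
    if (i >= Length()) return false;
    out = Elements()[i];
    return true;
  }
 private:
  Header* mHdr;
};

// Byte distance from the shared empty header to where element 0 would be read.
size_t EmptyElement0Offset() {
  ToyArray<void*> empty;
  return reinterpret_cast<uintptr_t>(empty.Elements()) -
         reinterpret_cast<uintptr_t>(&sEmptyHdr);
}

// A FreeTransfer-style caller that checks before indexing: false when empty.
bool GuardedReadOnEmpty() {
  ToyArray<void*> ports;   // no transferred ports, so Length() == 0
  void* first = nullptr;
  return ports.SafeElementAt(0, first);
}

int main() {
  printf("element 0 of an empty array is %zu bytes past sEmptyHdr (size %zu)\n",
         EmptyElement0Offset(), sizeof(Header));
  printf("guarded read on empty array: %s\n",
         GuardedReadOnEmpty() ? "read" : "refused");
  return 0;
}
```

The offset it reports (8) matches both traces: the fault address is exactly the global's base address plus its size, which is the signature of indexing element 0 of an empty nsTArray.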
Updated 9 years ago
Component: General → DOM
Flags: needinfo?(amarchesini)

Updated 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE

Updated 9 years ago
Group: core-security → core-security-release

Updated 8 years ago
Group: core-security-release

Updated 5 years ago
Component: DOM → DOM: Core & HTML