Closed Bug 1183612 Opened 9 years ago Closed 9 years ago

global-buffer-overflow in DiscardTransferables

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1180988

People

(Reporter: attekett, Unassigned)

Details

(Keywords: csectype-bounds, regression, sec-high)

Attachments

(1 file)

Attached file repro-file.html
Someone who knows the correct Product/Component for this bug, please set it right.

Tested on:

OS: Ubuntu 14.04

Firefox: ASAN-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1436695332/

Once the repro-file is loaded into Firefox, give it some time to trigger the crash. It took ~10-15s on my machines.

The repro-file has setTimeout(function(){location.reload()},5); you might need to change the 5ms timing to reproduce the crash, but the 5ms timeout seemed stable on my desktop (i7-3770k) and laptop (i7-3537U) hardware.

There are two different stack traces from the same repro-file:

#1 ASAN-trace:

IPDL protocol error: Handler for Disentangle returned error code

###!!! [Parent][DispatchAsyncMessage] Error: (msgtype=0x880002,name=PMessagePort::Msg_Disentangle) Processing error: message was deserialized, but the handler returned false (indicating failure)

=================================================================
==21384==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fb7cd081408 at pc 0x7fb7c562cbf9 bp 0x7ffeb473d580 sp 0x7ffeb473d578
READ of size 8 at 0x7fb7cd081408 thread T0 (Web Content)
    #0 0x7fb7c562cbf8 in operator[] /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:488
    #1 0x7fb7c91abb49 in DiscardTransferables /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:428
    #2 0x7fb7c91bdaf1 in JS_ClearStructuredClone /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:1913
    #3 0x7fb7c5628840 in FreeStructuredClone /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePortUtils.cpp:285
    #4 0x7fb7c562b0b7 in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/SharedMessagePortMessage.h:21
    #5 0x7fb7c56205a0 in ~nsRefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsRefPtr.h:66
    #6 0x7fb7c561ca7a in ~MessagePort /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:314
    #7 0x7fb7c561d03d in ~MessagePort /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:311
    #8 0x7fb7c03fb9fd in ~SnowWhiteKiller /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2638
    #9 0x7fb7c03fb62e in FreeSnowWhite /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806
    #10 0x7fb7c17e0b44 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:140
    #11 0x7fb7c04fe8c7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:867
    #12 0x7fb7c056cf7a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #13 0x7fb7c0dce879 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #14 0x7fb7c0d5c09c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #15 0x7fb7c59fb997 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #16 0x7fb7c785f512 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #17 0x7fb7c0d5c09c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7fb7c785ec09 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #19 0x48d632 in content_process_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #20 0x7fb7bdf77ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #21 0x48c98c in _start ??:?

0x7fb7cd081408 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' from '/builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/xpcom/build/Unified_cpp_xpcom_build1.cpp' (0x7fb7cd081400) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0ff779a08230: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08240: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08250: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08260: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a08270: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff779a08280: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff779a08290: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082a0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082b0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082c0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff779a082d0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==21384==ABORTING
[Parent 21335] WARNING: pipe error (51): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459

###!!! [Parent][MessageChannel] Error: (msgtype=0x20007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv


###!!! [Parent][MessageChannel] Error: (msgtype=0x20007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

#2 ASAN-trace:

==21995==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6f14e67408 at pc 0x7f6f0d412bf9 bp 0x7ffdf76b8560 sp 0x7ffdf76b8558
READ of size 8 at 0x7f6f14e67408 thread T0 (Web Content)
    #0 0x7f6f0d412bf8 in Hdr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:488:0
    #1 0x7f6f0d412bf8 in Elements /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:962:0
    #2 0x7f6f0d412bf8 in ElementAt /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:979:0
    #3 0x7f6f0d412bf8 in operator[] /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1013:0
    #4 0x7f6f0d412bf8 in mozilla::dom::messageport::(anonymous namespace)::FreeTransfer(unsigned int, JS::TransferableOwnership, void*, unsigned long, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePortUtils.cpp:208:0
    #5 0x7f6f10f91b49 in DiscardTransferables(unsigned long*, unsigned long, JSStructuredCloneCallbacks const*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:428:0
    #6 0x7f6f10fa3af1 in JS_ClearStructuredClone(unsigned long*, unsigned long, JSStructuredCloneCallbacks const*, void*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/StructuredClone.cpp:1913:0
    #7 0x7f6f0d40e840 in FreeStructuredClone /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePortUtils.cpp:285:0
    #8 0x7f6f0d40e840 in mozilla::dom::SharedMessagePortMessage::~SharedMessagePortMessage() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/SharedMessagePortMessage.cpp:26:0
    #9 0x7f6f0d4110b7 in mozilla::dom::SharedMessagePortMessage::Release() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/SharedMessagePortMessage.h:21:0
    #10 0x7f6f0d4065a0 in ~nsRefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsRefPtr.h:66:0
    #11 0x7f6f0d4065a0 in Destruct /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:523:0
    #12 0x7f6f0d4065a0 in DestructRange /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1995:0
    #13 0x7f6f0d4065a0 in Length /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1637:0
    #14 0x7f6f0d4065a0 in Clear /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:1646:0
    #15 0x7f6f0d4065a0 in nsTArray_Impl<nsRefPtr<mozilla::dom::SharedMessagePortMessage>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/messagechannel/../../dist/include/nsTArray.h:827:0
    #16 0x7f6f0d402a7a in mozilla::dom::MessagePort::~MessagePort() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:314:0
    #17 0x7f6f0d40303d in mozilla::dom::MessagePort::~MessagePort() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/messagechannel/MessagePort.cpp:311:0
    #18 0x7f6f081e19fd in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2638:0
    #19 0x7f6f081e162e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806:0
    #20 0x7f6f095c6b44 in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:140:0
    #21 0x7f6f082e48c7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:867:0
    #22 0x7f6f08352f7a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277:0
    #23 0x7f6f08bb4879 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95:0
    #24 0x7f6f08b4209c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #25 0x7f6f08b4209c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #26 0x7f6f08b4209c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #27 0x7f6f0d7e1997 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165:0
    #28 0x7f6f0f645512 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:0
    #29 0x7f6f08b4209c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #30 0x7f6f08b4209c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #31 0x7f6f08b4209c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #32 0x7f6f0f644c09 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614:0
    #33 0x48d632 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236:0
    #34 0x7f6f05d5dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287:0
    #35 0x48c98c in _start ??:0:0

0x7f6f14e67408 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' from '/builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/xpcom/build/Unified_cpp_xpcom_build1.cpp' (0x7f6f14e67400) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x0fee629c4e30: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e40: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e50: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e60: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4e70: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x0fee629c4e80: 00[f9]f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fee629c4e90: 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4ea0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4eb0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4ec0: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fee629c4ed0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==21995==ABORTING
[Parent 21944] WARNING: pipe error (56): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459

###!!! [Parent][MessageChannel] Error: (msgtype=0x20007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
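
Both traces report the same thing: an 8-byte read by nsTArray's operator[] (via ElementAt → Elements → Hdr in trace #2) at the address immediately after the 8-byte global nsTArrayHeader::sEmptyHdr, i.e. element 0 of an array whose header is the shared empty sentinel. The toy model below is added here to illustrate that layout; it is not Mozilla code and does not reproduce the bug. ToyHeader, ToyArray, SafeElementAt and BytesFromSentinelToElement0 are names chosen for the example, and the {length, capacity} header contents are an assumption modelled only on the 8-byte size ASan prints. It computes where an unchecked element-0 access on an empty array would land, and shows the bounds-checked accessor that turns that read into a handled failure.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Toy model (not Mozilla code) of an nsTArray-style layout: a header of
// {length, capacity} sits immediately before the element buffer, and every
// empty array points at one shared static header with no elements behind it,
// the counterpart of nsTArrayHeader::sEmptyHdr named in the ASan report.
// The field layout is an assumption; only the 8-byte size comes from the report.
struct ToyHeader {
  uint32_t length;
  uint32_t capacity;
};
static_assert(sizeof(ToyHeader) == 8, "8-byte header, as in the report");

// Shared sentinel for empty arrays. Nothing is allocated after it.
static ToyHeader sEmptyHdr = {0, 0};

class ToyArray {
 public:
  ToyArray() : mHdr(&sEmptyHdr) {}
  ToyArray(const ToyArray&) = delete;
  ToyArray& operator=(const ToyArray&) = delete;
  ~ToyArray() {
    if (mHdr != &sEmptyHdr) ::operator delete(mHdr);
  }

  uint32_t Length() const { return mHdr->length; }

  // Elements() is "one header past mHdr". For the sentinel that is the first
  // byte after an 8-byte global: exactly where ASan placed the faulting read.
  const uint64_t* Elements() const {
    return reinterpret_cast<const uint64_t*>(mHdr + 1);
  }
  uint64_t* Elements() { return reinterpret_cast<uint64_t*>(mHdr + 1); }

  // The address an unchecked operator[] would load from. Only the address is
  // computed here; dereferencing it on an empty array is the reported defect.
  const void* UncheckedElementAddress(uint32_t i) const {
    return Elements() + i;
  }

  // Bounds-checked accessor (the mitigation): refuses instead of reading.
  bool SafeElementAt(uint32_t i, uint64_t& out) const {
    if (i >= Length()) return false;
    out = Elements()[i];
    return true;
  }

  void Append(uint64_t v) {
    if (mHdr->length == mHdr->capacity) {
      uint32_t newCap = mHdr->capacity ? mHdr->capacity * 2 : 4;
      auto* newHdr = static_cast<ToyHeader*>(
          ::operator new(sizeof(ToyHeader) + newCap * sizeof(uint64_t)));
      newHdr->length = mHdr->length;
      newHdr->capacity = newCap;
      if (mHdr != &sEmptyHdr) {
        std::memcpy(newHdr + 1, mHdr + 1, mHdr->length * sizeof(uint64_t));
        ::operator delete(mHdr);
      }
      mHdr = newHdr;
    }
    Elements()[mHdr->length++] = v;
  }

 private:
  ToyHeader* mHdr;
};

// Bytes from the start of the shared sentinel to where element 0 of |a| would
// be read. For an empty array this is sizeof(ToyHeader) == 8, matching
// "0 bytes to the right of global variable ... of size 8" in the report.
std::ptrdiff_t BytesFromSentinelToElement0(const ToyArray& a) {
  return static_cast<const char*>(a.UncheckedElementAddress(0)) -
         reinterpret_cast<const char*>(&sEmptyHdr);
}

int main() {
  ToyArray empty;
  std::printf("empty array: element 0 would be read %td bytes into an "
              "8-byte global (length=%u)\n",
              BytesFromSentinelToElement0(empty), empty.Length());

  uint64_t v = 0;
  std::printf("SafeElementAt(0) on empty array -> %s\n",
              empty.SafeElementAt(0, v) ? "value" : "rejected");

  ToyArray one;
  one.Append(0x4141);
  if (one.SafeElementAt(0, v)) {
    std::printf("SafeElementAt(0) after Append -> %#llx\n",
                static_cast<unsigned long long>(v));
  }
  return 0;
}
```

The point of the model is the sentinel: an empty container that shares a static header has no element storage at all, so any path that indexes it without consulting Length() reads whatever the linker placed after the header, which under ASan is a global redzone and in a release build is an arbitrary neighbouring global. A length check at the access site, as in SafeElementAt, is the direct defence.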
Component: General → DOM
Flags: needinfo?(amarchesini)
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML