Bug 1200004 (CVE-2015-4510)

IDB - Use After Free in WorkerPrivate::NotifyFeatures

VERIFIED FIXED in Firefox 41

Status: VERIFIED FIXED (defect, severity critical)

People: Reporter: loobenyang, Assigned: khuey

Tracking: Keywords: csectype-uaf, sec-critical
Version: 43 Branch
Target Milestone: mozilla43
Bug Flags: sec-bounty +

Firefox Tracking Flags: firefox40 wontfix, firefox41+ verified, firefox42+ verified, firefox43+ verified, firefox-esr38 unaffected

Details: Whiteboard: [adv-main41+]

Attachments: 3 attachments, 1 obsolete attachment

Using IndexedDB in a shared worker can trigger a Use After Free in WorkerPrivate::NotifyFeatures.

Reproduction test case (just the shared worker code; for the full test case please refer to the attached Uaf_IdbNotifyFeatures.js):

var dbreq0 = indexedDB.open("TestDb1", {version: 2, storage: "persistent"}); // open request; persistent storage leads to a permission challenge (see RecvPermissionChallenge in the stacks below)
close();                                                   // start shutting the shared worker down while the request is still pending
if (nonexistvariable != undefined) { var whatever; };      // nonexistvariable is undeclared, so this throws a ReferenceError


Steps to reproduce:
1. Run the server side script Uaf_IdbNotifyFeatures.js in Node.js (node Uaf_IdbNotifyFeatures.js).
2. Enter http://localhost:12345 in the Firefox browser.


Firefox version: 43.0a1 (2015-08-28)
Full call stack:


(c6c.273c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0806e9b8 ebx=08006c00 ecx=0806e9a8 edx=00000002 esi=08006f0c edi=08006c00
eip=07221f41 esp=084ff3e4 ebp=084ff438 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
07221f41 0000            add     byte ptr [eax],al          ds:002b:0806e9b8=60
1:082> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
unknown!noop+0
07221f41 0000            add     byte ptr [eax],al

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 07221f41
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 07221f41
Attempt to execute non-executable address 07221f41

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=0806e9b8 ebx=08006c00 ecx=0806e9a8 edx=00000002 esi=08006f0c edi=08006c00
eip=07221f41 esp=084ff3e4 ebp=084ff438 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
07221f41 0000            add     byte ptr [eax],al          ds:002b:0806e9b8=60

FAULTING_THREAD:  0000273c

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT

PROCESS_NAME:  plugin-container.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  07221f41

WRITE_ADDRESS:  07221f41 

FOLLOWUP_IP: 
unknown!noop+0
07221f41 0000            add     byte ptr [eax],al

FAILED_INSTRUCTION_ADDRESS: 
unknown!noop+0
07221f41 0000            add     byte ptr [eax],al

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

APP:  plugin-container.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

IP_ON_HEAP:  07221f41
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT

LAST_CONTROL_TRANSFER:  from 1048618f to 07221f41

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
084ff3e0 1048618f 04b52320 00000004 00000000 0x7221f41
084ff438 100761e7 04b52320 00000004 04b52320 xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+0x40fefc
084ff4c0 1021ca8a 04b52320 00000004 084ff5dc xul!mozilla::dom::workers::WorkerPrivate::NotifyInternal+0x7b
084ff4d0 10073700 04b52320 08006c00 076394a0 xul!`anonymous namespace'::NotifyRunnable::WorkerRun+0x11
084ff5dc 100764be 076394a0 08006e8c 07fdc968 xul!mozilla::dom::workers::WorkerRunnable::Run+0x1b0
084ff610 10075bb5 04b52320 0808b000 08097c80 xul!mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked+0xa3
084ff65c 0fcbdb7d 04b52320 00000000 0804ff80 xul!mozilla::dom::workers::WorkerPrivate::DoRunLoop+0xbe
084ff774 10015770 08097c80 07f2d7c0 084ff801 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x109
084ff86c 10016792 0804ff80 084ff801 084ff887 xul!nsThread::ProcessNextEvent+0x72c
084ff888 102440bf 07f2d7c0 07f2d7c0 02c15b70 xul!NS_ProcessNextEvent+0x1a
084ff8ac 10013b35 07f2d7c0 d1888788 0804ff80 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xab
084ff8e4 10013bf8 07f2d7c0 00000001 0804ff00 xul!MessageLoop::RunHandler+0x20
084ff904 101a2d9e 776524f0 02c15ac0 02c15b70 xul!MessageLoop::Run+0x19
084ff91c 028c257f 0804ff80 0f78bfb4 07911fc8 xul!nsThread::ThreadFunc+0x8c
084ff938 028c1d04 02c15ac0 084ff97c 0f78c01d nss3!_PR_NativeRunThread+0x8c
084ff944 0f78c01d 02c15ac0 c0408c86 0f78bfb4 nss3!pr_root+0xd
084ff97c 0f78c001 0f78bfb4 084ff99c 77657c04 MSVCR120!_callthreadstartex+0x1b
084ff988 77657c04 07901a68 77657be0 b7a6d8c8 MSVCR120!_threadstartex+0x7c
084ff99c 77dcad1f 07901a68 b7364a4f 00000000 KERNEL32!BaseThreadInitThunk+0x24
084ff9e4 77dcacea ffffffff 77db0228 00000000 ntdll!__RtlUserThreadStart+0x2f
084ff9f4 00000000 0f78bfb4 07901a68 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  unknown!noop+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_c0000005_unknown!noop

BUCKET_ID:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_BAD_IP_unknown!noop+0

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_c0000005_unknown!noop

FAILURE_ID_HASH:  {ac0d80f2-b5ab-6e06-97ce-8f3501b5f44a}

Followup: MachineOwner
---------
For your reference, when I ran the same test case in the official Linux ASan build, I got:

Firefox: 43.0a1 (2015-08-24)

=================================================================
==6674==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800007fab8 at pc 0x7f3216c9aa60 bp 0x7f31f2d6d7d0 sp 0x7f31f2d6d7c8
READ of size 8 at 0x60800007fab8 thread T23 (DOM Worker)
    #0 0x7f3216c9aa5f in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5811
    #1 0x7f3216c96e38 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6272
    #2 0x7f3216cb58c4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #3 0x7f3216c96985 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5610
    #4 0x7f3216c9474c in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5073
    #5 0x7f3216c2b1d7 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2875
    #6 0x7f3211999574 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #7 0x7f3211a0fb8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #8 0x7f32122871c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #9 0x7f3212212e1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #10 0x7f3212212e1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #11 0x7f3212212e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #12 0x7f3211995a35 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #13 0x7f321eb704b5 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #14 0x7f321f1b8181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #15 0x7f320f48b30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x60800007fab8 is located 24 bytes inside of 88-byte region [0x60800007faa0,0x60800007faf8)
freed by thread T23 (DOM Worker) here:
    #0 0x474de1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f3211a0ebdc in nsRunnable::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:32
    #2 0x7f3216a72956 in Release /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/mozilla/nsRefPtr.h:366
    #3 0x7f3216a72956 in ~nsRefPtr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/mozilla/nsRefPtr.h:57
    #4 0x7f3216a72956 in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::RecvPermissionChallenge(mozilla::ipc::PrincipalInfo const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1393
    #5 0x7f3212358283 in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBFactoryRequestChild.cpp:214
    #6 0x7f3212319b8c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1314
    #7 0x7f321227f482 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1382
    #8 0x7f321227cfa2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1302
    #9 0x7f32122707f2 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1273
    #10 0x7f3212214294 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #11 0x7f3212214294 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #12 0x7f3212215347 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #13 0x7f3212286a82 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:220
    #14 0x7f3211999574 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #15 0x7f3211a0fb8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #16 0x7f3216c94c73 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5165
    #17 0x7f3216c2b1d7 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2875
    #18 0x7f3211999574 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #19 0x7f3211a0fb8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #20 0x7f32122871c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #21 0x7f3212212e1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #22 0x7f3212212e1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #23 0x7f3212212e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #24 0x7f3211995a35 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #25 0x7f321eb704b5 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #26 0x7f321f1b8181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

previously allocated by thread T23 (DOM Worker) here:
    #0 0x474fe1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48dc8d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f3216a72745 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7f3216a72745 in mozilla::dom::indexedDB::BackgroundFactoryRequestChild::RecvPermissionChallenge(mozilla::ipc::PrincipalInfo const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1380
    #4 0x7f3212358283 in mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBFactoryRequestChild.cpp:214
    #5 0x7f3212319b8c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1314
    #6 0x7f321227f482 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1382
    #7 0x7f321227cfa2 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1302
    #8 0x7f32122707f2 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1273
    #9 0x7f3212214294 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #10 0x7f3212214294 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #11 0x7f3212215347 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #12 0x7f3212286a82 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:220
    #13 0x7f3211999574 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #14 0x7f3211a0fb8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #15 0x7f3216c94c73 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5165
    #16 0x7f3216c2b1d7 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2875
    #17 0x7f3211999574 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #18 0x7f3211a0fb8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #19 0x7f32122871c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #20 0x7f3212212e1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #21 0x7f3212212e1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #22 0x7f3212212e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #23 0x7f3211995a35 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #24 0x7f321eb704b5 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #25 0x7f321f1b8181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T23 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461855 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f321eb6ce3d in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f321eb6c9ba in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f321199703d in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7f3216d0389a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f3216bfe3b0 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1753
    #6 0x7f3216bfb6d4 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1592
    #7 0x7f3216c93602 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4726
    #8 0x7f3216c04823 in mozilla::dom::workers::RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext*, mozilla::dom::workers::WorkerLoadInfo*, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2499
    #9 0x7f3216c040bf in mozilla::dom::workers::RuntimeService::CreateSharedWorkerInternal(mozilla::dom::GlobalObject const&, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2450
    #10 0x7f3216c7a1ea in CreateSharedWorker /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.h:157
    #11 0x7f3216c7a1ea in mozilla::dom::workers::SharedWorker::Constructor(mozilla::dom::GlobalObject const&, JSContext*, nsAString_internal const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/SharedWorker.cpp:69
    #12 0x7f3214d440f3 in mozilla::dom::SharedWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./SharedWorkerBinding.cpp:240
    #13 0x7f321a7b4ed3 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #14 0x7f321a7b4ed3 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #15 0x7f321a7b4ed3 in InternalConstruct(JSContext*, JS::CallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:855
    #16 0x7f321a7a36d6 in ConstructFromStack /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:882
    #17 0x7f321a7a36d6 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:3051
    #18 0x7f321a782d87 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:704
    #19 0x7f321a7b5ef8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:978
    #20 0x7f321a7b6558 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:1011
    #21 0x7f321b2eb4f6 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4443
    #22 0x7f321b2ebd1b in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4470
    #23 0x7f3213ec6684 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:224
    #24 0x7f3213ec72e1 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:286
    #25 0x7f3213f4c15f in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1171
    #26 0x7f3213f49885 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:998
    #27 0x7f3213f42d33 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:792
    #28 0x7f3213f3e7ae in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:142
    #29 0x7f32132f2964 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #30 0x7f32132f2964 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:662
    #31 0x7f32132f0f9f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:487
    #32 0x7f32132f70eb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #33 0x7f3211999574 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #34 0x7f3211a0fb8a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #35 0x7f32122860b9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #36 0x7f3212212e1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #37 0x7f3212212e1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #38 0x7f3212212e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #39 0x7f321717d8f7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #40 0x7f3218fe7062 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:785
    #41 0x7f3212212e1c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #42 0x7f3212212e1c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #43 0x7f3212212e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #44 0x7f3218fe6759 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:621
    #45 0x48d670 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #46 0x7f320f3b1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5811 mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status)
Shadow bytes around the buggy address:
  0x0c1080007f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080007f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080007f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080007f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1080007f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1080007f50: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
  0x0c1080007f60: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1080007f70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1080007f80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1080007f90: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1080007fa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap regi==6674==ABORTING

###!!! [Parent][MessageChannel] Error: (msgtype=0x200084,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

[Parent 6571] WARNING: pipe error (57): Connection reset by peer: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
The object we're UAFing on is probably a WorkerPermissionChallenge.
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #3)
> The object we're UAFing on is probably a WorkerPermissionChallenge.

Correct. The WorkerPermissionOperationCompleted runnable is not dispatched because the worker is shutting down. This means that IDBFactory is not released on the correct thread. A quick fix is to dispatch a 'control' runnable just to release the resources on the correct thread.
But it would be nice to have a more generic way to do it, because this is not the first time I have seen a similar bug, and I would prefer to centralize this logic instead of spreading similar control runnables across every race-condition release operation.
I agree that we've seen that pattern a couple times, but why isn't WorkerPermissionOperationCompleted a control runnable to begin with?  All it really does is dispatch stuff to the PBackground thread anyways.  There shouldn't be any ordering issues.
Posted patch crash.patch (obsolete)
Attachment #8654667 - Flags: review?(khuey)
Why not do that unconditionally?
Flags: needinfo?(amarchesini)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #7)
> Why not do that unconditionally?

Because the other runnable does more things. Right? The 'regular' runnable completes the operation, the control runnable avoids the releasing of IDBFactory+Feature in the wrong thread.
Flags: needinfo?(amarchesini)
Comment on attachment 8654667 [details] [diff] [review]
crash.patch

All the method call does is (potentially) GC, send a message to the PBackground thread, remove the feature and drop a reference to the factory.  There's no reason not to do it from a control runnable.
Attachment #8654667 - Flags: review?(khuey) → review-
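The two comments above describe the mechanism and the fix: a normal worker runnable is refused once the worker is shutting down, so the feature removal and the IDBFactory release never run on the worker thread, leaving a dangling entry for NotifyFeatures to walk, whereas a control runnable is always accepted. The simulation below is an added illustration of that pattern, not Gecko's code: there are no real threads (a string label stands in for the current thread), the class names are stand-ins for WorkerPrivate, WorkerFeature, WorkerPermissionChallenge and IDBFactory, and the "Main" label for the dispatching thread is an assumption of the model.

```cpp
#include <algorithm>
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Constructed simulation of the bug pattern discussed in this report (not Gecko code).
// There are no real threads: gCurrentThread is a label the simulation sets before
// executing code "on" that thread, which is enough to show where objects get released.
static std::string gCurrentThread = "Worker";

struct Feature;
static std::set<Feature*> gLiveFeatures;   // stand-in for ASan: which Feature objects still exist

// Stand-in for IDBFactory: thread-affine, so we record which thread dropped the last reference.
struct Factory {
  std::string* releasedOn;
  explicit Factory(std::string* slot) : releasedOn(slot) {}
  ~Factory() { *releasedOn = gCurrentThread; }
};

// Stand-in for WorkerPrivate.
struct Worker {
  enum Status { Running, Closing } status = Running;
  std::vector<Feature*> features;             // raw pointers, like the worker's feature list
  std::deque<std::function<void()>> queue;    // runnables waiting to execute on the worker thread

  // A normal runnable is refused once the worker is closing. The rejected std::function
  // (and anything it owns) is destroyed right here, on the caller's thread.
  bool DispatchNormal(std::function<void()> r) {
    if (status != Running) return false;
    queue.push_back(std::move(r));
    return true;
  }
  // A control runnable is accepted in every state and always executes on the worker thread.
  bool DispatchControl(std::function<void()> r) {
    queue.push_back(std::move(r));
    return true;
  }
  void RunQueued() {
    gCurrentThread = "Worker";
    while (!queue.empty()) { auto r = std::move(queue.front()); queue.pop_front(); r(); }
  }
  // NotifyFeatures walks the feature list; an entry whose object is gone is the UAF in the report.
  std::string NotifyFeatures() {
    for (Feature* f : features) if (!gLiveFeatures.count(f)) return "use-after-free";
    return "ok";
  }
};

// Stand-in for WorkerFeature: registers itself with the worker on construction.
struct Feature {
  Worker* worker;
  explicit Feature(Worker* w) : worker(w) { gLiveFeatures.insert(this); w->features.push_back(this); }
  virtual ~Feature() { gLiveFeatures.erase(this); }
};

// Stand-in for WorkerPermissionChallenge: a worker feature that holds the factory alive.
struct PermissionChallenge : Feature {
  std::shared_ptr<Factory> factory;
  PermissionChallenge(Worker* w, std::shared_ptr<Factory> f) : Feature(w), factory(std::move(f)) {}
  // OperationCompleted must run on the worker thread: unregister the feature, drop the factory.
  void OperationCompleted() {
    auto& v = worker->features;
    v.erase(std::remove(v.begin(), v.end(), this), v.end());
    factory.reset();
  }
};

struct Outcome {
  bool dispatched;
  std::string factoryReleasedOn;
  std::string notify;
};

// The race from the report: the worker starts closing before the permission challenge completes.
// useControlRunnable=false is the original code path, true is the fix described in the comments.
Outcome Simulate(bool useControlRunnable) {
  Worker worker;
  Outcome out{false, "", ""};
  std::function<void()> completion;
  {
    auto factory = std::make_shared<Factory>(&out.factoryReleasedOn);
    auto challenge = std::make_shared<PermissionChallenge>(&worker, factory);
    completion = [challenge] { challenge->OperationCompleted(); };
  }                                   // only the completion runnable keeps the challenge alive now

  worker.status = Worker::Closing;    // close() in the worker script
  gCurrentThread = "Main";            // assumed label for the thread that dispatches the completion
  out.dispatched = useControlRunnable ? worker.DispatchControl(std::move(completion))
                                     : worker.DispatchNormal(std::move(completion));
  completion = nullptr;               // a refused runnable dies here, on the wrong thread

  worker.RunQueued();                 // the worker drains whatever it accepted
  out.notify = worker.NotifyFeatures();
  return out;
}
```

With a normal runnable the factory is released on "Main" and NotifyFeatures finds a dangling feature; with a control runnable both the feature removal and the release happen on the worker thread and the list is clean.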
Posted patch Tests
There's a related, but not exploitable, issue involving page navigation causing us to return false from the RecvPermissionChallenge handler and abort the process.
Attachment #8654667 - Attachment is obsolete: true
Attachment #8655154 - Flags: review?(amarchesini)
Posted patch Patch
Assignee: nobody → khuey
Status: NEW → ASSIGNED
Attachment #8655155 - Flags: review?(amarchesini)
Attachment #8655155 - Flags: review?(amarchesini) → review+
Attachment #8655154 - Flags: review?(amarchesini) → review+
Comment on attachment 8655155 [details] [diff] [review]
Patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

It's not immediately obvious what's going on, but somebody who is familiar with this code could figure it out fairly quickly. Constructing an exploit based on that is significantly harder though (it took me a while to get the tests just right). Still, I think it could be done.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Tests are separate.  The check-in comment and code comments do tell you what general area to explore.

Which older supported branches are affected by this flaw?

Gecko 35 and higher.

If not all supported branches, which bug introduced the flaw?

It was introduced with the IndexedDB rewrite (bug 994190).

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This code hasn't changed much, if at all, since it was written, so backporting should be easy.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely to cause regressions.  I'm confident in the patch.
Attachment #8655155 - Flags: sec-approval?
Comment on attachment 8655155 [details] [diff] [review]
Patch

sec-approval+ for trunk.

We'll want patches for Aurora, Beta, and ESR38 made and nominated as well.
Attachment #8655155 - Flags: sec-approval? → sec-approval+
Group: core-security → dom-core-security
checkin-needed for the patch *only* (no tests) since the tree has been closed the last three times I've wanted to push this.
Keywords: checkin-needed
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #14)
> checkin-needed for the patch *only* (no tests) since the tree has been
> closed the last three times I've wanted to push this.

done - https://hg.mozilla.org/integration/mozilla-inbound/rev/44acf95a79fd
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/44acf95a79fd
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Group: dom-core-security → core-security-release
Flags: sec-bounty?
Baku, would you be able to nominate patch for uplift to Beta? Kyle is on PTO and we will gtb 41 RC in a few days, so the sooner this lands the better.
Flags: needinfo?(amarchesini)
Comment on attachment 8655155 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: IDB in workers
[User impact if declined]: easy to make this code crash.
[Describe test coverage new/current, TreeHerder]: We have a test ready in the second patch.
[Risks and why]: This patch uses a control worker runnable instead of a normal one. This makes the cleanup procedure always execute.
[String/UUID change made/needed]: none
Flags: needinfo?(amarchesini)
Attachment #8655155 - Flags: approval-mozilla-aurora?
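A simplified model of the mechanism the approval comment above describes, added here as an illustration and not code from the Gecko patch: normal worker runnables are dropped once the worker is closing, so a cleanup runnable that unregisters a feature may never run and WorkerPrivate is left holding a pointer to freed memory; a control runnable is processed regardless of the closing state. The Worker, Feature and queue names are assumptions of this model.

```cpp
// Model (not Gecko code) of the stale-feature problem and the control-runnable fix.
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

// Stands in for the IndexedDB object registered with WorkerPrivate.
struct Feature { int notified = 0; };

struct Worker {
    std::vector<Feature*> features;                  // raw, non-owning, as in WorkerPrivate
    std::vector<std::function<void()>> normalQueue;
    std::vector<std::function<void()>> controlQueue;
    bool closing = false;

    void AddFeature(Feature* f) { features.push_back(f); }
    void RemoveFeature(Feature* f) {
        features.erase(std::remove(features.begin(), features.end(), f), features.end());
    }
    // Assumed model: a normal runnable is refused once the worker is closing.
    void DispatchNormal(std::function<void()> r) { if (!closing) normalQueue.push_back(std::move(r)); }
    // A control runnable is always queued and always processed.
    void DispatchControl(std::function<void()> r) { controlQueue.push_back(std::move(r)); }
    void RunQueues() {
        for (auto& r : controlQueue) r();
        controlQueue.clear();
        if (!closing) { for (auto& r : normalQueue) r(); }
        normalQueue.clear();
    }
    // NotifyFeatures walks the raw pointers; a stale entry here is the use-after-free.
    // Deliberately never called on a stale list in this model.
    void NotifyFeatures() { for (Feature* f : features) f->notified++; }
};

// Returns how many freed Feature pointers remain registered after the worker
// closed and the cleanup runnable was dispatched via the chosen mechanism.
std::size_t StaleFeaturesAfterClose(bool useControlRunnable) {
    Worker w;
    auto feature = std::make_unique<Feature>();
    Feature* raw = feature.get();
    w.AddFeature(raw);
    w.closing = true;                                // close() ran in the worker script
    auto cleanup = [&w, raw] { w.RemoveFeature(raw); };
    if (useControlRunnable) w.DispatchControl(cleanup); else w.DispatchNormal(cleanup);
    w.RunQueues();
    feature.reset();                                 // object freed; leftover pointer dangles
    return w.features.size();                        // 1 = dangling pointer left, 0 = clean
}
```

With a normal runnable the cleanup is silently dropped and one stale pointer survives the free; with a control runnable the feature list is empty when the object goes away.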
Comment on attachment 8655155 [details] [diff] [review]
Patch

See previous comment.
Attachment #8655155 - Flags: approval-mozilla-beta?
Comment on attachment 8655155 [details] [diff] [review]
Patch

It's a sec-critical fix, Beta41+, Aurora42+
Attachment #8655155 - Flags: approval-mozilla-beta?
Attachment #8655155 - Flags: approval-mozilla-beta+
Attachment #8655155 - Flags: approval-mozilla-aurora?
Attachment #8655155 - Flags: approval-mozilla-aurora+
Many thanks! This also impacts esr38. Should we consider taking a fix for ESR38.3.0?
Flags: needinfo?(amarchesini)
Comment on attachment 8655155 [details] [diff] [review]
Patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: A crash, easy to reproduce.
Fix Landed on Version: 42 ?
Risk to taking this patch (and alternatives if risky): The patch is very simple. I don't see big risks.
String or UUID changes made by this patch:  none
Flags: needinfo?(amarchesini)
Attachment #8655155 - Flags: approval-mozilla-esr38?
Comment on attachment 8655155 [details] [diff] [review]
Patch

Crash fix, taking this for esr38 as well.
Attachment #8655155 - Flags: approval-mozilla-esr38? → approval-mozilla-esr38+
Flags: sec-bounty? → sec-bounty+
This doesn't appear to apply to esr38.
Flags: needinfo?(khuey)
I was wrong about which branches were affected, this code was actually introduced in bug 1151495, which landed in 40.  So ESR is unaffected.
Flags: needinfo?(khuey)
Whiteboard: [adv-main41+]
Alias: CVE-2015-4510
Reproduced the original issue using the following builds:
- https://archive.mozilla.org/pub/firefox/nightly/2015-08-30-03-02-24-mozilla-central/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1440963948/

- https://crash-stats.mozilla.com/report/index/81f02d72-2106-45bc-a007-141ff2150917
- https://crash-stats.mozilla.com/report/index/de9f9df4-89c7-444a-94b7-f2d692150917

==4481==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000133ab8 at pc 0x7f2a64b5ba10 bp 0x7f2a3c8247d0 sp 0x7f2a3c8247c8
READ of size 8 at 0x608000133ab8 thread T28 (DOM Worker)
    #0 0x7f2a64b5ba0f in NotifyFeatures WorkerPrivate.cpp:5277
    #1 0x7f2a64b57de8 in NotifyInternal WorkerPrivate.cpp:5737
    #2 0x7f2a64b754d4 in Run WorkerRunnable.cpp:359
    #3 0x7f2a64b57935 in ProcessAllControlRunnablesLocked WorkerPrivate.cpp:5076
    #4 0x7f2a64b556fc in DoRunLoop WorkerPrivate.cpp:4539
    #5 0x7f2a64aebcb7 in Run RuntimeService.cpp:2875
    #6 0x7f2a5f8590a4 in ProcessNextEvent nsThread.cpp:874
    #7 0x7f2a5f8cfb5a in NS_ProcessNextEvent nsThreadUtils.cpp:277
    #8 0x7f2a60147def in Run MessagePump.cpp:326
    #9 0x7f2a600d3b1c in RunInternal message_loop.cc:234
    #10 0x7f2a5f855565 in ThreadFunc nsThread.cpp:363

etc....

Went through verification using the following builds:
- https://archive.mozilla.org/pub/firefox/nightly/2015-09-17-03-02-29-mozilla-central/
- https://archive.mozilla.org/pub/firefox/nightly/2015-09-17-00-40-25-mozilla-aurora/
- https://archive.mozilla.org/pub/firefox/candidates/41.0-candidates/build2/
Group: core-security-release