Closed Bug 1203139 Opened 10 years ago Closed 10 years ago

AddressSanitizer: heap-use-after-free on address 0x at pc 0x bp 0x sp 0x heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/pkibase.c:156 nssPKIObject_AddRef

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: cbook, Unassigned)

Details

(Keywords: csectype-uaf, sec-high)

Attachments

(1 file)

Attached file bughunter stack
found by bughunter on http://www.pcadvisor.co.uk/how-to/pc-components/how-watch-intel-live-stream-at-ifa-2015-3624358/

==28797==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d001b45f10 at pc 0x7f35eeb44208 bp 0x7ffca2d83900 sp 0x7ffca2d838f8
    #0 0x7f35eeb44207 in nssPKIObject_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/pkibase.c:156
    #1 0x7f35eeb3efbf in remove_token_certs /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/tdcache.c:394
    #2 0x7f35eeb6462f in nss_hash_enumerator /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/base/hash.c:345
    #3 0x7f35f2867150 in PL_HashTableEnumerateEntries /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/lib/ds/plhash.c:374
    #4 0x7f35eeb64539 in nssHash_Iterate /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/base/hash.c:368
    #5 0x7f35eeb3ec3b in nssTrustDomain_RemoveTokenCertsFromCache /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/tdcache.c:440
    #6 0x7f35eeb48c49 in STAN_RemoveModuleFromDefaultTrustDomain /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/pki3hack.c:190
    #7 0x7f35eeae0f7d in SECMOD_UnloadUserModule /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pk11wrap/pk11pars.c:1127
    #8 0x7f35e0e1c14a in mozilla::psm::UnloadLoadableRoots(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/certverifier/NSSCertDBTrustDomain.cpp:1035
    #9 0x7f35e810463a in nsNSSComponent::UnloadLoadableRoots() /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/manager/ssl/nsNSSComponent.cpp:562
    #10 0x7f35e8101842 in nsNSSComponent::ShutdownNSS() /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/manager/ssl/nsNSSComponent.cpp:1151
    #11 0x7f35e8109c6d in DoProfileBeforeChange /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/manager/ssl/nsNSSComponent.cpp:1547
    #12 0x7f35e8109c6d in nsNSSComponent::Observe(nsISupports*, char const*, char16_t const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/manager/ssl/nsNSSComponent.cpp:1287
    #13 0x7f35e810ac8c in non-virtual thunk to nsNSSComponent::Observe(nsISupports*, char const*, char16_t const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/security/manager/ssl/Unified_cpp_security_manager_ssl1.cpp:1392
    #14 0x7f35e0edd68c in NotifyObservers /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/ds/nsObserverList.cpp:113
    #15 0x7f35e0edd68c in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/ds/nsObserverService.cpp:315
    #16 0x7f35e8647823 in nsXREDirProvider::DoShutdown() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsXREDirProvider.cpp:916
    #17 0x7f35e8617946 in ScopedXPCOMStartup::~ScopedXPCOMStartup() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:1493
    #18 0x7f35e86288f7 in operator() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/xre/../../dist/include/mozilla/UniquePtr.h:490
    #19 0x7f35e86288f7 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/xre/../../dist/include/mozilla/UniquePtr.h:309
    #20 0x7f35e86288f7 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/xre/../../dist/include/mozilla/UniquePtr.h:279
    #21 0x7f35e86288f7 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4415
    #22 0x7f35e86296a5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4478
    #23 0x48a6a9 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #24 0x48a6a9 in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:399
    #25 0x3ff061ed5c in __libc_start_main (/lib64/libc.so.6+0x3ff061ed5c)
    #26 0x489c1c in _start (/work/mozilla/builds/nightly-asan/mozilla/firefox-opt/dist/bin/firefox+0x489c1c)
Assignee: nobody → nobody
Component: General → Libraries
Product: Core → NSS
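The attachment above is the raw ASan output as bughunter captured it. As an added example (not code from this bug, from NSS, or from Mozilla's tooling), here is a small Python triage helper that parses such a report into its header and frames and derives a build-independent signature, so that a one-off sighting like this one can be matched against later ASan failures without comparing PIDs, heap addresses or the per-job build path. The signature format, the shutdown heuristic and the truncated sample report (a subset of the frames from this bug's attachment) are this example's own assumptions.

```python
"""Triage helper for AddressSanitizer reports of the kind bughunter attaches.

Parses the "==PID==ERROR: AddressSanitizer: KIND on address ..." header and the
"#N 0xPC in FUNC LOC" frames, whether one per line as ASan prints them or run
together on one line as they end up once pasted into a bug.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address "
    r"(?P<addr>0x[0-9a-f]+) at pc (?P<pc>0x[0-9a-f]+)"
)
# FUNC may contain spaces (C++ signatures, "non-virtual thunk to ..."); LOC never
# does. The lookahead ends a frame at the next "#N 0x" or at end of line.
FRAME_RE = re.compile(
    r"#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>.+?) (?P<loc>\S+)"
    r"(?=\s+#\d+ 0x|\s*$)",
    re.MULTILINE,
)
# Per-job build prefix ("/builds/slave/<job>/build/src/") kept out of the signature.
BUILD_PREFIX_RE = re.compile(r"^.*?/build/src/")


@dataclass
class Frame:
    n: int
    pc: int
    func: str
    loc: str

    def in_tree_path(self) -> Optional[str]:
        """'security/nss/lib/pki/pkibase.c:156' for source frames; None for
        library offsets such as '(/lib64/libc.so.6+0x3ff061ed5c)'."""
        if self.loc.startswith("("):
            return None
        return BUILD_PREFIX_RE.sub("", self.loc)


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    pc: int
    frames: List[Frame]


def parse_asan_report(text: str) -> AsanReport:
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no AddressSanitizer error header found")
    frames = [
        Frame(int(f["n"]), int(f["pc"], 16), f["func"], f["loc"])
        for f in FRAME_RE.finditer(text)
    ]
    if not frames:
        raise ValueError("no stack frames found")
    return AsanReport(int(m["pid"]), m["kind"], int(m["addr"], 16),
                      int(m["pc"], 16), frames)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """KIND plus the top `depth` in-tree frames as FUNC@path:line; PID,
    addresses and the build prefix are deliberately left out."""
    parts = [report.kind]
    for fr in report.frames:
        path = fr.in_tree_path()
        if path is not None:
            parts.append(f"{fr.func}@{path}")
        if len(parts) == depth + 1:
            break
    return "|".join(parts)


def top_component(report: AsanReport) -> Optional[str]:
    """First two path components of the faulting frame ('security/nss' here),
    a sensible default for the product/component a report is filed against."""
    for fr in report.frames:
        path = fr.in_tree_path()
        if path is not None:
            return "/".join(path.split("/")[:2])
    return None


# Heuristic (an assumption of this example, not an ASan feature): a frame whose
# name mentions teardown means the fault hit while the browser was shutting
# down, which is why reports like this one are hard to reproduce on demand.
SHUTDOWN_MARKERS = ("Shutdown", "ProfileBeforeChange", "~ScopedXPCOMStartup")


def on_shutdown_path(report: AsanReport) -> bool:
    return any(mk in fr.func for fr in report.frames for mk in SHUTDOWN_MARKERS)


# Constructed sample: the header and a subset of the frames from this bug's
# attachment, laid out one per line as ASan prints them.
SAMPLE_REPORT = """\
==28797==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d001b45f10 at pc 0x7f35eeb44208 bp 0x7ffca2d83900 sp 0x7ffca2d838f8
    #0 0x7f35eeb44207 in nssPKIObject_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/pkibase.c:156
    #1 0x7f35eeb3efbf in remove_token_certs /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/tdcache.c:394
    #2 0x7f35eeb6462f in nss_hash_enumerator /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/base/hash.c:345
    #5 0x7f35eeb3ec3b in nssTrustDomain_RemoveTokenCertsFromCache /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/nss/lib/pki/tdcache.c:440
    #10 0x7f35e8101842 in nsNSSComponent::ShutdownNSS() /builds/slave/m-cen-l64-asan-000000000000000/build/src/security/manager/ssl/nsNSSComponent.cpp:1151
    #13 0x7f35e810ac8c in non-virtual thunk to nsNSSComponent::Observe(nsISupports*, char const*, char16_t const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/security/manager/ssl/Unified_cpp_security_manager_ssl1.cpp:1392
    #25 0x3ff061ed5c in __libc_start_main (/lib64/libc.so.6+0x3ff061ed5c)
"""
```

Feeding the full attachment to parse_asan_report gives the same signature whether the frames are pasted one per line or, as in the comment above, joined onto a single line; the signature and top_component are what you would key a duplicate search on, and on_shutdown_path is a cheap first-pass flag for the "shutdown race" bucket that comment 1 puts this report in.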
Could you look at this, David? It looks like we're hitting a UAF in NSS in the wild on a particular page and it would be good to get some analysis of this before the page changes.
Flags: needinfo?(dkeeler)
Unfortunately, I can't reproduce this. It's pretty clear from the stack that it's another NSS shutdown race, though, so maybe we can figure out how to fix it from that.
Flags: needinfo?(dkeeler)
Good point. If it is some shutdown race, then it doesn't seem quite as bad, so I'll lower the severity rating.
Keywords: sec-critical → sec-high
Used the following asan m-c build: http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1441792943/ I opened the suspected website in 20 different tabs with e10s and non-e10s but couldn't reproduce the crash either. I also tried browser.safebrowsing.enabled;false in case it had something to do with a specific ad that was loaded but never received a crash.
I have attempted to reproduce this error in bughunter's automation and failed to do so. This was seen once on 2015-09-03 23:34:05 on RHEL6. I have also retested the other non-SEGV asan failures and could not reproduce this. There don't appear to be recent patches to NSS that would have fixed this. I think WFM is appropriate unless this can be reproduced.
Group: core-security → crypto-core-security
Nobody has been able to reproduce, so I'm marking this worksforme.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Group: crypto-core-security