Closed Bug 1252330 (CVE-2016-2811) Opened 9 years ago Closed 9 years ago

Service Worker - Use After Free in BeginReading()

Categories

(Core :: DOM: Service Workers, defect)

47 Branch
x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox45 --- wontfix
firefox46 + fixed
firefox47 + verified
firefox48 + fixed
firefox-esr38 --- unaffected
firefox-esr45 --- disabled

People

(Reporter: loobenyang, Assigned: bkelly)

Details

(4 keywords, Whiteboard: btpp-fixnow, [fixed in bug 1256411][post-critsmash-triage][adv-main46+])

Attachments

(2 files, 1 obsolete file)

Firefox version: 47.0a1 (2016-02-28)

=================================================================
==5198==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00080aea8 at pc 0x7f0b32eb6c30 bp 0x7fff95e16fc0 sp 0x7fff95e16fb8
READ of size 8 at 0x60b00080aea8 thread T0
    #0 0x7f0b32eb6c2f in BeginReading /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTSubstring.h:104
    #1 0x7f0b32eb6c2f in HashString /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsHashKeys.h:41
    #2 0x7f0b32eb6c2f in HashKey /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsHashKeys.h:185
    #3 0x7f0b32eb6c2f in nsTHashtable<nsBaseHashtableET<nsCStringHashKey, nsAutoPtr<nsTArray<nsIInterceptedChannel*> > > >::s_HashKey(PLDHashTable*, void const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTHashtable.h:375
    #4 0x7f0b2d56f809 in ComputeKeyHash /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:504
    #5 0x7f0b2d56f809 in PLDHashTable::Add(void const*, mozilla::fallible_t const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:573
    #6 0x7f0b2d56fdbe in PLDHashTable::Add(void const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:594
    #7 0x7f0b32e3366f in PutEntry /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTHashtable.h:153
    #8 0x7f0b32e3366f in LookupOrAdd /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsClassHashtable.h:79
    #9 0x7f0b32e3366f in mozilla::dom::workers::ServiceWorkerManager::AddNavigationInterception(nsACString_internal const&, nsIInterceptedChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:4925
    #10 0x7f0b32e328f7 in mozilla::dom::workers::ServiceWorkerManager::DispatchFetchEvent(mozilla::PrincipalOriginAttributes const&, nsIDocument*, nsAString_internal const&, nsIInterceptedChannel*, bool, bool, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:3698
    #11 0x7f0b3497cab5 in nsDocShell::ChannelIntercepted(nsIInterceptedChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:14266
    #12 0x7f0b2daf9b36 in DoNotifyController /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/InterceptedChannel.cpp:76
    #13 0x7f0b2daf9b36 in mozilla::net::InterceptedChannelChrome::NotifyController() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/InterceptedChannel.cpp:170
    #14 0x7f0b2db84bcf in mozilla::net::nsHttpChannel::OpenCacheEntry(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:3034
    #15 0x7f0b2db81e27 in mozilla::net::nsHttpChannel::Connect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:357
    #16 0x7f0b2dbbd9ae in mozilla::net::nsHttpChannel::ContinueBeginConnectWithResult() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5482
    #17 0x7f0b2dbbc13f in mozilla::net::nsHttpChannel::BeginConnect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5385
    #18 0x7f0b2dbbee32 in mozilla::net::nsHttpChannel::OnProxyAvailable(nsICancelable*, nsIChannel*, nsIProxyInfo*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5552
    #19 0x7f0b2d721cfc in nsAsyncResolveRequest::DoCallback() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:277
    #20 0x7f0b2d712038 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:159
    #21 0x7f0b2d712038 in nsProtocolProxyService::AsyncResolveInternal(nsIChannel*, unsigned int, nsIProtocolProxyCallback*, nsICancelable**, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:1294
    #22 0x7f0b2dba52f5 in mozilla::net::nsHttpChannel::ResolveProxy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2200
    #23 0x7f0b2dbb8256 in mozilla::net::nsHttpChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5092
    #24 0x7f0b2ef33d14 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsURILoader.cpp:825
    #25 0x7f0b34909997 in nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:11058
    #26 0x7f0b34963709 in nsDocShell::DoURILoad(nsIURI*, nsIURI*, bool, nsIURI*, bool, unsigned int, nsISupports*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, bool, bool, nsAString_internal const&, nsIURI*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:10872
    #27 0x7f0b349083ba in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsISupports*, unsigned int, char16_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString_internal const&, nsIDocShell*, nsIURI*, nsIDocShell**, nsIRequest**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:10389
    #28 0x7f0b3490027e in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:12175
    #29 0x7f0b34933278 in nsDocShell::Reload(unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:5330
    #30 0x7f0b2fe0594a in nsLocation::Reload(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsLocation.cpp:887
    #31 0x7f0b303eac98 in Reload /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsLocation.h:67
    #32 0x7f0b303eac98 in mozilla::dom::LocationBinding::reload(JSContext*, JS::Handle<JSObject*>, nsLocation*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:745
    #33 0x7f0b3197eb56 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2731
    #34 0x7f0b376ed3e9 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #35 0x7f0b376ed3e9 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:478
    #36 0x7f0b376d89b2 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2802
    #37 0x7f0b376b98ee in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:428
    #38 0x7f0b376ed9d4 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:496
    #39 0x7f0b376ee3d4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:530
    #40 0x7f0b371e49ef in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2892
    #41 0x7f0b31605372 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36
    #42 0x7f0b2f9feae8 in Call<nsCOMPtr<nsISupports> > /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:58
    #43 0x7f0b2f9feae8 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:11933
    #44 0x7f0b2f9dde8f in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12168
    #45 0x7f0b2f97dd51 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12414
    #46 0x7f0b2d530bb5 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:526
    #47 0x7f0b2d50b025 in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/TimerThread.cpp:286
    #48 0x7f0b2d517440 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1018
    #49 0x7f0b2d590bca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #50 0x7f0b2df32f39 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #51 0x7f0b2de9a0ac in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #52 0x7f0b2de9a0ac in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #53 0x7f0b2de9a0ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #54 0x7f0b333a66b7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #55 0x7f0b3521d008 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #56 0x7f0b3531324a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4281
    #57 0x7f0b353144b6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4378
    #58 0x7f0b353152fe in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4480
    #59 0x48a793 in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #60 0x48a793 in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #61 0x7f0b46799ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #62 0x489bcc in _start (/home/parnell/FirefoxBuilds/firefox/firefox+0x489bcc)

0x60b00080aea8 is located 40 bytes inside of 104-byte region [0x60b00080ae80,0x60b00080aee8)
freed by thread T0 here:
    #0 0x471fe1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f0b32eb8c5f in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:453
    #2 0x7f0b32eb8c5f in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:39
    #3 0x7f0b32eb8c5f in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:377
    #4 0x7f0b32eb8c5f in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:64
    #5 0x7f0b32eb8c5f in assign_with_AddRef /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:55
    #6 0x7f0b32eb8c5f in operator= /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:174
    #7 0x7f0b32eb8c5f in mozilla::dom::workers::ServiceWorkerJobBase::EnsureAndVerifyRegistration() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:997
    #8 0x7f0b32e196a1 in mozilla::dom::workers::ServiceWorkerInstallJob::ContinueAfterInstallEvent(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:1201
    #9 0x7f0b32ee62c8 in mozilla::dom::workers::ContinueLifecycleRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:689
    #10 0x7f0b2d517440 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1018
    #11 0x7f0b2d590bca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #12 0x7f0b2df32f39 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #13 0x7f0b2de9a0ac in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #14 0x7f0b2de9a0ac in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #15 0x7f0b2de9a0ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #16 0x7f0b333a66b7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #17 0x7f0b3521d008 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #18 0x7f0b3531324a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4281
    #19 0x7f0b353144b6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4378
    #20 0x7f0b353152fe in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4480
    #21 0x48a793 in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #22 0x48a793 in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #23 0x7f0b46799ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 here:
    #0 0x4721e1 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48b8dd in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f0b32eac69d in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:186
    #3 0x7f0b32eac69d in operator nsIPrincipal * /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:4304
    #4 0x7f0b32eac69d in mozilla::dom::workers::ServiceWorkerRegisterJob::Start() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:1335
    #5 0x7f0b32ee9408 in mozilla::dom::workers::ServiceWorkerJobQueue::Pop(mozilla::dom::workers::ServiceWorkerJobQueue::QueueData&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:292
    #6 0x7f0b32ee20b0 in apply<mozilla::dom::workers::ServiceWorkerUnregisterJob, void (mozilla::dom::workers::ServiceWorkerUnregisterJob::*)()> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:663
    #7 0x7f0b32ee20b0 in nsRunnableMethodImpl<void (mozilla::dom::workers::ServiceWorkerUnregisterJob::*)(), true>::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:870
    #8 0x7f0b2d517440 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1018
    #9 0x7f0b2d590bca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #10 0x7f0b2df32f39 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #11 0x7f0b2de9a0ac in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #12 0x7f0b2de9a0ac in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #13 0x7f0b2de9a0ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #14 0x7f0b333a66b7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #15 0x7f0b3521d008 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #16 0x7f0b3531324a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4281
    #17 0x7f0b353144b6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4378
    #18 0x7f0b353152fe in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4480
    #19 0x48a793 in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #20 0x48a793 in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #21 0x7f0b46799ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTSubstring.h:104 BeginReading
Shadow bytes around the buggy address:
  0x0c16800f9580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800f9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800f95a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c16800f95b0: fd fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c16800f95c0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
=>0x0c16800f95d0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fa fa fa
  0x0c16800f95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800f95f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800f9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800f9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800f9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:
==5198==ABORTING
Steps to reproduce:
1. Run the server-side script UAF_BeginReading_Repro.js in Node.js (node UAF_BeginReading_Repro.js).
2. Enter http://localhost:12345 in the Firefox browser.
3. ASan reports a Use After Free in BeginReading().

Firefox version: 47.0a1 (2016-02-28)

=================================================================
==7310==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000502368 at pc 0x7fe94d1aec30 bp 0x7fff18b4aee0 sp 0x7fff18b4aed8
READ of size 8 at 0x60b000502368 thread T0
    #0 0x7fe94d1aec2f in BeginReading /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTSubstring.h:104
    #1 0x7fe94d1aec2f in HashString /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsHashKeys.h:41
    #2 0x7fe94d1aec2f in HashKey /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsHashKeys.h:185
    #3 0x7fe94d1aec2f in nsTHashtable<nsBaseHashtableET<nsCStringHashKey, nsAutoPtr<nsTArray<nsIInterceptedChannel*> > > >::s_HashKey(PLDHashTable*, void const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTHashtable.h:375
    #4 0x7fe947867809 in ComputeKeyHash /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:504
    #5 0x7fe947867809 in PLDHashTable::Add(void const*, mozilla::fallible_t const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:573
    #6 0x7fe947867dbe in PLDHashTable::Add(void const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:594
    #7 0x7fe94d12b66f in PutEntry /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTHashtable.h:153
    #8 0x7fe94d12b66f in LookupOrAdd /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsClassHashtable.h:79
    #9 0x7fe94d12b66f in mozilla::dom::workers::ServiceWorkerManager::AddNavigationInterception(nsACString_internal const&, nsIInterceptedChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:4925
    #10 0x7fe94d12a8f7 in mozilla::dom::workers::ServiceWorkerManager::DispatchFetchEvent(mozilla::PrincipalOriginAttributes const&, nsIDocument*, nsAString_internal const&, nsIInterceptedChannel*, bool, bool, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:3698
    #11 0x7fe94ec74ab5 in nsDocShell::ChannelIntercepted(nsIInterceptedChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:14266
    #12 0x7fe947df1b36 in DoNotifyController /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/InterceptedChannel.cpp:76
    #13 0x7fe947df1b36 in mozilla::net::InterceptedChannelChrome::NotifyController() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/InterceptedChannel.cpp:170
    #14 0x7fe947e7cbcf in mozilla::net::nsHttpChannel::OpenCacheEntry(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:3034
    #15 0x7fe947e79e27 in mozilla::net::nsHttpChannel::Connect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:357
    #16 0x7fe947eb59ae in mozilla::net::nsHttpChannel::ContinueBeginConnectWithResult() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5482
    #17 0x7fe947eb413f in mozilla::net::nsHttpChannel::BeginConnect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5385
    #18 0x7fe947eb6e32 in mozilla::net::nsHttpChannel::OnProxyAvailable(nsICancelable*, nsIChannel*, nsIProxyInfo*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5552
    #19 0x7fe947a19cfc in nsAsyncResolveRequest::DoCallback() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:277
    #20 0x7fe947a0a038 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:159
    #21 0x7fe947a0a038 in nsProtocolProxyService::AsyncResolveInternal(nsIChannel*, unsigned int, nsIProtocolProxyCallback*, nsICancelable**, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:1294
    #22 0x7fe947e9d2f5 in mozilla::net::nsHttpChannel::ResolveProxy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2200
    #23 0x7fe947eb0256 in mozilla::net::nsHttpChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5092
    #24 0x7fe94922bd14 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsURILoader.cpp:825
    #25 0x7fe94ec01997 in nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:11058
    #26 0x7fe94ec5b709 in nsDocShell::DoURILoad(nsIURI*, nsIURI*, bool, nsIURI*, bool, unsigned int, nsISupports*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, bool, bool, nsAString_internal const&, nsIURI*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:10872
    #27 0x7fe94ec003ba in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsISupports*, unsigned int, char16_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString_internal const&, nsIDocShell*, nsIURI*, nsIDocShell**, nsIRequest**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:10389
    #28 0x7fe94ebf827e in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:12175
    #29 0x7fe94ec2b278 in nsDocShell::Reload(unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:5330
    #30 0x7fe94a0fd94a in nsLocation::Reload(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsLocation.cpp:887
    #31 0x7fe94a6e2c98 in Reload /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsLocation.h:67
    #32 0x7fe94a6e2c98 in mozilla::dom::LocationBinding::reload(JSContext*, JS::Handle<JSObject*>, nsLocation*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:745
    #33 0x7fe94bc76b56 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2731
    #34 0x7fe9519e53e9 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #35 0x7fe9519e53e9 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:478
    #36 0x7fe9519d09b2 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2802
    #37 0x7fe9519b18ee in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:428
    #38 0x7fe9519e59d4 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:496
    #39 0x7fe9519e63d4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:530
    #40 0x7fe9514dc9ef in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2892
    #41 0x7fe94b8fd372 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36
    #42 0x7fe949cf6ae8 in Call<nsCOMPtr<nsISupports> > /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:58
    #43 0x7fe949cf6ae8 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:11933
    #44 0x7fe949cd5e8f in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12168
    #45 0x7fe949c75d51 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12414
    #46 0x7fe947828bb5 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:526
    #47 0x7fe947803025 in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/TimerThread.cpp:286
    #48 0x7fe94780f440 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1018
    #49 0x7fe947888bca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #50 0x7fe94822af39 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #51 0x7fe9481920ac in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #52 0x7fe9481920ac in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #53 0x7fe9481920ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #54 0x7fe94d69e6b7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #55 0x7fe94f515008 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #56 0x7fe94f60b24a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4281
    #57 0x7fe94f60c4b6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4378
    #58 0x7fe94f60d2fe in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4480
    #59 0x48a793 in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #60 0x48a793 in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #61 0x7fe960a91ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #62 0x489bcc in _start (/home/parnell/FirefoxBuilds/firefox/firefox+0x489bcc)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTSubstring.h:104 BeginReading
Shadow bytes around the buggy address:
  0x0c1680098410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680098420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680098430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680098440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680098450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1680098460: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
  0x0c1680098470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680098480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680098490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800984a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800984b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:
==7310==ABORTING
Could you look at this, Ben? Thanks.
Flags: needinfo?(bkelly)
Group: core-security → dom-core-security
Whiteboard: btpp-followup-2016-03-04
I will take a look. Probably not for a day or two, though.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: sec-bounty?
Looben, how long do you have to run the proof-of-concept test before triggering the failure? I've built an ASAN build locally, but can't reproduce. It may be timing related, of course.
Flags: needinfo?(bkelly) → needinfo?(loobenyang)
Also, do you have any proxy settings enabled in the browser? I see the stack going through nsProtocolProxyService.
I let this test run for 45 minutes to an hour and saw the browser run out of file descriptors. That is probably unrelated, though.
(In reply to Ben Kelly [:bkelly] from comment #5)
> Also, do you have any proxy settings enabled in the browser? I see the
> stack going through nsProtocolProxyService.

I don't have any proxy settings enabled in the browser. The proxy in the stack is probably the Service Worker, which, by design, acts as a proxy and intercepts network requests:

    #10 0x7f0b32e328f7 in mozilla::dom::workers::ServiceWorkerManager::DispatchFetchEvent
    #12 0x7f0b2daf9b36 in DoNotifyController
    #13 0x7f0b2daf9b36 in mozilla::net::InterceptedChannelChrome::NotifyController()
    #14 0x7f0b2db84bcf in mozilla::net::nsHttpChannel::OpenCacheEntry(bool)
    #15 0x7f0b2db81e27 in mozilla::net::nsHttpChannel::Connect()
    #16 0x7f0b2dbbd9ae in mozilla::net::nsHttpChannel::ContinueBeginConnectWithResult()
    #17 0x7f0b2dbbc13f in mozilla::net::nsHttpChannel::BeginConnect()
    #18 0x7f0b2dbbee32 in mozilla::net::nsHttpChannel::OnProxyAvailable
    #19 0x7f0b2d721cfc in nsAsyncResolveRequest::DoCallback()
Flags: needinfo?(loobenyang)
Whiteboard: btpp-followup-2016-03-04 → btpp-fixnow
Ben, it may take a few minutes or up to one hour to reproduce. Would you try test case 2 (UAF_BeginReading_Repro2.zip, unzip the files to the same folder) to see if you can reproduce it more easily on your side?

47.0a1 (2016-02-28)
=================================================================
==11752==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0001e34b8 at pc 0x7fbf5f656c30 bp 0x7fffe9b28e60 sp 0x7fffe9b28e58
READ of size 8 at 0x60b0001e34b8 thread T0
    #0 0x7fbf5f656c2f in BeginReading /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTSubstring.h:104
    #1 0x7fbf5f656c2f in HashString /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsHashKeys.h:41
    #2 0x7fbf5f656c2f in HashKey /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsHashKeys.h:185
    #3 0x7fbf5f656c2f in nsTHashtable<nsBaseHashtableET<nsCStringHashKey, nsAutoPtr<nsTArray<nsIInterceptedChannel*> > > >::s_HashKey(PLDHashTable*, void const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTHashtable.h:375
    #4 0x7fbf59d0f809 in ComputeKeyHash /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:504
    #5 0x7fbf59d0f809 in PLDHashTable::Add(void const*, mozilla::fallible_t const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:573
    #6 0x7fbf59d0fdbe in PLDHashTable::Add(void const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/PLDHashTable.cpp:594
    #7 0x7fbf5f5d366f in PutEntry /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTHashtable.h:153
    #8 0x7fbf5f5d366f in LookupOrAdd /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsClassHashtable.h:79
    #9 0x7fbf5f5d366f in mozilla::dom::workers::ServiceWorkerManager::AddNavigationInterception(nsACString_internal const&, nsIInterceptedChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:4925
    #10 0x7fbf5f5d28f7 in mozilla::dom::workers::ServiceWorkerManager::DispatchFetchEvent(mozilla::PrincipalOriginAttributes const&, nsIDocument*, nsAString_internal const&, nsIInterceptedChannel*, bool, bool, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ServiceWorkerManager.cpp:3698
    #11 0x7fbf6111cab5 in nsDocShell::ChannelIntercepted(nsIInterceptedChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:14266
    #12 0x7fbf5a299b36 in DoNotifyController /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/InterceptedChannel.cpp:76
    #13 0x7fbf5a299b36 in mozilla::net::InterceptedChannelChrome::NotifyController() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/InterceptedChannel.cpp:170
    #14 0x7fbf5a324bcf in mozilla::net::nsHttpChannel::OpenCacheEntry(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:3034
    #15 0x7fbf5a321e27 in mozilla::net::nsHttpChannel::Connect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:357
    #16 0x7fbf5a35d9ae in mozilla::net::nsHttpChannel::ContinueBeginConnectWithResult() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5482
    #17 0x7fbf5a35c13f in mozilla::net::nsHttpChannel::BeginConnect() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5385
    #18 0x7fbf5a35ee32 in mozilla::net::nsHttpChannel::OnProxyAvailable(nsICancelable*, nsIChannel*, nsIProxyInfo*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5552
    #19 0x7fbf59ec1cfc in nsAsyncResolveRequest::DoCallback() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:277
    #20 0x7fbf59eb2038 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:159
    #21 0x7fbf59eb2038 in nsProtocolProxyService::AsyncResolveInternal(nsIChannel*, unsigned int, nsIProtocolProxyCallback*, nsICancelable**, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsProtocolProxyService.cpp:1294
    #22 0x7fbf5a3452f5 in mozilla::net::nsHttpChannel::ResolveProxy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:2200
    #23 0x7fbf5a358256 in mozilla::net::nsHttpChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/nsHttpChannel.cpp:5092
    #24 0x7fbf5b6d3d14 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsURILoader.cpp:825
    #25 0x7fbf610a9997 in nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:11058
    #26 0x7fbf61103709 in nsDocShell::DoURILoad(nsIURI*, nsIURI*, bool, nsIURI*, bool, unsigned int, nsISupports*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, bool, bool, nsAString_internal const&, nsIURI*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:10872
    #27 0x7fbf610a83ba in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsISupports*, unsigned int, char16_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString_internal const&, nsIDocShell*, nsIURI*, nsIDocShell**, nsIRequest**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:10389
    #28 0x7fbf610a027e in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:12175
    #29 0x7fbf610d3278 in nsDocShell::Reload(unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:5330
    #30 0x7fbf5c5a594a in nsLocation::Reload(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsLocation.cpp:887
    #31 0x7fbf5cb8ac98 in Reload /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsLocation.h:67
    #32 0x7fbf5cb8ac98 in mozilla::dom::LocationBinding::reload(JSContext*, JS::Handle<JSObject*>, nsLocation*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:745
    #33 0x7fbf5e11eb56 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2731
    #34 0x7fbf63e8d3e9 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #35 0x7fbf63e8d3e9 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:478
    #36 0x7fbf63e789b2 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2802
    #37 0x7fbf63e598ee in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:428
    #38 0x7fbf63e8d9d4 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:496
    #39 0x7fbf63e8e3d4 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:530
    #40 0x7fbf639849ef in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2892
    #41 0x7fbf5dda5372 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36
    #42 0x7fbf5c19eae8 in Call<nsCOMPtr<nsISupports> > /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:58
    #43 0x7fbf5c19eae8 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:11933
    #44 0x7fbf5c17de8f in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12168
    #45 0x7fbf5c11dd51 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12414
    #46 0x7fbf59cd0bb5 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:526
    #47 0x7fbf59cab025 in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/TimerThread.cpp:286
    #48 0x7fbf59cb7440 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1018
    #49 0x7fbf59d30bca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #50 0x7fbf5a6d2f39 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #51 0x7fbf5a63a0ac in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #52 0x7fbf5a63a0ac in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #53 0x7fbf5a63a0ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #54 0x7fbf5fb466b7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #55 0x7fbf619bd008 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #56 0x7fbf61ab324a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4281
    #57 0x7fbf61ab44b6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4378
    #58 0x7fbf61ab52fe in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4480
    #59 0x48a793 in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #60 0x48a793 in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #61 0x7fbf72f39ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #62 0x489bcc in _start (/home/parnell/FirefoxBuilds/firefox/firefox+0x489bcc)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsTSubstring.h:104 BeginReading
Shadow bytes around the buggy address:
  0x0c1680034640: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1680034650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1680034660: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1680034670: 00 00 01 fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1680034680: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0c1680034690: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c16800346a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800346b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800346c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800346d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c16800346e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Fre==11752==ABORTING
I'm trying to reproduce this again with the new poc provided in comment 8.
I have a theory about what is happening, though.

- A ServiceWorkerRegistrationInfo has strong pointers to one or more ServiceWorkerInfo objects
- The ServiceWorkerInfo objects have weak pointers back to the registration
- ServiceWorkerInfo::Scope() calls mRegistration->Scope()
- The ServiceWorkerInfo::Scope() is used as the key into the hash table call that is blowing up in the stack.

I think somehow a ServiceWorkerInfo object is being kept alive beyond the life of its owning registration. So when Scope() gets called it's dereferencing a bad registration pointer.

The simple fix here is to simply remove the ServiceWorkerInfo weak ref to the registration. It can just directly own the principal and scope. These are passed by reference, so the size of objects won't change dramatically.
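The ownership shape described in comment 10, as an added C++ model (editor's example, not Gecko code and not the patch that landed in bug 1256411). The type and member names (RegistrationInfo, WorkerInfoBackPointer, WorkerInfoOwning, InterceptionTable, the example scope and principal strings) are all hypothetical. The "before" side uses a std::weak_ptr in place of Gecko's raw back pointer so that the dangling case is observable as a failed lock() instead of undefined behaviour; with a raw pointer, the same read inside the hash-key computation is the heap-use-after-free ASan reported in BeginReading(). The "after" side shows the fix the comment proposes: the worker info owns its own copies of scope and principal, so its key stays valid however long it outlives the registration.

```cpp
#include <cassert>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Hypothetical model of the ownership described in comment 10; none of these
// types are Gecko's. The registration is the owner; the question is what a
// worker info may hold back to it.
struct RegistrationInfo {
  std::string mScope;
  std::string mPrincipal;
  RegistrationInfo(std::string scope, std::string principal)
      : mScope(std::move(scope)), mPrincipal(std::move(principal)) {}
};

// Before: the worker info keeps only a non-owning back pointer and derives
// Scope() from it. std::weak_ptr stands in for the raw pointer so the dangling
// case is detectable here; with a raw pointer this read is the UAF.
class WorkerInfoBackPointer {
 public:
  explicit WorkerInfoBackPointer(const std::shared_ptr<RegistrationInfo>& reg)
      : mRegistration(reg) {}
  // Returns false when the registration has already been destroyed.
  bool Scope(std::string& out) const {
    std::shared_ptr<RegistrationInfo> reg = mRegistration.lock();
    if (!reg) return false;
    out = reg->mScope;
    return true;
  }
 private:
  std::weak_ptr<RegistrationInfo> mRegistration;  // weak, may dangle
};

// After: the worker info owns copies of scope and principal, so its lifetime
// no longer depends on the registration's.
class WorkerInfoOwning {
 public:
  explicit WorkerInfoOwning(const RegistrationInfo& reg)
      : mScope(reg.mScope), mPrincipal(reg.mPrincipal) {}
  const std::string& Scope() const { return mScope; }
  const std::string& Principal() const { return mPrincipal; }
 private:
  std::string mScope;
  std::string mPrincipal;
};

// Stand-in for the scope-keyed table that AddNavigationInterception() fills;
// hashing the key is where the freed string was read in the ASan trace.
using InterceptionTable = std::unordered_map<std::string, std::vector<int>>;

// Scenario: the registration is torn down while an in-flight navigation still
// holds the worker info. Returns true only if the interception was recorded
// under a valid scope key. Scope/principal values are constructed sample data.
bool RecordWithBackPointer(InterceptionTable& table, int channelId) {
  auto reg = std::make_shared<RegistrationInfo>("https://example.com/app/",
                                                "https://example.com");
  WorkerInfoBackPointer info(reg);
  reg.reset();  // registration freed; info outlives it
  std::string scope;
  if (!info.Scope(scope)) return false;  // dangling back pointer caught
  table[scope].push_back(channelId);
  return true;
}

bool RecordWithOwnedScope(InterceptionTable& table, int channelId) {
  auto reg = std::make_shared<RegistrationInfo>("https://example.com/app/",
                                                "https://example.com");
  WorkerInfoOwning info(*reg);
  reg.reset();  // registration freed; info still has its own copy
  table[info.Scope()].push_back(channelId);
  return true;
}

int main() {
  InterceptionTable before, after;
  bool ok1 = RecordWithBackPointer(before, 1);
  bool ok2 = RecordWithOwnedScope(after, 2);
  bool keyed = after.count("https://example.com/app/") == 1;
  return (!ok1 && ok2 && keyed) ? 0 : 1;
}
```

The trade-off the comment mentions holds in the model too: the owning form costs one string copy per worker info, and in exchange the hash-table key can never read through a pointer whose target was freed on another path.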
Attached patch cleanup (obsolete) — Splinter Review
This is a bit speculative, but I think it's a reasonable defensive patch. There is very minimal benefit to maintaining the weak pointer here and it opens the door to bad failures.

The lame commit message is so I can do a try push without referencing this bug:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=69b0a31392d1

I can also land this speculative patch under a non-closed bug if you prefer.
Attachment #8730342 - Flags: review?(ehsan)
Attachment #8730342 - Attachment is patch: true
Comment on attachment 8730342 [details] [diff] [review] cleanup At Ehsan's request I have moved the speculative patch over to a public bug. See bug 1256411, but please don't link it here.
Attachment #8730342 - Attachment is obsolete: true
Attachment #8730342 - Flags: review?(ehsan)
(In reply to Ben Kelly [:bkelly] from comment #11)
> Created attachment 8730342 [details] [diff] [review]
> cleanup
>
> This is a bit speculative, but I think its a reasonable defensive patch.
> There is very minimal benefit to maintaining the weak pointer here and it
> opens the door to bad failures.
>
> The lame commit message is so I can do a try push without referencing this
> bug:
>
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=69b0a31392d1
>
> I can also land this speculative patch under a non-closed bug if you prefer.

Tried with this ASan build (http://archive.mozilla.org/pub/firefox/try-builds/bkelly@mozilla.com-69b0a31392d10934802a2bfc8a97e10b178aeb20/try-linux64-asan/), could not reproduce it.
Thanks Looben! I landed bug 1256411 in inbound this morning. I'll request that it get uplifted to beta and aurora.
Whiteboard: btpp-fixnow → btpp-fixnow, [fixed in bug 1256411]
Thanks everybody for the report and the fix. This also needs to go to ESR45.
(In reply to Andrew McCreight [:mccr8] from comment #15)
> Thanks everybody for the report and the fix.
>
> This also needs to go to ESR45.

We have service workers disabled on ESR45.
Oops, right, I forgot about that.
This was fixed in bug 1256411 which was also uplifted to 46 and 47.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Lowering severity to sec-high based on the indeterminacy / length of time (comment 6, comment 8)
Flags: sec-bounty? → sec-bounty+
Keywords: sec-critical → sec-high
Group: dom-core-security → core-security-release
Marking verified for Fx47 based on comment 13.
Whiteboard: btpp-fixnow, [fixed in bug 1256411] → btpp-fixnow, [fixed in bug 1256411][post-critsmash-triage]
Whiteboard: btpp-fixnow, [fixed in bug 1256411][post-critsmash-triage] → btpp-fixnow, [fixed in bug 1256411][post-critsmash-triage][adv-main46+]
Alias: CVE-2016-2811
Group: core-security-release