Closed Bug 1282992 (CVE-2016-5259) Opened 4 years ago Closed 4 years ago

Yet another Use After Free in CanonicalizeXPCOMParticipant()

Categories: Core :: DOM: Workers (defect, critical)
Version: 44 Branch
Platform: x86 / All
Priority: Not set
Severity: critical

Tracking
Status: VERIFIED FIXED
Target milestone: mozilla50
Tracking Status
firefox47 --- wontfix
firefox48 + verified
firefox49 + verified
firefox-esr45 48+ verified
firefox50 + verified

People

(Reporter: loobenyang, Assigned: baku)

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [adv-main48+][adv-esr45.3+])

Attachments

(3 files)

Steps to reproduce:
1. Run the server-side script YA_UAF_CanonicalizeXPCOMParticipant_Repro.js in Node.js (node YA_UAF_CanonicalizeXPCOMParticipant_Repro.js).
2. Enter http://localhost:12345 in the Firefox browser.
3. Firefox crashes at a corrupted address because of a Use After Free:


Firefox version: 50.0a1 (2016-06-28)

(150.1258): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=152fe148 ebx=00000000 ecx=1d1be1a0 edx=1f9ff5ac esi=658d82ec edi=1a280520
eip=63b4eafa esp=1f9ff570 ebp=1f9ff5a0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
xul!CanonicalizeXPCOMParticipant+0xf [inlined in xul!CCGraphBuilder::NoteXPCOMChild+0x57]:
63b4eafa ff10            call    dword ptr [eax]      ds:002b:152fe148=????????
0:071> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\nvwgf2um.dll - 

FAULTING_IP: 
xul!CCGraphBuilder::NoteXPCOMChild+57 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\base\nscyclecollector.cpp @ 2377]
63b4eafa ff10            call    dword ptr [eax]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 63b4eafa (xul!CanonicalizeXPCOMParticipant+0x0000000f)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 152fe148
Attempt to read from address 152fe148

FAULTING_THREAD:  00001258

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  152fe148

READ_ADDRESS:  152fe148 

FOLLOWUP_IP: 
xul!CCGraphBuilder::NoteXPCOMChild+57 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\base\nscyclecollector.cpp @ 2377]
63b4eafa ff10            call    dword ptr [eax]

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 10.0.10240.9 x86fre

BUGCHECK_STR:  INVALID_POINTER_READ_IN_CALL

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_IN_CALL

LAST_CONTROL_TRANSFER:  from 63c7962c to 63b4eafa

STACK_TEXT:  
1f9ff5a0 63c7962c 1a280520 00000000 1f9ff898 xul!CCGraphBuilder::NoteXPCOMChild+0x57
1f9ff5c4 63c79328 66080974 21b17100 1a280520 xul!mozilla::CycleCollectedJSRuntime::NoteGCThingXPCOMChildren+0x7f
1f9ff610 63c791ca 1f9ff5e8 21b17100 21b17100 xul!mozilla::CycleCollectedJSRuntime::TraverseGCThing+0x148
1f9ff624 63c790e7 1f9ff8d0 21b17100 1a280520 xul!mozilla::JSGCThingParticipant::Traverse+0x42
1f9ff644 63e0886c 1ec02af0 1138e000 00000000 xul!CCGraphBuilder::BuildGraph+0x53
1f9ff65c 63e08449 1f9ff6c0 1af45b40 00000000 xul!nsCycleCollector::MarkRoots+0x1d
1f9ff698 63c8e79f 00000001 1f9ff6c0 00000000 xul!nsCycleCollector::Collect+0xc8
1f9ff6e4 63c8e302 1f9ff6fc 63c8e2d0 00000001 xul!nsCycleCollector_collect+0x68
1f9ff6ec 63c8e2d0 00000001 1f9ff77c 1f9ff708 xul!`anonymous namespace'::WorkerJSRuntime::CustomGCCallback+0x19
1f9ff6fc 63c8e279 00000001 1f9ff71c 63c8e264 xul!mozilla::CycleCollectedJSRuntime::OnGC+0x55
1f9ff708 63c8e264 1a3cd0e8 00000001 1f9ff898 xul!mozilla::CycleCollectedJSRuntime::GCCallback+0xe
1f9ff71c 63c8e008 00000001 1a3cd2f8 1a3cd428 xul!js::gc::GCRuntime::callGCCallback+0x1a
1f9ff738 63c8df7d 00000000 00000001 1a3cd2f8 xul!`anonymous namespace'::AutoNotifyGCActivity::~AutoNotifyGCActivity+0x37
1f9ff784 63c712a1 00000001 1f9ff820 00000000 xul!js::gc::GCRuntime::gcCycle+0x17b
1f9ff810 63dbe101 00000001 00000000 ffffffff xul!js::gc::GCRuntime::collect+0xbd
1f9ff868 63dbe018 00000000 00000000 00000000 xul!js::gc::GCRuntime::gc+0x49
1f9ff878 63dbe884 1e920aa0 00000000 00000000 xul!JS_GC+0x17
1f9ffa44 63c7e2b1 1a2c5c20 1f133f00 8000ff01 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x176
1f9ffab0 63c7f8c8 1e920aa0 8000ff01 1f9ffacb xul!nsThread::ProcessNextEvent+0x150
1f9ffacc 63dba72d 1f133f00 1f133f00 1f133f00 xul!NS_ProcessNextEvent+0x16
1f9ffaec 63dba625 00133f00 7e6dce61 1e920aa0 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xc0
1f9ffb24 63dba5f4 1e920aac 00000001 1d6c1b00 xul!MessageLoop::RunHandler+0x20
1f9ffb44 63dba891 0300e350 1d6c1b40 1d6c1b40 xul!MessageLoop::Run+0x19
1f9ffb6c 66d22b52 1e920aac 165518b8 66d226fb xul!nsThread::ThreadFunc+0xab
1f9ffb8c 66d22708 1d6c1b40 1f9ffbd4 6af762a4 nss3!_PR_NativeRunThread+0x9a
1f9ffb98 6af762a4 1d6c1b40 7210c316 6af76250 nss3!pr_root+0xd
1f9ffbd4 76b838f4 165518b8 76b838d0 6e2ef4c7 ucrtbase!_crt_at_quick_exit+0x104
1f9ffbe8 77265de3 165518b8 6fdc0efd 00000000 KERNEL32!BaseThreadInitThunk+0x24
1f9ffc30 77265dae ffffffff 7728b7b7 00000000 ntdll!__RtlUserThreadStart+0x2f
1f9ffc40 00000000 6af76250 165518b8 00000000 ntdll!_RtlUserThreadStart+0x1b


FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\base\nscyclecollector.cpp

FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\base\nscyclecollector.cpp

FAULTING_SOURCE_LINE_NUMBER:  2377

FAULTING_SOURCE_CODE:  
   947: static nsISupports*
   948: CanonicalizeXPCOMParticipant(nsISupports* aIn)
   949: {
   950:   nsISupports* out = nullptr;
>  951:   aIn->QueryInterface(NS_GET_IID(nsCycleCollectionISupports),
   952:                       reinterpret_cast<void**>(&out));
   953:   return out;
   954: }
   955: 
   956: static inline void


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  xul!CCGraphBuilder::NoteXPCOMChild+57

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xul

IMAGE_NAME:  xul.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  57726fac

STACK_COMMAND:  ~71s ; kb

BUCKET_ID:  INVALID_POINTER_READ_IN_CALL_xul!CCGraphBuilder::NoteXPCOMChild+57

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_IN_CALL_xul!CCGraphBuilder::NoteXPCOMChild+57

FAILURE_PROBLEM_CLASS:  INVALID_POINTER_READ_IN_CALL

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  xul.dll

FAILURE_FUNCTION_NAME:  CCGraphBuilder::NoteXPCOMChild

FAILURE_SYMBOL_NAME:  xul.dll!CCGraphBuilder::NoteXPCOMChild

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_IN_CALL_c0000005_xul.dll!CCGraphBuilder::NoteXPCOMChild

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_in_call_c0000005_xul.dll!ccgraphbuilder::notexpcomchild

FAILURE_ID_HASH:  {29422043-bdfa-afdd-324c-83eab1baa572}

Followup:     MachineOwner
---------
I ran the exact same test case YA_UAF_CanonicalizeXPCOMParticipant_Repro.js in the official Linux ASan-instrumented build and got:


Firefox version: 50.0a1 (2016-06-26)

=================================================================
==2160==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000008380 at pc 0x7f751d215293 bp 0x7f74e6859530 sp 0x7f74e6859528
READ of size 8 at 0x611000008380 thread T56 (DOM Worker)
    #0 0x7f751d215292 in CanonicalizeXPCOMParticipant /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:951:3
    #1 0x7f751d215292 in CCGraphBuilder::NoteXPCOMChild(nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2377
    #2 0x7f751d203d40 in mozilla::CycleCollectedJSRuntime::NoteGCThingXPCOMChildren(js::Class const*, JSObject*, nsCycleCollectionTraversalCallback&) const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:654:5
    #3 0x7f751d1fc9f9 in mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, JS::GCCellPtr, nsCycleCollectionTraversalCallback&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:697:5
    #4 0x7f751d1fc60a in mozilla::JSGCThingParticipant::Traverse(void*, nsCycleCollectionTraversalCallback&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:304:3
    #5 0x7f751d2130b4 in CCGraphBuilder::BuildGraph(js::SliceBudget&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2284:21
    #6 0x7f751d21940b in nsCycleCollector::MarkRoots(js::SliceBudget&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2896:23
    #7 0x7f751d21e9f2 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:3670:9
    #8 0x7f751d221ca6 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:4160:3
    #9 0x7f751d205094 in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1627:3
    #10 0x7f7527935b6f in callGCCallback /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:1391:9
    #11 0x7f7527935b6f in ~AutoNotifyGCActivity /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:1422
    #12 0x7f7527935b6f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:6226
    #13 0x7f7527936a5b in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:6312:25
    #14 0x7f7527937654 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:6379:5
    #15 0x7f752345aae2 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2619:5
    #16 0x7f751d33b896 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #17 0x7f751d3ba1ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #18 0x7f751e11a8df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:384:5
    #19 0x7f751e08df28 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #20 0x7f751e08df28 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #21 0x7f751e08df28 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #22 0x7f751d336ba1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:468:5
    #23 0x7f7534319378 in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #24 0x7f753788b181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
    #25 0x7f753698c47c in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x611000008380 is located 0 bytes inside of 240-byte region [0x611000008380,0x611000008470)
freed by thread T56 (DOM Worker) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f751d218f34 in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2685:9
    #2 0x7f751d218b26 in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2859:3
    #3 0x7f751d21f1e5 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:3841:3
    #4 0x7f751d21e99c in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:3666:9
    #5 0x7f751d221ca6 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:4160:3
    #6 0x7f751d205094 in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1627:3
    #7 0x7f7527935b6f in callGCCallback /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:1391:9
    #8 0x7f7527935b6f in ~AutoNotifyGCActivity /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:1422
    #9 0x7f7527935b6f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:6226
    #10 0x7f7527936a5b in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:6312:25
    #11 0x7f7527937654 in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsgc.cpp:6379:5
    #12 0x7f752345aae2 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2619:5
    #13 0x7f751d33b896 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #14 0x7f751d3ba1ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #15 0x7f751e11a8df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:384:5
    #16 0x7f751e08df28 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #17 0x7f751e08df28 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #18 0x7f751e08df28 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #19 0x7f751d336ba1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:468:5
    #20 0x7f7534319378 in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #21 0x7f753788b181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312

previously allocated by thread T56 (DOM Worker) here:
    #0 0x4b247b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e078d in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f7523532c39 in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:193:12
    #3 0x7f7523532c39 in mozilla::dom::workers::XMLHttpRequest::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::MozXMLHttpRequestParameters const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/XMLHttpRequest.cpp:1627
    #4 0x7f752165ab40 in mozilla::dom::XMLHttpRequestBinding_workers::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:3295:73
    #5 0x7f7527cd80f4 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:227:15
    #6 0x7f7527cd80f4 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:260
    #7 0x7f7527cd80f4 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:553
    #8 0x7f7527cbe15d in ConstructFromStack /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:580:12
    #9 0x7f7527cbe15d in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2865
    #10 0x7f7527ca4188 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:398:12
    #11 0x7f7527cd9af0 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:676:15
    #12 0x7f7527cda21e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:708:12
    #13 0x7f752783243a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4424:19
    #14 0x7f7527832b65 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4505:12
    #15 0x7f7523463f0d in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ScriptLoader.cpp:1859:10
    #16 0x7f752351fb58 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerRunnable.cpp:417:12
    #17 0x7f751d33b896 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #18 0x7f751d3ba1ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #19 0x7f752350560b in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5460:7
    #20 0x7f752341a472 in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.h:1514:12
    #21 0x7f752341a472 in (anonymous namespace)::LoadAllScripts(mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ScriptLoader.cpp:2014
    #22 0x7f752341ad1d in mozilla::dom::workers::scriptloader::Load(mozilla::dom::workers::WorkerPrivate*, nsTArray<nsString> const&, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/ScriptLoader.cpp:2156:3
    #23 0x7f75216274ef in mozilla::dom::WorkerGlobalScopeBinding_workers::importScripts(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/WorkerGlobalScopeBinding.cpp:380:3
    #24 0x7f75216260e2 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/WorkerGlobalScopeBinding.cpp:1373:13
    #25 0x7f7527cd6ff0 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:227:15
    #26 0x7f7527cd6ff0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:452
    #27 0x7f7527cbe1f0 in CallFromStack /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:503:12
    #28 0x7f7527cbe1f0 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #29 0x7f7527ca4188 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:398:12
    #30 0x7f7527cd76b8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:470:15
    #31 0x7f7527cd7d91 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:516:10
    #32 0x7f7527820988 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2858:12
    #33 0x7f7521975400 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
    #34 0x7f752229f716 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #35 0x7f752229f716 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/JSEventHandler.cpp:214
    #36 0x7f752226c85f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventListenerManager.cpp:1122:16
    #37 0x7f752226e3dd in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventListenerManager.cpp:1294:17

Thread T56 (DOM Worker) created by T0 here:
    #0 0x49a839 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f7534315f3f in _PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f7534315b4a in PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f751d338313 in nsThread::Init() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:639:8
    #4 0x7f752352afb7 in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerThread.cpp:92:7
    #5 0x7f752341001a in mozilla::dom::workers::RuntimeService::ScheduleWorker(mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:1643:14
    #6 0x7f752340e591 in mozilla::dom::workers::RuntimeService::RegisterWorker(mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:1494:19
    #7 0x7f75234fa046 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4189:8
    #8 0x7f75234143ba in mozilla::dom::workers::RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext*, mozilla::dom::workers::WorkerLoadInfo*, nsAString_internal const&, nsACString_internal const&, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2212:7
    #9 0x7f7523413dcd in mozilla::dom::workers::RuntimeService::CreateSharedWorker(mozilla::dom::GlobalObject const&, nsAString_internal const&, nsACString_internal const&, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2166:10
    #10 0x7f75234b9ba4 in mozilla::dom::workers::SharedWorker::Constructor(mozilla::dom::GlobalObject const&, JSContext*, nsAString_internal const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/SharedWorker.cpp:68:17
    #11 0x7f75211688d7 in mozilla::dom::SharedWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/SharedWorkerBinding.cpp:241:67
    #12 0x7f7527cd80f4 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:227:15
    #13 0x7f7527cd80f4 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:260
    #14 0x7f7527cd80f4 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:553
    #15 0x7f7527cbe15d in ConstructFromStack /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:580:12
    #16 0x7f7527cbe15d in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2865
    #17 0x7f7527ca4188 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:398:12
    #18 0x7f7527cd9af0 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:676:15
    #19 0x7f7527cda21e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:708:12
    #20 0x7f752783243a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4424:19
    #21 0x7f7527832fb1 in Evaluate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4451:12
    #22 0x7f7527832fb1 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4512
    #23 0x7f75200bf1d8 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:206:12
    #24 0x7f75200bfccf in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:266:10
    #25 0x7f7520149fca in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:2010:12
    #26 0x7f7520146dc3 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:1808:10
    #27 0x7f7520130632 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:1546:10
    #28 0x7f752012cd32 in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptElement.cpp:141:10
    #29 0x7f751f302004 in AttemptToExecute /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsIScriptElement.h:221:18
    #30 0x7f751f302004 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:664
    #31 0x7f751f3007d1 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488:7
    #32 0x7f751f30508b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #33 0x7f751d33b896 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #34 0x7f751d3ba1ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #35 0x7f751e11934f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:100:21
    #36 0x7f751e08df28 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #37 0x7f751e08df28 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #38 0x7f751e08df28 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #39 0x7f7523a7878f in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #40 0x7f75259b1881 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:284:19
    #41 0x7f7525afd133 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4390:10
    #42 0x7f7525afe6ce in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4494:8
    #43 0x7f7525aff59f in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4599:16
    #44 0x4dfbfb in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:254:10
    #45 0x4dfbfb in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:427
    #46 0x7f75368b3ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:951:3 in CanonicalizeXPCOMParticipant
Shadow bytes around the buggy address:
  0x0c227fff9020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9030: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c227fff9040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff9060: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff9070:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c227fff9090: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff90a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff90b0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c227fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2160==ABORTING
coder@TheCoderPC:~/FirefoxBuilds/new/firefox$
Attachment #8766143 - Attachment mime type: application/javascript → text/plain
Could you please look at this, Andrea? It looks like a JS reflector has a reference to a dead worker XHR object. The test case involves SharedWorker and BroadcastChannel.
Flags: needinfo?(amarchesini)
Group: core-security → dom-core-security
Flags: sec-bounty?
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attached patch crash2.patchSplinter Review
Attachment #8766733 - Flags: review?(khuey)
If you could change the summary to something more specific that would be good, Andrea.
Comment on attachment 8766733 [details] [diff] [review]
crash2.patch

Review of attachment 8766733 [details] [diff] [review]:
-----------------------------------------------------------------

r- for providing no explanation of what the bug is or how this patch fixes it.
Attachment #8766733 - Flags: review?(khuey) → review-
Attached file smaller test case
Here is a smaller test case that shows what the problem is about: nested sync event loops in workers.
What happens here is that we have a worker loading a script. This script closes the worker calling close(). The onclose callback is executed and it does a sync XHR.

Here is some gdb log: https://pastebin.mozilla.org/8880943

From an event loop point of view we have this scenario:

1. importScript creates a sync event loop. We execute the script and it calls close(). At the end of this sync event loop we call ClearMainEventQueue() because of DestroySyncLoop().

2. From here, one of the events is the CloseEventRunnable. We execute the onclose code.

3. In onclose we do a sync XHR - a new sync event loop. This event loop ends as well and we end up calling ClearMainEventQueue again.

This should not happen and the reason why it happens is that we still think that there is a mPendingEventQueueClearing operation to do. Check this code:

  if (mSyncLoopStack.IsEmpty() && mPendingEventQueueClearing) {
    ClearMainEventQueue(WorkerRan);
    mPendingEventQueueClearing = false;
  }

The fix is about changing when mPendingEventQueueClearing has to be set to false:


  if (mSyncLoopStack.IsEmpty() && mPendingEventQueueClearing) {
    mPendingEventQueueClearing = false;
    ClearMainEventQueue(WorkerRan);
  }
Attachment #8766733 - Flags: review- → review?(khuey)
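The re-entrancy the comment above describes, as an added model that is not Gecko's code: a hypothetical WorkerModel with the sync-loop stack, the mPendingEventQueueClearing flag and a main queue whose runnable (the CloseEventRunnable) starts a nested sync loop for the onclose sync XHR. With the buggy ordering the nested loop's DestroySyncLoop still sees the flag set and drains the queue a second time; clearing the flag before draining prevents that.

```cpp
#include <functional>
#include <vector>
// Model of the worker's sync-loop bookkeeping (hypothetical names, not Gecko's).
struct WorkerModel {
  bool clearFlagFirst;                      // true = fixed ordering, false = buggy
  bool mPendingEventQueueClearing = true;   // set because the script called close()
  std::vector<int> mSyncLoopStack;
  std::vector<std::function<void()>> mainQueue;
  int clearCount = 0;                       // how often ClearMainEventQueue ran

  explicit WorkerModel(bool fixed) : clearFlagFirst(fixed) {}
  // Drains the main event queue; a runnable may itself start a nested sync loop.
  void ClearMainEventQueue() {
    ++clearCount;
    while (!mainQueue.empty()) {
      auto r = mainQueue.front();
      mainQueue.erase(mainQueue.begin());
      r();
    }
  }
  void DestroySyncLoop() {
    mSyncLoopStack.pop_back();
    if (mSyncLoopStack.empty() && mPendingEventQueueClearing) {
      if (clearFlagFirst) {
        mPendingEventQueueClearing = false;   // the fix: clear before draining
        ClearMainEventQueue();
      } else {
        ClearMainEventQueue();                // bug: nested loop sees flag still set
        mPendingEventQueueClearing = false;
      }
    }
  }
  void RunSyncLoop(const std::function<void()>& body) {
    mSyncLoopStack.push_back(1);
    body();
    DestroySyncLoop();
  }
};
// Scenario from the comment: importScripts loop -> close() -> onclose does a sync XHR.
// Returns how many times the main queue was cleared (2 with the bug, 1 with the fix).
int ClearCountForScenario(bool fixed) {
  WorkerModel w(fixed);
  w.RunSyncLoop([&] {
    // script called close(): the CloseEventRunnable is queued; onclose runs a sync XHR
    w.mainQueue.push_back([&] { w.RunSyncLoop([] {}); });
  });
  return w.clearCount;
}
```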
Comment on attachment 8766733 [details] [diff] [review]
crash2.patch

Review of attachment 8766733 [details] [diff] [review]:
-----------------------------------------------------------------

Ok.  So this is a regression from bug 1208687, right?
Attachment #8766733 - Flags: review?(khuey) → review+
Depends on: 1208687
Comment on attachment 8766733 [details] [diff] [review]
crash2.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

I don't think it's possible to exploit this bug. But for sure it's easy to reproduce.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No. We just improve how a method is executed recursively.

Which older supported branches are affected by this flaw?

All. The bug has been introduced by 1208687.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

It's easy to backport.

How likely is this patch to cause regressions; how much testing does it need?

No regressions.
Attachment #8766733 - Flags: sec-approval?
Blocks: 1208687
No longer depends on: 1208687
Regression from 44, tracking for current versions.  Given that comment 9 says it is not easy and may not be possible to exploit this bug we probably don't need to consider this for 47.
Version: 50 Branch → 44 Branch
Keywords: regression
sec-approval+ for trunk.

Once it is there, we'll want it on Aurora, Beta, and ESR45. Please prepare and nominate patches for those branches.
Attachment #8766733 - Flags: sec-approval? → sec-approval+
Comment on attachment 8766733 [details] [diff] [review]
crash2.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: FF crashes
Fix Landed on Version: current m-i.
Risk to taking this patch (and alternatives if risky): no risks at all. We just move 1 boolean flag.
String or UUID changes made by this patch: none


Approval Request Comment
[Feature/regressing bug #]: bug 1208687
[User impact if declined]: FF crashes when nested event loops are used in workers.
[Describe test coverage new/current, TreeHerder]: no tests.
[Risks and why]: no risks. This patch moves 1 boolean in order to avoid a recursion.
[String/UUID change made/needed]: none
Attachment #8766733 - Flags: approval-mozilla-esr45?
Attachment #8766733 - Flags: approval-mozilla-beta?
Attachment #8766733 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/98590457779d
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Group: dom-core-security → core-security-release
Comment on attachment 8766733 [details] [diff] [review]
crash2.patch

Sec-crit, Beta48+, Aurora49+, ESR45+
Attachment #8766733 - Flags: approval-mozilla-esr45?
Attachment #8766733 - Flags: approval-mozilla-esr45+
Attachment #8766733 - Flags: approval-mozilla-beta?
Attachment #8766733 - Flags: approval-mozilla-beta+
Attachment #8766733 - Flags: approval-mozilla-aurora?
Attachment #8766733 - Flags: approval-mozilla-aurora+
Flags: sec-bounty? → sec-bounty+
Reproduced the issue using the following platforms/builds:

Windows 10 x64 VM (Reproduced Issue)
====================================

** Build Used: https://archive.mozilla.org/pub/firefox/nightly/2016/06/2016-06-28-03-02-38-mozilla-central/
** https://crash-stats.mozilla.com/report/index/d265b9c1-f809-4f54-b5c7-7b4a22160721
** https://crash-stats.mozilla.com/report/index/761ef303-845a-405e-a886-a641d2160721

Ubuntu 14.04.4 LTS VM (Reproduced Issue)
========================================

* Build Used: https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.nightly.2016.06.28.latest.firefox/gecko.v2.mozilla-central.nightly.2016.06.28.latest.firefox.linux64-asan

=================================================================
==4468==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000429040 at pc 0x7f8a04e78343 bp 0x7f89e115b230 sp 0x7f89e115b228
READ of size 8 at 0x611000429040 thread T28 (DOM Worker)
    #0 0x7f8a04e78342 in CanonicalizeXPCOMParticipant nsCycleCollector.cpp:951
    #1 0x7f8a04e66df0 in NoteGCThingXPCOMChildren CycleCollectedJSRuntime.cpp:654 (discriminator 1)
    #2 0x7f8a04e5faa9 in TraverseGCThing CycleCollectedJSRuntime.cpp:697 (discriminator 1)
    #3 0x7f8a04e5f6ba in Traverse CycleCollectedJSRuntime.cpp:304 (discriminator 1)
    #4 0x7f8a04e76164 in BuildGraph nsCycleCollector.cpp:2284 (discriminator 1)
    #5 0x7f8a04e7c4bb in MarkRoots nsCycleCollector.cpp:2896 (discriminator 2)
    #6 0x7f8a04e81aa2 in Collect nsCycleCollector.cpp:3670

Went through verification using the following builds:

* https://archive.mozilla.org/pub/firefox/nightly/2016/06/2016-06-28-03-02-38-mozilla-central/
* https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.latest.firefox/gecko.v2.mozilla-central.latest.firefox.linux64-asan
* https://archive.mozilla.org/pub/firefox/nightly/2016/07/2016-07-21-00-40-19-mozilla-aurora/
* https://archive.mozilla.org/pub/firefox/candidates/48.0b9-candidates/build1/win32/en-US/

Windows 10 x64 VM: PASSED
=========================

* fx50.0a1, buildId: 20160721030216, changeset: d224fc999cb6 - PASSED
* fx49.0a2, buildId: 20160721004019, changeset: aa3cda908cd8 - PASSED
* fx48.0b9, buildId: 20160718142219, changeset: d2ab9c39bd10 - PASSED

Ubuntu 14.04.4 LTS VM: PASSED
=============================

* fx50.0a1, buildId: 20160721072522 (ASan build linked above) - PASSED
* fx49.0a2, buildId: 20160721004019, changeset: aa3cda908cd8 - PASSED
* fx48.0b9, buildId: 20160718142219, changeset: d2ab9c39bd10 - PASSED

The esr 45.3 candidates are not available yet, I'll go through those verifications once the builds are available.
Alias: CVE-2016-5259
Whiteboard: [adv-main48+][adv-esr45.3+]
Went through verification using the following builds:
* https://archive.mozilla.org/pub/firefox/candidates/45.3.0esr-candidates/build1/win32/en-US/
* https://archive.mozilla.org/pub/firefox/candidates/45.3.0esr-candidates/build1/linux-x86_64/en-US/

Windows 10 x64 VM: PASSED
=========================

* fx45.3.0esr, buildId: 20160725105554, changeset: 0a590ea8e1cc - PASSED

Ubuntu 14.04.4 LTS VM: PASSED
=============================

* fx45.3.0esr, buildId: 20160725105554, changeset: 0a590ea8e1cc - PASSED
Status: RESOLVED → VERIFIED
Group: core-security-release