Closed Bug 1317807 Opened 8 years ago Closed 8 years ago

<canvas> fuzzer triggers Nightly crash in PLDHashTable::Search

Categories

(Firefox :: Untriaged, defect)

x86_64
Windows 8.1
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1317415
Tracking Status
firefox53 --- affected

People

(Reporter: geeknik, Unassigned)

References

Details

(Keywords: crash, reporter-external)

While fuzzing Nightly with lcamtuf's <canvas> fuzzer, a crash in PLDHashTable::Search was triggered. Unfortunately, there is no breakpad crash report for this.

windbg + 5e76768327660437bf3486554ad318e4b70276e1:

(4584.357c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!PLDHashTable::Search+0x1e:
00007ffe`d110c2e2 ff10            call    qword ptr [rax] ds:e5e5e5e5`e5e5e5e5=????????????????

2:031> ~* kp
   4  Id: 4584.4874 Suspend: 1 Teb: 00007ff7`9af0a000 Unfrozen "StreamTrans #5"
Child-SP          RetAddr           Call Site
000000a6`00dff588 00007ffe`f3c91118 ntdll!ZwWaitForSingleObject+0xa
000000a6`00dff590 00007ffe`de9d291c KERNELBASE!WaitForSingleObjectEx+0x94
000000a6`00dff630 00007ffe`d13be92c nss3!PR_WaitCondVar(struct PRCondVar * cvar = 0x00000000`4d813b51, unsigned int timeout = 0x636cc868)+0x13c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\nsprpub\pr\src\threads\combined\prucv.c @ 525]
000000a6`00dff670 00007ffe`d1190243 xul!mozilla::CondVar::Wait(unsigned int aInterval = 0xdff6e8)+0x20 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\condvar.h @ 79]
000000a6`00dff6a0 00007ffe`d118c093 xul!nsThreadPool::Run(void)+0x23f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 217]
000000a6`00dff730 00007ffe`d118b7c6 xul!nsThread::ProcessNextEvent(bool aMayWait = true, bool * aResult = 0x00000000`00000000)+0x3df [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1216]
000000a6`00dff840 00007ffe`d1189e50 xul!NS_ProcessNextEvent(class nsIThread * aThread = 0x000000a6`06b70101, bool aMayWait = true)+0x22 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
000000a6`00dff870 00007ffe`d13762bb xul!mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate * aDelegate = 0x000000a6`00dff9a8)+0xb0 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 338]
000000a6`00dff8e0 00007ffe`d137627e xul!MessageLoop::RunHandler(void)+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
000000a6`00dff910 00007ffe`d137541d xul!MessageLoop::Run(void)+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
000000a6`00dff960 00007ffe`de9d38de xul!nsThread::ThreadFunc(void * aArg = 0x00000000`00000000)+0xc1 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 469]
000000a6`00dff9d0 00007ffe`de9d332a nss3!_PR_NativeRunThread(void * arg = 0x000000a6`002143e0)+0x10a [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\nsprpub\pr\src\threads\combined\pruthr.c @ 419]
000000a6`00dffa00 00007ffe`e7f7cab0 nss3!pr_root(void * arg = 0x00000000`00000000)+0xa [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\nsprpub\pr\src\md\windows\w95thred.c @ 96]
000000a6`00dffa30 00007ffe`f47113d2 ucrtbase!o__realloc_base+0x60
000000a6`00dffa60 00007ffe`f68654e4 KERNEL32!BaseThreadInitThunk+0x22
000000a6`00dffa90 00000000`00000000 ntdll!RtlUserThreadStart+0x34
^ User interrupted operation error in '~* kp'

2:031> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\System32\msmpeg2vdec.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\mf.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Stardock\Start8\Start8_64.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SYSTEM32\nvwgf2umx.dll -

FAULTING_IP:
xul!PLDHashTable::Search+1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp @ 520]
00007ffe`d110c2e2 ff10            call    qword ptr [rax]

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffed110c2e2 (xul!PLDHashTable::Search+0x000000000000001e)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

FAULTING_THREAD:  000000000000357c
PROCESS_NAME:  firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  0000000000000000
EXCEPTION_PARAMETER2:  ffffffffffffffff
READ_ADDRESS:  ffffffffffffffff

FOLLOWUP_IP:
xul!PLDHashTable::Search+1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp @ 520]
00007ffe`d110c2e2 ff10            call    qword ptr [rax]

NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5
LAST_CONTROL_TRANSFER:  from 00007ffed2121358 to 00007ffed110c2e2

STACK_TEXT:
000000a6`54faefe0 00007ffe`d2121358 : 000000a6`03046340 00007ffe`d3f32a80 000000a6`7138ef50 00000000`00000001 : xul!PLDHashTable::Search+0x1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp @ 520]
000000a6`54faf010 00007ffe`d1952859 : 000000a6`6fff2f80 000000a6`006de368 000000a6`0010b3e0 00007ffe`d3f32a80 : xul!mozilla::dom::DOMIntersectionObserver::UnlinkTarget+0x24 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\domintersectionobserver.cpp @ 170]
000000a6`54faf040 00007ffe`d10c203a : 000000a6`6fff38e0 000000a6`6fff2fe0 00000000`00000554 00000000`00000012 : xul!nsNodeUtils::LastRelease+0x8917ad [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\nsnodeutils.cpp @ 305]
000000a6`54faf0a0 00007ffe`d1519fc0 : 000000a6`54faf100 000000a6`0010d000 000000a6`000b42a0 00000000`00000116 : xul!nsTextNode::Release+0x14e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\nstextnode.cpp @ 100]
000000a6`54faf0e0 00007ffe`d15191df : 00000000`0000050e 000000a6`54faf200 000000a6`000b42a0 00007ffe`f45a08d6 : xul!mozilla::SegmentedVector<nsCOMPtr<nsISupports>,4096,mozilla::MallocAllocPolicy>::PopLastN+0x7c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\segmentedvector.h @ 266]
000000a6`54faf110 00007ffe`d1519147 : 00000000`00c68a77 00000000`00000002 000000a6`005e7070 00007ffe`ed706541 : xul!mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize+0x3f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\dom\bindingutils.h @ 2823]
000000a6`54faf140 00007ffe`d1804dd1 : 00000313`de0f9e00 000000a6`005e7070 00000000`001dfbc8 000000a6`54faf2d9 : xul!mozilla::IncrementalFinalizeRunnable::ReleaseNow+0x11f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\base\cyclecollectedjscontext.cpp @ 1514]
000000a6`54faf1d0 00007ffe`d118c093 : 000000a6`005e7070 000000a6`54faf2d9 000000a6`56b2f168 000000a6`56b8a800 : xul!mozilla::IncrementalFinalizeRunnable::Run+0x31 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\base\cyclecollectedjscontext.cpp @ 1549]
000000a6`54faf230 00007ffe`d118b9d5 : 000000a6`56b12ce0 000000a6`56b12ce0 000000a6`54faf690 000000a6`56b12ce0 : xul!nsThread::ProcessNextEvent+0x3df [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1216]
000000a6`54faf340 00007ffe`d1d44ad4 : 000000a6`56b12ce0 000000a6`54faf601 000000a6`54faf601 00000000`0000000c : xul!mozilla::ipc::MessagePump::Run+0x9d [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96]
000000a6`54faf3c0 00007ffe`d13762bb : 000000a6`54faf690 000000a6`54faf6b0 00000000`00004701 00007ffe`dea11e2d : xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 302]
000000a6`54faf3f0 00007ffe`d137627e : 000000a6`54faf478 000000a6`56b02098 00007ffe`d3f09ac0 00007ffe`d11271ca : xul!MessageLoop::RunHandler+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
000000a6`54faf420 00007ffe`d1537c80 : 000000a6`5e4f0ca0 000000a6`5eb18b80 00000000`00004701 000000a6`54faf690 : xul!MessageLoop::Run+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
000000a6`54faf470 00007ffe`d1537940 : 000000a6`5e4f0ca0 00007ffe`d13c2f36 00005f13`7e1351b0 000000a6`5e4f0ca0 : xul!nsBaseAppShell::Run+0x3c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
000000a6`54faf4a0 00007ffe`d2eb385a : 00000000`00000003 00000000`00004701 000000a6`54faf549 00007ffe`d2eb2ac5 : xul!nsAppShell::Run+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 264]
000000a6`54faf4d0 00007ffe`d1d44a8d : 000000a6`5e4f0ca0 00000000`00000000 00000000`00000002 00007ffe`d35350c8 : xul!XRE_RunAppShell+0x2e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nsembedfunctions.cpp @ 869]
000000a6`54faf500 00007ffe`d13762bb : 000000a6`54faf690 000000a6`54faf6b0 00000000`00004701 000000a6`54faf550 : xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x29 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 278]
000000a6`54faf530 00007ffe`d137627e : 00005f13`00000fff 000000a6`56b02098 00000000`00000003 00007ffe`d16d9e9a : xul!MessageLoop::RunHandler+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
000000a6`54faf560 00007ffe`d2eb34e3 : 000000a6`5e632400 000000a6`54faf6b0 00000000`00000003 00000000`0000000c : xul!MessageLoop::Run+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
000000a6`54faf5b0 00007ff7`9b33b116 : 00000000`0000000b 000000a6`56b020e0 000000a6`56b02080 00007ff7`9b3568a0 : xul!XRE_InitChildProcess+0x627 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nsembedfunctions.cpp @ 705]
000000a6`54faf820 00007ff7`9b338669 : 00000000`0000000c 00000000`0000000c 000000a6`56b020e0 00000000`00000480 : firefox!content_process_main+0x8e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\contentproc\plugin-container.cpp @ 198]
000000a6`54faf870 00007ff7`9b336615 : 00000000`00000000 00007ff7`9af09000 00000000`00000000 00000000`00000000 : firefox!wmain+0x54f9 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 115]
000000a6`54fafc70 00007ffe`f47113d2 : 00007ff7`9b336670 00007ff7`9af09000 00000000`00000000 00000000`00000000 : firefox!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000a6`54fafcb0 00007ffe`f68654e4 : 00007ffe`f47113b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000a6`54fafce0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34

FAULTING_SOURCE_CODE:
No source found for 'c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp'

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  xul!PLDHashTable::Search+1e
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: xul
IMAGE_NAME:  xul.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  582b18a2
STACK_COMMAND:  ~31s ; kb
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5_c0000005_xul.dll!PLDHashTable::Search
BUCKET_ID:  X64_APPLICATION_FAULT_INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5_xul!PLDHashTable::Search+1e
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox_exe/53_0_0_6163/582b1264/xul_dll/53_0_0_6163/582b18a2/c0000005/000fc2e2.htm?Retriage=1
Followup: MachineOwner
Flags: sec-bounty?
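Editor's note on reading the dump above, with an added example (written for this page; not code from this bug, from the fuzzer, or from Mozilla). The two facts that let !analyze bucket this as INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5 are visible in the faulting-instruction line: the `call qword ptr [rax]` dereferences `e5e5e5e5`e5e5e5e5`, and 0xe5 is the byte mozjemalloc writes over freed memory, so the pointer in rax was loaded from an object that had already been freed (a use-after-free, which is what comment 3 confirms). The reported fault address `ffffffffffffffff` is not the address that was touched: 0xe5e5e5e5e5e5e5e5 is a non-canonical x86-64 address, which raises a general-protection fault rather than a page fault, so the OS has no faulting address to report and fills in -1. The code below reproduces that triage: it parses the `ds:<addr>` annotation windbg prints, checks for a repeated-byte fill pattern, maps the byte to the allocator that writes it, and flags non-canonical values. The sample line is constructed in the shape of the one in the report; the fill-byte table is the editor's (0xe5/0xe4 for mozjemalloc freed/fresh memory, 0xdd/0xcd for the MSVC debug CRT), not something the bug states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What a register or effective-address value at a crash site most likely is. */
typedef enum {
    VAL_ORDINARY = 0,        /* no recognised fill pattern */
    VAL_MOZJEMALLOC_FREED,   /* 0xe5 repeated: mozjemalloc poisons freed memory with 0xe5 */
    VAL_MOZJEMALLOC_FRESH,   /* 0xe4 repeated: mozjemalloc junk-fills new allocations with 0xe4 */
    VAL_MSVC_DEBUG_UNINIT,   /* 0xcd repeated: MSVC debug CRT fills new heap memory with 0xcd */
    VAL_MSVC_DEBUG_FREED     /* 0xdd repeated: MSVC debug CRT fills freed heap memory with 0xdd */
} val_kind;

/* Constructed sample in the shape of the faulting-instruction line windbg printed
 * for this crash (the editor's test input, not a copy of a crash report). */
static const char SAMPLE_LINE[] =
    "00007ffe`d110c2e2 ff10            call    qword ptr [rax] "
    "ds:e5e5e5e5`e5e5e5e5=????????????????";

/* True if all 8 bytes of v are the same byte, i.e. what a qword load from a
 * memset-style fill looks like. The byte is returned in *b. */
static bool repeated_byte(uint64_t v, uint8_t *b)
{
    uint8_t lo = (uint8_t)v;
    if (v != 0x0101010101010101ULL * lo)
        return false;
    *b = lo;
    return true;
}

val_kind classify_value(uint64_t v)
{
    uint8_t b;
    if (!repeated_byte(v, &b))
        return VAL_ORDINARY;
    switch (b) {
    case 0xe5: return VAL_MOZJEMALLOC_FREED;
    case 0xe4: return VAL_MOZJEMALLOC_FRESH;
    case 0xcd: return VAL_MSVC_DEBUG_UNINIT;
    case 0xdd: return VAL_MSVC_DEBUG_FREED;
    default:   return VAL_ORDINARY;   /* 0x00, 0xff and other repeats carry no allocator meaning here */
    }
}

/* A canonical x86-64 address has bits 63..47 all equal to bit 47. Touching a
 * non-canonical one raises #GP instead of #PF, so Windows reports the faulting
 * address as ffffffffffffffff rather than the real value. */
bool non_canonical(uint64_t v)
{
    uint64_t top = v >> 47;            /* the 17 bits 63..47 */
    return top != 0 && top != 0x1ffff;
}

/* Parse a windbg 64-bit hex value such as "e5e5e5e5`e5e5e5e5"; windbg prints a
 * backtick between the two 32-bit halves. Stops at the first other character. */
bool parse_windbg_u64(const char *s, uint64_t *out)
{
    uint64_t v = 0;
    int digits = 0;
    for (; *s; s++) {
        int d;
        if (*s == '`') continue;
        if (*s >= '0' && *s <= '9')      d = *s - '0';
        else if (*s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else if (*s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else break;
        if (++digits > 16) return false;  /* more than a qword: not a value we understand */
        v = (v << 4) | (uint64_t)d;
    }
    if (digits == 0) return false;
    *out = v;
    return true;
}

/* windbg appends "ds:<addr>=<value>" to a faulting memory instruction, showing the
 * effective address it touched. Extract and classify it; *addr receives the address. */
val_kind triage_fault_line(const char *line, uint64_t *addr)
{
    const char *p = strstr(line, "ds:");
    *addr = 0;
    if (!p || !parse_windbg_u64(p + 3, addr))
        return VAL_ORDINARY;
    return classify_value(*addr);
}

const char *verdict(val_kind k)
{
    switch (k) {
    case VAL_MOZJEMALLOC_FREED: return "likely use-after-free: pointer read from memory freed by mozjemalloc";
    case VAL_MOZJEMALLOC_FRESH: return "likely uninitialised read: mozjemalloc junk-filled, never written";
    case VAL_MSVC_DEBUG_FREED:  return "likely use-after-free: MSVC debug CRT freed-heap fill";
    case VAL_MSVC_DEBUG_UNINIT: return "likely uninitialised read: MSVC debug CRT new-heap fill";
    default:                    return "no fill pattern: ordinary pointer or unrelated value";
    }
}

/* Convenience wrappers over the constructed sample so results can be checked by name. */
uint64_t sample_address(void) { uint64_t a; triage_fault_line(SAMPLE_LINE, &a); return a; }
val_kind sample_kind(void)    { uint64_t a; return triage_fault_line(SAMPLE_LINE, &a); }

int main(void)
{
    uint64_t a = sample_address();
    printf("effective address 0x%016llx: %s%s\n", (unsigned long long)a, verdict(sample_kind()),
           non_canonical(a) ? " (non-canonical, so the OS reports the fault address as -1)" : "");
    return 0;
}
```

The same check applies to the raw register dump (`r` in windbg): a poison value in a register that was just loaded from an object, as rax was here, points at the freed object; a poison value as the read target of a plain `mov` usually means the freed memory held a pointer field. Either way the next step is `!heap` or a jemalloc-aware allocation log, not the faulting address, which here is uninformative by construction.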
Do you have the actual testcase that triggered the crash?
Component: Search → Untriaged
Flags: needinfo?(geeknik)
I'm sorry, but I only have the canvas.html which I downloaded and ran locally. I selected all of the options and within 15 minutes, was rewarded with this crash. I haven't been able to successfully reduce it.
Flags: needinfo?(geeknik)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Brian, we had already identified this issue as a use-after-free and were working on it when you reported this one.
Group: firefox-core-security