Closed
Bug 1317807
Opened 8 years ago
Closed 8 years ago
<canvas> fuzzer triggers Nightly crash in PLDHashTable::Search
Categories
(Firefox :: Untriaged, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1317415
| Tracking | Status
---|---|---
firefox53 | --- | affected
People
(Reporter: geeknik, Unassigned)
Details
(Keywords: crash, reporter-external)
While fuzzing Nightly with lcamtuf's <canvas> fuzzer, a crash in PLDHashTable::Search was triggered. Unfortunately, there is no breakpad crash report for this.
windbg + 5e76768327660437bf3486554ad318e4b70276e1:
(4584.357c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!PLDHashTable::Search+0x1e:
00007ffe`d110c2e2 ff10 call qword ptr [rax] ds:e5e5e5e5`e5e5e5e5=????????????????
2:031> ~* kp
4 Id: 4584.4874 Suspend: 1 Teb: 00007ff7`9af0a000 Unfrozen "StreamTrans #5"
Child-SP RetAddr Call Site
000000a6`00dff588 00007ffe`f3c91118 ntdll!ZwWaitForSingleObject+0xa
000000a6`00dff590 00007ffe`de9d291c KERNELBASE!WaitForSingleObjectEx+0x94
000000a6`00dff630 00007ffe`d13be92c nss3!PR_WaitCondVar(struct PRCondVar * cvar = 0x00000000`4d813b51, unsigned int timeout = 0x636cc868)+0x13c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\nsprpub\pr\src\threads\combined\prucv.c @ 525]
000000a6`00dff670 00007ffe`d1190243 xul!mozilla::CondVar::Wait(unsigned int aInterval = 0xdff6e8)+0x20 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\condvar.h @ 79]
000000a6`00dff6a0 00007ffe`d118c093 xul!nsThreadPool::Run(void)+0x23f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 217]
000000a6`00dff730 00007ffe`d118b7c6 xul!nsThread::ProcessNextEvent(bool aMayWait = true, bool * aResult = 0x00000000`00000000)+0x3df [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1216]
000000a6`00dff840 00007ffe`d1189e50 xul!NS_ProcessNextEvent(class nsIThread * aThread = 0x000000a6`06b70101, bool aMayWait = true)+0x22 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
000000a6`00dff870 00007ffe`d13762bb xul!mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate * aDelegate = 0x000000a6`00dff9a8)+0xb0 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 338]
000000a6`00dff8e0 00007ffe`d137627e xul!MessageLoop::RunHandler(void)+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
000000a6`00dff910 00007ffe`d137541d xul!MessageLoop::Run(void)+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
000000a6`00dff960 00007ffe`de9d38de xul!nsThread::ThreadFunc(void * aArg = 0x00000000`00000000)+0xc1 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 469]
000000a6`00dff9d0 00007ffe`de9d332a nss3!_PR_NativeRunThread(void * arg = 0x000000a6`002143e0)+0x10a [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\nsprpub\pr\src\threads\combined\pruthr.c @ 419]
000000a6`00dffa00 00007ffe`e7f7cab0 nss3!pr_root(void * arg = 0x00000000`00000000)+0xa [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\nsprpub\pr\src\md\windows\w95thred.c @ 96]
000000a6`00dffa30 00007ffe`f47113d2 ucrtbase!o__realloc_base+0x60
000000a6`00dffa60 00007ffe`f68654e4 KERNEL32!BaseThreadInitThunk+0x22
000000a6`00dffa90 00000000`00000000 ntdll!RtlUserThreadStart+0x34
^ User interrupted operation error in '~* kp'
2:031> !analyze -v -f
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\System32\msmpeg2vdec.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mf.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Stardock\Start8\Start8_64.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SYSTEM32\nvwgf2umx.dll -
FAULTING_IP:
xul!PLDHashTable::Search+1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp @ 520]
00007ffe`d110c2e2 ff10 call qword ptr [rax]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ffed110c2e2 (xul!PLDHashTable::Search+0x000000000000001e)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
FAULTING_THREAD: 000000000000357c
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: ffffffffffffffff
FOLLOWUP_IP:
xul!PLDHashTable::Search+1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp @ 520]
00007ffe`d110c2e2 ff10 call qword ptr [rax]
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5
LAST_CONTROL_TRANSFER: from 00007ffed2121358 to 00007ffed110c2e2
STACK_TEXT:
000000a6`54faefe0 00007ffe`d2121358 : 000000a6`03046340 00007ffe`d3f32a80 000000a6`7138ef50 00000000`00000001 : xul!PLDHashTable::Search+0x1e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp @ 520]
000000a6`54faf010 00007ffe`d1952859 : 000000a6`6fff2f80 000000a6`006de368 000000a6`0010b3e0 00007ffe`d3f32a80 : xul!mozilla::dom::DOMIntersectionObserver::UnlinkTarget+0x24 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\domintersectionobserver.cpp @ 170]
000000a6`54faf040 00007ffe`d10c203a : 000000a6`6fff38e0 000000a6`6fff2fe0 00000000`00000554 00000000`00000012 : xul!nsNodeUtils::LastRelease+0x8917ad [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\nsnodeutils.cpp @ 305]
000000a6`54faf0a0 00007ffe`d1519fc0 : 000000a6`54faf100 000000a6`0010d000 000000a6`000b42a0 00000000`00000116 : xul!nsTextNode::Release+0x14e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\dom\base\nstextnode.cpp @ 100]
000000a6`54faf0e0 00007ffe`d15191df : 00000000`0000050e 000000a6`54faf200 000000a6`000b42a0 00007ffe`f45a08d6 : xul!mozilla::SegmentedVector<nsCOMPtr<nsISupports>,4096,mozilla::MallocAllocPolicy>::PopLastN+0x7c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\segmentedvector.h @ 266]
000000a6`54faf110 00007ffe`d1519147 : 00000000`00c68a77 00000000`00000002 000000a6`005e7070 00007ffe`ed706541 : xul!mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize+0x3f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\dom\bindingutils.h @ 2823]
000000a6`54faf140 00007ffe`d1804dd1 : 00000313`de0f9e00 000000a6`005e7070 00000000`001dfbc8 000000a6`54faf2d9 : xul!mozilla::IncrementalFinalizeRunnable::ReleaseNow+0x11f [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\base\cyclecollectedjscontext.cpp @ 1514]
000000a6`54faf1d0 00007ffe`d118c093 : 000000a6`005e7070 000000a6`54faf2d9 000000a6`56b2f168 000000a6`56b8a800 : xul!mozilla::IncrementalFinalizeRunnable::Run+0x31 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\base\cyclecollectedjscontext.cpp @ 1549]
000000a6`54faf230 00007ffe`d118b9d5 : 000000a6`56b12ce0 000000a6`56b12ce0 000000a6`54faf690 000000a6`56b12ce0 : xul!nsThread::ProcessNextEvent+0x3df [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1216]
000000a6`54faf340 00007ffe`d1d44ad4 : 000000a6`56b12ce0 000000a6`54faf601 000000a6`54faf601 00000000`0000000c : xul!mozilla::ipc::MessagePump::Run+0x9d [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96]
000000a6`54faf3c0 00007ffe`d13762bb : 000000a6`54faf690 000000a6`54faf6b0 00000000`00004701 00007ffe`dea11e2d : xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 302]
000000a6`54faf3f0 00007ffe`d137627e : 000000a6`54faf478 000000a6`56b02098 00007ffe`d3f09ac0 00007ffe`d11271ca : xul!MessageLoop::RunHandler+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
000000a6`54faf420 00007ffe`d1537c80 : 000000a6`5e4f0ca0 000000a6`5eb18b80 00000000`00004701 000000a6`54faf690 : xul!MessageLoop::Run+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
000000a6`54faf470 00007ffe`d1537940 : 000000a6`5e4f0ca0 00007ffe`d13c2f36 00005f13`7e1351b0 000000a6`5e4f0ca0 : xul!nsBaseAppShell::Run+0x3c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
000000a6`54faf4a0 00007ffe`d2eb385a : 00000000`00000003 00000000`00004701 000000a6`54faf549 00007ffe`d2eb2ac5 : xul!nsAppShell::Run+0x2c [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 264]
000000a6`54faf4d0 00007ffe`d1d44a8d : 000000a6`5e4f0ca0 00000000`00000000 00000000`00000002 00007ffe`d35350c8 : xul!XRE_RunAppShell+0x2e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nsembedfunctions.cpp @ 869]
000000a6`54faf500 00007ffe`d13762bb : 000000a6`54faf690 000000a6`54faf6b0 00000000`00004701 000000a6`54faf550 : xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x29 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 278]
000000a6`54faf530 00007ffe`d137627e : 00005f13`00000fff 000000a6`56b02098 00000000`00000003 00007ffe`d16d9e9a : xul!MessageLoop::RunHandler+0x1b [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
000000a6`54faf560 00007ffe`d2eb34e3 : 000000a6`5e632400 000000a6`54faf6b0 00000000`00000003 00000000`0000000c : xul!MessageLoop::Run+0x3e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
000000a6`54faf5b0 00007ff7`9b33b116 : 00000000`0000000b 000000a6`56b020e0 000000a6`56b02080 00007ff7`9b3568a0 : xul!XRE_InitChildProcess+0x627 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nsembedfunctions.cpp @ 705]
000000a6`54faf820 00007ff7`9b338669 : 00000000`0000000c 00000000`0000000c 000000a6`56b020e0 00000000`00000480 : firefox!content_process_main+0x8e [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\ipc\contentproc\plugin-container.cpp @ 198]
000000a6`54faf870 00007ff7`9b336615 : 00000000`00000000 00007ff7`9af09000 00000000`00000000 00000000`00000000 : firefox!wmain+0x54f9 [c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 115]
000000a6`54fafc70 00007ffe`f47113d2 : 00007ff7`9b336670 00007ff7`9af09000 00000000`00000000 00000000`00000000 : firefox!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000a6`54fafcb0 00007ffe`f68654e4 : 00007ffe`f47113b0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000a6`54fafce0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
FAULTING_SOURCE_CODE:
No source found for 'c:\builds\moz2_slave\m-cen-w64-ntly-000000000000000\build\src\xpcom\glue\pldhashtable.cpp'
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: xul!PLDHashTable::Search+1e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: xul
IMAGE_NAME: xul.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 582b18a2
STACK_COMMAND: ~31s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5_c0000005_xul.dll!PLDHashTable::Search
BUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5_xul!PLDHashTable::Search+1e
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/firefox_exe/53_0_0_6163/582b1264/xul_dll/53_0_0_6163/582b18a2/c0000005/000fc2e2.htm?Retriage=1
Followup: MachineOwner
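The bucket name above, INVALID_POINTER_READ_CALL_FILL_PATTERN_e5e5e5e5, is the diagnostic that matters: 0xe5 is the byte Mozilla's jemalloc writes over an allocation when it is freed, so a `call qword ptr [rax]` with rax = e5e5e5e5`e5e5e5e5 means Search loaded the table's ops pointer out of memory that had already been freed. Read together with the stack (UnlinkTarget on the observer's table during a deferred release of a text node), that is the use-after-free Comment 4 confirms. The following is an added example, not Mozilla code; the table and ops structs are hypothetical simplifications of PLDHashTable and its ops table, and the one-slot allocator only stands in for jemalloc's free poisoning. It shows why a stale pointer into a poisoned chunk faults on an all-e5 address, and how to recognise that signature during triage:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Mozilla code). POISON_BYTE is the value Mozilla's
 * jemalloc writes over an allocation when it is freed; the struct names
 * below are hypothetical simplifications of PLDHashTable and its ops table. */
#define POISON_BYTE 0xe5u

typedef uint32_t (*hash_fn)(const char *key);

struct table_ops {
    hash_fn hash_key;   /* first slot, the one `call qword ptr [rax]` reaches */
};

struct table {
    const struct table_ops *ops;
    uint32_t entry_count;
};

/* Toy allocator with one static slot: freed memory stays mapped and keeps its
 * poison fill, as a real freed jemalloc chunk usually does until it is reused. */
static union {
    struct table t;
    unsigned char raw[sizeof(struct table)];
} g_slot;
static int g_slot_in_use;

static struct table *poison_alloc(void)
{
    if (g_slot_in_use)
        return NULL;
    g_slot_in_use = 1;
    memset(g_slot.raw, 0, sizeof g_slot.raw);
    return &g_slot.t;
}

static void poison_free(struct table *t)
{
    if (t != &g_slot.t || !g_slot_in_use)
        return;
    memset(g_slot.raw, POISON_BYTE, sizeof g_slot.raw);  /* what jemalloc does on free */
    g_slot_in_use = 0;
}

/* Nonzero if every byte of v is the poison byte: the signature of a pointer
 * that was loaded out of freed memory. */
int is_poison_pattern(uintptr_t v)
{
    size_t i;
    for (i = 0; i < sizeof v; i++) {
        if (((v >> (8 * i)) & 0xffu) != POISON_BYTE)
            return 0;
    }
    return 1;
}

enum search_result { SEARCH_OK = 0, SEARCH_USE_AFTER_FREE = -1 };

/* Simplified Search(): load ops from the table and call its first slot. The
 * real function makes the call unconditionally, which is the fault in the
 * report; the poison check here stands in for that fault so the example runs. */
enum search_result table_search(const struct table *t, const char *key, uint32_t *hash_out)
{
    if (is_poison_pattern((uintptr_t)t->ops))
        return SEARCH_USE_AFTER_FREE;
    *hash_out = t->ops->hash_key(key);
    return SEARCH_OK;
}

static uint32_t fnv1a(const char *key)
{
    uint32_t h = 2166136261u;
    for (; *key; key++) {
        h ^= (unsigned char)*key;
        h *= 16777619u;
    }
    return h;
}

static const struct table_ops g_ops = { fnv1a };

/* Shape of the bug: a holder keeps a raw pointer to a table that has already
 * been freed and then searches it. Returns 1 if the stale search was caught
 * with an all-0xe5 ops pointer, 0 otherwise. */
int demo_use_after_free(void)
{
    struct table *t = poison_alloc();
    uint32_t h = 0;
    if (!t)
        return 0;
    t->ops = &g_ops;
    if (table_search(t, "key", &h) != SEARCH_OK)   /* live object: fine */
        return 0;
    poison_free(t);                                /* object dies, holder keeps t */
    return table_search(t, "key", &h) == SEARCH_USE_AFTER_FREE
        && is_poison_pattern((uintptr_t)t->ops);
}

int main(void)
{
    printf("stale ops pointer detected: %d\n", demo_use_after_free());
    return 0;
}
```

In a real build there is no check: the poisoned ops pointer is dereferenced, the load from e5e5e5e5`e5e5e5e5 faults, and that is the access violation in the dump. The practical triage rule is that a faulting address or register made entirely of one allocator fill byte points at a lifetime bug rather than at a logic error in the faulting function, which is why this report was treated as a duplicate of the use-after-free already being fixed rather than as a bug in PLDHashTable.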
Updated•8 years ago
Flags: sec-bounty?
Comment 1•8 years ago
Do you have the actual testcase that triggered the crash?
Component: Search → Untriaged
Flags: needinfo?(geeknik)
Reporter
Comment 2•8 years ago
I'm sorry, but I only have the canvas.html which I downloaded and ran locally. I selected all of the options and within 15 minutes, was rewarded with this crash. I haven't been able to successfully reduce it.
Flags: needinfo?(geeknik)
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Comment 4•8 years ago
Brian, we had already identified this issue as a use-after-free and were working on it when you reported this one.
Updated•5 years ago
Group: firefox-core-security
Updated•4 months ago
Keywords: reporter-external