1405828 - Crash in mozilla::ipc::IProtocol::OtherPid called from mozilla::dom::asmjscache::PAsmJSCacheEntryParent::SendOnOpenCacheFile

Status: RESOLVED DUPLICATE of bug 1331209

(Core :: IPC, defect)

Description

[[:philipp]]

This bug was filed from the Socorro interface and is 
report bp-8fecdb3a-7ca4-43ae-805d-140d60171004.
=============================================================
Crashing Thread (31), Name: IPDL Background
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::ipc::IProtocol::OtherPid() 	ipc/glue/ProtocolUtils.cpp:468
1 		@0x2871d5b404f 	
2 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/threads/nsThreadUtils.cpp:521
3 	xul.dll 	mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:368
4 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:319
5 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:299
6 	xul.dll 	nsThread::ThreadFunc(void*) 	xpcom/threads/nsThread.cpp:427
7 	nss3.dll 	PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:397
8 	nss3.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:95
9 	ucrtbase.dll 	o__strtoui64 	
10 	kernel32.dll 	BaseThreadInitThunk 	
11 	ntdll.dll 	RtlUserThreadStart

browser crashes with this signature occur cross-platform and are getting a bit more frequent during the 57.0b cycle. a fair number of reports appear to happen in a UAF situation, so marking this as security-sensitive as a precaution...

Comment 1

[Daniel Veditz [:dveditz]]

A better stack to look at (for a security bug) is one that actually shows a UAF: bp-fbfc0eb3-f5cd-4df1-9bc7-ee48a0171005

There are bunch crashing at 0xfffffffffff like comment 0 and they have the stack in comment 0. The UAF ones have 

0 	xul.dll 	mozilla::ipc::IProtocol::OtherPid() 	ipc/glue/ProtocolUtils.cpp:468
1 	xul.dll 	mozilla::dom::asmjscache::PAsmJSCacheEntryParent::SendOnOpenCacheFile(__int64 const&, mozilla::ipc::FileDescriptor const&) 	ipc/ipdl/PAsmJSCacheEntryParent.cpp:72
2 	xul.dll 	mozilla::dom::asmjscache::`anonymous namespace'::ParentRunnable::Run 	dom/asmjscache/AsmJSCache.cpp:930
3 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1039

morphing this bug into the UAF version of this crash with asmjscache in the stack

Naveed: since the asmjscache is involved here can you find someone on your team to look into this?

Comment 3

[Wennie]

Bill, please investigate and fix these bugs or assign them to appropriate developers. Thanks!

Comment 4

[Randell Jesup [:jesup] (needinfo me)]

Note also that 0xffffffffff may be a UAF - windows crashrerporter (per Ted) sometimes can't actually get the crash address, and inserts ffffffff instead.

Comment 5

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Luke, does this look like one of the AsmJS cache bugs that's been fixed or worked on recently? I kinda lost track.

Comment 7

[Andrew McCreight [:mccr8]]

In the dupe, Luke said this is a possible dupe of bug 1331209.

Comment 8

[Luke Wagner [:luke]]

Yes, I think this is all bug 1331209 which we should really get reviewed and landed...

Comment 10

[Liz Henry (:lizzard) (relman/hg->git project)]

Fixed in 58 in bug 1331209.