Closed Bug 1426184 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-buffer-overflow READ of size 3 nsTDependentString (involving hang reporter)

Categories

(Core :: XPCOM, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1424766

People

(Reporter: rs, Unassigned)

References

Details

(Keywords: csectype-wildptr, sec-high, testcase-wanted)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.14 Safari/537.36

Steps to reproduce:

No testcase so far; looking into whether I can reproduce it again. Firefox 59.0a1 (2017-12-16) (64-bit)

Actual results:

==28024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150001d2700 at pc 0x0000004319bb bp 0x7ffe051fe510 sp 0x7ffe051fdcb8
READ of size 3 at 0x6150001d2700 thread T0 (Web Content)
    #0 0x4319ba in __interceptor_strlen /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:303:5
    #1 0x7f65c8f72547 in length /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCharTraits.h:468:12
    #2 0x7f65c8f72547 in nsTDependentString /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTDependentString.h:81
    #3 0x7f65c8f72547 in IPC::ParamTraits<mozilla::HangStack>::Write(IPC::Message*, mozilla::HangStack const&) /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangStack.cpp:223
    #4 0x7f65c8f6f3c4 in WriteParam<mozilla::HangStack> /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_message_utils.h:111:3
    #5 0x7f65c8f6f3c4 in IPC::ParamTraits<mozilla::HangDetails>::Write(IPC::Message*, mozilla::HangDetails const&) /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangDetails.cpp:310
    #6 0x7f65bf0f6e3a in WriteParam<mozilla::HangDetails> /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_message_utils.h:111:3
    #7 0x7f65bf0f6e3a in Write<mozilla::HangDetails> /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/PContentChild.h:2346
    #8 0x7f65bf0f6e3a in mozilla::dom::PContentChild::SendBHRThreadHang(mozilla::HangDetails const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:4546
    #9 0x7f65c8f75de9 in operator() /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangDetails.cpp:248:23
    #10 0x7f65c8f75de9 in mozilla::detail::RunnableFunction<mozilla::nsHangDetails::Submit()::$_0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:529
    #11 0x7f65bd97af60 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #12 0x7f65bd9a17d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #13 0x7f65bd9bd2c0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #14 0x7f65be84458a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7f65be79b519 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f65be79b519 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f65be79b519 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f65c4d96c2a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #19 0x7f65c94ce6db in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #20 0x7f65be79b519 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7f65be79b519 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7f65be79b519 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7f65c94ce0cd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #24 0x4ee965 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #25 0x4ee965 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #26 0x7f65dc617039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #27 0x41dfe8 in _start (/home/fuzzer/browsers/firefox/firefox+0x41dfe8)

Address 0x6150001d2700 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:303:5 in __interceptor_strlen
==28024==ABORTING
Not sure if related to #1424766
Flags: sec-bounty?
Group: firefox-core-security → core-security
Component: Untriaged → XPCOM
Product: Firefox → Core
See Also: → 1424766
Summary: AddressSanitizer: heap-buffer-overflow READ of size 3 nsTDependentString → AddressSanitizer: heap-buffer-overflow READ of size 3 nsTDependentString (involving hang reporter)
Group: core-security → dom-core-security
Duping because it should be fixed by the same patch.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Renominating for bounty per Francisco's request:
"Different issues in same codebase. At least based on both asan stacktraces. Since code refactor was the solution for both I believe should be considered. thanks"
Flags: sec-bounty- → sec-bounty?
Although the stack is different, from the other bug we already knew there's memory corruption in this structure and that it can lead to different symptoms. Without an actual testcase it's hard to say whether this pointed out a different bug or simply reinforced the "this is a mess" message.

Further apart in time: if a bug report triggers a rewrite, and then, after that's completely written and checked in, a later report finds a different bug in the same code (on a branch before the rewrite), we would not pay a bounty for that now-gone second bug.
Flags: sec-bounty? → sec-bounty-
Group: dom-core-security