Bug 1426184 (Closed)
AddressSanitizer: heap-buffer-overflow READ of size 3 nsTDependentString (involving hang reporter)
Opened 6 years ago
Closed 6 years ago
Categories: Core :: XPCOM, defect
Status: RESOLVED DUPLICATE of bug 1424766
People: Reporter: rs, Unassigned
Keywords: csectype-wildptr, sec-high, testcase-wanted
Description

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.14 Safari/537.36

Steps to reproduce:

No testcase so far, looking if I could reproduce again.

Firefox 59.0a1 (2017-12-16) (64-bit)

Actual results:

==28024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150001d2700 at pc 0x0000004319bb bp 0x7ffe051fe510 sp 0x7ffe051fdcb8
READ of size 3 at 0x6150001d2700 thread T0 (Web Content)
    #0 0x4319ba in __interceptor_strlen /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:303:5
    #1 0x7f65c8f72547 in length /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCharTraits.h:468:12
    #2 0x7f65c8f72547 in nsTDependentString /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTDependentString.h:81
    #3 0x7f65c8f72547 in IPC::ParamTraits<mozilla::HangStack>::Write(IPC::Message*, mozilla::HangStack const&) /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangStack.cpp:223
    #4 0x7f65c8f6f3c4 in WriteParam<mozilla::HangStack> /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_message_utils.h:111:3
    #5 0x7f65c8f6f3c4 in IPC::ParamTraits<mozilla::HangDetails>::Write(IPC::Message*, mozilla::HangDetails const&) /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangDetails.cpp:310
    #6 0x7f65bf0f6e3a in WriteParam<mozilla::HangDetails> /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_message_utils.h:111:3
    #7 0x7f65bf0f6e3a in Write<mozilla::HangDetails> /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/PContentChild.h:2346
    #8 0x7f65bf0f6e3a in mozilla::dom::PContentChild::SendBHRThreadHang(mozilla::HangDetails const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:4546
    #9 0x7f65c8f75de9 in operator() /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangDetails.cpp:248:23
    #10 0x7f65c8f75de9 in mozilla::detail::RunnableFunction<mozilla::nsHangDetails::Submit()::$_0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:529
    #11 0x7f65bd97af60 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #12 0x7f65bd9a17d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #13 0x7f65bd9bd2c0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #14 0x7f65be84458a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7f65be79b519 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f65be79b519 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f65be79b519 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f65c4d96c2a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #19 0x7f65c94ce6db in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #20 0x7f65be79b519 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7f65be79b519 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7f65be79b519 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7f65c94ce0cd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #24 0x4ee965 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #25 0x4ee965 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #26 0x7f65dc617039 in __libc_start_main (/lib64/libc.so.6+0x21039)
    #27 0x41dfe8 in _start (/home/fuzzer/browsers/firefox/firefox+0x41dfe8)

Address 0x6150001d2700 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:303:5 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c2a80032490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800324a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800324b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800324c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800324d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a800324e0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800324f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80032500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80032510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80032520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80032530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28024==ABORTING
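As an added example (not part of this bug report and not Mozilla code), the following Python helper does the kind of triage a reviewer performs on a report like the one above: it parses the ASan header, the faulting access, the stack frames and the "wild pointer" note, skips the frames that belong to the sanitizer runtime (the strlen interceptor here tells you how the access was instrumented, not where the bug lives), and derives a short crash signature from the first in-tree frames so that reports hitting the same code can be bucketed together. The sample report is the one from this bug cut down to its first six frames; the regular expressions and the signature depth are this example's own choices, not anything ASan or Bugzilla specify.

```python
"""Triage helper for AddressSanitizer reports (added example, not Mozilla code).

Parses the error header, the faulting access, the stack frames and the
"wild pointer" note, then derives a crash signature from the first frames
outside the sanitizer runtime so related reports can be bucketed together.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the report from this bug, cut down to the first six
# frames; the deeper frames and the shadow-byte dump are omitted.
SAMPLE_REPORT = """\
==28024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150001d2700 at pc 0x0000004319bb bp 0x7ffe051fe510 sp 0x7ffe051fdcb8
READ of size 3 at 0x6150001d2700 thread T0 (Web Content)
    #0 0x4319ba in __interceptor_strlen /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:303:5
    #1 0x7f65c8f72547 in length /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCharTraits.h:468:12
    #2 0x7f65c8f72547 in nsTDependentString /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTDependentString.h:81
    #3 0x7f65c8f72547 in IPC::ParamTraits<mozilla::HangStack>::Write(IPC::Message*, mozilla::HangStack const&) /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangStack.cpp:223
    #4 0x7f65c8f6f3c4 in WriteParam<mozilla::HangStack> /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_message_utils.h:111:3
    #5 0x7f65c8f6f3c4 in IPC::ParamTraits<mozilla::HangDetails>::Write(IPC::Message*, mozilla::HangDetails const&) /builds/worker/workspace/build/src/toolkit/components/backgroundhangmonitor/HangDetails.cpp:310
Address 0x6150001d2700 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:303:5 in __interceptor_strlen
==28024==ABORTING
"""

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on address (?P<addr>0x[0-9a-f]+)", re.M)
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)", re.M)
# A function name may contain spaces (template args, parameter lists), so the
# location is taken as the last whitespace-free token on the frame line.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>\S+)\s*$", re.M)
WILD_RE = re.compile(r"^Address 0x[0-9a-f]+ is a wild pointer\.", re.M)


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    loc: str


@dataclass(frozen=True)
class AsanTriage:
    pid: int
    kind: str           # e.g. heap-buffer-overflow
    access: str         # READ or WRITE
    size: int           # bytes touched by the faulting access
    address: str
    thread: str
    wild_pointer: bool  # ASan could not attribute the address to any known region
    frames: Tuple[Frame, ...]


def parse_asan_report(text: str) -> AsanTriage:
    """Parse one ASan error report; raises ValueError if the header is missing."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    if header is None or access is None:
        raise ValueError("not an AddressSanitizer error report")
    frames = tuple(Frame(int(m["n"]), m["func"], m["loc"]) for m in FRAME_RE.finditer(text))
    return AsanTriage(
        pid=int(header["pid"]),
        kind=header["kind"],
        access=access["op"],
        size=int(access["size"]),
        address=header["addr"],
        thread=access["thread"],
        wild_pointer=WILD_RE.search(text) is not None,
        frames=frames,
    )


# Path fragments that identify frames inside the sanitizer runtime itself.
RUNTIME_MARKERS = ("compiler-rt/lib/asan", "sanitizer_common")


def is_runtime_frame(frame: Frame) -> bool:
    """Runtime frames (the strlen interceptor here) show how the access was
    instrumented, not where the bug is, so bucketing skips them."""
    return frame.func.startswith(("__interceptor_", "__asan_")) or any(
        marker in frame.loc for marker in RUNTIME_MARKERS)


def bare_name(func: str) -> str:
    """Strip a trailing parameter list so the same function compares equal
    across reports regardless of how its arguments were printed."""
    return re.sub(r"\([^()]*\)$", "", func)


def faulting_frame(triage: AsanTriage) -> Optional[Frame]:
    """First frame outside the sanitizer runtime: where the bad access happened."""
    for frame in triage.frames:
        if not is_runtime_frame(frame):
            return frame
    return None


def crash_signature(triage: AsanTriage, depth: int = 3) -> Tuple[str, ...]:
    """The first `depth` non-runtime function names; reports sharing a
    signature are candidates for the same underlying bug."""
    names = [bare_name(f.func) for f in triage.frames if not is_runtime_frame(f)]
    return tuple(names[:depth])


def summarize(triage: AsanTriage) -> str:
    """One-line summary suitable for a bug title or a duplicate note."""
    where = faulting_frame(triage)
    site = f"{where.func} ({where.loc})" if where else "unknown frame"
    pointer = "wild pointer" if triage.wild_pointer else "address in a known region"
    return (f"{triage.kind}: {triage.access} of size {triage.size} at {triage.address} "
            f"[{pointer}] on thread {triage.thread} in {site}")


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(summarize(report))
    print("signature:", " <- ".join(crash_signature(report)))
```

Run on the sample, the signature comes out as length / nsTDependentString / IPC::ParamTraits<mozilla::HangStack>::Write, i.e. the string-length computation inside the HangStack serializer; comparing such signatures across reports is what makes a "same code, likely same root cause" call defensible, while the "wild pointer" flag is the reminder that ASan could not tie the address to any live or freed allocation, so the stack shows the victim of the corruption rather than necessarily its origin.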
Comment 1 (Reporter) • 6 years ago
Not sure if related to #1424766
Updated • 6 years ago
Flags: sec-bounty?
Updated • 6 years ago
Group: firefox-core-security → core-security
Component: Untriaged → XPCOM
Product: Firefox → Core
Updated • 6 years ago
Summary: AddressSanitizer: heap-buffer-overflow READ of size 3 nsTDependentString → AddressSanitizer: heap-buffer-overflow READ of size 3 nsTDependentString (involving hang reporter)
Updated • 6 years ago
Group: core-security → dom-core-security
Comment 2 • 6 years ago
Duping because it should be fixed by the same patch.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated • 6 years ago
Flags: sec-bounty? → sec-bounty-
Comment 3 • 6 years ago
Renominating for bounty per Francisco's request: "Different issues in same codebase. At least based on both asan stacktraces. Since code refactor was the solution for both I believe should be considered. thanks"
Flags: sec-bounty- → sec-bounty?
Comment 4 • 6 years ago
Although the stack is different, from the other bug we already knew there's memory corruption in this structure and that it can lead to different symptoms. Without an actual testcase it's hard to say whether this pointed out a different bug or simply reinforced the "this is a mess" message. Further apart in time, if a bug report triggers a rewrite and then, after that's completely written and checked in, a later report finds a different bug in the same code (on a branch before the rewrite), we would not pay a bounty for that now-gone second bug.
Flags: sec-bounty? → sec-bounty-
Updated • 3 years ago
Group: dom-core-security