Closed Bug 1443067 Opened 6 years ago Closed 6 years ago

heap-buffer-overflow in mozilla::nsRFPService::RandomMidpoint

Categories

(Toolkit :: General, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1442984
Tracking Status
firefox60 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds)

Attachments

(2 files)

Found in m-c version 20180304-190b536928f8

==30080==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060002ce8d4 at pc 0x7fbfaaa5f2ef bp 0x7fffa880c770 sp 0x7fffa880c768
READ of size 4 at 0x6060002ce8d4 thread T0 (file:// Content)
    #0 0x7fbfaaa5f2ee in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) src/toolkit/components/resistfingerprinting/nsRFPService.cpp:416:41
    #1 0x7fbfaaa6039a in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9
    #2 0x7fbfa64e2e2f in mozilla::dom::PerformanceResourceTiming::StartTime() const src/dom/performance/PerformanceResourceTiming.cpp:51:18
    #3 0x7fbfa64cfb50 in LessThan src/obj-firefox/dist/include/mozilla/dom/PerformanceEntry.h:115:20
    #4 0x7fbfa64cfb50 in operator()<RefPtr<mozilla::dom::PerformanceEntry> > src/obj-firefox/dist/include/nsTArray.h:803
    #5 0x7fbfa64cfb50 in BinarySearchIf<nsTArray_Impl<RefPtr<mozilla::dom::PerformanceEntry>, nsTArrayInfallibleAllocator>, detail::ItemComparatorFirstElementGT<mozilla::dom::PerformanceEntry *&, mozilla::dom::PerformanceEntryComparator> > src/obj-firefox/dist/include/mozilla/BinarySearch.h:80
    #6 0x7fbfa64cfb50 in IndexOfFirstElementGt<mozilla::dom::PerformanceEntry *&, mozilla::dom::PerformanceEntryComparator> src/obj-firefox/dist/include/nsTArray.h:1538
    #7 0x7fbfa64cfb50 in RefPtr<mozilla::dom::PerformanceEntry>* nsTArray_Impl<RefPtr<mozilla::dom::PerformanceEntry>, nsTArrayInfallibleAllocator>::InsertElementSorted<mozilla::dom::PerformanceEntry*&, mozilla::dom::PerformanceEntryComparator, nsTArrayInfallibleAllocator>(mozilla::dom::PerformanceEntry*&, mozilla::dom::PerformanceEntryComparator const&) src/obj-firefox/dist/include/nsTArray.h:1557
    #8 0x7fbfa64d4b10 in InsertResourceEntry src/dom/performance/Performance.cpp:411:20
    #9 0x7fbfa64d4b10 in mozilla::dom::PerformanceMainThread::AddEntry(nsIHttpChannel*, nsITimedChannel*) src/dom/performance/PerformanceMainThread.cpp:138
    #10 0x7fbf9f768569 in mozilla::net::HttpChannelChild::DoPreOnStopRequest(nsresult) src/netwerk/protocol/http/HttpChannelChild.cpp:1222:27
    #11 0x7fbf9f772ce7 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) src/netwerk/protocol/http/HttpChannelChild.cpp:1160:3
    #12 0x7fbf9f981eb0 in mozilla::net::ChannelEventQueue::FlushQueue() src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #13 0x7fbf9f98c4ae in MaybeFlushQueue src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:329:5
    #14 0x7fbf9f98c4ae in CompleteResume src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #15 0x7fbf9f98c4ae in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() src/netwerk/ipc/ChannelEventQueue.cpp:161
    #16 0x7fbf9ecd5650 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:413:25
    #17 0x7fbf9ecfdc34 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #18 0x7fbf9ed19bf0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
    #19 0x7fbfa60269ec in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at src/dom/ipc/ContentChild.cpp:1088:24)> src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #20 0x7fbfa60269ec in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) src/dom/ipc/ContentChild.cpp:1088
    #21 0x7fbfa60b24ec in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) src/dom/ipc/TabChild.cpp:1039:16
    #22 0x7fbfaabde426 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:851:24
    #23 0x7fbfaabe3ddc in OpenWindow2 src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:443:10
    #24 0x7fbfaabe3ddc in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #25 0x7fbfa1cf6b75 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) src/dom/base/nsGlobalWindowOuter.cpp:7183:21
    #26 0x7fbfa1cf599d in OpenJS src/dom/base/nsGlobalWindowOuter.cpp:5595:10
    #27 0x7fbfa1cf599d in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5570
    #28 0x7fbfa1c929f2 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:4021:3
    #29 0x7fbfa37b169b in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WindowBinding.cpp:2296:56
    #30 0x7fbfa37af0f2 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/obj-firefox/dom/bindings/WindowBinding.cpp:16070:13
    #31 0x7fbfaaf8bb9e in CallJSNative src/js/src/vm/JSContext-inl.h:290:15
    #32 0x7fbfaaf8bb9e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #33 0x7fbfaaf74560 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #34 0x7fbfaaf74560 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3085
    #35 0x7fbfaaf56734 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #36 0x7fbfaaf8b997 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #37 0x7fbfaaf8c703 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #38 0x7fbfabb9396f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3028:12
    #39 0x7fbfa3bef46f in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #40 0x7fbfa4bcc283 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #41 0x7fbfa4bcc283 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1108
    #42 0x7fbfa4bcd9be in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1286:20
    #43 0x7fbfa4bb7217 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
    #44 0x7fbfa4bbaf73 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:915:9
    #45 0x7fbfa4bbd26c in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp:994:12
    #46 0x7fbfa20c1d44 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/dom/base/nsINode.cpp:1270:5
    #47 0x7fbfa1bcd3ae in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4608:18
    #48 0x7fbfa1bcd164 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4576:10
    #49 0x7fbfa1fd0134 in nsDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5273:3
    #50 0x7fbfa2036734 in applyImpl<nsDocument, void (nsDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1149:12
    #51 0x7fbfa2036734 in apply<nsDocument, void (nsDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1155
    #52 0x7fbfa2036734 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1200
    #53 0x7fbf9ecd5650 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:413:25
    #54 0x7fbf9ecfdc34 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #55 0x7fbf9ed19bf0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
    #56 0x7fbf9fbda7fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #57 0x7fbf9fb2a759 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #58 0x7fbf9fb2a759 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #59 0x7fbf9fb2a759 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #60 0x7fbfa67f1c7a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #61 0x7fbfaac8578b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #62 0x7fbf9fb2a759 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #63 0x7fbf9fb2a759 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #64 0x7fbf9fb2a759 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #65 0x7fbfaac8516a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34
    #66 0x4f6f2c in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #67 0x4f6f2c in main src/browser/app/nsBrowserApp.cpp:280
    #68 0x7fbfbe47482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #69 0x4265bc in _start (/home/ubuntu/firefox/firefox+0x4265bc)

0x6060002ce8d4 is located 12 bytes to the left of 64-byte region [0x6060002ce8e0,0x6060002ce920)
allocated by thread T0 (file:// Content) here:
    #0 0x4c7303 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fbf9eb2e431 in Alloc src/xpcom/string/nsSubstring.cpp:257:22
    #2 0x7fbf9eb2e431 in nsTSubstring<char>::MutatePrep(unsigned int, char**, mozilla::detail::StringDataFlags*) src/xpcom/string/nsTSubstring.cpp:166
    #3 0x7fbf9eb4083b in nsTSubstring<char>::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) src/xpcom/string/nsTSubstring.cpp:229:8
    #4 0x7fbf9eb3d1a8 in nsTSubstring<char>::Assign(char const*, unsigned int, std::nothrow_t const&) src/xpcom/string/nsTSubstring.cpp:390:8
    #5 0x7fbf9eb2a3c7 in nsTSubstring<char>::Assign(char const*, unsigned int) src/xpcom/string/nsTSubstring.cpp:366:8
    #6 0x7fbfaa6755d6 in nsCryptoHash::Finish(bool, nsTSubstring<char>&) src/security/manager/ssl/nsCryptoHash.cpp:190:11
    #7 0x7fbfaaa5eb01 in mozilla::nsRFPService::RandomMidpoint(long long, long long, long long*, unsigned char*) src/toolkit/components/resistfingerprinting/nsRFPService.cpp:405:19
    #8 0x7fbfaaa6039a in mozilla::nsRFPService::ReduceTimePrecisionImpl(double, mozilla::nsRFPService::TimeScale, double, mozilla::TimerPrecisionType) src/toolkit/components/resistfingerprinting/nsRFPService.cpp:489:9
    #9 0x7fbfa6ffb6b9 in GetPerformanceNow src/layout/base/PresShell.cpp:8789:19
    #10 0x7fbfa6ffb6b9 in WillDoReflow src/layout/base/PresShell.cpp:8759
    #11 0x7fbfa6ffb6b9 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9092
    #12 0x7fbfa6ffa3b2 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4259:11
    #13 0x7fbfa6f6a82b in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:581:5
    #14 0x7fbfa6f6a82b in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1944
    #15 0x7fbfa6f7a3a0 in TickDriver src/layout/base/nsRefreshDriver.cpp:340:13
    #16 0x7fbfa6f7a3a0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:310
    #17 0x7fbfa6f79f66 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:332:5
    #18 0x7fbfa6f7ccde in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:773:5
    #19 0x7fbfa6f7ccde in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:686
    #20 0x7fbfa6f7c8de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:587:9
    #21 0x7fbfa785909f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #22 0x7fbfa0174e79 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #23 0x7fbfa00058ee in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1943:28
    #24 0x7fbf9fbd26de in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2133:25
    #25 0x7fbf9fbcf757 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2063:17
    #26 0x7fbf9fbd0e5c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1909:5
    #27 0x7fbf9fbd14b8 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1942:15
    #28 0x7fbf9ecfdc34 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #29 0x7fbf9ed19bf0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
    #30 0x7fbf9fbda7fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #31 0x7fbf9fb2a759 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #32 0x7fbf9fb2a759 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #33 0x7fbf9fb2a759 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #34 0x7fbfa67f1c7a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #35 0x7fbfaac8578b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:892:22
    #36 0x7fbf9fb2a759 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7fbf9fb2a759 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7fbf9fb2a759 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #39 0x7fbfaac8516a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:718:34

I do have a testcase but reducing it seems to break it.

Attached file testcase.html (fairly reduced testcase)
Attached file prefs.js
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: toolkit-core-security