Closed Bug 1449308 Opened 2 years ago Closed 2 years ago

UAF in Windows test plugin

Categories

(Core :: Plug-ins, defect, P3)

defect

Tracking


RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: dmajor, Assigned: dmajor)

Details

(Whiteboard: [test code])

Attachments

(1 file)

STR:
1. Build Windows ASan: https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer#Creating_local_builds_on_Windows
2. mach test dom/html/test/test_fullscreen-api.html

 0:35.88 GECKO(596) ==5772==ERROR: AddressSanitizer: heap-use-after-free on address 0x11c205000ee0 at pc 0x7ffa9e88286b bp 0x0014661fcea0 sp 0x0014661fcea8
 0:35.88 GECKO(596) WRITE of size 4 at 0x11c205000ee0 thread T0
 0:35.96 GECKO(596)     #0 0x7ffa9e88286a in handleEventInternal e:\src\mc\dom\plugins\test\testplugin\nptest_windows.cpp:703
 0:35.96 GECKO(596)     #1 0x7ffa9e882df2 in PluginWndProc(struct HWND__ *,unsigned int,unsigned __int64,__int64) e:\src\mc\dom\plugins\test\testplugin\nptest_windows.cpp:812
 0:35.98 GECKO(596)     #2 0x7ffab59cb85c in UserCallWinProcCheckWow(struct _ACTIVATION_CONTEXT *,__int64 (*)(struct tagWND *,unsigned int,unsigned __int64,__int64),struct HWND__ *,enum _WM_VALUE,unsigned __int64,__int64,void *,int) (C:\Windows\System32\user32.dll+0x18000b85c)
 0:35.98 GECKO(596)     #3 0x7ffab59cb54b in DispatchClientMessage (C:\Windows\System32\user32.dll+0x18000b54b)
 0:35.98 GECKO(596)     #4 0x7ffab59e630f in __fnINLPWINDOWPOS (C:\Windows\System32\user32.dll+0x18002630f)
 0:35.99 GECKO(596)     #5 0x7ffab5f33b53 in KiUserCallbackDispatch (C:\Windows\SYSTEM32\ntdll.dll+0x1800a3b53)
 0:35.99 GECKO(596)     #6 0x7ffab2b923c3 in NtUserDestroyWindow (C:\Windows\System32\win32u.dll+0x1800023c3)
 0:36.62 GECKO(596)     #7 0x7ffa5eb5146a in mozilla::plugins::PluginInstanceChild::Destroy(void) e:\src\mc\dom\plugins\ipc\PluginInstanceChild.cpp:4239
 0:36.62 GECKO(596)     #8 0x7ffa5eb52156 in mozilla::plugins::PluginInstanceChild::AnswerNPP_Destroy(short *) e:\src\mc\dom\plugins\ipc\PluginInstanceChild.cpp:4255
 0:36.62 GECKO(596)     #9 0x7ffa57ad1c65 in mozilla::plugins::PPluginInstanceChild::OnCallReceived(class IPC::Message const &,class IPC::Message * &) e:\src\mc\obj\asan64\ipc\ipdl\PPluginInstanceChild.cpp:2952
 0:36.62 GECKO(596)     #10 0x7ffa57b09e41 in mozilla::plugins::PPluginModuleChild::OnCallReceived(class IPC::Message const &,class IPC::Message * &) e:\src\mc\obj\asan64\ipc\ipdl\PPluginModuleChild.cpp:981
 0:36.62 GECKO(596)     #11 0x7ffa57642803 in ?DispatchInterruptMessage@MessageChannel@ipc@mozilla@@AEAAX$$QEAVMessage@IPC@@_K@Z e:\src\mc\ipc\glue\MessageChannel.cpp:2167
 0:36.62 GECKO(596)     #12 0x7ffa576416a8 in ?DispatchMessageW@MessageChannel@ipc@mozilla@@AEAAX$$QEAVMessage@IPC@@@Z e:\src\mc\ipc\glue\MessageChannel.cpp:2063
 0:36.62 GECKO(596)     #13 0x7ffa5764330f in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) e:\src\mc\ipc\glue\MessageChannel.cpp:1911
 0:36.62 GECKO(596)     #14 0x7ffa57643af5 in mozilla::ipc::MessageChannel::MessageTask::Run(void) e:\src\mc\ipc\glue\MessageChannel.cpp:1944
 0:36.63 GECKO(596)     #15 0x7ffa575b1843 in ?DeferOrRunPendingTask@MessageLoop@@IEAA_N$$QEAUPendingTask@1@@Z e:\src\mc\ipc\chromium\src\base\message_loop.cc:460
 0:36.63 GECKO(596)     #16 0x7ffa575b300e in MessageLoop::DoWork(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:535
 0:36.63 GECKO(596)     #17 0x7ffa57582202 in base::MessagePumpForUI::DoRunLoop(void) e:\src\mc\ipc\chromium\src\base\message_pump_win.cc:210
 0:36.63 GECKO(596)     #18 0x7ffa57584659 in base::MessagePumpWin::Run(class base::MessagePump::Delegate *) e:\src\mc\ipc\chromium\src\base\message_pump_win.h:80
 0:36.63 GECKO(596)     #19 0x7ffa575b059f in MessageLoop::RunHandler(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:312
 0:36.63 GECKO(596)     #20 0x7ffa575b0367 in MessageLoop::Run(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:299
 0:36.63 GECKO(596)     #21 0x7ffa63e8fdad in XRE_InitChildProcess(int,char * * const,struct XREChildData const *) e:\src\mc\toolkit\xre\nsEmbedFunctions.cpp:719
 0:36.63 GECKO(596)     #22 0x7ff6f74a187d in NS_internal_main(int,char * *) e:\src\mc\ipc\app\MozillaRuntimeMain.cpp:25
 0:36.63 GECKO(596)     #23 0x7ff6f74a1452 in wmain e:\src\mc\toolkit\xre\nsWindowsWMain.cpp:125
 0:36.63 GECKO(596)     #24 0x7ff6f74d9583 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
 0:36.63 GECKO(596)     #25 0x7ffab37a1fe3 in BaseThreadInitThunk (C:\Windows\System32\KERNEL32.DLL+0x180011fe3)
 0:36.65 GECKO(596)     #26 0x7ffab5efefc0 in RtlUserThreadStart (C:\Windows\SYSTEM32\ntdll.dll+0x18006efc0)
 0:36.65 GECKO(596) 0x11c205000ee0 is located 96 bytes inside of 680-byte region [0x11c205000e80,0x11c205001128)
 0:36.65 GECKO(596) freed by thread T0 here:
 0:36.68 GECKO(596)     #0 0x7ffa703b3f71 in operator delete(void *) d:\src\llvm-svn\projects\compiler-rt\lib\asan\asan_new_delete.cc:149
 0:36.68 GECKO(596)     #1 0x7ffa9e877a7e in NPP_Destroy e:\src\mc\dom\plugins\test\testplugin\nptest.cpp:1047
 0:36.68 GECKO(596)     #2 0x7ffa5eb50c1d in mozilla::plugins::PluginInstanceChild::Destroy(void) e:\src\mc\dom\plugins\ipc\PluginInstanceChild.cpp:4203
 0:36.68 GECKO(596)     #3 0x7ffa5eb52156 in mozilla::plugins::PluginInstanceChild::AnswerNPP_Destroy(short *) e:\src\mc\dom\plugins\ipc\PluginInstanceChild.cpp:4255
 0:36.68 GECKO(596)     #4 0x7ffa57ad1c65 in mozilla::plugins::PPluginInstanceChild::OnCallReceived(class IPC::Message const &,class IPC::Message * &) e:\src\mc\obj\asan64\ipc\ipdl\PPluginInstanceChild.cpp:2952
 0:36.68 GECKO(596)     #5 0x7ffa57b09e41 in mozilla::plugins::PPluginModuleChild::OnCallReceived(class IPC::Message const &,class IPC::Message * &) e:\src\mc\obj\asan64\ipc\ipdl\PPluginModuleChild.cpp:981
 0:36.68 GECKO(596)     #6 0x7ffa57642803 in ?DispatchInterruptMessage@MessageChannel@ipc@mozilla@@AEAAX$$QEAVMessage@IPC@@_K@Z e:\src\mc\ipc\glue\MessageChannel.cpp:2167
 0:36.68 GECKO(596)     #7 0x7ffa576416a8 in ?DispatchMessageW@MessageChannel@ipc@mozilla@@AEAAX$$QEAVMessage@IPC@@@Z e:\src\mc\ipc\glue\MessageChannel.cpp:2063
 0:36.68 GECKO(596)     #8 0x7ffa5764330f in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) e:\src\mc\ipc\glue\MessageChannel.cpp:1911
 0:36.68 GECKO(596)     #9 0x7ffa57643af5 in mozilla::ipc::MessageChannel::MessageTask::Run(void) e:\src\mc\ipc\glue\MessageChannel.cpp:1944
 0:36.68 GECKO(596)     #10 0x7ffa575b1843 in ?DeferOrRunPendingTask@MessageLoop@@IEAA_N$$QEAUPendingTask@1@@Z e:\src\mc\ipc\chromium\src\base\message_loop.cc:460
 0:36.68 GECKO(596)     #11 0x7ffa575b300e in MessageLoop::DoWork(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:535
 0:36.68 GECKO(596)     #12 0x7ffa57582202 in base::MessagePumpForUI::DoRunLoop(void) e:\src\mc\ipc\chromium\src\base\message_pump_win.cc:210
 0:36.68 GECKO(596)     #13 0x7ffa57584659 in base::MessagePumpWin::Run(class base::MessagePump::Delegate *) e:\src\mc\ipc\chromium\src\base\message_pump_win.h:80
 0:36.68 GECKO(596)     #14 0x7ffa575b059f in MessageLoop::RunHandler(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:312
 0:36.68 GECKO(596)     #15 0x7ffa575b0367 in MessageLoop::Run(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:299
 0:36.68 GECKO(596)     #16 0x7ffa63e8fdad in XRE_InitChildProcess(int,char * * const,struct XREChildData const *) e:\src\mc\toolkit\xre\nsEmbedFunctions.cpp:719
 0:36.68 GECKO(596)     #17 0x7ff6f74a187d in NS_internal_main(int,char * *) e:\src\mc\ipc\app\MozillaRuntimeMain.cpp:25
 0:36.68 GECKO(596)     #18 0x7ff6f74a1452 in wmain e:\src\mc\toolkit\xre\nsWindowsWMain.cpp:125
 0:36.68 GECKO(596)     #19 0x7ff6f74d9583 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
 0:36.68 GECKO(596)     #20 0x7ffab37a1fe3 in BaseThreadInitThunk (C:\Windows\System32\KERNEL32.DLL+0x180011fe3)
 0:36.68 GECKO(596)     #21 0x7ffab5efefc0 in RtlUserThreadStart (C:\Windows\SYSTEM32\ntdll.dll+0x18006efc0)
 0:36.68 GECKO(596) previously allocated by thread T0 here:
 0:36.68 GECKO(596)     #0 0x7ffa703b39d2 in operator new(unsigned __int64) d:\src\llvm-svn\projects\compiler-rt\lib\asan\asan_new_delete.cc:92
 0:36.68 GECKO(596)     #1 0x7ffa9e872fc1 in NPP_New e:\src\mc\dom\plugins\test\testplugin\nptest.cpp:752
 0:36.68 GECKO(596)     #2 0x7ffa5eb36528 in mozilla::plugins::PluginInstanceChild::DoNPP_New(void) e:\src\mc\dom\plugins\ipc\PluginInstanceChild.cpp:251
 0:36.68 GECKO(596)     #3 0x7ffa5eb93e6e in mozilla::plugins::PluginModuleChild::AnswerSyncNPP_New(class mozilla::plugins::PPluginInstanceChild *,short *) e:\src\mc\dom\plugins\ipc\PluginModuleChild.cpp:1870
 0:36.68 GECKO(596)     #4 0x7ffa57b0ba02 in mozilla::plugins::PPluginModuleChild::OnCallReceived(class IPC::Message const &,class IPC::Message * &) e:\src\mc\obj\asan64\ipc\ipdl\PPluginModuleChild.cpp:1106
 0:36.68 GECKO(596)     #5 0x7ffa57642803 in ?DispatchInterruptMessage@MessageChannel@ipc@mozilla@@AEAAX$$QEAVMessage@IPC@@_K@Z e:\src\mc\ipc\glue\MessageChannel.cpp:2167
 0:36.68 GECKO(596)     #6 0x7ffa576416a8 in ?DispatchMessageW@MessageChannel@ipc@mozilla@@AEAAX$$QEAVMessage@IPC@@@Z e:\src\mc\ipc\glue\MessageChannel.cpp:2063
 0:36.68 GECKO(596)     #7 0x7ffa5764330f in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) e:\src\mc\ipc\glue\MessageChannel.cpp:1911
 0:36.68 GECKO(596)     #8 0x7ffa57643af5 in mozilla::ipc::MessageChannel::MessageTask::Run(void) e:\src\mc\ipc\glue\MessageChannel.cpp:1944
 0:36.68 GECKO(596)     #9 0x7ffa575b1843 in ?DeferOrRunPendingTask@MessageLoop@@IEAA_N$$QEAUPendingTask@1@@Z e:\src\mc\ipc\chromium\src\base\message_loop.cc:460
 0:36.68 GECKO(596)     #10 0x7ffa575b300e in MessageLoop::DoWork(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:535
 0:36.68 GECKO(596)     #11 0x7ffa57582202 in base::MessagePumpForUI::DoRunLoop(void) e:\src\mc\ipc\chromium\src\base\message_pump_win.cc:210
 0:36.68 GECKO(596)     #12 0x7ffa57584659 in base::MessagePumpWin::Run(class base::MessagePump::Delegate *) e:\src\mc\ipc\chromium\src\base\message_pump_win.h:80
 0:36.68 GECKO(596)     #13 0x7ffa575b059f in MessageLoop::RunHandler(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:312
 0:36.68 GECKO(596)     #14 0x7ffa575b0367 in MessageLoop::Run(void) e:\src\mc\ipc\chromium\src\base\message_loop.cc:299
 0:36.68 GECKO(596)     #15 0x7ffa63e8fdad in XRE_InitChildProcess(int,char * * const,struct XREChildData const *) e:\src\mc\toolkit\xre\nsEmbedFunctions.cpp:719
 0:36.68 GECKO(596)     #16 0x7ff6f74a187d in NS_internal_main(int,char * *) e:\src\mc\ipc\app\MozillaRuntimeMain.cpp:25
 0:36.68 GECKO(596)     #17 0x7ff6f74a1452 in wmain e:\src\mc\toolkit\xre\nsWindowsWMain.cpp:125
 0:36.68 GECKO(596)     #18 0x7ff6f74d9583 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:283
 0:36.68 GECKO(596)     #19 0x7ffab37a1fe3 in BaseThreadInitThunk (C:\Windows\System32\KERNEL32.DLL+0x180011fe3)
 0:36.68 GECKO(596)     #20 0x7ffab5efefc0 in RtlUserThreadStart (C:\Windows\SYSTEM32\ntdll.dll+0x18006efc0)
 0:36.68 GECKO(596) SUMMARY: AddressSanitizer: heap-use-after-free e:\src\mc\dom\plugins\test\testplugin\nptest_windows.cpp:703 in handleEventInternal
 0:36.68 GECKO(596) Shadow bytes around the buggy address:
 0:36.68 GECKO(596)   0x03cc45a00180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0:36.68 GECKO(596)   0x03cc45a00190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0:36.68 GECKO(596)   0x03cc45a001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 0:36.68 GECKO(596)   0x03cc45a001b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
 0:36.68 GECKO(596)   0x03cc45a001c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 0:36.70 GECKO(596) =>0x03cc45a001d0: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
 0:36.71 GECKO(596)   0x03cc45a001e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0:36.71 GECKO(596)   0x03cc45a001f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0:36.71 GECKO(596)   0x03cc45a00200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0:36.71 GECKO(596)   0x03cc45a00210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 0:36.71 GECKO(596)   0x03cc45a00220: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
 0:36.71 GECKO(596) Shadow byte legend (one shadow byte represents 8 application bytes):
 0:36.71 GECKO(596)   Addressable:           00
 0:36.71 GECKO(596)   Partially addressable: 01 02 03 04 05 06 07
 0:36.71 GECKO(596)   Heap left redzone:       fa
 0:36.71 GECKO(596)   Freed heap region:       fd
 0:36.71 GECKO(596)   Stack left redzone:      f1
 0:36.71 GECKO(596)   Stack mid redzone:       f2
 0:36.71 GECKO(596)   Stack right redzone:     f3
 0:36.71 GECKO(596)   Stack after return:      f5
 0:36.71 GECKO(596)   Stack use after scope:   f8
 0:36.71 GECKO(596)   Global redzone:          f9
 0:36.71 GECKO(596)   Global init order:       f6
 0:36.71 GECKO(596)   Poisoned by user:        f7
 0:36.71 GECKO(596)   Container overflow:      fc
 0:36.71 GECKO(596)   Array cookie:            ac
 0:36.71 GECKO(596)   Intra object redzone:    bb
 0:36.71 GECKO(596)   ASan internal:           fe
 0:36.71 GECKO(596)   Left alloca redzone:     ca
 0:36.71 GECKO(596)   Right alloca redzone:    cb
 0:36.71 GECKO(596) ==5772==ABORTING
Jim, is this your team's area?

At first glance I'm not sure if this is real or just an issue in nptest_windows.cpp, but the fact that `DestroyPluginWindow()` happens after `static_cast<PluginModuleChild *>(Manager())->NPP_Destroy(this);` in PluginInstanceChild::Destroy seems suspicious.
Flags: needinfo?(jmathies)
I have no idea if this is valid but it seems to fix the problem:

--- a/dom/plugins/test/testplugin/nptest_windows.cpp
+++ b/dom/plugins/test/testplugin/nptest_windows.cpp
@@ -318,6 +318,7 @@ pluginInstanceShutdown(InstanceData* ins
   }
   NPN_MemFree(instanceData->platformData);
   instanceData->platformData = 0;
+  ClearSubclass((HWND)instanceData->window.window);
 }
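Review bot: `instanceData->window.window` is cast straight to `HWND` with no null check, so an instance that never received a window hands `ClearSubclass` a NULL handle; either guard the call (`if (instanceData->window.window) ClearSubclass((HWND)instanceData->window.window);`) or confirm `ClearSubclass` tolerates NULL. A one-line comment on why this belongs in `pluginInstanceShutdown` would also help: the later `DestroyWindow()` in `PluginInstanceChild::Destroy` still dispatches `WM_WINDOWPOSCHANGED` to `PluginWndProc` (frames #4..#7 of the report), which dereferences the already-freed `InstanceData` at nptest_windows.cpp:703.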
Group: core-security → dom-core-security
This seems to be crashing in the test plugin code, and you've put the fix there. Is this a Firefox security problem or just a test bug?
Flags: needinfo?(dmajor)
It could very well be that this is just a test bug, but like I said, I don't know what I'm doing here. I'd like an area expert to weigh in.
Flags: needinfo?(dmajor)
This looks like a test plugin bug. Runtime calls NPP_Destroy in which the test plugin code deletes its instance data. Later we destroy the plugin window which generates a native event which is delivered to the test plugin window procedure where the test plugin tries to access the instance data again.

I'll work on a fix. I don't think this needs to be a security bug.
Flags: needinfo?(jmathies)
Group: dom-core-security
Whiteboard: [test code]
Summary: UAF in PluginInstanceChild.cpp → UAF in Windows test plugin
Priority: -- → P3
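The ordering described in the comment above, as an added example that is not part of this bug's attachments or of the nptest plugin source: a portable C model (no Win32) of a subclassed window procedure whose instance data is freed before the window is destroyed. `Window`, `WndProc`, `SubclassWindow`, `ClearSubclass`, `DestroyWindowModel` and `InstanceData` are stand-ins for the real Win32 and nptest names; the "quarantine" keeps the freed block alive so the stale write can be counted rather than becoming undefined behaviour, which is roughly what ASan's freed-region shadow does in the report.

```c
/*
 * Portable model (constructed, not Win32) of the ordering bug in this report:
 * NPP_Destroy frees the plugin's InstanceData while the window is still
 * subclassed, then DestroyWindow() delivers WM_WINDOWPOSCHANGED and WM_DESTROY
 * to the subclass procedure, which writes into the freed InstanceData.
 * All names below are stand-ins chosen for this example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct Window Window;
typedef intptr_t (*WndProc)(Window *win, unsigned msg, intptr_t wparam, intptr_t lparam);

enum { WM_DESTROY = 0x0002, WM_WINDOWPOSCHANGED = 0x0047 };

struct Window {
    WndProc proc;     /* stands in for the GWLP_WNDPROC slot */
    void   *userData; /* stands in for the GWLP_USERDATA slot */
};

/* Plugin instance data; eventCount models the 4-byte field written at nptest_windows.cpp:703. */
typedef struct {
    WndProc originalProc;
    int     eventCount;
} InstanceData;

/* ASan-style quarantine: the freed block is kept so a later write is observable, not UB. */
static InstanceData *g_quarantined = NULL;
static int g_countAtFree = 0;

static void quarantineFree(InstanceData *d) {
    g_quarantined = d;
    g_countAtFree = d->eventCount;
}

/* Returns how many writes hit the freed block, then really releases it. */
static int staleWritesAndRelease(void) {
    int stale = g_quarantined ? g_quarantined->eventCount - g_countAtFree : 0;
    free(g_quarantined);
    g_quarantined = NULL;
    return stale;
}

/* Default window procedure: touches no plugin state. */
static intptr_t DefWindowProcModel(Window *win, unsigned msg, intptr_t wp, intptr_t lp) {
    (void)win; (void)msg; (void)wp; (void)lp;
    return 0;
}

/* Subclass procedure, like PluginWndProc -> handleEventInternal:
 * writes through the InstanceData pointer stored in the window, then chains. */
static intptr_t PluginWndProcModel(Window *win, unsigned msg, intptr_t wp, intptr_t lp) {
    InstanceData *d = (InstanceData *)win->userData;
    d->eventCount++;                               /* the "WRITE of size 4" in the ASan report */
    return d->originalProc(win, msg, wp, lp);
}

static void SubclassWindow(Window *win, InstanceData *d) {
    d->originalProc = win->proc;
    win->proc = PluginWndProcModel;
    win->userData = d;
}

/* The fix: restore the original procedure before the instance data goes away. */
static void ClearSubclass(Window *win) {
    InstanceData *d = (InstanceData *)win->userData;
    if (!d) return;
    win->proc = d->originalProc;
    win->userData = NULL;
}

/* DestroyWindow still dispatches messages through whatever procedure is installed. */
static void DestroyWindowModel(Window *win) {
    win->proc(win, WM_WINDOWPOSCHANGED, 0, 0);
    win->proc(win, WM_DESTROY, 0, 0);
}

/* Runs create -> subclass -> NPP_Destroy -> DestroyWindow and returns the number of
 * writes that landed in freed InstanceData (0 means the teardown order is safe). */
int run_scenario(int clearSubclassBeforeFree) {
    Window win = { DefWindowProcModel, NULL };
    InstanceData *d = calloc(1, sizeof *d);       /* NPP_New */
    SubclassWindow(&win, d);                       /* NPP_SetWindow */

    if (clearSubclassBeforeFree)                   /* pluginInstanceShutdown with the fix */
        ClearSubclass(&win);
    quarantineFree(d);                             /* NPP_Destroy deletes instanceData */

    DestroyWindowModel(&win);                      /* PluginInstanceChild::Destroy -> DestroyWindow */
    return staleWritesAndRelease();
}

int main(void) {
    printf("without ClearSubclass: %d stale write(s)\n", run_scenario(0));
    printf("with ClearSubclass:    %d stale write(s)\n", run_scenario(1));
    return 0;
}
```

The model only reproduces the ordering, not the real message traffic: a real `DestroyWindow` can deliver more messages than the two shown, so the safe fix is the one in the patch, unhooking the subclass (or otherwise severing the window's pointer to the instance data) before the instance data is freed, rather than trying to enumerate which messages arrive late.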
Jim, any updates on this? If the fix is as simple as comment 2, I'm happy to take it myself and send it to you for review.
Comment on attachment 8970652 [details] [diff] [review]
Bug 1449308: Clean up instancedata when the nptest plugin shuts down.

Review of attachment 8970652 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8970652 - Flags: review?(jmathies) → review+
Pushed by dmajor@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/26bd94570503
Clean up instancedata when the nptest plugin shuts down. r=jimm
https://hg.mozilla.org/mozilla-central/rev/26bd94570503
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Assignee: nobody → dmajor