1477704 - heap-use-after-free in mozilla::dom::AudioListener::SendListenerEngineEvent

Reporter

Description

•

6 years ago

Attached file crash.html (minimised testcase) — Details

The following testcases crashes the latest ASAN build of Firefox (SourceStamp=143984185dcece46031c970179ddea4837a6c01d). It requires a fuzzing build (--enable-fuzzing) and the pref fuzzing.enabled=true.

crash.html:
<script>
o317=new AudioContext();
o379=o317.listener;
o379.setPosition(256,14680065,1048576);
o379=null;o317=null;
FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();
</script>

ASAN output:
=================================================================
==5145==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000b5a00 at pc 0x0000004c47eb bp 0x7fd42f8199e0 sp 0x7fd42f819190
WRITE of size 24 at 0x6070000b5a00 thread T33 (MediaStreamGrph)
    #0 0x4c47ea in __asan_memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x7fd48b8e38fc in mozilla::dom::AudioListener::SendListenerEngineEvent(mozilla::dom::AudioListenerEngine::AudioListenerParameter, mozilla::dom::ThreeDPoint const&)::Message::Run() /builds/worker/workspace/build/src/dom/media/webaudio/AudioListener.cpp
    #2 0x7fd48b238bfa in mozilla::MediaStreamGraphImpl::RunMessagesInQueue() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1141:20
    #3 0x7fd48b23e6d6 in mozilla::MediaStreamGraphImpl::OneIteration(long) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1349:3
    #4 0x7fd48af2dccb in mozilla::ThreadedDriver::RunThread() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:346:40
    #5 0x7fd48af60c96 in mozilla::MediaStreamGraphInitThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:225:14
    #6 0x7fd4830e68b9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #7 0x7fd4830ef0f5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #8 0x7fd4842bb97f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #9 0x7fd4841bf2cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #10 0x7fd4841bf2cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #11 0x7fd4841bf2cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #12 0x7fd4830df13d in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:525:11
    #13 0x7fd4a41d6dc8 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7fd4a7b7e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #15 0x7fd4a6c073dc in clone (/lib/x86_64-linux-gnu/libc.so.6+0x1073dc)

0x6070000b5a00 is located 0 bytes inside of 72-byte region [0x6070000b5a00,0x6070000b5a48)
freed by thread T0 (file:// Content) here:
    #0 0x4c5282 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fd48b8cb295 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:160:12
    #2 0x7fd48b8cb295 in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:528
    #3 0x7fd48b8cb295 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:343
    #4 0x7fd48b8cb295 in ~UniquePtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:288
    #5 0x7fd48b8cb295 in ~AudioListener /builds/worker/workspace/build/src/dom/media/webaudio/AudioListener.h:75
    #6 0x7fd48b8cb295 in DeleteCycleCollectable /builds/worker/workspace/build/src/dom/media/webaudio/AudioListener.h:53
    #7 0x7fd48b8cb295 in mozilla::dom::AudioListener::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/build/src/dom/media/webaudio/AudioListener.h:53
    #8 0x7fd482efb32b in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2736:25
    #9 0x7fd482f05ff7 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2924:3
    #10 0x7fd482f05ff7 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3934
    #11 0x7fd482f04f42 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3755:9
    #12 0x7fd482f0a693 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4328:21
    #13 0x7fd4871fa54e in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1507:3
    #14 0x7fd489905851 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:54:3
    #15 0x7fd49122ed3e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:444:15
    #16 0x7fd49122ed3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
    #17 0x7fd4912196ea in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:12
    #18 0x7fd4912196ea in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3237
    #19 0x7fd4911ff65a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:12
    #20 0x7fd4912336d8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:772:15
    #21 0x7fd491233e66 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:804:12
    #22 0x7fd491e7fe9d in ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4676:12
    #23 0x7fd487219b69 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:250:8
    #24 0x7fd48c88824f in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2363:27
    #25 0x7fd48c880ce5 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1986:10
    #26 0x7fd48c87cdc6 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1607:10
    #27 0x7fd48c8557e9 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1326:10
    #28 0x7fd48c8541d5 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
    #29 0x7fd4859eb1f4 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:258:18
    #30 0x7fd4859eb1f4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:738
    #31 0x7fd4859e4673 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:537:7
    #32 0x7fd4859f05db in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
    #33 0x7fd4830ab4d2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #34 0x7fd4830e68b9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #35 0x7fd4830ef0f5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #36 0x7fd4842ba2d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #37 0x7fd4841bf2cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #38 0x7fd4841bf2cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #39 0x7fd4841bf2cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #40 0x7fd48cc0ca36 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #41 0x7fd490f0dbde in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:938:22

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c55c3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f693d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7fd48b891d5a in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:136:12
    #3 0x7fd48b891d5a in MakeUnique<mozilla::dom::AudioListenerEngine> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680
    #4 0x7fd48b891d5a in AudioListener /builds/worker/workspace/build/src/dom/media/webaudio/AudioListener.cpp:65
    #5 0x7fd48b891d5a in mozilla::dom::AudioContext::Listener() /builds/worker/workspace/build/src/dom/media/webaudio/AudioContext.cpp:535
    #6 0x7fd4875a83a6 in mozilla::dom::BaseAudioContext_Binding::get_listener(JSContext*, JS::Handle<JSObject*>, mozilla::dom::AudioContext*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/BaseAudioContextBinding.cpp:245:65
    #7 0x7fd48a00fcee in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3187:13
    #8 0x7fd49122ed3e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:444:15
    #9 0x7fd49122ed3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:532
    #10 0x7fd4912326f5 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:583:12
    #11 0x7fd4912326f5 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:602
    #12 0x7fd4912326f5 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:722
    #13 0x7fd4922c4a74 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2149:16
    #14 0x7fd4922c4a74 in GetExistingProperty<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2202
    #15 0x7fd4922c4a74 in NativeGetPropertyInline<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2415
    #16 0x7fd4922c4a74 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2451
    #17 0x7fd49123bef6 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1692:12
    #18 0x7fd49123bef6 in GetProperty /builds/worker/workspace/build/src/js/src/vm/JSObject.h:787
    #19 0x7fd49123bef6 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4579
    #20 0x7fd49121c344 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
    #21 0x7fd49121c344 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2954
    #22 0x7fd4911ff65a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:12
    #23 0x7fd4912336d8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:772:15
    #24 0x7fd491233e66 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:804:12
    #25 0x7fd491e7fe9d in ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4676:12
    #26 0x7fd487219b69 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:250:8
    #27 0x7fd48c88824f in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2363:27
    #28 0x7fd48c880ce5 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1986:10
    #29 0x7fd48c87cdc6 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1607:10
    #30 0x7fd48c8557e9 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1326:10
    #31 0x7fd48c8541d5 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
    #32 0x7fd4859eb1f4 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:258:18
    #33 0x7fd4859eb1f4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:738
    #34 0x7fd4859e4673 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:537:7
    #35 0x7fd4859f05db in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
    #36 0x7fd4830ab4d2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #37 0x7fd4830e68b9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #38 0x7fd4830ef0f5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #39 0x7fd4842ba2d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #40 0x7fd4841bf2cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #41 0x7fd4841bf2cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #42 0x7fd4841bf2cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #43 0x7fd48cc0ca36 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #44 0x7fd490f0dbde in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:938:22

Thread T33 (MediaStreamGrph) created by T32 (CubebOp~tion #1) here:
    #0 0x4ae64d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fd4a41d3b05 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fd4a41d36ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fd4830e238f in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:700:8
    #4 0x7fd4830edbce in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fd4830f2a8e in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fd48af2cc7c in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:73:10
    #7 0x7fd48af2cc7c in mozilla::ThreadedDriver::Start() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:243
    #8 0x7fd48af2bdb5 in mozilla::GraphDriver::SwitchToNextDriver() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:107:17
    #9 0x7fd48af3076e in mozilla::AudioCallbackDriver::Init() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:644:5
    #10 0x7fd48af2f89a in mozilla::AsyncCubebTask::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:504:21
    #11 0x7fd4830f3b22 in nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:231:14
    #12 0x7fd4830f47c4 in non-virtual thunk to nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp
    #13 0x7fd4830e68b9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #14 0x7fd4830ef0f5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #15 0x7fd4842bb97f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #16 0x7fd4841bf2cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #17 0x7fd4841bf2cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #18 0x7fd4841bf2cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #19 0x7fd4830df13d in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:525:11
    #20 0x7fd4a41d6dc8 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7fd4a7b7e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T32 (CubebOp~tion #1) created by T0 (file:// Content) here:
    #0 0x4ae64d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fd4a41d3b05 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fd4a41d36ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fd4830e238f in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:700:8
    #4 0x7fd4830edbce in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fd4830f22ea in NS_NewNamedThread /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fd4830f22ea in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fd4830f4a16 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7fd48af342d7 in Dispatch /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIEventTarget.h:37:14
    #9 0x7fd48af342d7 in Dispatch /builds/worker/workspace/build/src/dom/media/GraphDriver.h:613
    #10 0x7fd48af342d7 in mozilla::AudioCallbackDriver::Start() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:770
    #11 0x7fd48b241380 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1693:17
    #12 0x7fd48b271620 in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1548:15
    #13 0x7fd482eb2f26 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:331:12
    #14 0x7fd482eb5662 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:396:3
    #15 0x7fd4851fa3f5 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1213:30
    #16 0x7fd4830e736d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1201:24
    #17 0x7fd4830ef0f5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #18 0x7fd4842ba2d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #19 0x7fd4841bf2cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #20 0x7fd4841bf2cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #21 0x7fd4841bf2cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #22 0x7fd48cc0ca36 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #23 0x7fd490f0dbde in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:938:22
    #24 0x7fd4841bf2cc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #25 0x7fd4841bf2cc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #26 0x7fd4841bf2cc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #27 0x7fd490f0cc92 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:764:34
    #28 0x4f5a91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #29 0x4f5a91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #30 0x7fd4a6b2082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0e8000eaf0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e8000eb00: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e8000eb10: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c0e8000eb20: fa fa fa fa 00 00 00 00 00 00 00 00 03 fa fa fa
  0x0c0e8000eb30: fa fa 00 00 00 00 00 00 00 00 00 01 fa fa fa fa
=>0x0c0e8000eb40:[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e8000eb50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e8000eb60: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e8000eb70: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e8000eb80: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e8000eb90: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5145==ABORTING

Nils

Reporter

Comment 1

•

6 years ago

Attached file ASAN output — Details

Paul Adenot (:padenot)

Assignee

Comment 2

•

6 years ago

The same mistakes, every time... Patch incoming.

Paul Adenot (:padenot)

Assignee

Updated

•

6 years ago

Assignee: nobody → padenot

Paul Adenot (:padenot)

Assignee

Comment 3

•

6 years ago

Attached patch fix — Details — Splinter Review

This should do it.

Attachment #8994218 - Flags: review?(karlt)

Daniel Veditz [:dveditz]

Updated

•

6 years ago

Group: core-security → dom-core-security

Flags: sec-bounty?

Keywords: csectype-uaf, sec-high

Karl Tomlinson (:karlt)

Updated

•

6 years ago

Attachment #8994218 - Flags: review?(karlt) → review+

Karl Tomlinson (:karlt)

Comment 4

•

6 years ago

Comment on attachment 8994218 [details] [diff] [review]
fix

> class AudioListenerEngine final
> {
> public:
>+  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(AudioListenerEngine)
>+
>+  AudioListenerEngine();
>+
>   enum class AudioListenerParameter
>   {
>     POSITION,
>     FRONT, // unit length
>     RIGHT // unit length, orthogonal to FRONT
>   };
>-  AudioListenerEngine();
>   void RecvListenerEngineEvent(
>     AudioListenerEngine::AudioListenerParameter aParameter,
>     const ThreeDPoint& aValue);
>   const ThreeDPoint& Position() const;
>   const ThreeDPoint& FrontVector() const;
>   const ThreeDPoint& RightVector() const;
> 
> private:
>+  virtual ~AudioListenerEngine() = default;

No need for virtual here.  This class is final.

Paul Adenot (:padenot)

Assignee

Comment 5

•

6 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/ee06f4056982656265513921a5df821b4c1304a2

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 6

•

6 years ago

https://hg.mozilla.org/mozilla-central/rev/ee06f4056982

Group: dom-core-security → core-security-release

Status: NEW → RESOLVED

Closed: 6 years ago

status-firefox63: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla63

Andrei Vaida [:avaida]

Updated

•

6 years ago

Flags: qe-verify+

Whiteboard: [post-critsmash-triage]

Karl Tomlinson (:karlt)

Updated

•

6 years ago

Flags: in-testsuite?

Daniel Veditz [:dveditz]

Updated

•

6 years ago

Flags: sec-bounty? → sec-bounty+

David Olah

Comment 7

•

6 years ago

I managed to reproduce the bug on Ubuntu 16.04, Nightly 63.0a1 (2018-07-23).

I verified the issue on Ubuntu 16.04, Nightly 63.0a1 (2018-08-02) and it is not reproducing anymore.

Marking the issue as Verified - Fixed.

Status: RESOLVED → VERIFIED

status-firefox63: fixed → verified

Flags: qe-verify+

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

Blocks: 1476744

status-firefox61: --- → unaffected

status-firefox62: --- → unaffected

status-firefox-esr52: --- → unaffected

status-firefox-esr60: --- → unaffected

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Group: core-security-release

crash.html (minimised testcase) 6 years ago Nils 258 bytes, text/html		Details
ASAN output 6 years ago Nils 23.66 KB, text/plain		Details
fix 6 years ago Paul Adenot (:padenot) 5.76 KB, patch	karlt : review+	Details \| Diff \| Splinter Review

Bugzilla

Quick Search

heap-use-after-free in mozilla::dom::AudioListener::SendListenerEngineEvent

Categories

(Core :: Audio/Video: MediaStreamGraph, defect)

Tracking

()

People

(Reporter: nils, Assigned: padenot)

References

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage])

Crash Data

Security

(public)

User Story

Attachments

(3 files)

Description

Comment 1

Comment 2

Updated

Comment 3

Updated

Updated

Comment 4

Comment 5

Comment 6

Updated

Updated

Updated

Comment 7

Updated

Updated

Attachment

General

Description

File Name

Content Type