Closed Bug 1498096 Opened 2 years ago Closed 1 year ago

heap-use-after-free in [@ nsObserverList::NotifyObservers]

Core :: Audio/Video, defect, P1

RESOLVED WORKSFORME
Tracking Status: firefox64 --- affected

Reporter: tsmith, Assigned: alwu

Blocks 1 open bug

Keywords: crash, csectype-uaf, sec-high

Found with mozilla-central 20181010-91b4c3687d75

I'm not having any luck reproducing this with the test case.

==20962==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000197830 at pc 0x7f5de9ffa6cc bp 0x7fff16fe3010 sp 0x7fff16fe3008
WRITE of size 1 at 0x60b000197830 thread T0 (file:// Content)
    #0 0x7f5de9ffa6cb in NotifyShutdown src/obj-firefox/dist/include/mozilla/dom/TextTrackManager.h:99:15
    #1 0x7f5de9ffa6cb in mozilla::dom::TextTrackManager::ShutdownObserverProxy::Observe(nsISupports*, char const*, char16_t const*) src/obj-firefox/dist/include/mozilla/dom/TextTrackManager.h:178
    #2 0x7f5de1fb15b3 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverList.cpp:111:19
    #3 0x7f5de1fb4e13 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverService.cpp:295:19
    #4 0x7f5de218957c in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:896:26
    #5 0x7f5df03decbd in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:227:3
    #6 0x7f5de333c961 in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:108:5
    #7 0x7f5df03dfb48 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:16
    #8 0x56509146ab91 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #9 0x56509146ab91 in main src/browser/app/nsBrowserApp.cpp:287
    #10 0x7f5e047e582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #11 0x565091399f3c in _start (/home/ubuntu/firefox/firefox+0x2cf3c)

0x60b000197830 is located 96 bytes inside of 104-byte region [0x60b0001977d0,0x60b000197838)
freed by thread T0 (file:// Content) here:
    #0 0x56509143a372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f5de1f1c471 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2740:7
    #2 0x7f5de1f19123 in nsPurpleBuffer::RemoveSkippable(nsCycleCollector*, js::SliceBudget&, bool, bool, void (*)()) src/xpcom/base/nsCycleCollector.cpp:2889:3
    #3 0x7f5de1f1ce16 in nsCycleCollector::ForgetSkippable(js::SliceBudget&, bool, bool) src/xpcom/base/nsCycleCollector.cpp:3010:14
    #4 0x7f5de1f2ab77 in nsCycleCollector_forgetSkippable(js::SliceBudget&, bool, bool) src/xpcom/base/nsCycleCollector.cpp:4348:21
    #5 0x7f5de639f58e in FireForgetSkippable(unsigned int, bool, mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1296:3
    #6 0x7f5de63a622b in CCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1995:7
    #7 0x7f5de20b6d74 in operator() src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #8 0x7f5de20b6d74 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:63
    #9 0x7f5de2116faf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1231:14
    #10 0x7f5de211f68d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #11 0x7f5de2114b4a in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:934:22)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #12 0x7f5de2114b4a in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:934
    #13 0x7f5de2125ec8 in nsThreadPool::Shutdown() src/xpcom/threads/nsThreadPool.cpp:358:17
    #14 0x7f5de20ecabb in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #15 0x7f5de20ecabb in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #16 0x7f5de20ecabb in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #17 0x7f5de2116faf in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1231:14
    #18 0x7f5de2152de1 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #19 0x7f5de437aadf in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1723:12
    #20 0x7f5de437aadf in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1268
    #21 0x7f5de437aadf in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1232
    #22 0x7f5de438152f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1019:12
    #23 0x27879974b54f  (<unknown module>)
    #24 0x6210004cc477  (<unknown module>)
    #25 0x2787996794e1  (<unknown module>)

previously allocated by thread T0 (file:// Content) here:
    #0 0x56509143a6b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x56509146bacd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f5de9f0d636 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #3 0x7f5de9f0d636 in GetOrCreateTextTrackManager src/dom/html/HTMLMediaElement.cpp:7590
    #4 0x7f5de9f0d636 in mozilla::dom::HTMLMediaElement::GetTextTracks() src/dom/html/HTMLMediaElement.cpp:7561
    #5 0x7f5de8f1fd66 in mozilla::dom::HTMLMediaElement_Binding::get_textTracks(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLMediaElement*, JSJitGetterCallArgs) src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:1574:65
    #6 0x7f5de92e8ee5 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3191:13
    #7 0x7f5df21e3fbb in CallJSNative src/js/src/vm/Interpreter.cpp:461:15
    #8 0x7f5df21e3fbb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:553
    #9 0x7f5df21e8b35 in InternalCall src/js/src/vm/Interpreter.cpp:607:12
    #10 0x7f5df21e8b35 in Call src/js/src/vm/Interpreter.cpp:626
    #11 0x7f5df21e8b35 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:753
    #12 0x7f5df17314e8 in CallGetter src/js/src/vm/NativeObject.cpp:2240:16
    #13 0x7f5df17314e8 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2295
    #14 0x7f5df17314e8 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2525
    #15 0x7f5df17314e8 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2562
    #16 0x7f5df21f21a6 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
    #17 0x7f5df21f21a6 in GetProperty src/js/src/vm/ObjectOperations-inl.h:130
    #18 0x7f5df21f21a6 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4913
    #19 0x7f5df21cfc2a in GetPropertyOperation src/js/src/vm/Interpreter.cpp:223:12
    #20 0x7f5df21cfc2a in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3147
    #21 0x7f5df21b220b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:440:12
    #22 0x7f5df21e4ace in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:580:15
    #23 0x7f5df21e6862 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:626:10
    #24 0x7f5df125bd8d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
    #25 0x7f5de6dd89f0 in mozilla::dom::MutationCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<mozilla::OwningNonNull<nsDOMMutationRecord> > const&, nsDOMMutationObserver&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/MutationObserverBinding.cpp:674:8
    #26 0x7f5de61fd1f6 in Call<nsDOMMutationObserver *> src/obj-firefox/dist/include/mozilla/dom/MutationObserverBinding.h:200:12
    #27 0x7f5de61fd1f6 in Call<nsDOMMutationObserver *> src/obj-firefox/dist/include/mozilla/dom/MutationObserverBinding.h:222
    #28 0x7f5de61fd1f6 in nsDOMMutationObserver::HandleMutation() src/dom/base/nsDOMMutationObserver.cpp:893
    #29 0x7f5de61f7037 in nsDOMMutationObserver::HandleMutationsInternal(mozilla::AutoSlowOperation&) src/dom/base/nsDOMMutationObserver.cpp:923:26
    #30 0x7f5de1ed5e61 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:603:17
    #31 0x7f5de9b38f65 in LeaveMicroTask src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:210:7
    #32 0x7f5de9b38f65 in ~nsAutoMicroTask src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:305
    #33 0x7f5de9b38f65 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1108
    #34 0x7f5de9b3ad9c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
Component: XPCOM → DOM
TextTrackManager is media stuff.
Component: DOM → Audio/Video
Some kind of shutdown race. I'm going to mark it high because maybe it could happen even without shutdown?
Keywords: sec-high
Group: dom-core-security → media-core-security

Alastor, as our VTT expert, could you please have a look at this?

Assignee: nobody → alwu
Flags: needinfo?(alwu)

sec-high => P1

Priority: -- → P1

Sure, will take a look.

Flags: needinfo?(alwu)

It seems to me that this crash has been fixed by bug 1504365, which has handled the nullptr case [1].

I will close this bug, but please feel free to reopen it if anyone sees this crash again.

[1] https://searchfox.org/mozilla-central/rev/2c912888e3b7ae4baf161d98d7a01434f31830aa/dom/html/TextTrackManager.h#172
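As an added example (not Firefox code), the lifetime pattern behind this crash and the null-pointer fix the comment above refers to: an observer proxy that outlives its owner because it stays registered with a process-wide observer service, and the two-part fix of detaching the back-pointer in the owner's destructor and null-checking it in Observe. The names ObserverService, Manager and ShutdownObserverProxy, and their members, are assumptions modelled on the trace, not the real TextTrackManager API.

```cpp
#include <memory>
#include <vector>

struct Observer { virtual ~Observer() = default; virtual void Observe() = 0; };
struct Manager;  // stands in for TextTrackManager; may be torn down first

// Stands in for nsObserverService: notifies every observer at shutdown, owner alive or not.
struct ObserverService {
  std::vector<std::shared_ptr<Observer>> observers;
  void Notify() { for (auto& o : observers) o->Observe(); }
};

// Registered with the service; holds only a raw back-pointer to its Manager.
struct ShutdownObserverProxy : Observer {
  Manager* manager;
  int skipped = 0;  // notifications dropped because the owner was already gone
  explicit ShutdownObserverProxy(Manager* m) : manager(m) {}
  void Observe() override;
};

struct Manager {
  bool shutdownSeen = false;
  std::shared_ptr<ShutdownObserverProxy> proxy;
  explicit Manager(ObserverService& svc)
      : proxy(std::make_shared<ShutdownObserverProxy>(this)) {
    svc.observers.push_back(proxy);
  }
  ~Manager() { proxy->manager = nullptr; }  // the fix: detach before the memory goes away
  void NotifyShutdown() { shutdownSeen = true; }
};

void ShutdownObserverProxy::Observe() {
  if (!manager) { ++skipped; return; }  // null-check replaces the dangling write
  manager->NotifyShutdown();
}

// Trace ordering: Manager freed first (cycle collector), notification fired later.
int RunShutdownAfterManagerFreed() {
  ObserverService svc;
  std::shared_ptr<ShutdownObserverProxy> proxy;
  { Manager m(svc); proxy = m.proxy; }  // Manager destroyed here
  svc.Notify();                         // like ShutdownXPCOM -> NotifyObservers
  return proxy->skipped;                // 1: the stale proxy was handled safely
}

bool RunShutdownWithManagerAlive() {  // control: owner alive, notification delivered
  ObserverService svc; Manager m(svc); svc.Notify();
  return m.shutdownSeen;
}
```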

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME
Group: media-core-security