Closed Bug 1499719 Opened 4 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free [@ isSome] with READ of size 1

Categories

(Core :: Storage: IndexedDB, defect, P1)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 67+ fixed
firefox64 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: janv)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [fixed by bug 1538619][adv-main67+][adv-esr60.7+])

Attachments

(1 obsolete file)

Found while fuzzing mozilla-central rev 31724aea10ca.  I don't currently have a working testcase but will update if/when one becomes available.

==23284==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160001a7528 at pc 0x7fb5bc2e5924 bp 0x7fb5986afeb0 sp 0x7fb5986afea8
READ of size 1 at 0x6160001a7528 thread T33 (IPDL Background)
    #0 0x7fb5bc2e5923 in isSome src/obj-firefox/dist/include/mozilla/Maybe.h:314:32
    #1 0x7fb5bc2e5923 in operator bool src/obj-firefox/dist/include/mozilla/Maybe.h:313
    #2 0x7fb5bc2e5923 in IsOwnedByProcess src/dom/indexedDB/ActorsParent.cpp:6388
    #3 0x7fb5bc2e5923 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::AbortOperationsForProcess(mozilla::dom::IdType<mozilla::dom::ContentParent>) src/dom/indexedDB/ActorsParent.cpp:17685
    #4 0x7fb5bbd977b2 in AbortOperationsForProcess src/dom/quota/ActorsParent.cpp:3977:13
    #5 0x7fb5bbd977b2 in mozilla::dom::quota::(anonymous namespace)::AbortOperationsRunnable::Run() src/dom/quota/QuotaManagerService.cpp:831
    #6 0x7fb5b2fd1ce6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #7 0x7fb5b2fda80d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #8 0x7fb5b41f3572 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #9 0x7fb5b40f47bc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #10 0x7fb5b40f47bc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #11 0x7fb5b40f47bc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #12 0x7fb5b2fca173 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
    #13 0x7fb5d6ab5008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7fb5d66fd6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #15 0x7fb5d577a41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6160001a7528 is located 424 bytes inside of 528-byte region [0x6160001a7380,0x6160001a7590)
freed by thread T33 (IPDL Background) here:
    #0 0x55b0bdfa8372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fb5bc2b09e8 in mozilla::dom::indexedDB::(anonymous namespace)::VersionChangeTransaction::~VersionChangeTransaction() src/dom/indexedDB/ActorsParent.cpp:15706:1
    #2 0x7fb5bc23de56 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::SendPreprocessInfoOrResults(bool) src/dom/indexedDB/ActorsParent.cpp:23511:5
    #3 0x7fb5bc235448 in mozilla::dom::indexedDB::(anonymous namespace)::TransactionDatabaseOperationBase::Run() src/dom/indexedDB/ActorsParent.cpp
    #4 0x7fb5b2fd1ce6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #5 0x7fb5b2fda80d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #6 0x7fb5b41f3572 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #7 0x7fb5b40f47bc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #8 0x7fb5b40f47bc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #9 0x7fb5b40f47bc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #10 0x7fb5b2fca173 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
    #11 0x7fb5d6ab5008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7fb5d66fd6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T33 (IPDL Background) here:
    #0 0x55b0bdfa86b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x55b0bdfd9acd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7fb5bc22a9e4 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #3 0x7fb5bc22a9e4 in mozilla::dom::indexedDB::(anonymous namespace)::OpenDatabaseOp::EnsureDatabaseActor() src/dom/indexedDB/ActorsParent.cpp:22292
    #4 0x7fb5bc209b12 in mozilla::dom::indexedDB::(anonymous namespace)::OpenDatabaseOp::BeginVersionChange() src/dom/indexedDB/ActorsParent.cpp:21939:3
    #5 0x7fb5bc1fd457 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() src/dom/indexedDB/ActorsParent.cpp
    #6 0x7fb5b2fd1ce6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #7 0x7fb5b2fda80d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #8 0x7fb5b41f3572 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #9 0x7fb5b40f47bc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #10 0x7fb5b40f47bc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #11 0x7fb5b40f47bc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #12 0x7fb5b2fca173 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:505:11
    #13 0x7fb5d6ab5008 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7fb5d66fd6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T33 (IPDL Background) created by T0 here:
    #0 0x55b0bdf9173d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fb5d6ab1d45 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fb5d6ab192e in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fb5b2fcd108 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:719:8
    #4 0x7fb5b2fd94fe in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:485:22
    #5 0x7fb5b2fdde07 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fb5b41b8e72 in NS_NewNamedThread<16> src/obj-firefox/dist/include/nsThreadUtils.h:75:10
    #7 0x7fb5b41b8e72 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() src/ipc/glue/BackgroundImpl.cpp:1015
    #8 0x7fb5b41be6ca in RunOnMainThread src/ipc/glue/BackgroundImpl.cpp:1330:30
    #9 0x7fb5b41be6ca in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() src/ipc/glue/BackgroundImpl.cpp:1351
    #10 0x7fb5b2fd1ce6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #11 0x7fb5b2fda80d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #12 0x7fb5b2fcf87a in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:953:22)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #13 0x7fb5b2fcf87a in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:953
    #14 0x7fb5b5141d1b in applyImpl<nsIThread, nsresult (nsIThread::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #15 0x7fb5b5141d1b in apply<nsIThread, nsresult (nsIThread::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #16 0x7fb5b5141d1b in mozilla::detail::RunnableMethodImpl<RefPtr<nsIThread>, nsresult (nsIThread::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #17 0x7fb5b2fd1ce6 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #18 0x7fb5b2fda80d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7fb5b2fd9dee in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:558:36)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #20 0x7fb5b2fd9dee in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) src/xpcom/threads/nsThreadManager.cpp:558
    #21 0x7fb5b300df71 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #22 0x7fb5b5243eef in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1723:12
    #23 0x7fb5b5243eef in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1268
    #24 0x7fb5b5243eef in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1232
    #25 0x7fb5b524a93f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1019:12
    #26 0x7fb5c2f9315b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #27 0x7fb5c2f9315b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #28 0x7fb5c2f7c0de in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #29 0x7fb5c2f7c0de in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3458
    #30 0x7fb5c2f613ab in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #31 0x7fb5c2f93c6e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #32 0x7fb5c2f95a02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #33 0x7fb5c243e832 in js::fun_apply(JSContext*, unsigned int, JS::Value*) src/js/src/vm/JSFunction.cpp:1381:12
    #34 0x7fb5c2f9315b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #35 0x7fb5c2f9315b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #36 0x7fb5c2f7c0de in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #37 0x7fb5c2f7c0de in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3458
    #38 0x7fb5c2f613ab in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #39 0x7fb5c2f93c6e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #40 0x7fb5c2f95a02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #41 0x7fb5c20663e0 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2915:12
    #42 0x7fb5b522445f in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1206:23
    #43 0x7fb5b300f678 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
    #44 0x7fb5b300e54a in SharedStub (/home/ubuntu/firefox/libxul.so+0x470354a)
    #45 0x7fb5c12c70c3 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:1090:11
    #46 0x7fb5c129c1ce in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4607:16
    #47 0x7fb5c129fbdb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4922:8
    #48 0x7fb5c12a1793 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5014:21
    #49 0x55b0bdfd89ac in do_main src/browser/app/nsBrowserApp.cpp:233:22
    #50 0x55b0bdfd89ac in main src/browser/app/nsBrowserApp.cpp:315
    #51 0x7fb5d569382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/mozilla/Maybe.h:314:32 in isSome
==23284==ABORTING
Group: core-security → dom-core-security
Keywords: sec-high
Assignee: nobody → jvarga
From a cursory look it seems that a pointer to the Database object remains in gLiveDatabaseHashtable even after its refcount reaches 0 and it gets deleted.
Yes, that's right. The million dollar question is where is the spot in the code that should also update gLiveDatabaseHashtable when a Database object is going to be destroyed.
Normally, we do that in Database::CleanupMetadata.
Priority: -- → P1
Assignee: jvarga → ytausky
Status: NEW → ASSIGNED
I couldn't figure out the exact set of conditions that causes this, and it's probably not worth it to put more effort into it. I'll try to use weak pointers in gLiveDatabaseHashtable to catch the problem before it blows up.
Attached file Use WeakPtr in IndexedDB (obsolete) —
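
A minimal model of the weak-pointer approach proposed in the comment above, added here as an illustration; it is not the attached patch or any Firefox code. std::weak_ptr and std::optional stand in for mozilla::WeakPtr and mozilla::Maybe, and LiveDatabaseTable, Database and RunScenario are hypothetical names. A table entry whose object has already been destroyed is detected at lookup time instead of being dereferenced.

```cpp
// Added illustration; std::weak_ptr / std::optional stand in for
// mozilla::WeakPtr / mozilla::Maybe, and all names are hypothetical.
#include <cstdint>
#include <iostream>
#include <memory>
#include <optional>
#include <string>
#include <unordered_map>

struct Database {
  std::optional<uint64_t> ownerProcess;  // empty: no owning content process
  bool invalidated = false;
  bool IsOwnedByProcess(uint64_t id) const { return ownerProcess && *ownerProcess == id; }
};

// Models the live-database table: it observes objects without owning them.
class LiveDatabaseTable {
  std::unordered_map<std::string, std::weak_ptr<Database>> live_;
 public:
  void Register(const std::string& id, std::shared_ptr<Database> db) { live_[id] = db; }
  // Invalidates databases owned by `process`; dead entries are counted and pruned.
  size_t AbortOperationsForProcess(uint64_t process, size_t& stale) {
    size_t aborted = 0;
    stale = 0;
    for (auto it = live_.begin(); it != live_.end();) {
      std::shared_ptr<Database> db = it->second.lock();
      if (!db) { ++stale; it = live_.erase(it); continue; }  // object already freed
      if (db->IsOwnedByProcess(process)) { db->invalidated = true; ++aborted; }
      ++it;
    }
    return aborted;
  }
};

// Constructed scenario: one database dies without its table entry being removed.
size_t RunScenario(size_t& stale) {
  LiveDatabaseTable table;
  auto kept = std::make_shared<Database>(Database{uint64_t{7}});
  auto leaked = std::make_shared<Database>(Database{uint64_t{7}});
  table.Register("origin-a", kept);
  table.Register("origin-b", leaked);
  leaked.reset();  // last reference dropped; the table entry is never removed
  return table.AbortOperationsForProcess(7, stale);
}

int main() {
  size_t stale = 0, aborted = RunScenario(stale);
  std::cout << "aborted=" << aborted << " stale=" << stale << "\n";
}
```

With raw pointers in the table, the same scenario would read the `ownerProcess` field of a freed object, which is the READ that AddressSanitizer reports in `isSome` above.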

This might get fixed in bug 1538619.

Attachment #9037290 - Attachment is obsolete: true
Depends on: 1538619
Assignee: ytausky → jvarga

This should be fixed by the patch in bug 1538619.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Group: dom-core-security → core-security-release
Whiteboard: [fixed by bug 1538619]
Whiteboard: [fixed by bug 1538619] → [fixed by bug 1538619][adv-main67+][adv-esr60.7+]
Group: core-security-release