Closed Bug 1500310 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ Length] with READ of size 8

Categories

(Core :: Storage: IndexedDB, defect)

defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla65
Tracking Status
firefox-esr60 64+ verified
firefox63 --- wontfix
firefox64 + verified
firefox65 + verified

People

(Reporter: jkratzer, Assigned: janv)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main64+][adv-esr60.4+])

Attachments

(3 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 733484af9034.  I'm currently reducing the testcase and will update once complete.

==27984==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002c24f8 at pc 0x7f7dd83c6f8d bp 0x7ffc9a466470 sp 0x7ffc9a466468
READ of size 8 at 0x6060002c24f8 thread T0 (file:// Content)
    #0 0x7f7dd83c6f8c in Length src/obj-firefox/dist/include/nsTArray.h:372:37
    #1 0x7f7dd83c6f8c in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:1589
    #2 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #3 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #4 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #5 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #6 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #7 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #8 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #9 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #10 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #11 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #12 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12
    #13 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633
    #14 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760
    #15 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16
    #16 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337
    #17 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567
    #18 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604
    #19 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
    #20 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138
    #21 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104
    #22 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12
    #23 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12
    #24 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284
    #25 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274
    #26 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186
    #27 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8
    #28 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #29 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #30 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #31 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #32 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #33 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #34 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #35 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #36 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #37 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #38 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #39 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
    #40 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #41 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #42 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #43 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52
    #44 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
    #45 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #46 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424
    #47 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16
    #48 0x7f7dd6a15128 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1156:11
    #49 0x7f7dd6a1b6e6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #50 0x7f7dd69cb290 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/events/DOMEventTargetHelper.cpp:185:5
    #51 0x7f7dd6a3f259 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) src/dom/events/EventTarget.cpp:213:13
    #52 0x7f7dd834e6b3 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, mozilla::dom::Event*) src/dom/indexedDB/ActorsChild.cpp:862:12
    #53 0x7f7dd8353486 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) src/dom/indexedDB/ActorsChild.cpp:2279:3
    #54 0x7f7dd0cc9620 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:598:20
    #55 0x7f7dd0a15480 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #56 0x7f7dd02363b5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
    #57 0x7f7dd0231e09 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
    #58 0x7f7dd02340bd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
    #59 0x7f7dd0234e37 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
    #60 0x7f7dcefdd365 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #61 0x7f7dcf01a386 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #62 0x7f7dcf022ead in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #63 0x7f7dd023f463 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #64 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #65 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #66 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #67 0x7f7dd8e3d5f3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #68 0x7f7ddd2fce4e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #69 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #70 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #71 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #72 0x7f7ddd2fbef3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #73 0x56524599bb91 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #74 0x56524599bb91 in main src/browser/app/nsBrowserApp.cpp:287
    #75 0x7f7df16f782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #76 0x5652458caf3c in _start (/home/ubuntu/firefox/firefox+0x2cf3c)

0x6060002c24f8 is located 56 bytes inside of 64-byte region [0x6060002c24c0,0x6060002c2500)
freed by thread T0 (file:// Content) here:
    #0 0x56524596b372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f7dd838b4d4 in Free src/obj-firefox/dist/include/nsTArray.h:216:34
    #2 0x7f7dd838b4d4 in ~nsTArray_base src/obj-firefox/dist/include/nsTArray-inl.h:22
    #3 0x7f7dd838b4d4 in ~nsTArray_Impl src/obj-firefox/dist/include/nsTArray.h:940
    #4 0x7f7dd838b4d4 in ~DatabaseSpec src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:1479
    #5 0x7f7dd838b4d4 in ~nsAutoPtr src/obj-firefox/dist/include/nsAutoPtr.h:78
    #6 0x7f7dd838b4d4 in mozilla::dom::IDBDatabase::RevertToPreviousState() src/dom/indexedDB/IDBDatabase.cpp:349
    #7 0x7f7dd83e05d3 in mozilla::dom::IDBTransaction::AbortInternal(nsresult, already_AddRefed<mozilla::dom::DOMException>) src/dom/indexedDB/IDBTransaction.cpp:667:18
    #8 0x7f7dd83e1bfc in mozilla::dom::IDBTransaction::Abort(mozilla::ErrorResult&) src/dom/indexedDB/IDBTransaction.cpp:780:3
    #9 0x7f7dd60fa8de in mozilla::dom::IDBTransaction_Binding::abort(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBTransaction*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBTransactionBinding.cpp:213:9
    #10 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #11 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #12 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #13 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #14 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #15 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #16 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #17 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12
    #18 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633
    #19 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760
    #20 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16
    #21 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337
    #22 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567
    #23 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604
    #24 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
    #25 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138
    #26 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104
    #27 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12
    #28 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12
    #29 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284
    #30 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274
    #31 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186
    #32 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8
    #33 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #34 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #35 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #36 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #37 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #38 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560

previously allocated by thread T0 (file:// Content) here:
    #0 0x56524596b6b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x56524599cacd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f7dcedc5aaa in Malloc src/obj-firefox/dist/include/nsTArray.h:210:46
    #3 0x7f7dcedc5aaa in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) src/obj-firefox/dist/include/nsTArray-inl.h:153
    #4 0x7f7dd0e5cbd5 in ExtendCapacity<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray-inl.h:125:16
    #5 0x7f7dd0e5cbd5 in mozilla::dom::indexedDB::ObjectStoreSpec* nsTArray_Impl<mozilla::dom::indexedDB::ObjectStoreSpec, nsTArrayInfallibleAllocator>::AppendElements<nsTArrayInfallibleAllocator>(unsigned long) src/obj-firefox/dist/include/nsTArray.h:1776
    #6 0x7f7dd838ca4a in AppendElement<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:1804:12
    #7 0x7f7dd838ca4a in mozilla::dom::IDBDatabase::CreateObjectStore(nsTSubstring<char16_t> const&, mozilla::dom::IDBObjectStoreParameters const&, mozilla::ErrorResult&) src/dom/indexedDB/IDBDatabase.cpp:468
    #8 0x7f7dd5fd2c7e in mozilla::dom::IDBDatabase_Binding::createObjectStore(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBDatabase*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBDatabaseBinding.cpp:150:66
    #9 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #10 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #11 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #12 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #13 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #14 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #15 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #16 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #17 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
    #18 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #19 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #20 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #21 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52
    #22 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
    #23 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #24 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424
    #25 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16

SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsTArray.h:372:37 in Length
Shadow bytes around the buggy address:
  0x0c0c80050440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050460: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80050470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050480: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c0c80050490: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c0c800504a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800504b0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c0c800504c0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800504d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800504e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27984==ABORTING
Flags: in-testsuite?
Group: core-security
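As an added illustration (simplified model code, not Gecko code and not the patch from this bug, which is not shown here), the C++ below mirrors the hazard the three traces above describe: IDBObjectStore::GetAddInfo runs structured clone, which can call back into script; script that calls transaction.abort() reaches IDBDatabase::RevertToPreviousState(), which destroys the DatabaseSpec whose nsTArray Length is then read. Ownership is modelled with shared_ptr/weak_ptr so the dangling read becomes an observable failure instead of undefined behaviour; every type and function name here is a stand-in.

```cpp
// Added illustration of the re-entrancy hazard in this bug's ASan traces; this is
// a simplified model, not Gecko code. Names mirror the trace but are stand-ins.
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct IndexSpec { std::string name; };
struct ObjectStoreSpec { std::string name; std::vector<IndexSpec> indexes; };
struct DatabaseSpec { std::vector<ObjectStoreSpec> objectStores; };

// Stand-in for IDBDatabase: owns the live spec plus the snapshot taken when a
// version-change transaction started. Reverting drops the newer spec, which in
// the real code is where ~DatabaseSpec (and the nsTArray free) happens.
struct Database {
  std::shared_ptr<DatabaseSpec> spec;
  std::shared_ptr<DatabaseSpec> previousSpec;
  void RevertToPreviousState() { spec = previousSpec; }
};

// Stand-in for script that structured clone may run (a getter on the value being
// stored). In the bug it calls IDBTransaction.abort().
using CloneCallback = std::function<void()>;

// Unsafe shape matching the trace: remember where the store's spec lives, call out
// to script, then read the index list. The real code held a raw pointer and read
// nsTArray::Length() from freed memory; here a weak_ptr makes that observable.
// Returns the index count, or -1 if the spec was freed during the callout.
long GetAddInfoUnsafe(Database& db, size_t storeIdx, const CloneCallback& clone) {
  std::weak_ptr<DatabaseSpec> specWhileCloning = db.spec;
  clone();  // arbitrary script runs here and may abort the transaction
  std::shared_ptr<DatabaseSpec> spec = specWhileCloning.lock();
  if (!spec) return -1;  // the dangling read; the real code had no such guard
  return static_cast<long>(spec->objectStores[storeIdx].indexes.size());
}

// Hardened shape (one reasonable design, not a claim about the actual patch):
// keep the spec alive across the callout and re-validate state afterwards, so an
// abort from script can neither free the data nor let a stale add proceed.
// Returns the index count, or -2 if the database state changed during cloning.
long GetAddInfoSafe(Database& db, size_t storeIdx, const CloneCallback& clone) {
  std::shared_ptr<DatabaseSpec> held = db.spec;  // strong ref: no free while in script
  clone();
  if (db.spec != held) return -2;  // transaction aborted underneath us: refuse
  return static_cast<long>(held->objectStores[storeIdx].indexes.size());
}

// Constructed scenario: a version-change transaction created one object store
// with two indexes (cf. CreateObjectStore in the allocation trace); before the
// upgrade there were no stores.
static Database MakeUpgradingDatabase() {
  Database db;
  db.previousSpec = std::make_shared<DatabaseSpec>();
  db.spec = std::make_shared<DatabaseSpec>();
  db.spec->objectStores.push_back({"store", {{"byName"}, {"byDate"}}});
  return db;
}

// Drive add() with a clone callback that does or does not abort mid-clone.
long RunUnsafe(bool abortDuringClone) {
  Database db = MakeUpgradingDatabase();
  return GetAddInfoUnsafe(db, 0, [&] {
    if (abortDuringClone) db.RevertToPreviousState();
  });
}

long RunSafe(bool abortDuringClone) {
  Database db = MakeUpgradingDatabase();
  return GetAddInfoSafe(db, 0, [&] {
    if (abortDuringClone) db.RevertToPreviousState();
  });
}
```

The point for review and detection is the shape, not the names: any state read after a call that can run script must either be kept alive across that call or re-validated after it.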
Duplicate of this bug: 1500311
Attached file testcase.html
Please note that the testcase must be served via a local web server.
Group: core-security → dom-core-security
See Also: → 1500696
Assignee: nobody → jvarga
Looking.
Status: NEW → ASSIGNED
Yeah, the crash can be easily reproduced using the attached testcase, working on a fix.
Attached patch patch (obsolete) — Splinter Review
This fixes the problem, but I have to finish investigation in bug 1500696 before requesting a review. These bugs look very similar.
Attached patch patch — Splinter Review
Andrew, how does this look to you?
Attachment #9022892 - Attachment is obsolete: true
Attachment #9023653 - Flags: review?(bugmail)
Comment on attachment 9023653 [details] [diff] [review]
patch

Review of attachment 9023653 [details] [diff] [review]:
-----------------------------------------------------------------

I assume we'll land this at the same time as bug 1501152.  Especially since there are some very nice comments in here!
Attachment #9023653 - Flags: review?(bugmail) → review+
I think it will be better to add comments later.
Attachment #9024016 - Flags: review?(bugmail)
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: It would require quite thorough understanding of the code.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: all supported branches

If not all supported branches, which bug introduced the flaw?: None

Do you have backports for the affected branches?: No

If not, how different, hard to create, and risky will they be?: Shouldn't be too hard. The cloning that was introduced in bug 1404274, and is required for this patch, landed on all supported branches.

How likely is this patch to cause regressions; how much testing does it need?: Try results look good (we have very good testing infrastructure for IndexedDB).
Attachment #9024016 - Flags: sec-approval?
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments

Review of attachment 9024016 [details] [diff] [review]:
-----------------------------------------------------------------

hee hee, the interdiff is very sad here (all the comments being removed)!
Attachment #9024016 - Flags: review?(bugmail) → review+
sec-approval+ for trunk.
I'd like to get beta and ESR60 patches nominated as well.
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments

Setting the sec-approval+ since it was clearly intended per comment 12 :)

Also, this grafts cleanly to Beta and ESR60 as-landed, so please go ahead with those approval requests when ready.
Flags: needinfo?(jvarga)
Attachment #9024016 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/91edec50a1cf
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Group: dom-core-security → core-security-release
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Long-standing issue

User impact if declined: Leads to a crash and it's a critical security issue.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): We have thorough testing infrastructure for IndexedDB.

String changes made/needed: None
Flags: needinfo?(jvarga)
Attachment #9024016 - Flags: approval-mozilla-beta?
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: It's a sec-high bug.

User impact if declined: Leads to a crash and it's a critical security issue.

Fix Landed on Version: 65

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): We have thorough testing infrastructure for IndexedDB.

String or UUID changes made by this patch: None
Attachment #9024016 - Flags: approval-mozilla-esr60?
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments

[Triage Comment]
Approved for 64.0b10 and 60.4.0esr, thanks.
Attachment #9024016 - Flags: approval-mozilla-esr60?
Attachment #9024016 - Flags: approval-mozilla-esr60+
Attachment #9024016 - Flags: approval-mozilla-beta?
Attachment #9024016 - Flags: approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0

Hi,
I have reproduced this issue on Release 63.0.3 and I have verified the following builds and got these results:

- Firefox Nightly 65.0a1 (id: 20181119100448) - no crash
- Firefox Beta 64.0b10 (id: 20181115150739) - no crash
- Firefox ESR 60.3.0 (id: 20181017185317) - TAB CRASH

Does this mean that the fix is not yet in 60.3.0esr?
No, it's not in 60.3.0esr. You'd need to be using a recent CI build from TreeHerder to test ESR60.
Tested again on esr60 with the build with changeset "b3a439a26186" and build id: 20181116165247. I had no tab crash. Marking everything accordingly.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Are there any plans to fix this in 63 further down the line?
No, 63 was set to wontfix in comment 12.
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+][adv-esr60.4+]
Group: core-security-release