Closed Bug 1500310 Opened 7 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free [@ Length] with READ of size 8

Categories

(Core :: Storage: IndexedDB, defect)

Product:
Core
Component:
Storage: IndexedDB
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox-esr60 64+ verified
firefox63 --- wontfix
firefox64 + verified
firefox65 + verified

People

(Reporter: jkratzer, Assigned: janv)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main64+][adv-esr60.4+])

Attachments

(3 files, 1 obsolete file)

testcase.html
681 bytes, text/html
Details
patch
4.70 KB, patch
asuth
: review+
Details | Diff | Splinter Review
patch w/o code comments
3.33 KB, patch
asuth
: review+
RyanVM
: approval-mozilla-beta+
RyanVM
: approval-mozilla-esr60+
RyanVM
: sec-approval+
Details | Diff | Splinter Review
Testcase found while fuzzing mozilla-central rev 733484af9034. I'm currently reducing the testcase and will update once complete. ==27984==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002c24f8 at pc 0x7f7dd83c6f8d bp 0x7ffc9a466470 sp 0x7ffc9a466468 READ of size 8 at 0x6060002c24f8 thread T0 (file:// Content) #0 0x7f7dd83c6f8c in Length src/obj-firefox/dist/include/nsTArray.h:372:37 #1 0x7f7dd83c6f8c in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:1589 #2 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9 #3 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12 #4 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504 #5 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13 #6 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15 #7 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560 #8 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12 #9 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462 #10 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12 #11 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15 #12 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12 #13 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633 #14 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760 #15 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16 #16 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337 #17 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567 #18 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604 #19 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12 #20 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138 #21 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104 #22 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12 #23 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12 #24 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284 #25 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274 #26 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186 #27 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8 #28 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9 #29 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12 #30 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504 #31 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13 #32 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15 #33 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560 #34 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12 #35 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462 #36 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12 #37 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15 #38 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10 #39 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12 #40 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37 #41 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12 #42 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12 #43 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52 #44 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15 #45 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5 #46 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424 #47 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16 #48 0x7f7dd6a15128 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1156:11 #49 0x7f7dd6a1b6e6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp #50 0x7f7dd69cb290 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/events/DOMEventTargetHelper.cpp:185:5 #51 0x7f7dd6a3f259 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) src/dom/events/EventTarget.cpp:213:13 #52 0x7f7dd834e6b3 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, mozilla::dom::Event*) src/dom/indexedDB/ActorsChild.cpp:862:12 #53 0x7f7dd8353486 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) src/dom/indexedDB/ActorsChild.cpp:2279:3 #54 0x7f7dd0cc9620 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:598:20 #55 0x7f7dd0a15480 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28 #56 0x7f7dd02363b5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25 #57 0x7f7dd0231e09 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17 #58 0x7f7dd02340bd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5 #59 0x7f7dd0234e37 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15 #60 0x7f7dcefdd365 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32 #61 0x7f7dcf01a386 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14 #62 0x7f7dcf022ead in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10 #63 0x7f7dd023f463 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21 #64 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10 #65 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318 #66 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298 #67 0x7f7dd8e3d5f3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27 #68 0x7f7ddd2fce4e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:939:22 #69 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10 #70 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318 #71 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298 #72 0x7f7ddd2fbef3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:765:34 #73 0x56524599bb91 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #74 0x56524599bb91 in main src/browser/app/nsBrowserApp.cpp:287 #75 0x7f7df16f782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #76 0x5652458caf3c in _start (/home/ubuntu/firefox/firefox+0x2cf3c) 0x6060002c24f8 is located 56 bytes inside of 64-byte region [0x6060002c24c0,0x6060002c2500) freed by thread T0 (file:// Content) here: #0 0x56524596b372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3 #1 0x7f7dd838b4d4 in Free src/obj-firefox/dist/include/nsTArray.h:216:34 #2 0x7f7dd838b4d4 in ~nsTArray_base src/obj-firefox/dist/include/nsTArray-inl.h:22 #3 0x7f7dd838b4d4 in ~nsTArray_Impl src/obj-firefox/dist/include/nsTArray.h:940 #4 0x7f7dd838b4d4 in ~DatabaseSpec src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:1479 #5 0x7f7dd838b4d4 in ~nsAutoPtr src/obj-firefox/dist/include/nsAutoPtr.h:78 #6 0x7f7dd838b4d4 in mozilla::dom::IDBDatabase::RevertToPreviousState() src/dom/indexedDB/IDBDatabase.cpp:349 #7 0x7f7dd83e05d3 in mozilla::dom::IDBTransaction::AbortInternal(nsresult, already_AddRefed<mozilla::dom::DOMException>) src/dom/indexedDB/IDBTransaction.cpp:667:18 #8 0x7f7dd83e1bfc in mozilla::dom::IDBTransaction::Abort(mozilla::ErrorResult&) src/dom/indexedDB/IDBTransaction.cpp:780:3 #9 0x7f7dd60fa8de in mozilla::dom::IDBTransaction_Binding::abort(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBTransaction*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBTransactionBinding.cpp:213:9 #10 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13 #11 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15 #12 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560 #13 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12 #14 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462 #15 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12 #16 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15 #17 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12 #18 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633 #19 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760 #20 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16 #21 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337 #22 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567 #23 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604 #24 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12 #25 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138 #26 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104 #27 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12 #28 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12 #29 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284 #30 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274 #31 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186 #32 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8 #33 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9 #34 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12 #35 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504 #36 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13 #37 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15 #38 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560 previously allocated by thread T0 (file:// Content) here: #0 0x56524596b6b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x56524599cacd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17 #2 0x7f7dcedc5aaa in Malloc src/obj-firefox/dist/include/nsTArray.h:210:46 #3 0x7f7dcedc5aaa in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) src/obj-firefox/dist/include/nsTArray-inl.h:153 #4 0x7f7dd0e5cbd5 in ExtendCapacity<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray-inl.h:125:16 #5 0x7f7dd0e5cbd5 in mozilla::dom::indexedDB::ObjectStoreSpec* nsTArray_Impl<mozilla::dom::indexedDB::ObjectStoreSpec, nsTArrayInfallibleAllocator>::AppendElements<nsTArrayInfallibleAllocator>(unsigned long) src/obj-firefox/dist/include/nsTArray.h:1776 #6 0x7f7dd838ca4a in AppendElement<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:1804:12 #7 0x7f7dd838ca4a in mozilla::dom::IDBDatabase::CreateObjectStore(nsTSubstring<char16_t> const&, mozilla::dom::IDBObjectStoreParameters const&, mozilla::ErrorResult&) src/dom/indexedDB/IDBDatabase.cpp:468 #8 0x7f7dd5fd2c7e in mozilla::dom::IDBDatabase_Binding::createObjectStore(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBDatabase*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBDatabaseBinding.cpp:150:66 #9 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13 #10 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15 #11 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560 #12 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12 #13 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462 #14 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12 #15 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15 #16 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10 #17 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12 #18 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37 #19 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12 #20 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12 #21 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52 #22 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15 #23 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5 #24 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424 #25 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16 SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsTArray.h:372:37 in Length Shadow bytes around the buggy address: 0x0c0c80050440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80050450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80050460: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c0c80050470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c80050480: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd =>0x0c0c80050490: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd[fd] 0x0c0c800504a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c800504b0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00 0x0c0c800504c0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c800504d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0c800504e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==27984==ABORTING
Flags: in-testsuite?
Group: core-security
Attached file testcase.html
Please note that the testcase must be served via a local web server.
Group: core-security → dom-core-security
See Also: → 1500696
Assignee: nobody → jvarga
Looking.
Status: NEW → ASSIGNED
Yeah, the crash can be easily reproduced using the attached testcase, working on a fix.
Attached patch patch (obsolete) — Splinter Review
This fixes the problem, but I have to finish investigation in bug 1500696 before requesting a review. These bugs look very similar.
Attached patch patchSplinter Review
Andrew, how does this look to you ?
Attachment #9022892 - Attachment is obsolete: true
Attachment #9023653 - Flags: review?(bugmail)
Comment on attachment 9023653 [details] [diff] [review] patch Review of attachment 9023653 [details] [diff] [review]: ----------------------------------------------------------------- I assume we'll land this at the same time as bug 1501152. Especially since there are some very nice comments in here!
Attachment #9023653 - Flags: review?(bugmail) → review+
I think it will be better to add comments later.
Attachment #9024016 - Flags: review?(bugmail)
Comment on attachment 9024016 [details] [diff] [review] patch w/o code comments [Security Approval Request] How easily could an exploit be constructed based on the patch?: It would require quite thorough understanding of the code. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No Which older supported branches are affected by this flaw?: all supported branches If not all supported branches, which bug introduced the flaw?: None Do you have backports for the affected branches?: No If not, how different, hard to create, and risky will they be?: Shouldn't be too hard. The cloning that was introduced in bug 1404274, and is required for this patch, landed on all supported branches. How likely is this patch to cause regressions; how much testing does it need?: Try results look good (we have very good testing infrastructure for IndexedDB).
Attachment #9024016 - Flags: sec-approval?
Comment on attachment 9024016 [details] [diff] [review] patch w/o code comments Review of attachment 9024016 [details] [diff] [review]: ----------------------------------------------------------------- hee hee, the interdiff is very sad here (all the comments being removed)!
Attachment #9024016 - Flags: review?(bugmail) → review+
sec-approval+ for trunk. I'd like to get beta and ESR60 patches nominated as well.
status-firefox63: --- → wontfix
status-firefox65: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox64: --- → +
tracking-firefox65: --- → +
tracking-firefox-esr60: --- → 64+
Comment on attachment 9024016 [details] [diff] [review] patch w/o code comments Setting the sec-approval+ since it was clearly intended per comment 12 :) Also, this grafts cleanly to Beta and ESR60 as-landed, so please go ahead with those approval requests when ready.
Flags: needinfo?(jvarga)
Attachment #9024016 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/91edec50a1cf
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Group: dom-core-security → core-security-release
Comment on attachment 9024016 [details] [diff] [review] patch w/o code comments [Beta/Release Uplift Approval Request] Feature/Bug causing the regression: Long-standing issue User impact if declined: Leads to a crash and it's a critical security issue. Is this code covered by automated tests?: Yes Has the fix been verified in Nightly?: Yes Needs manual test from QE?: No If yes, steps to reproduce: List of other uplifts needed: None Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): We have thorough testing infrastructure for IndexedDB. String changes made/needed: None
Flags: needinfo?(jvarga)
Attachment #9024016 - Flags: approval-mozilla-beta?
Comment on attachment 9024016 [details] [diff] [review] patch w/o code comments [ESR Uplift Approval Request] If this is not a sec:{high,crit} bug, please state case for ESR consideration: It's a sec-high bug. User impact if declined: Leads to a crash and it's a critical security issue. Fix Landed on Version: 65 Risk to taking this patch: Low Why is the change risky/not risky? (and alternatives if risky): We have thorough testing infrastructure for IndexedDB. String or UUID changes made by this patch: None
Attachment #9024016 - Flags: approval-mozilla-esr60?
Comment on attachment 9024016 [details] [diff] [review] patch w/o code comments [Triage Comment] Approved for 64.0b10 and 60.4.0esr, thanks.
Attachment #9024016 - Flags: approval-mozilla-esr60?
Attachment #9024016 - Flags: approval-mozilla-esr60+
Attachment #9024016 - Flags: approval-mozilla-beta?
Attachment #9024016 - Flags: approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 Hi, I have reproduced this issue on Release 63.0.3 and I have verified the following builds and got these results: - Firefox Nightly 65.0a1 (id: 20181119100448) - no crash - Firefox Beta 64.0b10 (id: 20181115150739) - no crash - Firefox ESR 60.3.0 (id: 20181017185317) - TAB CRASH Does this mean that the fix is not yet in 60.3.0esr?
No, it's not in 60.3.0esr. You'd need to be using a recent CI build from TreeHerder to test ESR60.
Tested again on esr60 with the build with changeset "b3a439a26186" and build id: 20181116165247. I had no tab crash. Marking everything accordingly.
Status: RESOLVED → VERIFIED
status-firefox64: fixedverified
status-firefox65: fixedverified
status-firefox-esr60: fixedverified
Flags: qe-verify+
Are there any plans to fix this in 63 further down the line?
No, 63 was set to wontfix in comment 12.
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+][adv-esr60.4+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: