Bug 1500310 (Closed) - AddressSanitizer: heap-use-after-free [@ Length] with READ of size 8
Opened 7 years ago; Closed 6 years ago
Categories: Core :: Storage: IndexedDB, defect
Tracking: VERIFIED FIXED, mozilla65
People: Reporter: jkratzer, Assigned: janv
References: Blocks 3 open bugs
Details: 4 keywords, Whiteboard: [post-critsmash-triage][adv-main64+][adv-esr60.4+]
Attachments (3 files, 1 obsolete file):
Attachment: 681 bytes, text/html
Attachment: 4.70 KB, patch; asuth: review+
Attachment: 3.33 KB, patch; asuth: review+; RyanVM: approval-mozilla-beta+, approval-mozilla-esr60+, sec-approval+
Testcase found while fuzzing mozilla-central rev 733484af9034. I'm currently reducing the testcase and will update once complete.
==27984==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002c24f8 at pc 0x7f7dd83c6f8d bp 0x7ffc9a466470 sp 0x7ffc9a466468
READ of size 8 at 0x6060002c24f8 thread T0 (file:// Content)
#0 0x7f7dd83c6f8c in Length src/obj-firefox/dist/include/nsTArray.h:372:37
#1 0x7f7dd83c6f8c in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:1589
#2 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
#3 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
#4 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
#5 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
#6 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
#7 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
#8 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
#9 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
#10 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#11 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#12 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12
#13 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633
#14 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760
#15 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16
#16 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337
#17 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567
#18 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604
#19 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
#20 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138
#21 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104
#22 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12
#23 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12
#24 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284
#25 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274
#26 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186
#27 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8
#28 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
#29 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
#30 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
#31 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
#32 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
#33 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
#34 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
#35 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
#36 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#37 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#38 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
#39 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
#40 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
#41 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#42 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
#43 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52
#44 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
#45 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#46 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424
#47 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16
#48 0x7f7dd6a15128 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1156:11
#49 0x7f7dd6a1b6e6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#50 0x7f7dd69cb290 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/events/DOMEventTargetHelper.cpp:185:5
#51 0x7f7dd6a3f259 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) src/dom/events/EventTarget.cpp:213:13
#52 0x7f7dd834e6b3 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, mozilla::dom::Event*) src/dom/indexedDB/ActorsChild.cpp:862:12
#53 0x7f7dd8353486 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) src/dom/indexedDB/ActorsChild.cpp:2279:3
#54 0x7f7dd0cc9620 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:598:20
#55 0x7f7dd0a15480 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
#56 0x7f7dd02363b5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
#57 0x7f7dd0231e09 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
#58 0x7f7dd02340bd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
#59 0x7f7dd0234e37 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
#60 0x7f7dcefdd365 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#61 0x7f7dcf01a386 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
#62 0x7f7dcf022ead in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#63 0x7f7dd023f463 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#64 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#65 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#66 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#67 0x7f7dd8e3d5f3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#68 0x7f7ddd2fce4e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:939:22
#69 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#70 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#71 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#72 0x7f7ddd2fbef3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:765:34
#73 0x56524599bb91 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#74 0x56524599bb91 in main src/browser/app/nsBrowserApp.cpp:287
#75 0x7f7df16f782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#76 0x5652458caf3c in _start (/home/ubuntu/firefox/firefox+0x2cf3c)
0x6060002c24f8 is located 56 bytes inside of 64-byte region [0x6060002c24c0,0x6060002c2500)
freed by thread T0 (file:// Content) here:
#0 0x56524596b372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7f7dd838b4d4 in Free src/obj-firefox/dist/include/nsTArray.h:216:34
#2 0x7f7dd838b4d4 in ~nsTArray_base src/obj-firefox/dist/include/nsTArray-inl.h:22
#3 0x7f7dd838b4d4 in ~nsTArray_Impl src/obj-firefox/dist/include/nsTArray.h:940
#4 0x7f7dd838b4d4 in ~DatabaseSpec src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:1479
#5 0x7f7dd838b4d4 in ~nsAutoPtr src/obj-firefox/dist/include/nsAutoPtr.h:78
#6 0x7f7dd838b4d4 in mozilla::dom::IDBDatabase::RevertToPreviousState() src/dom/indexedDB/IDBDatabase.cpp:349
#7 0x7f7dd83e05d3 in mozilla::dom::IDBTransaction::AbortInternal(nsresult, already_AddRefed<mozilla::dom::DOMException>) src/dom/indexedDB/IDBTransaction.cpp:667:18
#8 0x7f7dd83e1bfc in mozilla::dom::IDBTransaction::Abort(mozilla::ErrorResult&) src/dom/indexedDB/IDBTransaction.cpp:780:3
#9 0x7f7dd60fa8de in mozilla::dom::IDBTransaction_Binding::abort(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBTransaction*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBTransactionBinding.cpp:213:9
#10 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
#11 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
#12 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
#13 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
#14 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
#15 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#16 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#17 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12
#18 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633
#19 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760
#20 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16
#21 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337
#22 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567
#23 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604
#24 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
#25 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138
#26 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104
#27 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12
#28 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12
#29 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284
#30 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274
#31 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186
#32 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8
#33 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
#34 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
#35 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
#36 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
#37 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
#38 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
previously allocated by thread T0 (file:// Content) here:
#0 0x56524596b6b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x56524599cacd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
#2 0x7f7dcedc5aaa in Malloc src/obj-firefox/dist/include/nsTArray.h:210:46
#3 0x7f7dcedc5aaa in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) src/obj-firefox/dist/include/nsTArray-inl.h:153
#4 0x7f7dd0e5cbd5 in ExtendCapacity<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray-inl.h:125:16
#5 0x7f7dd0e5cbd5 in mozilla::dom::indexedDB::ObjectStoreSpec* nsTArray_Impl<mozilla::dom::indexedDB::ObjectStoreSpec, nsTArrayInfallibleAllocator>::AppendElements<nsTArrayInfallibleAllocator>(unsigned long) src/obj-firefox/dist/include/nsTArray.h:1776
#6 0x7f7dd838ca4a in AppendElement<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:1804:12
#7 0x7f7dd838ca4a in mozilla::dom::IDBDatabase::CreateObjectStore(nsTSubstring<char16_t> const&, mozilla::dom::IDBObjectStoreParameters const&, mozilla::ErrorResult&) src/dom/indexedDB/IDBDatabase.cpp:468
#8 0x7f7dd5fd2c7e in mozilla::dom::IDBDatabase_Binding::createObjectStore(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBDatabase*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBDatabaseBinding.cpp:150:66
#9 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
#10 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
#11 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
#12 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
#13 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
#14 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
#15 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
#16 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
#17 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
#18 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
#19 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#20 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
#21 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52
#22 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
#23 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#24 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424
#25 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16
SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsTArray.h:372:37 in Length
Shadow bytes around the buggy address:
==27984==ABORTING
Flags: in-testsuite?
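Added example (not one of this bug's attachments and not Mozilla code): a Python triage helper that parses an ASan heap-use-after-free report like the one above into its access, free and allocation stacks and returns, for each, the first frame inside the component's own sources (here src/dom/indexedDB/), which for this report points straight at the GetAddInfo read, the RevertToPreviousState free and the CreateObjectStore allocation. The embedded report is a constructed excerpt of the trace above with intermediate frames omitted.

```python
"""Parse an AddressSanitizer heap-use-after-free report into its three stacks."""
import re
from dataclasses import dataclass, field

# A frame line: "#N 0x<pc> in <function> <file:line:col>". The function part may
# contain spaces and parentheses, so it is matched greedily and the location is
# taken as the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*\S)\s+(\S+)$")
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FREED_RE = re.compile(r"^freed by thread T\d+")
ALLOC_RE = re.compile(r"^previously allocated by thread T\d+")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    error: str = ""
    address: str = ""
    access: str = ""            # e.g. "READ of size 8"
    offset: int = -1            # offset of the bad access inside the freed region
    region_size: int = -1
    stacks: dict = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line, switching stacks on the ASan section headers."""
    report = AsanReport()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ERROR_RE.match(line):
            report.error, report.address = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            report.access = f"{m.group(1)} of size {m.group(2)}"
            current = "access"
        elif FREED_RE.match(line):
            current = "free"
        elif ALLOC_RE.match(line):
            current = "alloc"
        elif m := REGION_RE.search(line):
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
        elif line.startswith(("SUMMARY:", "Shadow bytes")):
            current = None                  # nothing after this belongs to a stack
        elif current and (m := FRAME_RE.match(line)):
            report.stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def first_frame_under(frames, path_prefix):
    """First frame located in the component's own sources, skipping inlined helpers
    (nsTArray::Length, the allocator wrappers) and generated binding/IPDL code."""
    return next((f for f in frames if f.location.startswith(path_prefix)), None)


def triage(report, component="src/dom/indexedDB/"):
    """(access, free, alloc) frames a triager reads first: where the freed memory was
    touched, who freed it, and who allocated it."""
    return tuple(first_frame_under(report.stacks[k], component) for k in ("access", "free", "alloc"))


# Constructed excerpt of the report above (frame numbers kept, intermediate frames omitted).
SAMPLE_REPORT = """\
==27984==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002c24f8 at pc 0x7f7dd83c6f8d bp 0x7ffc9a466470 sp 0x7ffc9a466468
READ of size 8 at 0x6060002c24f8 thread T0 (file:// Content)
    #0 0x7f7dd83c6f8c in Length src/obj-firefox/dist/include/nsTArray.h:372:37
    #1 0x7f7dd83c6f8c in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:1589
    #2 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
0x6060002c24f8 is located 56 bytes inside of 64-byte region [0x6060002c24c0,0x6060002c2500)
freed by thread T0 (file:// Content) here:
    #0 0x56524596b372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f7dd838b4d4 in Free src/obj-firefox/dist/include/nsTArray.h:216:34
    #4 0x7f7dd838b4d4 in ~DatabaseSpec src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:1479
    #6 0x7f7dd838b4d4 in mozilla::dom::IDBDatabase::RevertToPreviousState() src/dom/indexedDB/IDBDatabase.cpp:349
    #7 0x7f7dd83e05d3 in mozilla::dom::IDBTransaction::AbortInternal(nsresult, already_AddRefed<mozilla::dom::DOMException>) src/dom/indexedDB/IDBTransaction.cpp:667:18
previously allocated by thread T0 (file:// Content) here:
    #0 0x56524596b6b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x56524599cacd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #7 0x7f7dd838ca4a in mozilla::dom::IDBDatabase::CreateObjectStore(nsTSubstring<char16_t> const&, mozilla::dom::IDBObjectStoreParameters const&, mozilla::ErrorResult&) src/dom/indexedDB/IDBDatabase.cpp:468
SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsTArray.h:372:37 in Length
"""
```

Calling `triage(parse_asan_report(SAMPLE_REPORT))` yields the GetAddInfo, RevertToPreviousState and CreateObjectStore frames, which is the access/free/alloc triple a triager records before looking at the reentrancy path between them.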
Reporter
Updated•7 years ago
Group: core-security
Reporter
Comment 2•7 years ago
Please note that the testcase must be served via a local web server.
Updated•7 years ago
Group: core-security → dom-core-security
Assignee
Updated•7 years ago
Assignee: nobody → jvarga
Updated•7 years ago
Keywords: sec-critical
Assignee
Comment 4•7 years ago
Yeah, the crash can be easily reproduced using the attached testcase, working on a fix.
Assignee
Comment 5•7 years ago
This fixes the problem, but I have to finish investigation in bug 1500696 before requesting a review. These bugs look very similar.
Assignee
Comment 6•7 years ago
Andrew, how does this look to you?
Attachment #9022892 - Attachment is obsolete: true
Attachment #9023653 - Flags: review?(bugmail)
Comment 7•7 years ago
Comment on attachment 9023653 [details] [diff] [review]
patch
Review of attachment 9023653 [details] [diff] [review]:
-----------------------------------------------------------------
I assume we'll land this at the same time as bug 1501152. Especially since there are some very nice comments in here!
Attachment #9023653 - Flags: review?(bugmail) → review+
Assignee
Comment 8•7 years ago
I think it will be better to add comments later.
Attachment #9024016 - Flags: review?(bugmail)
Assignee
Comment 9•7 years ago
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments
[Security Approval Request]
How easily could an exploit be constructed based on the patch?: It would require quite thorough understanding of the code.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: all supported branches
If not all supported branches, which bug introduced the flaw?: None
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: Shouldn't be too hard. The cloning that was introduced in bug 1404274, and is required for this patch, landed on all supported branches.
How likely is this patch to cause regressions; how much testing does it need?: Try results look good (we have very good testing infrastructure for IndexedDB).
Attachment #9024016 - Flags: sec-approval?
Comment 10•7 years ago
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments
Review of attachment 9024016 [details] [diff] [review]:
-----------------------------------------------------------------
hee hee, the interdiff is very sad here (all the comments being removed)!
Attachment #9024016 - Flags: review?(bugmail) → review+
Assignee
Comment 11•7 years ago
Comment 12•6 years ago
sec-approval+ for trunk.
I'd like to get beta and ESR60 patches nominated as well.
status-firefox63: --- → wontfix
status-firefox65: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox64: --- → +
tracking-firefox65: --- → +
tracking-firefox-esr60: --- → 64+
Assignee
Comment 13•6 years ago
Comment 14•6 years ago
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments
Setting the sec-approval+ since it was clearly intended per comment 12 :)
Also, this grafts cleanly to Beta and ESR60 as-landed, so please go ahead with those approval requests when ready.
Flags: needinfo?(jvarga)
Attachment #9024016 - Flags: sec-approval? → sec-approval+
Comment 15•6 years ago
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Updated•6 years ago
Group: dom-core-security → core-security-release
Assignee
Comment 16•6 years ago
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Long-standing issue
User impact if declined: Leads to a crash and it's a critical security issue.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): We have thorough testing infrastructure for IndexedDB.
String changes made/needed: None
Flags: needinfo?(jvarga)
Attachment #9024016 - Flags: approval-mozilla-beta?
Assignee
Comment 17•6 years ago
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It's a sec-high bug.
User impact if declined: Leads to a crash and it's a critical security issue.
Fix Landed on Version: 65
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): We have thorough testing infrastructure for IndexedDB.
String or UUID changes made by this patch: None
Attachment #9024016 - Flags: approval-mozilla-esr60?
Comment 18•6 years ago
Comment on attachment 9024016 [details] [diff] [review]
patch w/o code comments
[Triage Comment]
Approved for 64.0b10 and 60.4.0esr, thanks.
Attachment #9024016 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Attachment #9024016 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 19•6 years ago
uplift
Comment 20•6 years ago
uplift
Updated•6 years ago
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Comment 21•6 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Hi,
I have reproduced this issue on Release 63.0.3 and I have verified the following builds and got these results:
- Firefox Nightly 65.0a1 (id: 20181119100448) - no crash
- Firefox Beta 64.0b10 (id: 20181115150739) - no crash
- Firefox ESR 60.3.0 (id: 20181017185317) - TAB CRASH
Does this mean that the fix is not yet in 60.3.0esr?
Comment 22•6 years ago
No, it's not in 60.3.0esr. You'd need to be using a recent CI build from TreeHerder to test ESR60.
Comment 23•6 years ago
Tested again on esr60 with the build with changeset "b3a439a26186" and build id: 20181116165247. I had no tab crash. Marking everything accordingly.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Comment 24•6 years ago
Are there any plans to fix this in 63 further down the line?
Comment 25•6 years ago
No, 63 was set to wontfix in comment 12.
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+][adv-esr60.4+]
Updated•5 years ago
Group: core-security-release
Updated•5 years ago
Blocks: asan-maintenance