Bug 1500696 (Closed) - AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8
Opened 7 years ago; closed 6 years ago
Categories: Core :: Storage: IndexedDB, defect
People: Reporter: jkratzer, Assigned: janv
References: Blocks 3 open bugs
Details: 4 keywords, Whiteboard: [adv-main64+][adv-esr60.4+]
Attachments: 1 file (753 bytes, text/html)
Testcase found while fuzzing mozilla-central rev 488862902869.  I'm currently reducing the testcase and will update once complete.
=================================================================
==19124==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002a8a80 at pc 0x7f2c7ee73390 bp 0x7ffea78f51f0 sp 0x7ffea78f51e8
READ of size 8 at 0x6110002a8a80 thread T0 (file:// Content)
    #0 0x7f2c7ee7338f in IsCurrentThread src/xpcom/base/nsISupportsImpl.cpp:53:10
    #1 0x7f2c7ee7338f in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const src/xpcom/base/nsISupportsImpl.cpp:44
    #2 0x7f2c869cd228 in AssertOwnership<37> src/obj-firefox/dist/include/nsISupportsImpl.h:64:5
    #3 0x7f2c869cd228 in mozilla::DOMEventTargetHelper::AddRef() src/dom/events/DOMEventTargetHelper.cpp:84
    #4 0x7f2c884293f4 in AddRef src/dom/indexedDB/IDBWrapperCache.cpp:41:1
    #5 0x7f2c884293f4 in AddRef src/dom/indexedDB/IDBDatabase.cpp:1179
    #6 0x7f2c884293f4 in AddRef src/obj-firefox/dist/include/mozilla/RefPtr.h:44
    #7 0x7f2c884293f4 in AddRef src/obj-firefox/dist/include/mozilla/RefPtr.h:415
    #8 0x7f2c884293f4 in RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:118
    #9 0x7f2c884293f4 in mozilla::dom::(anonymous namespace)::DatabaseFile::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) src/dom/indexedDB/IDBDatabase.cpp:121
    #10 0x7f2c80d02a50 in DestroySubtree src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseFileChild.cpp:123:5
    #11 0x7f2c80d02a50 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:710
    #12 0x7f2c80d01a1e in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:438:22
    #13 0x7f2c80a4c710 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #14 0x7f2c8026d645 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2259:25
    #15 0x7f2c80269099 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2186:17
    #16 0x7f2c8026b34d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2023:5
    #17 0x7f2c8026c0c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2056:15
    #18 0x7f2c7f014365 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #19 0x7f2c7f051386 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1245:14
    #20 0x7f2c7f059ead in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #21 0x7f2c88a41d34 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2997:31)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #22 0x7f2c88a41d34 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) src/dom/xhr/XMLHttpRequestMainThread.cpp:2997
    #23 0x7f2c88a3f8ec in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) src/dom/xhr/XMLHttpRequestMainThread.cpp:2776:11
    #24 0x7f2c8545e041 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1290:9
    #25 0x7f2c86215130 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #26 0x7f2c8f01faeb in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #27 0x7f2c8f01faeb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #28 0x7f2c8d8320b2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3685:14
    #29 0x39b7307c9de7  (<unknown module>)
0x6110002a8a80 is located 64 bytes inside of 256-byte region [0x6110002a8a40,0x6110002a8b40)
freed by thread T0 (file:// Content) here:
    #0 0x556b3b3e8372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f2c7ee54d51 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2740:7
    #2 0x7f2c7ee53500 in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2963:3
    #3 0x7f2c7ee5f9af in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3996:3
    #4 0x7f2c7ee5ec84 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3817:9
    #5 0x7f2c7ee63c13 in nsCycleCollector_collect(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:4408:21
    #6 0x7f2c832e8c1e in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) src/dom/base/nsJSEnvironment.cpp:1526:3
    #7 0x7f2c85aca091 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:60:3
    #8 0x7f2c8f01faeb in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #9 0x7f2c8f01faeb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #10 0x7f2c8d8320b2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3685:14
    #11 0x39b7307c9de7  (<unknown module>)
    #12 0x6210009a78b7  (<unknown module>)
    #13 0x39b7307c44e1  (<unknown module>)
    #14 0x7f2c8d86998d in EnterBaseline src/js/src/jit/BaselineJIT.cpp:163:9
    #15 0x7f2c8d86998d in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) src/js/src/jit/BaselineJIT.cpp:240
    #16 0x7f2c8f01400c in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2335:28
    #17 0x7f2c8efedd3b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #18 0x7f2c8f0205fe in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #19 0x7f2c8f022392 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #20 0x7f2c8e0f529d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
    #21 0x7f2c857b45ce in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
previously allocated by thread T0 (file:// Content) here:
    #0 0x556b3b3e86b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x556b3b419acd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f2c8838a83b in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #3 0x7f2c8838a83b in mozilla::dom::IDBDatabase::Create(mozilla::dom::IDBOpenDBRequest*, mozilla::dom::IDBFactory*, mozilla::dom::indexedDB::BackgroundDatabaseChild*, mozilla::dom::indexedDB::DatabaseSpec*) src/dom/indexedDB/IDBDatabase.cpp:210
    #4 0x7f2c8838b427 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) src/dom/indexedDB/ActorsChild.cpp:2116:5
    #5 0x7f2c80d008b0 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:598:20
    #6 0x7f2c80a4c710 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #7 0x7f2c8026d645 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2259:25
    #8 0x7f2c80269099 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2186:17
    #9 0x7f2c8026b34d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2023:5
    #10 0x7f2c8026c0c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2056:15
    #11 0x7f2c7f014365 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #12 0x7f2c7f051386 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1245:14
    #13 0x7f2c7f059ead in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #14 0x7f2c88a41d34 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2997:31)> src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #15 0x7f2c88a41d34 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) src/dom/xhr/XMLHttpRequestMainThread.cpp:2997
    #16 0x7f2c88a3f8ec in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) src/dom/xhr/XMLHttpRequestMainThread.cpp:2776:11
    #17 0x7f2c8545e041 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1290:9
    #18 0x7f2c86215130 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #19 0x7f2c8f01faeb in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #20 0x7f2c8f01faeb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #21 0x7f2c8d8320b2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3685:14
    #22 0x39b7307c9de7  (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free src/xpcom/base/nsISupportsImpl.cpp:53:10 in IsCurrentThread
Shadow bytes around the buggy address:
  0x0c228004d100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228004d110: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228004d120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228004d130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c228004d140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c228004d150:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228004d160: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228004d170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c228004d180: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c228004d190: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c228004d1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19124==ABORTING
Flags: in-testsuite?
Updated 7 years ago
Group: core-security → dom-core-security
Comment 1 (Reporter, 7 years ago)
Please note that the attached testcase must be served via a local web server.
Comment 2 (Reporter, 7 years ago)
Due to the similarity in testcases, this may be the same issue as bug 1500310.
Updated 7 years ago
Keywords: sec-critical
Updated 6 years ago
Assignee: nobody → jvarga
Updated 6 years ago
status-firefox65: --- → ?
Comment 4 (Assignee, 6 years ago)
I have a patch in bug 1500310 which might fix this issue too.
Comment 5 (6 years ago)
(In reply to Jan Varga [:janv] from comment #4)
> I have a patch in bug 1500310 which might fix this issue too.
Did the patch in 1500310 fix this?
Flags: needinfo?(jvarga)
Comment 6 (Assignee, 6 years ago)
I'm testing it.
Comment 7 (Assignee, 6 years ago)
Yeah, fortunately the patch in bug 1500310 fixes this too.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jvarga)
Resolution: --- → WORKSFORME
Updated 6 years ago
status-firefox-esr60: --- → fixed
tracking-firefox-esr60: --- → 64+
Updated 6 years ago
Resolution: WORKSFORME → FIXED
Whiteboard: [adv-main64+][adv-esr60.4+]
Updated 6 years ago
Group: dom-core-security → core-security-release
Updated 6 years ago
Group: core-security-release
Updated 5 years ago
Blocks: asan-maintenance