Closed Bug 1518774 Opened 5 years ago Closed 5 years ago

ASan: intermittent heap-use-after-free in nsHtml5StreamParser::SniffStreamBytes

Categories

(Core :: Networking: HTTP, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 66+ fixed
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 + fixed
firefox67 + fixed

People

(Reporter: jfkthame, Assigned: mayhemer)

References

Details

(Keywords: csectype-uaf, intermittent-failure, sec-high, Whiteboard: [necko-triaged][adv-main66+][adv-esr60.6+])

Attachments

(4 files, 1 obsolete file)

Seen in https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=220789467&repo=mozilla-inbound&lineNumber=10492

Log excerpt:

==1179==ERROR: AddressSanitizer: heap-use-after-free on address 0x603001289b98 at pc 0x55e47cdac9f6 bp 0x7f170ad9b710 sp 0x7f170ad9aec0
READ of size 9 at 0x603001289b98 thread T22 (HTML5 Parser)
    #0 0x55e47cdac9f5 in __asan_memcpy /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x7f171c8cb328 in nsHtml5StreamParser::SniffStreamBytes(mozilla::Span<unsigned char const, 18446744073709551615ul>) /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:761:3
    #2 0x7f171c8cc7b5 in nsHtml5StreamParser::DoDataAvailable(mozilla::Span<unsigned char const, 18446744073709551615ul>) /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:1247:10
    #3 0x7f171c8d16b1 in nsHtml5StreamParser::CopySegmentsToParser(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:1362:11
    #4 0x7f171a6cf49b in nsStringInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:233:17
    #5 0x7f171a67d9a9 in mozilla::NonBlockingAsyncInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/workspace/build/src/xpcom/io/NonBlockingAsyncInputStream.cpp:220:24
    #6 0x7f171c8c1246 in nsHtml5StreamParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:1351:19
    #7 0x7f171a900e99 in nsBaseChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:825:18
    #8 0x7f171a944f53 in nsInputStreamPump::OnStateTransfer() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:555:23
    #9 0x7f171a943c37 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:400:21
    #10 0x7f171a67d62d in RunAsyncWaitCallback /builds/worker/workspace/build/src/xpcom/io/NonBlockingAsyncInputStream.cpp:371:13
    #11 0x7f171a67d62d in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/workspace/build/src/xpcom/io/NonBlockingAsyncInputStream.cpp:29
    #12 0x7f171a743b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
    #13 0x7f171a74acb8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
    #14 0x7f171b6f9ec0 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
    #15 0x7f171b64532f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #16 0x7f171b64532f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #17 0x7f171b64532f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #18 0x7f171a73dc1a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:450:11
    #19 0x7f173b403676 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7f173b04a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #21 0x7f173a0d341c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
0x603001289b98 is located 8 bytes inside of 32-byte region [0x603001289b90,0x603001289bb0)
freed by thread T0 (Web Content) here:
    #0 0x55e47cdad5c2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f171a5453a5 in Truncate /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h
    #2 0x7f171a5453a5 in nsTSubstring<char>::SetIsVoid(bool) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:969
    #3 0x7f171a6cf1a1 in Clear /builds/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:62:24
    #4 0x7f171a6cf1a1 in nsStringInputStream::Close() /builds/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:191
    #5 0x7f171a67cce1 in mozilla::NonBlockingAsyncInputStream::Close() /builds/worker/workspace/build/src/xpcom/io/NonBlockingAsyncInputStream.cpp:136:33
    #6 0x7f171a94261a in nsInputStreamPump::Cancel(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:196:19
    #7 0x7f171a8fbe5d in Cancel /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:371:27
    #8 0x7f171a8fbe5d in non-virtual thunk to nsBaseChannel::Cancel(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp
    #9 0x7f171a948030 in mozilla::net::nsLoadGroup::Cancel(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:225:19
    #10 0x7f171c729f99 in nsDocLoader::Stop() /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:220:36
    #11 0x7f1725fb9027 in Stop /builds/worker/workspace/build/src/docshell/base/nsDocShell.h:213:25
    #12 0x7f1725fb9027 in nsDocShell::Stop(unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4675
    #13 0x7f1725fdb140 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #14 0x7f1725fd19a5 in nsDocShell::LoadURI(nsDocShellLoadState*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:748:10
    #15 0x7f1726005277 in nsDocShell::LoadURIWithOptions(nsTSubstring<char16_t> const&, unsigned int, nsIURI*, unsigned int, nsIInputStream*, nsIInputStream*, nsIURI*, nsIPrincipal*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3953:8
    #16 0x7f1726005a6a in LoadURI /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3813:10
    #17 0x7f1726005a6a in non-virtual thunk to nsDocShell::LoadURI(nsTSubstring<char16_t> const&, unsigned int, nsIURI*, nsIInputStream*, nsIInputStream*, nsIPrincipal*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #18 0x7f171a774b91 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #19 0x7f171c1f15b3 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1628:10
    #20 0x7f171c1f15b3 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1186
    #21 0x7f171c1f15b3 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1152
    #22 0x7f171c1f7606 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:946:10
    #23 0x7f1726daec2d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:444:13
    #24 0x7f1726daec2d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536
    #25 0x7f1726d99c52 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:595:10
    #26 0x7f1726d99c52 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3130
    #27 0x7f1726d7b046 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #28 0x7f1726daf5d1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:564:13
    #29 0x7f1726db1252 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:607:8
    #30 0x7f1727982966 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2618:10
    #31 0x7f171e476e17 in mozilla::dom::MessageListener::ReceiveMessage(JSContext*, JS::Handle<JS::Value>, mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MessageManagerBinding.cpp:6908:8
    #32 0x7f171d898642 in ReceiveMessage<JS::Rooted<JS::Value> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/MessageManagerBinding.h:778:12
    #33 0x7f171d898642 in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:760
    #34 0x7f1721fd8752 in ReceiveMessage /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.h:245:5
    #35 0x7f1721fd8752 in mozilla::dom::TabChild::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:2084
    #36 0x7f171bf61658 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:2905:20
    #37 0x7f171b8b6271 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5486:28
    #38 0x7f171b6f1929 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2159:21
    #39 0x7f171b6ee73c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2086:9
    #40 0x7f171b6f002c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1935:3
previously allocated by thread T0 (Web Content) here:
    #0 0x55e47cdad943 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f171a5333e7 in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:222:42
    #2 0x7f171a5333e7 in nsTSubstring<char>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:203
    #3 0x7f171a543714 in nsTSubstring<char>::Assign(char const*, unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:408:12
    #4 0x7f171a6d0d63 in SetData /builds/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:121:7
    #5 0x7f171a6d0d63 in NS_NewCStringInputStream(nsIInputStream**, nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:404
    #6 0x7f171b1256ce in nsDataChannel::OpenContentStream(bool, nsIInputStream**, nsIChannel**) /builds/worker/workspace/build/src/netwerk/protocol/data/nsDataChannel.cpp:97:10
    #7 0x7f171a8fa8ec in nsBaseChannel::BeginPumpingData() /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:244:8
    #8 0x7f171a8e7fed in nsBaseChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:652:8
    #9 0x7f171a8fedd3 in AsyncOpen2 /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:684:10
    #10 0x7f171a8fedd3 in non-virtual thunk to nsBaseChannel::AsyncOpen2(nsIStreamListener*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp
    #11 0x7f171c73d386 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:837:19
    #12 0x7f172604381c in nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10443:20
    #13 0x7f172603ff25 in nsDocShell::DoURILoad(nsDocShellLoadState*, bool, nsIDocShell**, nsIRequest**, nsTSubstring<char16_t> const&, unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10233:8
    #14 0x7f1725fdb6d3 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9546:8
    #15 0x7f1725fd19a5 in nsDocShell::LoadURI(nsDocShellLoadState*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:748:10
    #16 0x7f171db544e7 in mozilla::dom::Location::SetURI(nsIURI*, nsIPrincipal&, mozilla::ErrorResult&, bool) /builds/worker/workspace/build/src/dom/base/Location.cpp:227:29
    #17 0x7f171db5835e in mozilla::dom::Location::SetHrefWithBase(nsTSubstring<char16_t> const&, nsIURI*, nsIPrincipal&, bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Location.cpp:458:5
    #18 0x7f171db57a78 in DoSetHref /builds/worker/workspace/build/src/dom/base/Location.cpp:412:3
    #19 0x7f171db57a78 in mozilla::dom::Location::SetHref(nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Location.cpp:404
    #20 0x7f171e36f3b9 in mozilla::dom::Location_Binding::set_href(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:159:9
    #21 0x7f172027a23a in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::CrossOriginThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3077:8
    #22 0x7f1726daec2d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:444:13
    #23 0x7f1726daec2d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536
    #24 0x7f1726db3cb5 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
    #25 0x7f1726db3cb5 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:607
    #26 0x7f1726db3cb5 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:745
    #27 0x7f1727a08000 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:248:8
    #28 0x7f17202a393c in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:253:10
    #29 0x7f1727a38ee0 in setInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:424:19
    #30 0x7f1727a38ee0 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:432
    #31 0x7f172797cdd9 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:280:12
    #32 0x7f172797cdd9 in JS_SetPropertyById(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2386
    #33 0x7f172797d283 in JS_SetProperty(JSContext*, JS::Handle<JSObject*>, char const*, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2396:10
    #34 0x7f171f772b27 in mozilla::dom::Window_Binding::set_location(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:1460:10
    #35 0x7f172027a23a in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::CrossOriginThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3077:8
    #36 0x7f1726daec2d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:444:13
    #37 0x7f1726daec2d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536
    #38 0x7f1726db3cb5 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:591:10
    #39 0x7f1726db3cb5 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:607
    #40 0x7f1726db3cb5 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:745
    #41 0x7f172738d58d in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2946:8
Thread T22 (HTML5 Parser) created by T0 (Web Content) here:
    #0 0x55e47cd9625d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f173b4003a5 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f173b3fff8e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f171a73ff79 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:656:8
    #4 0x7f171a749e0b in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:433:12
    #5 0x7f171a74d6b9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:127:57
    #6 0x7f171c8b1016 in NS_NewNamedThread<13> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:70:10
    #7 0x7f171c8b1016 in nsHtml5Module::GetStreamParserThread() /builds/worker/workspace/build/src/parser/html/nsHtml5Module.cpp:105
    #8 0x7f171c8c3390 in nsHtml5StreamParser::nsHtml5StreamParser(nsHtml5TreeOpExecutor*, nsHtml5Parser*, eParserMode) /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:166:20
    #9 0x7f171c8b738a in nsHtml5Parser::MarkAsNotScriptCreated(char const*) /builds/worker/workspace/build/src/parser/html/nsHtml5Parser.cpp:560:37
    #10 0x7f1720daa93c in nsHTMLDocument::StartDocumentLoad(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsIStreamListener**, bool, nsIContentSink*) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp
    #11 0x7f1723939dc7 in CreateDocument /builds/worker/workspace/build/src/layout/build/nsContentDLF.cpp:354:13
    #12 0x7f1723939dc7 in nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, nsTSubstring<char> const&, nsIDocShell*, nsISupports*, nsIStreamListener**, nsIContentViewer**) /builds/worker/workspace/build/src/layout/build/nsContentDLF.cpp:153
    #13 0x7f1725fb98ee in NewContentViewerObj /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8264:35
    #14 0x7f1725fb98ee in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8054
    #15 0x7f1725fb7fea in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:183:20
    #16 0x7f171c73b4f6 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:750:18
    #17 0x7f171c738ae0 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:422:30
    #18 0x7f171c73737f in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:299:8
    #19 0x7f171a8fff73 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:783:23
    #20 0x7f171a94460d in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:488:21
    #21 0x7f171a943c28 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:397:21
    #22 0x7f171a67d62d in RunAsyncWaitCallback /builds/worker/workspace/build/src/xpcom/io/NonBlockingAsyncInputStream.cpp:371:13
    #23 0x7f171a67d62d in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /builds/worker/workspace/build/src/xpcom/io/NonBlockingAsyncInputStream.cpp:29
    #24 0x7f171a715bb1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:299:32
    #25 0x7f171a743b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
    #26 0x7f171a74acb8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
    #27 0x7f171b6f8cba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #28 0x7f171b64532f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #29 0x7f171b64532f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #30 0x7f171b64532f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #31 0x7f172284d299 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #32 0x7f1726b2accf in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #33 0x7f171b64532f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #34 0x7f171b64532f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #35 0x7f171b64532f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #36 0x7f1726b2a5a4 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #37 0x55e47cde03c4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #38 0x55e47cde03c4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
    #39 0x7f1739fec82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0680249320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680249330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680249340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680249350: fa fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680249360: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0680249370: fa fa fd[fd]fd fd fa fa fd fd fd fd fa fa fa fa
  0x0c0680249380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680249390: fa fa fa fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06802493a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06802493b0: fa fa fa fa fa fa fa fa fa fa fd fd fd fa fa fa
  0x0c06802493c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1179==ABORTING

Note that the job in comment 0 was starred as bug 1440038, but that's actually an entirely different gfx-related stack; hence filing a new bug for this parser one.

Group: core-security

Provisionally marking this sec-high as use-after-free seems potentially bad; feel free to adjust classification if appropriate.

From comment 0, it looks like canceling a stream on the main thread can free its off-the-main-thread delivery buffers while ReadSegments() is on the call stack on the delivery thread. This looks like a networking bug.

Component: HTML: Parser → Networking: HTTP
Group: core-security → network-core-security

Honza, can you please take a look?

Flags: needinfo?(honzab.moz)

Not sooner than in 2 weeks (so not if this is P1), but I can take a quick look.

Assignee: nobody → honzab.moz
Flags: needinfo?(honzab.moz)

Using a reentrant monitor throughout the public methods that access mData will likely help.

Status: NEW → ASSIGNED
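The race described in comment 0 and the reentrant-monitor fix proposed above, modelled in an added C++ example that is not Gecko code: a hypothetical GuardedStringStream whose Close() and ReadSegments() share one recursive mutex, so a Close() on the main thread waits while a reader is mid-copy instead of freeing the buffer under it, and whose Clone() re-enters ReadSegments() on the same thread (the nesting this bug later runs into) without deadlocking. Names, the 4-byte segment size and the sample payloads are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <string>
#include <thread>

// Hypothetical stand-in for a string-backed input stream (not Gecko's
// nsStringInputStream). The stream owns its buffer; Close() frees it and
// ReadSegments() hands slices of it to a caller-supplied writer callback.
using Writer = std::function<size_t(const char* seg, size_t len)>;

class GuardedStringStream {
 public:
  explicit GuardedStringStream(std::string data) : mData(std::move(data)) {}

  // Counterpart of the Close() in the "freed by" stack: it drops the backing
  // buffer. Taking the monitor first means it blocks while another thread is
  // still inside ReadSegments() instead of freeing memory under that reader.
  void Close() {
    std::lock_guard<std::recursive_mutex> lock(mMonitor);
    mClosed = true;
    std::string().swap(mData);  // really release the heap block, as Clear() did
  }

  // Copies up to aCount bytes out through aWriter. The whole call, including
  // the writer's memcpy (the READ the ASan report flags), runs under the
  // monitor; the unpatched stream had no lock here at all.
  size_t ReadSegments(const Writer& aWriter, size_t aCount) {
    std::lock_guard<std::recursive_mutex> lock(mMonitor);
    if (mClosed || mOffset >= mData.size()) {
      return 0;
    }
    size_t avail = std::min(aCount, mData.size() - mOffset);
    size_t written = aWriter(mData.data() + mOffset, avail);
    mOffset += written;
    return written;
  }

  // Clone() holds the monitor and then probes the stream with a no-op writer,
  // the Clone -> ReadSegments nesting this bug runs into. Re-entering the same
  // monitor from the same thread is why a *reentrant* lock is required; a
  // plain std::mutex would self-deadlock here.
  std::unique_ptr<GuardedStringStream> Clone() {
    std::lock_guard<std::recursive_mutex> lock(mMonitor);
    ReadSegments([](const char*, size_t) { return size_t{0}; }, 1);
    auto copy = std::make_unique<GuardedStringStream>(mData);
    copy->mOffset = mOffset;
    return copy;
  }

 private:
  std::recursive_mutex mMonitor;
  std::string mData;
  size_t mOffset = 0;
  bool mClosed = false;
};

// Drains a stream in 4-byte segments; returns everything the writer saw.
static std::string Drain(GuardedStringStream& aStream) {
  std::string out;
  while (aStream.ReadSegments([&](const char* seg, size_t len) {
           out.append(seg, len);  // the copy that used to touch freed memory
           return len;
         }, 4) > 0) {
  }
  return out;
}

// Reader thread (HTML5 parser) and closer thread (main thread) run at once,
// as in the report. Whatever prefix the reader manages to copy before Close()
// wins the monitor is valid data; nothing is ever read from a freed block.
std::string ReadWhileClosing(const std::string& aPayload) {
  GuardedStringStream stream(aPayload);
  std::thread closer([&] { stream.Close(); });
  std::string out = Drain(stream);
  closer.join();
  return out;
}

// After Close(), a reader gets 0 bytes rather than a dangling pointer.
bool ReadAfterCloseReturnsNothing() {
  GuardedStringStream stream("abc");
  stream.Close();
  return Drain(stream).empty();
}

// Clone() must not deadlock and must yield an independent, readable copy.
std::string ReadAllThroughClone(const std::string& aPayload) {
  GuardedStringStream stream(aPayload);
  std::unique_ptr<GuardedStringStream> copy = stream.Clone();
  stream.Close();  // closing the original must not affect the clone
  return Drain(*copy);
}
```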

AFAICT, this patch applies cleanly to Beta and almost-cleanly to ESR60. Assuming until I hear otherwise that all releases are affected.

Comment on attachment 9036419 [details] [diff] [review]
v1

Review of attachment 9036419 [details] [diff] [review]:
-----------------------------------------------------------------

::: xpcom/io/nsStringStream.cpp
@@ +349,5 @@
>    aParams = params;
>  }
>  
>  bool nsStringInputStream::Deserialize(const InputStreamParams& aParams,
>                                        const FileDescriptorArray& /* aFDs */) {

do we need the reentrant monitor here as well, or is it called during init?
Attachment #9036419 - Flags: review?(dd.mozilla) → review+

(In reply to Dragana Damjanovic [:dragana] from comment #9)

Comment on attachment 9036419 [details] [diff] [review]
v1

Review of attachment 9036419 [details] [diff] [review]:

::: xpcom/io/nsStringStream.cpp
@@ +349,5 @@

aParams = params;
}

bool nsStringInputStream::Deserialize(const InputStreamParams& aParams,
const FileDescriptorArray& /* aFDs */) {

do we need the reentrant monitor here as well, or is it called during init?

we lock inside SetData, that is enough.

thanks!

Comment on attachment 9036419 [details] [diff] [review]
v1

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: hmm.. there is a tight timing between reading the data on the html5 parser thread and the main thread canceling the channel + releasing the data. I don't know if a string stream can be used to load content and its cancellation can be fine-controlled by content (e.g. by a call to location.reload()).

so, potentially someone could guess what's going on and how to use it to replace the freed memory and fool the parser to do something fishy...

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: all

If not all supported branches, which bug introduced the flaw?: None

Do you have backports for the affected branches?: No

If not, how different, hard to create, and risky will they be?: no, but this is old and simple code; the patch only needs rebasing, I believe.

How likely is this patch to cause regressions; how much testing does it need?: not likely, there is a green try push

Attachment #9036419 - Flags: sec-approval?

This is too late for the current release. I'll give sec-approval but for checkin on February 12.

Whiteboard: [checkin on 2/12]
Attachment #9036419 - Flags: sec-approval? → sec-approval+
Priority: -- → P2
Whiteboard: [checkin on 2/12] → [checkin on 2/12][necko-triaged]

This can land now, but needs rebasing first.

Flags: needinfo?(honzab.moz)
Whiteboard: [checkin on 2/12][necko-triaged] → [necko-triaged]
Attached file Bug 1518774, r=dragana
Attachment #9036419 - Attachment is obsolete: true
Flags: needinfo?(honzab.moz)

Ryan, I rebased the patch, now it needs (stupid phab) to carry the r+ and get sec-a+ again.

This was backed out by the sheriffs for causing timeouts in test_invalid_mime_type_blob.html on Android debug (confirmed by a lot of retriggers before & after it landed).
https://hg.mozilla.org/integration/autoland/rev/1a7809015b49094905722525e3d90c2987b2d666

https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=228051990&repo=autoland&lineNumber=1576

Flags: needinfo?(honzab.moz)

Oh, now I realize I never pushed to try.. sorry for that.

The cause is the deadlock detector. Apparently we happen to keep some heavily used mutex as outer or inner relative to the newly added monitor. The failing test allocates a 1MB string that exercises the deadlock detector A LOT. I will try to figure out which mutex clashes and potentially try to remove the nesting, if easy. Otherwise, I see it on a longer timeout (but 7 minutes is already long enough).

I have not found any potential deadlock detection in the failed test log from c20. Also, local testing didn't show anything (I was specifically watching for those).

Olli, the issue here is that the patch causes a perma-timeout of one test on android involving blobs. It's because the deadlock detector is more busy because of the new monitor I've added to string stream. ni? you in case there is something unexpected happening here or you know how to avoid this.

There is the following mutex nesting which exercises the deadlock detector on a number of pause-in-debugger occasions while the test in c20 is running:
nsMultiplexInputStream::Clone -> nsStringInputStream::ReadSegments (via NS_InputStreamIsBuffered).

The Clone() method is invoked from [1] with stack [2].
This happens during serialization of the stream; we create a clone on every BroadcastChannelService::PostMessage call (from RecvPostMessage, on the parent process).

(Note that there is no reverse entering of the two locks, so no actual deadlock.)

[1] https://searchfox.org/mozilla-central/rev/cb7faaf6b4ad2528390186f1ce64618dea71031e/dom/file/StreamBlobImpl.cpp#75
[2]

Parent, IPDL thread:
 	xul.dll!nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_CopyWithMemutils>::Length() Line 344	C++
 	xul.dll!nsTArray_Impl<mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::OrderingEntry *,nsTArrayInfallibleAllocator>::BinaryIndexOf<const mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::OrderingEntry *,nsDefaultComparator<const mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::OrderingEntry *,const mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::OrderingEntry *> >(0x00000229f8032920, {...}) Line 1236	C++
 	xul.dll!mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::InTransitiveClosure(0x00000229f62d17c0, 0x00000229f8032920) Line 271	C++
 	xul.dll!mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::InTransitiveClosure(0x00000229f6ea8380, 0x00000229f8032920) Line 278	C++
 	xul.dll!mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::InTransitiveClosure(0x00000229f19b1bc0, 0x00000229f8032920) Line 278	C++
 	xul.dll!mozilla::DeadlockDetector<mozilla::BlockingResourceBase>::CheckAcquisition(0x00000229e9f2a580, 0x00000229f80448d0) Line 237	C++
 	xul.dll!mozilla::BlockingResourceBase::CheckAcquire() Line 255	C++
 	xul.dll!mozilla::ReentrantMonitor::Enter() Line 436	C++
 	xul.dll!mozilla::ReentrantMonitorAutoEnter::ReentrantMonitorAutoEnter({...}) Line 180	C++
 	xul.dll!nsStringInputStream::Clone(0x000000fa46c1b580) Line 431	C++
 	xul.dll!nsMultiplexInputStream::Clone(0x000000fa46c1b818) Line 1152	C++
 	xul.dll!NS_CloneInputStream(0x00000229e9f2a520, 0x000000fa46c1b818, 0x000000fa46c1b810) Line 798	C++
>	xul.dll!mozilla::dom::StreamBlobImpl::CreateInputStream(0x000000fa46c1b998, {...}) Line 75	C++
 	xul.dll!mozilla::dom::IPCBlobUtils::SerializeInternal<mozilla::ipc::PBackgroundParent>(0x00000229ec5efd40, 0x00000229f1f41800, {...}) Line 221	C++
 	xul.dll!mozilla::dom::IPCBlobUtils::Serialize(0x00000229ec5efd40, 0x00000229f1f41800, {...}) Line 252	C++
 	xul.dll!mozilla::dom::BroadcastChannelService::PostMessage(0x00000229ec4fdb00, {...}, {...}) Line 127	C++
 	xul.dll!mozilla::dom::BroadcastChannelParent::RecvPostMessage({...}) Line 42	C++
 	xul.dll!mozilla::dom::PBroadcastChannelParent::OnMessageReceived({...}) Line 134	C++
 	xul.dll!mozilla::ipc::PBackgroundParent::OnMessageReceived({...}) Line 1510	C++
 	xul.dll!mozilla::ipc::MessageChannel::DispatchAsyncMessage({...}) Line 2150	C++
 	xul.dll!mozilla::ipc::MessageChannel::DispatchMessage({...}) Line 2074	C++
 	xul.dll!mozilla::ipc::MessageChannel::RunMessage({...}) Line 1937	C++
 	xul.dll!mozilla::ipc::MessageChannel::MessageTask::Run() Line 1968	C++
 	xul.dll!nsThread::ProcessNextEvent(false, 0x000000fa46c1f4ff) Line 1164	C++
 	xul.dll!NS_ProcessNextEvent(0x00000229ec857500, false) Line 474	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(0x00000229e9f5f480) Line 303	C++
 	xul.dll!MessageLoop::RunInternal() Line 315	C++
 	xul.dll!MessageLoop::RunHandler() Line 309	C++
 	xul.dll!MessageLoop::Run() Line 291	C++
 	xul.dll!nsThread::ThreadFunc(0x000000fa43ff40b8) Line 451	C++
 	nss3.dll!_PR_NativeRunThread(0x00000229ebef5400) Line 406	C
 	nss3.dll!pr_root(0x00000229ebef5400) Line 137	C
Flags: needinfo?(honzab.moz) → needinfo?(bugs)

That stack trace is very baku-y.

Flags: needinfo?(bugs) → needinfo?(amarchesini)

dom/canvas/test/test_invalid_mime_type_blob.html is a famous test for android: I increased the timeout a couple of weeks ago for a similar reason. See the second patch on bug 1525275.

The test creates several nested blobs until the total size is greater than 1 MB. At that point, the final blob is sent to the parent process, back to the content process, and finally it's used to generate an image.

There are 2 approaches here:

  1. disable the test on android
  2. increase the timeout again.
Flags: needinfo?(amarchesini)

This test is extremely heavy and, often, on Android, it times out.

Patch reviewed. Mayhemer, do you mind re-landing your patch together with mine?

Flags: needinfo?(honzab.moz)

(In reply to Andrea Marchesini [:baku] from comment #27)
> Patch reviewed. Mayhemer, do you mind re-landing your patch together with mine?

Thanks for this, :baku! Yes, let's land them together.

Flags: needinfo?(honzab.moz)
Keywords: checkin-needed
Group: core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Looks like this needs a rebased patch for Beta & ESR60. Please create those and request approval when you get a chance.

Flags: needinfo?(honzab.moz)
Attached patch: beta (Splinter Review)

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: since ever
  • User impact if declined: possible use (read) after free on data that is consumed by content
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): added a re-entrant lock, no chance for a deadlock, has been on m-c for a while (no issues) and is hot code
  • String changes made/needed: none
Flags: needinfo?(honzab.moz)
Attachment #9046394 - Flags: approval-mozilla-beta?
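To make the two points in this thread concrete, the lock nesting from comment [2] (Clone -> NS_InputStreamIsBuffered -> ReadSegments on one thread) and the "re-entrant lock, no chance for a deadlock" rationale in the uplift request, here is an added, self-contained model. It is not Mozilla's nsStringInputStream and not the patch itself; the class, its method names and std::recursive_mutex standing in for mozilla::ReentrantMonitor are assumptions made for illustration. A writer thread keeps replacing the backing string while a reader is inside ReadSegments(); holding the monitor across the segment callback keeps the old buffer alive for the duration of the copy (the read-after-free this bug is about), and because the monitor is recursive, Clone() can call IsBuffered(), which re-enters ReadSegments() on the same thread, without deadlocking itself.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <utility>

// Simplified model (not Mozilla's code) of a string-backed input stream whose
// buffer can be swapped by one thread while another thread is reading it.
// std::recursive_mutex plays the role of the ReentrantMonitor added by the fix.
class StringInputStream {
 public:
  using SegmentWriter = std::function<size_t(const char* seg, size_t len)>;

  explicit StringInputStream(std::string data) : data_(std::move(data)) {}

  // Replaces the backing data; the old buffer is freed here. Without the
  // monitor a concurrent ReadSegments() could still be copying from it.
  void SetData(std::string data) {
    std::lock_guard<std::recursive_mutex> lock(monitor_);
    data_ = std::move(data);
    offset_ = 0;
  }

  // Hands the unread bytes to |writer| while holding the monitor, so the
  // buffer cannot be released underneath the callback's memcpy.
  size_t ReadSegments(const SegmentWriter& writer, size_t count) {
    std::lock_guard<std::recursive_mutex> lock(monitor_);
    size_t avail = data_.size() - offset_;
    if (count < avail) avail = count;
    size_t consumed = writer(data_.data() + offset_, avail);
    offset_ += consumed;
    return consumed;
  }

  // Models NS_InputStreamIsBuffered: probes the stream by calling
  // ReadSegments() with a writer that consumes nothing.
  bool IsBuffered() {
    ReadSegments([](const char*, size_t) { return size_t(0); }, 1);
    return true;
  }

  // Holds the monitor and then re-enters it via IsBuffered(): the same
  // nesting the deadlock detector flagged. Same thread, same order, so a
  // re-entrant monitor is required but no lock-order inversion exists.
  std::unique_ptr<StringInputStream> Clone() {
    std::lock_guard<std::recursive_mutex> lock(monitor_);
    IsBuffered();
    auto c = std::make_unique<StringInputStream>(data_);
    c->offset_ = offset_;
    return c;
  }

  std::string Remaining() {
    std::lock_guard<std::recursive_mutex> lock(monitor_);
    return data_.substr(offset_);
  }

 private:
  std::recursive_mutex monitor_;
  std::string data_;
  size_t offset_ = 0;
};

// Reader copies segments while a writer keeps replacing the buffer with a
// string made of a different single byte. Returns the number of segments that
// contained mixed bytes; with the monitor held across the copy this is 0.
size_t CountTornReads(int iterations, size_t size) {
  StringInputStream stream(std::string(size, 'A'));
  std::atomic<bool> done{false};
  size_t torn = 0;

  std::thread writer([&] {
    for (int i = 0; i < iterations; ++i)
      stream.SetData(std::string(size, (i % 2) ? 'B' : 'A'));
    done = true;
  });

  while (!done) {
    stream.ReadSegments([&](const char* seg, size_t len) {
      for (size_t i = 1; i < len; ++i)
        if (seg[i] != seg[0]) { ++torn; break; }
      return len;
    }, size);
  }
  writer.join();
  return torn;
}

// Clone() re-entering the monitor on the same thread must not self-deadlock
// and must see the same unread bytes as the original.
bool CloneMatchesOriginal() {
  StringInputStream stream("hello, world");
  stream.ReadSegments([](const char*, size_t len) { return len; }, 7);
  auto clone = stream.Clone();
  return clone->Remaining() == "world" && stream.Remaining() == "world";
}

int main() {
  return (CountTornReads(2000, 1 << 16) == 0 && CloneMatchesOriginal()) ? 0 : 1;
}
```

Build with a C++17 compiler and thread support (e.g. `g++ -std=c++17 -pthread`). Swapping std::recursive_mutex for std::mutex makes CloneMatchesOriginal() hang on the nested acquisition, which is the self-deadlock a non-re-entrant lock would introduce; removing the lock from ReadSegments() altogether reintroduces the race on the freed buffer that ASan reported in the head of this bug.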
Attached patch: esr60 (Splinter Review)

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: possible use (read) after free on data that is consumed by content
  • User impact if declined: crash, possible sec issue (likely exploitable)
  • Fix Landed on Version: 67
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): see comment 32
  • String or UUID changes made by this patch: none
Attachment #9046399 - Flags: approval-mozilla-esr60?
Comment on attachment 9046394 [details] [diff] [review]
beta

Fix for sec-high issue, has been on Nightly a while.
OK for uplift for beta 12.
Attachment #9046394 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 9046399 [details] [diff] [review]
esr60

Fixes a networking sec bug. Approved for 60.6esr.
Attachment #9046399 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [necko-triaged] → [necko-triaged][adv-main66+][adv-esr60.6+]

I'm having some trouble porting this to our tree. Despite this monitor being implemented in pretty much the same way in other places, when I try to add it in the affected class, I keep running into the following compilation error:

0:41.38 e:/mozdev/UXP/xpcom/io/nsStringStream.cpp(62): error C2248: 'mozilla::ReentrantMonitor::ReentrantMonitor': cannot access private member declared in class 'mozilla::ReentrantMonitor'
0:41.38 e:\mozdev\UXP\obj-x86-unstable\dist\include\mozilla/ReentrantMonitor.h(148): note: see declaration of 'mozilla::ReentrantMonitor::ReentrantMonitor'
0:41.38 e:\mozdev\UXP\obj-x86-unstable\dist\include\mozilla/ReentrantMonitor.h(37): note: see declaration of 'mozilla::ReentrantMonitor'

What I don't understand is that the members are indeed private but can still be accessed the same way by other classes that define and use it the same way. I've not found any documentation describing these monitors either, so I'm kind of stuck on this. I'm probably missing something simple to properly implement/use these monitors but can't figure out what. Can you help me?

Group: network-core-security, core-security-release