use after free in HTTP2 code, mozilla::net::Http2Session::RecvPushPromise (Http2Session.cpp)
Categories: Core :: Networking: HTTP, defect, P1
People: Reporter: hanno, Assigned: michal
Whiteboard: [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+] (4 keywords)
Attachments (2 files):
- text/x-phabricator-request, 47 bytes: ritu: approval-mozilla-beta+; abillings: sec-approval+
- patch, 8.63 KB: ritu: approval-mozilla-esr60+
I observed a use after free in the HTTP2 code with the optimized ASAN builds.
From the line numbers the bug should be somewhere in Http2Session.cpp between line 2049 and 2016:
      if (NS_FAILED(ds->AsyncOpenURI(
              pushedURL, EmptyCString(),
              nsICacheStorage::OPEN_READONLY | nsICacheStorage::OPEN_SECRETLY,
              cpcc))) {
        LOG3(
            ("Http2Session::RecvPushPromise %p failed to open cache entry for "
             "push check",
             self));
      }
    }
  }
  pushedStream->SetHTTPState(Http2Stream::RESERVED_BY_REMOTE);
Stack trace:
==18805==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400042eebc at pc 0x7f4330719163 bp 0x7f42e6c19410 sp 0x7f42e6c19408
WRITE of size 4 at 0x61400042eebc thread T8 (Socket Thread)
#0 0x7f4330719162 in SetHTTPState /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Stream.h:62:45
#1 0x7f4330719162 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2061
#2 0x7f43307284c2 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
#3 0x7f43308c9cb5 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2076:24
#4 0x7f43308cc897 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2419:17
#5 0x7f43308cd0ec in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
#6 0x7f432ff33538 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:277:27
#7 0x7f432ff42b13 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2185:14
#8 0x7f432ff53b01 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
#9 0x7f432ff51c95 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:972:7
#10 0x7f432ff5417c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
#11 0x7f432fcbf3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#12 0x7f432fcc56c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#13 0x7f4330c4e28a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#14 0x7f4330b94d8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#15 0x7f4330b94d8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#16 0x7f4330b94d8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#17 0x7f432fcb958a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
#18 0x7f4350751666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#19 0x7f43503956da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#20 0x7f434f37388e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x61400042eebc is located 124 bytes inside of 440-byte region [0x61400042ee40,0x61400042eff8)
freed by thread T8 (Socket Thread) here:
#0 0x55eef3d2b5d2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7f432fb6e497 in RawRemove /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:637:3
#2 0x7f432fb6e497 in RawRemove /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:621
#3 0x7f432fb6e497 in PLDHashTable::RemoveEntry(PLDHashEntryHdr*) /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:615
#4 0x7f4330709f50 in RemoveEntry /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:214:48
#5 0x7f4330709f50 in Remove /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseHashtable.h:184
#6 0x7f4330709f50 in mozilla::net::Http2Session::CleanupStream(mozilla::net::Http2Stream*, nsresult, mozilla::net::Http2Session::errorType) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1243
#7 0x7f433071b294 in CleanupStream /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1262:3
#8 0x7f433071b294 in mozilla::net::Http2Session::CachePushCheckCallback::OnCacheEntryCheck(nsICacheEntry*, nsIApplicationCache*, unsigned int*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2224
#9 0x7f4330586ede in mozilla::net::CacheEntry::InvokeCallback(mozilla::net::CacheEntry::Callback&) /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:741:46
#10 0x7f4330585faf in mozilla::net::CacheEntry::InvokeCallbacks(bool) /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:668:30
#11 0x7f4330581650 in mozilla::net::CacheEntry::InvokeCallbacks() /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:610:31
#12 0x7f433057f3eb in Open /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:340:3
#13 0x7f433057f3eb in mozilla::net::CacheEntry::AsyncOpen(nsICacheEntryOpenCallback*, unsigned int) /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:315
#14 0x7f433057a695 in mozilla::net::CacheStorage::AsyncOpenURI(nsIURI*, nsTSubstring<char> const&, unsigned int, nsICacheEntryOpenCallback*) /builds/worker/workspace/build/src/netwerk/cache2/CacheStorage.cpp:105:19
#15 0x7f4330718463 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2049:11
#16 0x7f43307284c2 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
#17 0x7f43308c9cb5 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2076:24
#18 0x7f43308cc897 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2419:17
#19 0x7f43308cd0ec in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
#20 0x7f432ff33538 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:277:27
#21 0x7f432ff42b13 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2185:14
#22 0x7f432ff53b01 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
#23 0x7f432ff51c95 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:972:7
#24 0x7f432ff5417c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
#25 0x7f432fcbf3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#26 0x7f432fcc56c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#27 0x7f4330c4e28a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#28 0x7f4330b94d8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#29 0x7f4330b94d8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#30 0x7f4330b94d8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#31 0x7f432fcb958a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
#32 0x7f4350751666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#33 0x7f43503956da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
previously allocated by thread T8 (Socket Thread) here:
#0 0x55eef3d2b953 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x55eef3d6017d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
#2 0x7f4330716ec2 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
#3 0x7f4330716ec2 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1913
#4 0x7f43307284c2 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
#5 0x7f43308c9cb5 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2076:24
#6 0x7f43308cc897 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2419:17
#7 0x7f43308cd0ec in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
#8 0x7f432ff33538 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:277:27
#9 0x7f432ff42b13 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2185:14
#10 0x7f432ff53b01 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
#11 0x7f432ff51c95 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:972:7
#12 0x7f432ff5417c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
#13 0x7f432fcbf3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#14 0x7f432fcc56c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#15 0x7f4330c4e28a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#16 0x7f4330b94d8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#17 0x7f4330b94d8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#18 0x7f4330b94d8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#19 0x7f432fcb958a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
#20 0x7f4350751666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#21 0x7f43503956da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Thread T8 (Socket Thread) created by T0 here:
#0 0x55eef3d1426d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f435074e395 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f435074df7e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f432fcbb889 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:655:8
#4 0x7f432fcc4810 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:414:12
#5 0x7f432fcc8549 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:127:57
#6 0x7f432ff4f9bc in NS_NewNamedThread<14> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
#7 0x7f432ff4f9bc in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:608
#8 0x7f432fc52dc2 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:5349:7
#9 0x7f432fc75fdf in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
#10 0x7f432fc75fdf in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1396
#11 0x7f432fc6b03c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1583:10
#12 0x7f432fc7ecd5 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:61:43
#13 0x7f432fc7ecd5 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:253
#14 0x7f432fb069be in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:91:7
#15 0x7f432fe9d9dd in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:746:5
#16 0x7f432fe9d9dd in InitializeSocketTransportService /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:306
#17 0x7f432fe9d9dd in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:1127
#18 0x7f432fe9c4da in mozilla::net::nsIOService::Init() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:271:3
#19 0x7f432fe9f91e in mozilla::net::nsIOService::GetInstance() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:362:9
#20 0x7f432fc536b6 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:5367:48
#21 0x7f432fc75fdf in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
#22 0x7f432fc75fdf in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1396
#23 0x7f432fc6b03c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1583:10
#24 0x7f4331d88821 in CallGetService<nsIIOService> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsServiceManagerUtils.h:73:10
#25 0x7f4331d88821 in nsScriptSecurityManager::Init() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1405
#26 0x7f4331d8974c in nsScriptSecurityManager::InitStatics() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1465:28
#27 0x7f4331786a58 in nsXPConnect::InitStatics() /builds/worker/workspace/build/src/js/xpconnect/src/nsXPConnect.cpp:135:3
#28 0x7f43317206b8 in xpcModuleCtor() /builds/worker/workspace/build/src/js/xpconnect/src/XPCModule.cpp:11:3
#29 0x7f4338ebc2f8 in nsLayoutModuleInitialize() /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:106:7
#30 0x7f432fc6c0d5 in nsComponentManagerImpl::Init() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:532:5
#31 0x7f432fd15509 in NS_InitXPCOM2 /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:451:51
#32 0x7f433c0f5874 in Initialize /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1364:8
#33 0x7f433c0f5874 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4834
#34 0x7f433c0f73b0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4922:21
#35 0x55eef3d5e1ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:214:22
#36 0x55eef3d5e1ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:293
#37 0x7f434f273b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Stream.h:62:45 in SetHTTPState
==18805==ABORTING
Comment 1 • 5 years ago (:Gijs)
(In reply to Hanno Boeck from comment #0)
> I observed a use after free in the HTTP2 code with the optimized ASAN builds.
> From the line numbers the bug should be somewhere in Http2Session.cpp between line 2049 and 2016:

Was this meant to be 2061?
Comment 2 • 5 years ago (Reporter, Hanno Boeck)
(In reply to :Gijs (he/him) from comment #1)
> Was this meant to be 2061?

Yes, sorry, typo. Just look at the stack trace:
#1 0x7f4330719162 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2061
Comment 3 • 5 years ago (Paul)
Heh. The comment on line Http2Session.cpp#2040:
// Another nifty trick! Even though this is using nsIURIs (which are not
// generally ok off the main thread), since we're not using the protocol
// handler to create any URIs, this will work just fine here. Don't try this
// at home, though, kids. I'm a trained professional.
In the second stack trace it looks like the call to AsyncOpenURI leads to us finding the URI in the cache on line Http2Session.cpp#2224, and subsequently removing the item from the hashtable at Http2Session.cpp#1243:
// removing from the stream transaction hash will
// delete the Http2Stream and drop the reference to
// its transaction
So I guess that deletes the Http2PushedStream that the pushedStream* points to, prior to trying to use it on line 2061.
Not sure if the assumption from the comment is wrong, or something else is at play here. (or I might also be totally wrong, I've never seen this code before).
Comment 4 • 5 years ago
Paul, your analysis is correct. I'll try to find someone to look at this soon.
Comment 5 • 5 years ago
plinks:
https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#2224
https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#1243
https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#1913
I think this relates to https://bugzilla.mozilla.org/show_bug.cgi?id=1547266#c6
Comment 6 • 5 years ago
I will duplicate this bug to bug 1547266. They are really the same thing to fix.
Comment 7 • 5 years ago (Reporter)
I can't read #1547266, can you add me to CC? (Also want to point out that this bug is older.)
Comment 8 • 5 years ago (Assignee)
This seems to be quite different from the problem in bug 1547266, and the fix in that bug probably won't fix this issue. Reopening and taking the bug.
Comment 9 • 5 years ago (Assignee)
If we find a usable cache entry, the stream is closed and released in CachePushCheckCallback::OnCacheEntryCheck(). This patch converts the raw pointer to a weak pointer, so we can simply check whether the object still exists after AsyncOpenURI() finishes.
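The control flow described in this thread, as an added model that is not Mozilla's code: the session owns the pushed stream in a table, the cache check callback can run synchronously inside AsyncOpenURI and remove it, and the fix re-checks a weak reference after the call returns. Names such as Session, cacheHasEntry and the driver functions are assumptions, and std::weak_ptr stands in for the WeakPtr the real patch uses.

```cpp
// Added illustration, not Mozilla's code: a model of the control flow in this
// bug. The session owns pushed streams in a table (like the stream transaction
// hash); the cache check callback can run synchronously inside AsyncOpenURI
// and remove the stream. A raw pointer held across that call then dangles; the
// fix re-checks through a weak pointer (std::weak_ptr here, an assumption).
#include <cstdint>
#include <map>
#include <memory>

struct PushedStream {
  uint32_t id = 0;
  int state = 0;  // stands in for the Http2Stream HTTP state
  void SetHTTPState(int s) { state = s; }
};

class Session {
 public:
  enum { RESERVED_BY_REMOTE = 2 };
  enum Outcome { kReserved, kStreamGone };

  bool cacheHasEntry = false;  // hypothetical knob: cache has a usable entry
  // Owning table; erasing an entry destroys the stream (as CleanupStream does).
  std::map<uint32_t, std::shared_ptr<PushedStream>> streams;

  std::shared_ptr<PushedStream> CreatePushedStream(uint32_t id) {
    auto s = std::make_shared<PushedStream>();
    s->id = id;
    streams[id] = s;
    return s;
  }

  void CleanupStream(uint32_t id) { streams.erase(id); }

  // Models CacheStorage::AsyncOpenURI: on a cache hit the OnCacheEntryCheck
  // callback fires synchronously and cleans the stream up before we return.
  void AsyncOpenURI(uint32_t id) {
    if (cacheHasEntry) CleanupStream(id);
  }

  // Flow before the fix: a raw pointer survives the call that may free it.
  // Returns true when SetHTTPState would hit a freed object; the write is
  // skipped here, whereas the real code performed it (the ASan report above).
  bool RecvPushPromiseBuggy(uint32_t id) {
    PushedStream* pushedStream = CreatePushedStream(id).get();
    AsyncOpenURI(id);
    bool freed = streams.count(id) == 0;
    if (!freed) pushedStream->SetHTTPState(RESERVED_BY_REMOTE);
    return freed;
  }

  // Flow after the fix: hold a weak reference and re-check it after the call.
  Outcome RecvPushPromiseFixed(uint32_t id) {
    std::weak_ptr<PushedStream> weakStream = CreatePushedStream(id);
    AsyncOpenURI(id);
    std::shared_ptr<PushedStream> alive = weakStream.lock();
    if (!alive) return kStreamGone;  // cleaned up during AsyncOpenURI
    alive->SetHTTPState(RESERVED_BY_REMOTE);
    return kReserved;
  }
};

// Drivers (hypothetical) that run one push promise against a fresh session.
bool BuggyWouldUseFreedStream(bool cacheHit) {
  Session s;
  s.cacheHasEntry = cacheHit;
  return s.RecvPushPromiseBuggy(2);
}

// State the fixed flow leaves on the stream, or -1 if it was cleaned up.
int FixedStateAfter(bool cacheHit) {
  Session s;
  s.cacheHasEntry = cacheHit;
  s.RecvPushPromiseFixed(2);
  auto it = s.streams.find(2);
  return it == s.streams.end() ? -1 : it->second->state;
}
```

With a cache hit the buggy flow reports that it would have written to a freed stream, while the fixed flow simply finds the weak reference expired and skips the state update.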
Comment 10 • 5 years ago (Assignee, Michal Novotny)
Comment on attachment 9070238 [details]
Bug 1528481 - Possible use after free in Http2Session::RecvPushPromise() if we have a usable entry in the cache for the resource, r=dragana
Security Approval Request
- How easily could an exploit be constructed based on the patch?: This UAF can be triggered quite easily, but I don't think it can be used for any useful exploit.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: since version 56
- If not all supported branches, which bug introduced the flaw?: Bug 1367551
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Should be easy to backport the patch if necessary.
- How likely is this patch to cause regressions; how much testing does it need?: The patch shouldn't cause regressions. It's a simple change, and probably the worst that could happen is that we won't handle http2 server push, which is just a performance optimization.
Comment 11 • 5 years ago
sec-approval+ for trunk. We'll want Beta and ESR60 patches made and nominated as well.
Comment 13 • 5 years ago
(In reply to Michal Novotny [:michal] from comment #10)
> - How easily could an exploit be constructed based on the patch?: This UAF can be triggered quite easily, but I don't think it can be used for any useful exploit.

Why is it not useful for an exploit if it's easily triggered?
Comment 14 • 5 years ago (Assignee)
The stream is released when AsyncOpen() is called at https://searchfox.org/mozilla-central/rev/b3b401254229f0a26f7ee625ef5f09c6c31e3949/netwerk/protocol/http/Http2Session.cpp#2049. And the methods on the freed object are called a few lines below. IMO the memory will still be unused, so we'll be writing to and reading from poisoned memory at:
https://searchfox.org/mozilla-central/rev/b3b401254229f0a26f7ee625ef5f09c6c31e3949/netwerk/protocol/http/Http2Stream.h#62
https://searchfox.org/mozilla-central/rev/b3b401254229f0a26f7ee625ef5f09c6c31e3949/netwerk/protocol/http/Http2Stream.h#148
https://searchfox.org/mozilla-central/rev/b3b401254229f0a26f7ee625ef5f09c6c31e3949/netwerk/protocol/http/Http2Stream.h#149
It doesn't seem dangerous to me but I might be wrong.
ni for Michal to request uplift
Comment 17 • 5 years ago (Assignee)
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: use after free
- Fix Landed on Version: 69
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): simple change
- String or UUID changes made by this patch: none
Comment 18 • 5 years ago (Assignee)
Comment on attachment 9070238 [details]
Bug 1528481 - Possible use after free in Http2Session::RecvPushPromise() if we have a usable entry in the cache for the resource, r=dragana
Beta/Release Uplift Approval Request
- User impact if declined: use after free
- Is this code covered by automated tests?: Unknown
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): simple change
- String changes made/needed: none
Comment on attachment 9073275 [details] [diff] [review]
patch for esr60
Sec-high, ESR60+, ESR8+
Comment on attachment 9070238 [details]
Bug 1528481 - Possible use after free in Http2Session::RecvPushPromise() if we have a usable entry in the cache for the resource, r=dragana
Sec-high, Beta68+
Comment 21 • 5 years ago: uplift
Comment 22 • 5 years ago: uplift