Closed Bug 1528481 (CVE-2019-11713) Opened 5 years ago Closed 5 years ago

use after free in HTTP2 code, mozilla::net::Http2Session::RecvPushPromise (Http2Session.cpp)

Categories

(Core :: Networking: HTTP, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 68+ fixed
firefox67 --- wontfix
firefox68 + fixed
firefox69 + fixed

People

(Reporter: hanno, Assigned: michal)

References

Details

(4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+])

Attachments

(2 files)

I observed a use after free in the HTTP2 code with the optimized ASAN builds.

From the line numbers the bug should be somewhere in Http2Session.cpp between line 2049 and 2016:

  if (NS_FAILED(ds->AsyncOpenURI(
          pushedURL, EmptyCString(),
          nsICacheStorage::OPEN_READONLY | nsICacheStorage::OPEN_SECRETLY,
          cpcc))) {
    LOG3(
        ("Http2Session::RecvPushPromise %p failed to open cache entry for "
         "push check",
         self));
  }
}

}

pushedStream->SetHTTPState(Http2Stream::RESERVED_BY_REMOTE);

Stack trace:

==18805==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400042eebc at pc 0x7f4330719163 bp 0x7f42e6c19410 sp 0x7f42e6c19408
WRITE of size 4 at 0x61400042eebc thread T8 (Socket Thread)
    #0 0x7f4330719162 in SetHTTPState /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Stream.h:62:45
    #1 0x7f4330719162 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2061
    #2 0x7f43307284c2 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
    #3 0x7f43308c9cb5 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2076:24
    #4 0x7f43308cc897 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2419:17
    #5 0x7f43308cd0ec in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
    #6 0x7f432ff33538 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:277:27
    #7 0x7f432ff42b13 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2185:14
    #8 0x7f432ff53b01 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #9 0x7f432ff51c95 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:972:7
    #10 0x7f432ff5417c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #11 0x7f432fcbf3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #12 0x7f432fcc56c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #13 0x7f4330c4e28a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #14 0x7f4330b94d8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7f4330b94d8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #16 0x7f4330b94d8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #17 0x7f432fcb958a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
    #18 0x7f4350751666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7f43503956da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #20 0x7f434f37388e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61400042eebc is located 124 bytes inside of 440-byte region [0x61400042ee40,0x61400042eff8)
freed by thread T8 (Socket Thread) here:
    #0 0x55eef3d2b5d2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f432fb6e497 in RawRemove /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:637:3
    #2 0x7f432fb6e497 in RawRemove /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:621
    #3 0x7f432fb6e497 in PLDHashTable::RemoveEntry(PLDHashEntryHdr*) /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:615
    #4 0x7f4330709f50 in RemoveEntry /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:214:48
    #5 0x7f4330709f50 in Remove /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseHashtable.h:184
    #6 0x7f4330709f50 in mozilla::net::Http2Session::CleanupStream(mozilla::net::Http2Stream*, nsresult, mozilla::net::Http2Session::errorType) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1243
    #7 0x7f433071b294 in CleanupStream /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1262:3
    #8 0x7f433071b294 in mozilla::net::Http2Session::CachePushCheckCallback::OnCacheEntryCheck(nsICacheEntry*, nsIApplicationCache*, unsigned int*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2224
    #9 0x7f4330586ede in mozilla::net::CacheEntry::InvokeCallback(mozilla::net::CacheEntry::Callback&) /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:741:46
    #10 0x7f4330585faf in mozilla::net::CacheEntry::InvokeCallbacks(bool) /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:668:30
    #11 0x7f4330581650 in mozilla::net::CacheEntry::InvokeCallbacks() /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:610:31
    #12 0x7f433057f3eb in Open /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:340:3
    #13 0x7f433057f3eb in mozilla::net::CacheEntry::AsyncOpen(nsICacheEntryOpenCallback*, unsigned int) /builds/worker/workspace/build/src/netwerk/cache2/CacheEntry.cpp:315
    #14 0x7f433057a695 in mozilla::net::CacheStorage::AsyncOpenURI(nsIURI*, nsTSubstring<char> const&, unsigned int, nsICacheEntryOpenCallback*) /builds/worker/workspace/build/src/netwerk/cache2/CacheStorage.cpp:105:19
    #15 0x7f4330718463 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2049:11
    #16 0x7f43307284c2 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
    #17 0x7f43308c9cb5 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2076:24
    #18 0x7f43308cc897 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2419:17
    #19 0x7f43308cd0ec in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
    #20 0x7f432ff33538 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:277:27
    #21 0x7f432ff42b13 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2185:14
    #22 0x7f432ff53b01 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #23 0x7f432ff51c95 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:972:7
    #24 0x7f432ff5417c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #25 0x7f432fcbf3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #26 0x7f432fcc56c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #27 0x7f4330c4e28a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #28 0x7f4330b94d8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7f4330b94d8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #30 0x7f4330b94d8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #31 0x7f432fcb958a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
    #32 0x7f4350751666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #33 0x7f43503956da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T8 (Socket Thread) here:
    #0 0x55eef3d2b953 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55eef3d6017d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
    #2 0x7f4330716ec2 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
    #3 0x7f4330716ec2 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1913
    #4 0x7f43307284c2 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
    #5 0x7f43308c9cb5 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2076:24
    #6 0x7f43308cc897 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2419:17
    #7 0x7f43308cd0ec in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
    #8 0x7f432ff33538 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:277:27
    #9 0x7f432ff42b13 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2185:14
    #10 0x7f432ff53b01 in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #11 0x7f432ff51c95 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:972:7
    #12 0x7f432ff5417c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #13 0x7f432fcbf3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #14 0x7f432fcc56c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #15 0x7f4330c4e28a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #16 0x7f4330b94d8f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f4330b94d8f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7f4330b94d8f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7f432fcb958a in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
    #20 0x7f4350751666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f43503956da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T8 (Socket Thread) created by T0 here:
    #0 0x55eef3d1426d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f435074e395 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f435074df7e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f432fcbb889 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:655:8
    #4 0x7f432fcc4810 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:414:12
    #5 0x7f432fcc8549 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:127:57
    #6 0x7f432ff4f9bc in NS_NewNamedThread<14> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f432ff4f9bc in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:608
    #8 0x7f432fc52dc2 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:5349:7
    #9 0x7f432fc75fdf in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
    #10 0x7f432fc75fdf in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1396
    #11 0x7f432fc6b03c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1583:10
    #12 0x7f432fc7ecd5 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #13 0x7f432fc7ecd5 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:253
    #14 0x7f432fb069be in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:91:7
    #15 0x7f432fe9d9dd in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:746:5
    #16 0x7f432fe9d9dd in InitializeSocketTransportService /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:306
    #17 0x7f432fe9d9dd in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:1127
    #18 0x7f432fe9c4da in mozilla::net::nsIOService::Init() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:271:3
    #19 0x7f432fe9f91e in mozilla::net::nsIOService::GetInstance() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:362:9
    #20 0x7f432fc536b6 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:5367:48
    #21 0x7f432fc75fdf in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
    #22 0x7f432fc75fdf in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1396
    #23 0x7f432fc6b03c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1583:10
    #24 0x7f4331d88821 in CallGetService<nsIIOService> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsServiceManagerUtils.h:73:10
    #25 0x7f4331d88821 in nsScriptSecurityManager::Init() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1405
    #26 0x7f4331d8974c in nsScriptSecurityManager::InitStatics() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1465:28
    #27 0x7f4331786a58 in nsXPConnect::InitStatics() /builds/worker/workspace/build/src/js/xpconnect/src/nsXPConnect.cpp:135:3
    #28 0x7f43317206b8 in xpcModuleCtor() /builds/worker/workspace/build/src/js/xpconnect/src/XPCModule.cpp:11:3
    #29 0x7f4338ebc2f8 in nsLayoutModuleInitialize() /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:106:7
    #30 0x7f432fc6c0d5 in nsComponentManagerImpl::Init() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:532:5
    #31 0x7f432fd15509 in NS_InitXPCOM2 /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:451:51
    #32 0x7f433c0f5874 in Initialize /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1364:8
    #33 0x7f433c0f5874 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4834
    #34 0x7f433c0f73b0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4922:21
    #35 0x55eef3d5e1ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:214:22
    #36 0x55eef3d5e1ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:293
    #37 0x7f434f273b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Stream.h:62:45 in SetHTTPState
Shadow bytes around the buggy address:
  0x0c288007dd80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c288007dd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c288007dda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c288007ddb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c288007ddc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c288007ddd0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd  
  0x0c288007dde0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288007ddf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c288007de00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c288007de10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288007de20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==18805==ABORTING

(In reply to Hanno Boeck from comment #0)

> I observed a use after free in the HTTP2 code with the optimized ASAN builds.
>
> From the line numbers the bug should be somewhere in Http2Session.cpp between line 2049 and 2016:

Was this meant to be 2061 ?

Group: core-security → network-core-security
Component: Security → Networking: HTTP
Flags: needinfo?(hanno)

(In reply to :Gijs (he/him) from comment #1)

> Was this meant to be 2061 ?

Yes, sorry, typo. Just look at the stack trace:

#1 0x7f4330719162 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:2061

Flags: needinfo?(hanno)

Heh. The comment on line Http2Session.cpp#2040:

    // Another nifty trick! Even though this is using nsIURIs (which are not
    // generally ok off the main thread), since we're not using the protocol
    // handler to create any URIs, this will work just fine here. Don't try this
    // at home, though, kids. I'm a trained professional.

In the second stack trace it looks like the call to AsyncOpenURI leads to us finding the URI in the cache on line Http2Session.cpp#2224, and subsequently removing the item from the hashtable at Http2Session.cpp#1243:

  // removing from the stream transaction hash will
  // delete the Http2Stream and drop the reference to
  // its transaction

So I guess that deletes the Http2PushedStream that the pushedStream* points to, prior to trying to use it on line 2061.

Not sure if the assumption from the comment is wrong, or something else is at play here. (or I might also be totally wrong, I've never seen this code before).

Paul, your analysis is correct. I'll try to find someone to look at this soon.

Priority: -- → P1
Whiteboard: [necko-triaged]

I will duplicate this bug to bug 1547266. They are really the same thing to fix.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

I can't read #1547266, can you add me to CC? (Also want to point out that this bug is older.)

This seems to be quite different from the problem in bug 1547266 and the fix in that bug won't probably fix this issue. Reopening and taking the bug.

Assignee: nobody → michal.novotny
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

If we find a usable cache entry, the stream is closed and released in CachePushCheckCallback::OnCacheEntryCheck(). This patch converts the raw pointer to a weak pointer, so we can simply check whether the object still exists after AsyncOpenURI() finishes.
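The two comments above (Paul's analysis of the freeing path and Michal's description of the fix) describe one ownership pattern: the session's stream table is the sole owner of the Http2Stream, the cache check can run synchronously from inside AsyncOpenURI(), and when it finds a usable entry it calls CleanupStream(), which destroys the stream that the caller still holds a raw pointer to. The following is an added example, not Firefox code: a small model of that pattern with the pre-fix raw-pointer shape beside the weak-reference shape of the fix. Session, PushedStream, AddStream, Lookup, Scenario and the std::weak_ptr stand-in for mozilla::WeakPtr are all assumptions made for the example.

```cpp
// Added example, not Firefox code. Models the ownership pattern behind this
// bug: a session owns its streams in a table, and the cache-check callback may
// run synchronously from inside AsyncOpenURI() and delete the stream before the
// caller touches it again. std::weak_ptr stands in for mozilla::WeakPtr.
#include <cstdint>
#include <functional>
#include <map>
#include <memory>

enum class StreamState { Idle, ReservedByRemote };

struct PushedStream {
  explicit PushedStream(uint32_t i) : id(i) {}
  uint32_t id;
  StreamState state = StreamState::Idle;
  void SetHTTPState(StreamState s) { state = s; }
};

class Session {
 public:
  // Stand-in for the stream hashtable: the table is the sole owner, so erasing
  // the entry destroys the stream (what CleanupStream() does in the real code).
  uint32_t AddStream() {
    uint32_t id = nextId_;
    nextId_ += 2;  // pushed streams use even ids (assumption for the model)
    streams_[id] = std::make_shared<PushedStream>(id);
    return id;
  }
  void CleanupStream(uint32_t id) { streams_.erase(id); }
  bool HasStream(uint32_t id) const { return streams_.count(id) != 0; }
  std::shared_ptr<PushedStream> Lookup(uint32_t id) const {
    auto it = streams_.find(id);
    return it == streams_.end() ? nullptr : it->second;
  }

  // Simulated cache open. When a usable entry exists the callback fires
  // synchronously, mirroring the freeing stack in the ASan report
  // (AsyncOpenURI -> ... -> OnCacheEntryCheck -> CleanupStream).
  void AsyncOpenURI(bool usableEntryInCache,
                    const std::function<void()>& onCacheEntryCheck) {
    if (usableEntryInCache) onCacheEntryCheck();
  }

 private:
  uint32_t nextId_ = 2;
  std::map<uint32_t, std::shared_ptr<PushedStream>> streams_;
};

// Pre-fix shape: a raw, non-owning pointer is held across AsyncOpenURI().
// If the callback deletes the stream, the final SetHTTPState() writes to freed
// memory, which is the heap-use-after-free ASan reported. Shown for contrast
// only; never call it with usableEntryInCache == true.
void RecvPushPromiseRaw(Session& session, uint32_t id, bool usableEntryInCache) {
  PushedStream* pushedStream = session.Lookup(id).get();
  session.AsyncOpenURI(usableEntryInCache, [&] { session.CleanupStream(id); });
  pushedStream->SetHTTPState(StreamState::ReservedByRemote);  // UAF if deleted
}

// Shape of the fix: hold a weak reference and re-check that the stream still
// exists after AsyncOpenURI() returns. Returns true if the state was set,
// false if the stream had already been cleaned up by the cache check.
bool RecvPushPromiseWeak(Session& session, uint32_t id, bool usableEntryInCache) {
  std::weak_ptr<PushedStream> weakStream = session.Lookup(id);
  session.AsyncOpenURI(usableEntryInCache, [&] { session.CleanupStream(id); });
  if (auto pushedStream = weakStream.lock()) {
    pushedStream->SetHTTPState(StreamState::ReservedByRemote);
    return true;
  }
  return false;  // stream was closed by the cache check; nothing left to do
}

// Runs one push promise over a fresh session with the weak-pointer version and
// reports what happened, so both outcomes can be checked without any UB.
struct Outcome {
  bool stateSet;
  bool streamExists;
};
Outcome Scenario(bool usableEntryInCache) {
  Session session;
  uint32_t id = session.AddStream();
  bool set = RecvPushPromiseWeak(session, id, usableEntryInCache);
  return Outcome{set, session.HasStream(id)};
}
```

With no usable cache entry the weak pointer is still live after AsyncOpenURI() and the stream is marked RESERVED_BY_REMOTE; with a usable entry the callback has already destroyed the stream, lock() yields null, and the function returns without touching it. The raw-pointer version has no way to learn that the object it points to is gone, which is why converting the pointer to a weak one is the minimal fix.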

Comment on attachment 9070238 [details]
Bug 1528481 - Possible use after free in Http2Session::RecvPushPromise() if we have a usable entry in the cache for the resource, r=dragana

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This UAF can be triggered quite easily, but I don't think it can be used for any useful exploit.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: since version 56
  • If not all supported branches, which bug introduced the flaw?: Bug 1367551
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Should be easy to backport the patch if necessary.
  • How likely is this patch to cause regressions; how much testing does it need?: The patch shouldn't cause regressions. It's a simple change and probably the worst that could happen is that we won't handle http2 server push, which is just a performance optimization.
Attachment #9070238 - Flags: sec-approval?

sec-approval+ for trunk. We'll want Beta and ESR60 patches made and nominated as well.

Attachment #9070238 - Flags: sec-approval? → sec-approval+

(In reply to Michal Novotny [:michal] from comment #10)

>   • How easily could an exploit be constructed based on the patch?: This UAF can be triggered quite easily, but I don't think it can be used for any useful exploit.

Why is it not useful for an exploit if it's easily triggered?

Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

ni for Michal to request uplift

Flags: needinfo?(michal.novotny)
Attached patch: patch for esr60 (Splinter Review)

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: use after free
  • Fix Landed on Version: 69
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): simple change
  • String or UUID changes made by this patch: none
Flags: needinfo?(michal.novotny)
Attachment #9073275 - Flags: approval-mozilla-esr60?

Comment on attachment 9070238 [details]
Bug 1528481 - Possible use after free in Http2Session::RecvPushPromise() if we have a usable entry in the cache for the resource, r=dragana

Beta/Release Uplift Approval Request

  • User impact if declined: use after free
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): simple change
  • String changes made/needed: none
Attachment #9070238 - Flags: approval-mozilla-beta?
Comment on attachment 9073275 [details] [diff] [review]
patch for esr60

Sec-high, ESR60+, ESR8+
Attachment #9073275 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+

Comment on attachment 9070238 [details]
Bug 1528481 - Possible use after free in Http2Session::RecvPushPromise() if we have a usable entry in the cache for the resource, r=dragana

Sec-high, Beta68+

Attachment #9070238 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: network-core-security → core-security-release
Target Milestone: --- → mozilla69
Flags: qe-verify-
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]
Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+]
Alias: CVE-2019-11713
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
Regressions: 1644239
