1542593 - (CVE-2019-11714) PNeckoChild::SendPUDPSocketConstructor called off main thread

Status: RESOLVED FIXED

(Core :: Networking, defect, P2)

Description

I observed a null pointer crash in an asan build, stack trace below.

This looks very similar to #1542160 but that's already marked as fixed. (The crash happened with a build from Apr 1st).

==31446==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f3902c57963 bp 0x7f38e7cebb50 sp 0x7f38e7ceb9c0 T26)
==31446==The signal is caused by a WRITE memory access.
==31446==Hint: address points to the zero page.
    #0 0x7f3902c57962 in mozilla::ipc::IPDLParamTraits<nsIPrincipal>::Write(IPC::Message*, mozilla::ipc::IProtocol*, nsIPrincipal*) /builds/worker/workspace/build/src/dom/ipc/PermissionMessageUtils.cpp:16:3
    #1 0x7f38fc6f27d9 in mozilla::net::PNeckoChild::SendPUDPSocketConstructor(mozilla::net::PUDPSocketChild*, IPC::Principal const&, nsTString<char> const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PNeckoChild.cpp:1099:5
    #2 0x7f39028f120a in mozilla::dom::UDPSocketChild::Bind(nsIUDPSocketInternal*, nsIPrincipal*, nsTSubstring<char> const&, unsigned short, bool, bool, unsigned int, unsigned int, nsIEventTarget*) /builds/worker/workspace/build/src/dom/network/UDPSocketChild.cpp:92:18
    #3 0x7f38fd2513e8 in mozilla::NrUdpSocketIpc::create_i(nsTSubstring<char> const&, unsigned short) /builds/worker/workspace/build/src/media/mtransport/nr_socket_prsock.cpp:1520:7
    #4 0x7f38fd25e2e2 in apply<RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(const nsTSubstring<char> &, unsigned short), nsTString<char>, unsigned short, 0, 1> /builds/worker/workspace/build/src/media/mtransport/runnable_utils.h:78:5
    #5 0x7f38fd25e2e2 in mozilla::runnable_args_memfn<RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(nsTSubstring<char> const&, unsigned short), nsTString<char>, unsigned short>::Run() /builds/worker/workspace/build/src/media/mtransport/runnable_utils.h:148
    #6 0x7f38fb29c929 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
    #7 0x7f38fb2a2a18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
    #8 0x7f38fc2755ca in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #9 0x7f38fc1a718f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #10 0x7f38fc1a718f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #11 0x7f38fc1a718f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #12 0x7f38fb2968fa in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:454:11
    #13 0x7f3912dd55ad in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7f3916004163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)
    #15 0x7f3915be9dee in clone (/lib/x86_64-linux-gnu/libc.so.6+0x11adee)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/ipc/PermissionMessageUtils.cpp:16:3 in mozilla::ipc::IPDLParamTraits<nsIPrincipal>::Write(IPC::Message*, mozilla::ipc::IProtocol*, nsIPrincipal*)
Thread T26 (mtransport) created by T6 (Socket Thread) here:
    #0 0x5583451e229d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f3912dc7613 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f3912db109e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f38fb298c19 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:661:8
    #4 0x7f38fb2a1b60 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:416:12
    #5 0x7f38fb2a58b9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:135:57
    #6 0x7f38fd25cec2 in mozilla::SingletonThreadHolder::AddUse() /builds/worker/workspace/build/src/media/mtransport/nr_socket_prsock.cpp:214:21
    #7 0x7f38fd24de6f in GetIOThreadAndAddUse_s /builds/worker/workspace/build/src/media/mtransport/nr_socket_prsock.cpp:262:12
    #8 0x7f38fd24de6f in mozilla::NrUdpSocketIpc::NrUdpSocketIpc() /builds/worker/workspace/build/src/media/mtransport/nr_socket_prsock.cpp:1086
    #9 0x7f38fd25c2c0 in mozilla::NrSocketBase::CreateSocket(nr_transport_addr_*, RefPtr<mozilla::NrSocketBase>*, std::shared_ptr<mozilla::NrSocketProxyConfig> const&) /builds/worker/workspace/build/src/media/mtransport/nr_socket_prsock.cpp:2106:21
    #10 0x7f38fd28629c in nr_socket_local_create /builds/worker/workspace/build/src/media/mtransport/nricectx.cpp:1132:7
    #11 0x7f3907236ba2 in nr_socket_factory_create_socket /builds/worker/workspace/build/src/media/mtransport/third_party/nICEr/src/net/nr_socket.c:185:12
    #12 0x7f3907236ba2 in nr_ice_get_default_address /builds/worker/workspace/build/src/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:640
    #13 0x7f3907236ba2 in nr_ice_get_default_local_address /builds/worker/workspace/build/src/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:661
    #14 0x7f3907235f64 in nr_ice_set_local_addresses /builds/worker/workspace/build/src/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:744:11
    #15 0x7f38fd278a6b in mozilla::NrIceCtx::SetStunAddrs(nsTArray<mozilla::NrIceStunAddr> const&) /builds/worker/workspace/build/src/media/mtransport/nricectx.cpp:558:3
    #16 0x7f38fd017409 in mozilla::MediaTransportHandlerSTS::StartIceGathering(bool, nsTArray<mozilla::NrIceStunAddr> const&) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/MediaTransportHandler.cpp:572:14
    #17 0x7f38fd10eaa9 in apply<RefPtr<mozilla::PeerConnectionMedia>, void (mozilla::PeerConnectionMedia::*)(bool), bool, 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:78:5
    #18 0x7f38fd10eaa9 in mozilla::runnable_args_memfn<RefPtr<mozilla::PeerConnectionMedia>, void (mozilla::PeerConnectionMedia::*)(bool), bool>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:148
    #19 0x7f38fb29c929 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
    #20 0x7f38fb2a2a18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
    #21 0x7f38fb540cd4 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:1013:11
    #22 0x7f38fb542e7c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
    #23 0x7f38fb29c929 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
    #24 0x7f38fb2a2a18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
    #25 0x7f38fc2755ca in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #26 0x7f38fc1a718f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #27 0x7f38fc1a718f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #28 0x7f38fc1a718f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #29 0x7f38fb2968fa in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:454:11
    #30 0x7f3912dd55ad in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #31 0x7f3916004163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)

Thread T6 (Socket Thread) created by T0 (Web Content) here:
    #0 0x5583451e229d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f3912dc7613 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f3912db109e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f38fb298c19 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:661:8
    #4 0x7f38fb2a1b60 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:416:12
    #5 0x7f38fb2a58b9 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:135:57
    #6 0x7f38fb53e6bc in NS_NewNamedThread<14> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f38fb53e6bc in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:609
    #8 0x7f38fb21a948 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:8802:7
    #9 0x7f38fb2515cf in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
    #10 0x7f38fb2515cf in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1401
    #11 0x7f38fb2461c5 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1588:10
    #12 0x7f38fb25a505 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #13 0x7f38fb25a505 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:253
    #14 0x7f38fb0c9a9e in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:91:7
    #15 0x7f38fb488e4d in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:746:5
    #16 0x7f38fb488e4d in InitializeSocketTransportService /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:306
    #17 0x7f38fb488e4d in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:1099
    #18 0x7f38fb48794a in mozilla::net::nsIOService::Init() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:271:3
    #19 0x7f38fb48ad8e in mozilla::net::nsIOService::GetInstance() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:362:9
    #20 0x7f38fb2286ed in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:10196:48
    #21 0x7f38fb2515cf in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
    #22 0x7f38fb2515cf in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1401
    #23 0x7f38fb2461c5 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1588:10
    #24 0x7f38fd415351 in CallGetService<nsIIOService> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsServiceManagerUtils.h:73:10
    #25 0x7f38fd415351 in nsScriptSecurityManager::Init() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1430
    #26 0x7f38fd41627c in nsScriptSecurityManager::InitStatics() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1491:28
    #27 0x7f38fcdc2d48 in nsXPConnect::InitStatics() /builds/worker/workspace/build/src/js/xpconnect/src/nsXPConnect.cpp:135:3
    #28 0x7f38fcd5b188 in xpcModuleCtor() /builds/worker/workspace/build/src/js/xpconnect/src/XPCModule.cpp:11:3
    #29 0x7f39045f7e78 in nsLayoutModuleInitialize() /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:108:7
    #30 0x7f38fb247335 in nsComponentManagerImpl::Init() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:535:5
    #31 0x7f38fb2f3ba9 in NS_InitXPCOM /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:466:51
    #32 0x7f3907117fde in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:196:8
    #33 0x7f38fc28048d in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp
    #34 0x7f3902c2fcd5 in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/workspace/build/src/dom/ipc/ContentProcess.cpp:188:13
    #35 0x7f3907118ae8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:732:21
    #36 0x55834522c404 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #37 0x55834522c404 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
    #38 0x7f3915af309a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

Comment 1

[Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧]

dom/ipc/PermissionMessageUtils.cpp line 16 is:

  MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());

We're accessing the NeckoChild on the wrong thread. This code in UDPSocketChild tries to use PBackground if on a non-main thread, but something seems to have gone wrong with the state of mBackgroundManager and we end up in the call at line 92.

This looks familiar, but I don't remember which other bug I might have seen this on.

(In reply to comment #0):

This looks very similar to #1542160 but that's already marked as fixed. (The crash happened with a build from Apr 1st).

Did you mean a different bug number there? Bug 1542160 isn't obviously related and isn't closed.

Comment 2

[Hanno Boeck]

(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #1)

Did you mean a different bug number there? Bug 1542160 isn't obviously related and isn't closed.

Sorry, got confused with my notes. I meant bug 1484524

Comment 3

[Daniel Veditz [:dveditz]]

On non-nightlies diagnostic asserts won't fire, so this would presumably do something other than a null deref. Do you have a testcase?

Comment 4

[Hanno Boeck]

Sorry, I don't have a reproducer, these happen irregularly on some tests I do with asan-builds, but accessing the same webpages won't lead to the same bug in a reproducible way.

Comment 5

[Honza Bambas (:mayhemer)]

Kershaw, if you are too busy, please feel free to dis-assign, I'll find someone else. This is not a super-high priority.

Comment 6

[Kershaw Chang [:kershaw]]

Attachment: Bug 1542593 - Don't access gNeckoChild if not on main thread

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/6c982370080bbaed64a58475ec21db59dfe8327a
https://hg.mozilla.org/mozilla-central/rev/6c982370080b