Closed Bug 1542764 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free /src/gfx/vr/ipc/VRLayerParent.h:29:38 in GetGroup

Categories: Core :: WebVR, defect, P2

Status: RESOLVED FIXED
Target Milestone: mozilla69

Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- fixed

People: Reporter: jkratzer, Assigned: kip

References: Blocks 2 open bugs

Details: 4 keywords

Found while fuzzing mozilla-central rev 93075ec49df3. I don't currently have a working testcase but will update if one becomes available.

==17277==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800082c078 at pc 0x7fac98539b84 bp 0x7fac3356ad10 sp 0x7fac3356ad08
READ of size 4 at 0x60800082c078 thread T47 (Compositor)
#0 0x7fac98539b83 in GetGroup /src/gfx/vr/ipc/VRLayerParent.h:29:38
#1 0x7fac98539b83 in mozilla::gfx::VRDisplayHost::RemoveLayer(mozilla::gfx::VRLayerParent*) /src/gfx/vr/VRDisplayHost.cpp:175
#2 0x7fac9856a9d4 in mozilla::gfx::VRLayerParent::Destroy() /src/gfx/vr/ipc/VRLayerParent.cpp:33:16
#3 0x7fac9856a8a0 in mozilla::gfx::VRLayerParent::RecvDestroy() /src/gfx/vr/ipc/VRLayerParent.cpp:22:3
#4 0x7fac967d1dc2 in mozilla::gfx::PVRLayerParent::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PVRLayerParent.cpp:151:20
#5 0x7fac967e2880 in mozilla::gfx::PVRManagerParent::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PVRManagerParent.cpp:298:28
#6 0x7fac95b87369 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2151:21
#7 0x7fac95b8301c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2078:9
#8 0x7fac95b852e7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1937:3
#9 0x7fac95b86077 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1968:13
#10 0x7fac95a6766f in RunTask /src/ipc/chromium/src/base/message_loop.cc:442:9
#11 0x7fac95a6766f in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /src/ipc/chromium/src/base/message_loop.cc:450
#12 0x7fac95a68b6b in MessageLoop::DoWork() /src/ipc/chromium/src/base/message_loop.cc:523:13
#13 0x7fac95a6b5d4 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/ipc/chromium/src/base/message_pump_default.cc:35:31
#14 0x7fac95a65a9e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#15 0x7fac95a65a9e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#16 0x7fac95a65a9e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#17 0x7fac95aaf9d7 in base::Thread::ThreadMain() /src/ipc/chromium/src/base/thread.cc:192:16
#18 0x7fac95a7db18 in ThreadFunc(void*) /src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#19 0x7facb9b9e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#20 0x7facb8c1b41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x60800082c078 is located 88 bytes inside of 96-byte region [0x60800082c020,0x60800082c080)
freed by thread T47 (Compositor) here:
#0 0x560327e6f9e2 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7fac98576775 in mozilla::gfx::VRManagerParent::DeallocPVRLayerParent(mozilla::gfx::PVRLayerParent*) /src/gfx/vr/ipc/VRManagerParent.cpp:54:3
#2 0x7fac967ea8de in mozilla::gfx::PVRManagerParent::DeallocSubtree() /src/obj-firefox/ipc/ipdl/PVRManagerParent.cpp:1179:52
#3 0x7fac967e9e36 in mozilla::gfx::PVRManagerParent::OnChannelClose() /src/obj-firefox/ipc/ipdl/PVRManagerParent.cpp:1133:5
#4 0x7fac95ba920b in applyImpl<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#5 0x7fac95ba920b in apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /src/obj-firefox/dist/include/nsThreadUtils.h:1128
#6 0x7fac95ba920b in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1174
#7 0x7fac95a6766f in RunTask /src/ipc/chromium/src/base/message_loop.cc:442:9
#8 0x7fac95a6766f in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /src/ipc/chromium/src/base/message_loop.cc:450
#9 0x7fac95a68b6b in MessageLoop::DoWork() /src/ipc/chromium/src/base/message_loop.cc:523:13
#10 0x7fac95a6b5d4 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/ipc/chromium/src/base/message_pump_default.cc:35:31
#11 0x7fac95a65a9e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#12 0x7fac95a65a9e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#13 0x7fac95a65a9e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#14 0x7fac95aaf9d7 in base::Thread::ThreadMain() /src/ipc/chromium/src/base/thread.cc:192:16
#15 0x7fac95a7db18 in ThreadFunc(void*) /src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#16 0x7facb9b9e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T47 (Compositor) here:
#0 0x560327e6fd63 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x560327ea45fd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:68:15
#2 0x7fac98576402 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
#3 0x7fac98576402 in mozilla::gfx::VRManagerParent::AllocPVRLayerParent(unsigned int const&, unsigned int const&) /src/gfx/vr/ipc/VRManagerParent.cpp:44
#4 0x7fac967e5df1 in mozilla::gfx::PVRManagerParent::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PVRManagerParent.cpp:347:60
#5 0x7fac95b87369 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2151:21
#6 0x7fac95b8301c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2078:9
#7 0x7fac95b852e7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1937:3
#8 0x7fac95b86077 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1968:13
#9 0x7fac95a6766f in RunTask /src/ipc/chromium/src/base/message_loop.cc:442:9
#10 0x7fac95a6766f in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /src/ipc/chromium/src/base/message_loop.cc:450
#11 0x7fac95a68b6b in MessageLoop::DoWork() /src/ipc/chromium/src/base/message_loop.cc:523:13
#12 0x7fac95a6b5d4 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/ipc/chromium/src/base/message_pump_default.cc:35:31
#13 0x7fac95a65a9e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#14 0x7fac95a65a9e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#15 0x7fac95a65a9e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#16 0x7fac95aaf9d7 in base::Thread::ThreadMain() /src/ipc/chromium/src/base/thread.cc:192:16
#17 0x7fac95a7db18 in ThreadFunc(void*) /src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#18 0x7facb9b9e6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T47 (Compositor) created by T0 here:
#0 0x560327e5867d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fac95a7a2d2 in CreateThread /src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7fac95a7a2d2 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /src/ipc/chromium/src/base/platform_thread_posix.cc:134
#3 0x7fac95aaed98 in base::Thread::StartWithOptions(base::Thread::Options const&) /src/ipc/chromium/src/base/thread.cc:97:8
#4 0x7fac981a28fa in CreateCompositorThread /src/gfx/layers/ipc/CompositorThread.cpp:90:26
#5 0x7fac981a28fa in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /src/gfx/layers/ipc/CompositorThread.cpp:42
#6 0x7fac981a3061 in mozilla::layers::CompositorThreadHolder::Start() /src/gfx/layers/ipc/CompositorThread.cpp:111:33
#7 0x7fac982bb18a in gfxPlatform::Init() /src/gfx/thebes/gfxPlatform.cpp:961:3
#8 0x7fac982b8753 in gfxPlatform::GetPlatform() /src/gfx/thebes/gfxPlatform.cpp:480:5
#9 0x7fac9efe68c8 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /src/widget/GfxInfoBase.cpp:1479:25
#10 0x7fac94860c41 in NS_InvokeByIndex /src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#11 0x7fac96d90667 in Invoke /src/js/xpconnect/src/XPCWrappedNative.cpp:1630:10
#12 0x7fac96d90667 in Call /src/js/xpconnect/src/XPCWrappedNative.cpp:1178
#13 0x7fac96d90667 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /src/js/xpconnect/src/XPCWrappedNative.cpp:1144
#14 0x7fac96d993cb in GetAttribute /src/js/xpconnect/src/xpcprivate.h:1478:12
#15 0x7fac96d993cb in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:981
#16 0x7faca39027c7 in CallJSNative /src/js/src/vm/Interpreter.cpp:442:13
#17 0x7faca39027c7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:534
#18 0x7faca3907080 in InternalCall /src/js/src/vm/Interpreter.cpp:589:10
#19 0x7faca3907080 in Call /src/js/src/vm/Interpreter.cpp:605
#20 0x7faca3907080 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:729
#21 0x7faca3f4946f in CallGetter /src/js/src/vm/NativeObject.cpp:2216:12
#22 0x7faca3f4946f in GetExistingProperty<js::CanGC> /src/js/src/vm/NativeObject.cpp:2268
#23 0x7faca3f4946f in NativeGetPropertyInline<js::CanGC> /src/js/src/vm/NativeObject.cpp:2517
#24 0x7faca3f4946f in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /src/js/src/vm/NativeObject.cpp:2554
#25 0x7faca38e8332 in GetProperty /src/js/src/vm/ObjectOperations-inl.h:117:10
#26 0x7faca38e8332 in GetObjectElementOperation /src/js/src/vm/Interpreter-inl.h:488
#27 0x7faca38e8332 in GetElementOperation /src/js/src/vm/Interpreter-inl.h:602
#28 0x7faca38e8332 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:2883
#29 0x7faca38ccbe8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:422:10
#30 0x7faca3903138 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:562:13
#31 0x7faca3904d82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:605:8
#32 0x7faca4549167 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2558:10
#33 0x7fac96d75479 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /src/js/xpconnect/src/XPCWrappedJSClass.cpp:993:17
#34 0x7fac94862348 in PrepareAndDispatch /src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
#35 0x7fac9486121a in SharedStub (/home/ubuntu/builds/m-c-20190405111221-fuzzing-asan-opt/libxul.so+0x4b6321a)
#36 0x7fac947b4179 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /src/xpcom/components/nsCategoryManager.cpp:679:19
#37 0x7faca3639c70 in nsXREDirProvider::DoStartup() /src/toolkit/xre/nsXREDirProvider.cpp:1019:11
#38 0x7faca360f1cb in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4409:16
#39 0x7faca36129d4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4727:8
#40 0x7faca3614219 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4808:21
#41 0x560327ea264c in do_main /src/browser/app/nsBrowserApp.cpp:212:22
#42 0x560327ea264c in main /src/browser/app/nsBrowserApp.cpp:291
#43 0x7facb8b3482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /src/gfx/vr/ipc/VRLayerParent.h:29:38 in GetGroup
Shadow bytes around the buggy address:
0x0c10800fd7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd7f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c10800fd800: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c10800fd810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fd850: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==17277==ABORTING

Group: core-security → gfx-core-security
Keywords: sec-high

I will take this and verify if it is still an issue after the refactoring / rewrite work that recently landed in Bug 1466702.

Assignee: nobody → kgilbert
Priority: -- → P2

Kip, is this still something you can take a look at? Still an issue or did it get fixed by bug 1466702?

Flags: needinfo?(kgilbert)

(In reply to Liz Henry (:lizzard) from comment #2)

Kip, is this still something you can take a look at? Still an issue or did it get fixed by bug 1466702?

Bug 1466702 has landed, integrating VRDisplayHost into VRManager. This effectively changes the lifespan of the VRDisplayHost, gfxVRExternal, and VRDisplayLocal code that was affected, preventing it from being deallocated before the UAF in this scenario.

I had not been able to reproduce the original test case, but suspect with this extensive refactoring that the original issue would no longer apply.

I feel confident in closing this issue, but would welcome any additional test case that could help verify this.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(kgilbert)
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Depends on: 1466702
Target Milestone: --- → mozilla69
Group: core-security-release
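The ASan report above pins the bad read to VRDisplayHost::RemoveLayer calling GetGroup() on a VRLayerParent that the channel-close path (PVRManagerParent::OnChannelClose -> DeallocSubtree -> DeallocPVRLayerParent) had already freed: the actor's memory was released while a non-owning pointer to it still sat in the host's layer list. The block below is an added example and is not Firefox code; it models that lifetime mismatch in a few dozen lines of C++, with the vulnerable teardown (free without unregistering) beside a hardened one (unregister, then free). To stay well-defined, it never dereferences a freed object; it records which addresses are still live and counts the list entries a real walk would have touched after free. All names (VRLayerModel, VRHostModel, VRManagerModel, LiveRegistry, StaleAfterTeardown) are hypothetical, and the actual fix that landed via bug 1466702 is not reproduced here.

```cpp
// Added illustration, not Firefox code: a minimal model of the lifetime bug in
// the ASan report. A host keeps raw pointers to objects owned by IPC actors;
// on channel close the actors are freed without telling the host, and a later
// walk over the host's list reads freed memory. All names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <set>
#include <vector>

struct VRLayerModel {
  uint32_t group;
  uint32_t GetGroup() const { return group; }
};

// Which layer addresses are currently backed by a live object. Lets the example
// detect a dangling entry instead of dereferencing it (undefined behaviour, and
// exactly what ASan flagged above). Addresses are compared as integers only.
struct LiveRegistry {
  std::set<uintptr_t> live;
  void Add(const VRLayerModel* l) { live.insert(reinterpret_cast<uintptr_t>(l)); }
  void Remove(const VRLayerModel* l) { live.erase(reinterpret_cast<uintptr_t>(l)); }
  bool IsLive(const VRLayerModel* l) const {
    return live.count(reinterpret_cast<uintptr_t>(l)) != 0;
  }
};

// Non-owning registry of layers, in the role of VRDisplayHost's layer list.
struct VRHostModel {
  std::vector<VRLayerModel*> layers;

  void AddLayer(VRLayerModel* l) { layers.push_back(l); }

  void RemoveLayer(VRLayerModel* l) {
    layers.erase(std::remove(layers.begin(), layers.end(), l), layers.end());
  }

  // Stand-in for the walk RemoveLayer does over the remaining layers: each entry
  // that is no longer live would be a heap-use-after-free on GetGroup().
  size_t CountStaleEntries(const LiveRegistry& reg) const {
    size_t stale = 0;
    for (const VRLayerModel* l : layers) {
      if (reg.IsLive(l)) {
        (void)l->GetGroup();  // object still alive, safe to read
      } else {
        ++stale;              // a real walk would read freed memory here
      }
    }
    return stale;
  }
};

// Owner of the layer actors, in the role of VRManagerParent (Alloc/Dealloc).
struct VRManagerModel {
  LiveRegistry reg;
  VRHostModel host;
  std::vector<VRLayerModel*> actors;

  VRLayerModel* AllocLayer(uint32_t group) {
    auto* l = new VRLayerModel{group};
    reg.Add(l);
    actors.push_back(l);
    host.AddLayer(l);
    return l;
  }

  // Vulnerable teardown: channel close frees every actor but never unregisters
  // it from the host, so host.layers keeps dangling pointers.
  void OnChannelCloseVulnerable() {
    for (VRLayerModel* l : actors) {
      reg.Remove(l);
      delete l;
    }
    actors.clear();
  }

  // Hardened teardown: the object leaves every structure that refers to it
  // before its memory is released, so no dangling pointer survives.
  void OnChannelCloseFixed() {
    for (VRLayerModel* l : actors) {
      host.RemoveLayer(l);
      reg.Remove(l);
      delete l;
    }
    actors.clear();
  }
};

// Run one teardown path on two constructed layers and report how many stale
// pointers the host's list still holds afterwards (2 vulnerable, 0 fixed).
size_t StaleAfterTeardown(bool fixed) {
  VRManagerModel mgr;
  mgr.AllocLayer(1);
  mgr.AllocLayer(2);
  if (fixed) {
    mgr.OnChannelCloseFixed();
  } else {
    mgr.OnChannelCloseVulnerable();
  }
  return mgr.host.CountStaleEntries(mgr.reg);
}
```

The design point is the one the report and the closing comment both turn on: when an object is reachable from more than one owner-like structure, deallocation has to run through every one of them, or the structure has to own the object (RefPtr) so the two lifetimes cannot diverge. Under ASan the vulnerable path above would become a report shaped like the one in comment 0; the registry check is only there so the example stays defined behaviour.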