Bug 1551904 (Closed): AddressSanitizer: heap-use-after-free /src/obj-firefox/dist/include/nsCOMPtr.h:823:48 in get

Opened 5 years ago; closed 5 years ago.
Product/Component: Core :: WebRTC (defect)
Severity: critical (priority not set)
Status: RESOLVED DUPLICATE of bug 1551836
Tracking: firefox68 affected
Reporter: jkratzer; Assignee: unassigned
References: blocks 1 open bug

Found while fuzzing mozilla-central rev b0645d43f221.

I don't currently have a working testcase but will update when one becomes available.

==16801==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170001c8620 at pc 0x7f3e10f5f37a bp 0x7ffef98c7030 sp 0x7ffef98c7028
READ of size 8 at 0x6170001c8620 thread T0 (file:// Content)
    #0 0x7f3e10f5f379 in get /src/obj-firefox/dist/include/nsCOMPtr.h:823:48
    #1 0x7f3e10f5f379 in operator nsPIDOMWindowInner * /src/obj-firefox/dist/include/nsCOMPtr.h:831
    #2 0x7f3e10f5f379 in GetWindow /src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.h:234
    #3 0x7f3e10f5f379 in GetWindow /src/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:769
    #4 0x7f3e10f5f379 in mozilla::PeerConnectionMedia::ProtocolProxyQueryHandler::SetProxyOnPcm(nsIProxyInfo&) /src/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:69
    #5 0x7f3e10f5e4f8 in mozilla::PeerConnectionMedia::ProtocolProxyQueryHandler::OnProxyAvailable(nsICancelable*, nsIChannel*, nsIProxyInfo*, nsresult) /src/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:54:5
    #6 0x7f3e0ea54cf6 in mozilla::net::nsAsyncResolveRequest::DoCallback()::'lambda'(mozilla::net::nsAsyncResolveRequest*, nsIProxyInfo*, bool)::operator()(mozilla::net::nsAsyncResolveRequest*, nsIProxyInfo*, bool) const /src/netwerk/base/nsProtocolProxyService.cpp:357:26
    #7 0x7f3e0e9a8726 in operator() /src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
    #8 0x7f3e0e9a8726 in mozilla::net::nsAsyncResolveRequest::AsyncApplyFilters::Finish() /src/netwerk/base/nsProtocolProxyService.cpp:588
    #9 0x7f3e0e9a7f94 in mozilla::net::nsAsyncResolveRequest::AsyncApplyFilters::ProcessNextFilter() /src/netwerk/base/nsProtocolProxyService.cpp:499:14
    #10 0x7f3e0e9a7598 in mozilla::net::nsAsyncResolveRequest::AsyncApplyFilters::AsyncProcess(mozilla::net::nsAsyncResolveRequest*) /src/netwerk/base/nsProtocolProxyService.cpp:475:19
    #11 0x7f3e0ea538e2 in mozilla::net::nsAsyncResolveRequest::DoCallback() /src/netwerk/base/nsProtocolProxyService.cpp:366:30
    #12 0x7f3e0e99965d in mozilla::net::ExecuteCallback::Run() /src/netwerk/base/nsPACMan.cpp:119:16
    #13 0x7f3e0e698437 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1175:14
    #14 0x7f3e0e6a0074 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7f3e0fa1fd54 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:110:5
    #16 0x7f3e0f8f5cae in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f3e0f8f5cae in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7f3e0f8f5cae in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7f3e1903e683 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #20 0x7f3e1d671dce in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #21 0x7f3e0f8f5cae in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #22 0x7f3e0f8f5cae in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #23 0x7f3e0f8f5cae in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #24 0x7f3e1d670f3c in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:757:34
    #25 0x55be39b9672e in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #26 0x55be39b9672e in main /src/browser/app/nsBrowserApp.cpp:263
    #27 0x7f3e328b0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #28 0x55be39ab7e1c in _start (/home/worker/builds/m-c-20190514160211-fuzzing-asan-opt/firefox+0x2fe1c)

0x6170001c8620 is located 160 bytes inside of 648-byte region [0x6170001c8580,0x6170001c8808)
freed by thread T0 (file:// Content) here:
    #0 0x55be39b634b2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f3e10f2dacc in mozilla::PeerConnectionImpl::Release() /src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:230:1
    #2 0x7f3e0e43a2d1 in ~nsCOMPtr_base /src/xpcom/base/nsCOMPtr.h:331:7
    #3 0x7f3e0e43a2d1 in ~SegmentImpl /src/obj-firefox/dist/include/mozilla/SegmentedVector.h:74
    #4 0x7f3e0e43a2d1 in mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096ul, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) /src/obj-firefox/dist/include/mozilla/SegmentedVector.h:235
    #5 0x7f3e0e413ddc in mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) /src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:2703:15
    #6 0x7f3e0e4152c6 in mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) /src/xpcom/base/CycleCollectedJSRuntime.cpp:1277:17
    #7 0x7f3e0e415ebd in mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(mozilla::CycleCollectedJSContext::DeferredFinalizeType) /src/xpcom/base/CycleCollectedJSRuntime.cpp:1357:24
    #8 0x7f3e0e410276 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus) /src/xpcom/base/CycleCollectedJSRuntime.cpp:1416:7
    #9 0x7f3e1e9cdde7 in callGCCallback /src/js/src/gc/GC.cpp:1851:3
    #10 0x7f3e1e9cdde7 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus) /src/js/src/gc/GC.cpp:7412
    #11 0x7f3e1e9cef5f in ~AutoCallGCCallbacks /src/js/src/gc/GC.cpp:7391:32
    #12 0x7f3e1e9cef5f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) /src/js/src/gc/GC.cpp:7501
    #13 0x7f3e1e9d21d3 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) /src/js/src/gc/GC.cpp:7659:9
    #14 0x7f3e1e9dc48a in gc /src/js/src/gc/GC.cpp:7747:3
    #15 0x7f3e1e9dc48a in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) /src/js/src/gc/GC.cpp:8582
    #16 0x7f3e12fcb61d in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /src/dom/base/nsJSEnvironment.cpp:1146:5
    #17 0x7f3e159613e8 in mozilla::dom::FuzzingFunctions_Binding::garbageCollect(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:42:3
    #18 0x7f3e1d94a230 in CallJSNative /src/js/src/vm/Interpreter.cpp:443:13
    #19 0x7f3e1d94a230 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:535
    #20 0x7f3e1d92aad0 in CallFromStack /src/js/src/vm/Interpreter.cpp:594:10
    #21 0x7f3e1d92aad0 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3082
    #22 0x7f3e1d9146a8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:10
    #23 0x7f3e1d94aba3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:563:13
    #24 0x7f3e1d94c822 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:606:8
    #25 0x7f3e1e5ab128 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2655:10
    #26 0x7f3e1585436f in mozilla::dom::FontFaceSetForEachCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::FontFace&, mozilla::dom::FontFace&, mozilla::dom::FontFaceSet&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/FontFaceSetBinding.cpp:247:8

previously allocated by thread T0 (file:// Content) here:
    #0 0x55be39b63833 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55be39b9836d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:68:15
    #2 0x7f3e10f2db23 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
    #3 0x7f3e10f2db23 in mozilla::PeerConnectionImpl::Constructor(mozilla::dom::GlobalObject const&, mozilla::ErrorResult&) /src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:234
    #4 0x7f3e13d8fa6d in mozilla::dom::PeerConnectionImpl_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:2053:59
    #5 0x7f3e10ac76b3 in xpc::DOMXrayTraits::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) /src/js/xpconnect/wrappers/XrayWrapper.cpp:1787:12
    #6 0x7f3e1e665fed in js::Proxy::construct(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /src/js/src/proxy/Proxy.cpp:523:19
    #7 0x7f3e1d94cea8 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /src/js/src/vm/Interpreter.cpp:646:12
    #8 0x7f3e1d92a992 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3073:16
    #9 0x7f3e1d9146a8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:10
    #10 0x7f3e1d94aba3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:563:13
    #11 0x7f3e1d94c822 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:606:8
    #12 0x7f3e1e5ab128 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2655:10
    #13 0x7f3e13fd315d in mozilla::dom::RTCPeerConnectionJSImpl::__Init(mozilla::dom::RTCConfiguration const&, mozilla::dom::Optional<JS::Handle<JSObject*> > const&, mozilla::ErrorResult&, JS::Realm*) /src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:8721:8
    #14 0x7f3e13ff17c0 in mozilla::dom::RTCPeerConnection::Constructor(mozilla::dom::GlobalObject const&, JSContext*, mozilla::dom::RTCConfiguration const&, mozilla::dom::Optional<JS::Handle<JSObject*> > const&, mozilla::ErrorResult&, JS::Handle<JSObject*>) /src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:10096:16
    #15 0x7f3e141bc828 in mozilla::dom::RTCPeerConnection_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:6074:63
    #16 0x7f3e1d94d4d5 in CallJSNative /src/js/src/vm/Interpreter.cpp:443:13
    #17 0x7f3e1d94d4d5 in CallJSNativeConstructor /src/js/src/vm/Interpreter.cpp:459
    #18 0x7f3e1d94d4d5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /src/js/src/vm/Interpreter.cpp:652
    #19 0x7f3e1eb2de5d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:3744:10
    #20 0x1b357c4fa8f7  (<unknown module>)
    #21 0x631001534037  (<unknown module>)
    #22 0x1b357c4f84de  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /src/obj-firefox/dist/include/nsCOMPtr.h:823:48 in get
==16801==ABORTING

GetWindow does:
mParent->GetWindow();
It looks like mParent is a weak reference. (The reference to the window that mParent holds looks to be a strong one.)

Group: core-security → media-core-security
Keywords: sec-high

(The object being referred to is actually a PeerConnectionImpl, not a window.)
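Added example, not Firefox code, that models the lifetime pattern the two comments above describe: a raw back-pointer from the media object to its PeerConnectionImpl is read by an asynchronous proxy callback after JS GC finalization has already released the PeerConnectionImpl. Impl, Media, QueryProxy and RunScenario are hypothetical stand-in names; the hardened form has the parent null the back-pointer in its destructor and the callback check it before use.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Simulated event loop: work queued now, run later, like the async proxy resolver.
using Loop = std::vector<std::function<bool()>>;
struct Media;

// Stand-in for PeerConnectionImpl (hypothetical name). It owns its Media.
struct Impl {
  std::shared_ptr<Media> media;
  Impl();
  ~Impl();
  int GetWindowId() const { return 42; }  // stand-in for GetWindow(); 42 is constructed
};

// Stand-in for PeerConnectionMedia (hypothetical name).
struct Media {
  Impl* mParent;  // raw back-pointer: it does not keep Impl alive (the "weak reference")
  explicit Media(Impl* p) : mParent(p) {}
  // Hardened handler: a null mParent means the parent was already released, so
  // the callback declines instead of touching freed memory.
  bool SetProxyOnPcm() const {
    return mParent != nullptr && mParent->GetWindowId() == 42;
  }
  // The pattern in the report is the same handler without the null check:
  //   return mParent->GetWindowId() == 42;   // reads through a freed Impl
};

Impl::Impl() : media(std::make_shared<Media>(this)) {}
// Fix: the parent disconnects the back-pointer on its way out, so a deferred
// callback sees nullptr rather than a dangling pointer into reused memory.
Impl::~Impl() { media->mParent = nullptr; }

// Queue the proxy callback. The handler keeps Media alive (shared_ptr) but must
// not assume Impl is: Impl's lifetime is driven by JS GC finalization.
void QueryProxy(Loop& loop, std::shared_ptr<Media> m) {
  loop.push_back([m] { return m->SetProxyOnPcm(); });
}

// Scenario from the report: query issued, parent released by GC, callback runs later.
// Returns true only if the callback found a live parent.
bool RunScenario(bool releaseParentBeforeCallback) {
  Loop loop;
  auto impl = std::make_unique<Impl>();
  QueryProxy(loop, impl->media);
  if (releaseParentBeforeCallback) impl.reset();  // ~Impl nulls media->mParent
  bool ok = true;
  for (auto& cb : loop) ok = cb() && ok;
  return ok;
}
```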

This looks like a dupe of bug 1551836.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: media-core-security