Bug 1564273 - heap-use-after-free in [@ nsThreadManager::Shutdown]
Status: Closed; opened 5 years ago, closed 5 years ago
Categories: Core :: Graphics: WebRender, defect
Resolution: RESOLVED DUPLICATE of bug 1479273

 | Tracking | Status
---|---|---
firefox69 | --- | affected

People: Reporter: tsmith; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-uaf, testcase-wanted
Attachments: 1 file (3.97 KB, text/plain)

Description:
Found with m-c 20190707-483d687212fb
==52564==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000069f40 at pc 0x7f1f40a4cf25 bp 0x7ffcf685e8d0 sp 0x7ffcf685e8c8
READ of size 8 at 0x611000069f40 thread T0 (GPU Process)
#0 0x7f1f40a4cf24 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
#1 0x7f1f40a4cf24 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
#2 0x7f1f40a4cf24 in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:77
#3 0x7f1f40a4cf24 in Destruct /src/obj-firefox/dist/include/nsTArray.h:525
#4 0x7f1f40a4cf24 in DestructRange /src/obj-firefox/dist/include/nsTArray.h:2183
#5 0x7f1f40a4cf24 in ClearAndRetainStorage /src/obj-firefox/dist/include/nsTArray.h:1300
#6 0x7f1f40a4cf24 in ~nsTArray_Impl /src/obj-firefox/dist/include/nsTArray.h:881
#7 0x7f1f40a4cf24 in nsThreadManager::Shutdown() /src/xpcom/threads/nsThreadManager.cpp:318
#8 0x7f1f40ab5f79 in mozilla::ShutdownXPCOM(nsIServiceManager*) /src/xpcom/build/XPCOMInit.cpp:647:28
#9 0x7f1f4fac3c3f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:758:16
#10 0x561e59ae2113 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#11 0x561e59ae2113 in main /src/browser/app/nsBrowserApp.cpp:267
#12 0x7f1f6580bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x561e59a0364c in _start (/home/worker/builds/m-c-20190707211726-fuzzing-asan-opt/firefox+0x4564c)
0x611000069f40 is located 0 bytes inside of 232-byte region [0x611000069f40,0x61100006a028)
freed by thread T11 (WRWorker#6) here:
#0 0x561e59aaece2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7f1f40a3c7dc in nsThread::Release() /src/xpcom/threads/nsThread.cpp:191:1
#2 0x7f1f66cec88d in _PR_DestroyThreadPrivate /src/nsprpub/pr/src/threads/prtpd.c:237:25
#3 0x7f1f66cdcaf4 in _pt_thread_death_internal /src/nsprpub/pr/src/pthreads/ptthread.c:855:9
#4 0x7f1f66cdcd76 in _pt_thread_death /src/nsprpub/pr/src/pthreads/ptthread.c:828:5
#5 0x7f1f6692c407 in __nptl_deallocate_tsd.part.5 (/lib/x86_64-linux-gnu/libpthread.so.0+0x6407)
previously allocated by thread T11 (WRWorker#6) here:
#0 0x561e59aaf063 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x561e59ae3dcd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f1f40a43586 in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f1f40a43586 in nsThreadManager::GetCurrentThread() /src/xpcom/threads/nsThreadManager.cpp:376
#4 0x7f1f4ef74280 in profiler_register_thread(char const*, void*) /src/tools/profiler/core/platform.cpp:3777:9
#5 0x7f1f44040627 in gecko_profiler_register_thread /src/gfx/layers/wr/WebRenderBridgeParent.cpp:142:3
#6 0x7f1f520ac1c2 in webrender_bindings::bindings::wr_thread_pool_new::_$u7b$$u7b$closure$u7d$$u7d$::h9e0a5abfefaf5976 /src/gfx/webrender_bindings/src/bindings.rs:1046:12
Thread T11 (WRWorker#6) created by T0 (GPU Process) here:
#0 0x561e59a9763d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f1f527245b5 in std::sys::unix::thread::Thread::new::hba7601f1ccb9f089 /rustc/3c235d5600393dfe6c36eeed34042efad8d4f26e/src/libstd/sys/unix/thread.rs:68:18
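The report above is the reporter's raw AddressSanitizer output. The following is an added triage helper, not part of this bug or of the Firefox code base, that pulls the three stacks ASan prints (the bad access, the free, the allocation) out of such a report, looks past sanitizer interceptors, allocator wrappers, smart-pointer/container templates and NSPR/libc frames to name the first product frame in each, and flags the two properties that matter for this crash: the object was freed on a different thread from the one that touched it, and the free ran from thread-local-storage teardown at thread exit. The embedded input is a constructed, trimmed copy of the report in this bug; the plumbing path list, the allocator-wrapper names and the TLS-teardown function names are assumptions chosen for this Firefox tree and would need adjusting for other code bases.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed input: the report from this bug, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
==52564==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000069f40 at pc 0x7f1f40a4cf25 bp 0x7ffcf685e8d0 sp 0x7ffcf685e8c8
READ of size 8 at 0x611000069f40 thread T0 (GPU Process)
    #0 0x7f1f40a4cf24 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
    #7 0x7f1f40a4cf24 in nsThreadManager::Shutdown() /src/xpcom/threads/nsThreadManager.cpp:318
0x611000069f40 is located 0 bytes inside of 232-byte region [0x611000069f40,0x61100006a028)
freed by thread T11 (WRWorker#6) here:
    #0 0x561e59aaece2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f1f40a3c7dc in nsThread::Release() /src/xpcom/threads/nsThread.cpp:191:1
    #2 0x7f1f66cec88d in _PR_DestroyThreadPrivate /src/nsprpub/pr/src/threads/prtpd.c:237:25
previously allocated by thread T11 (WRWorker#6) here:
    #0 0x561e59aaf063 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x561e59ae3dcd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f1f40a43586 in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f1f40a43586 in nsThreadManager::GetCurrentThread() /src/xpcom/threads/nsThreadManager.cpp:376
Thread T11 (WRWorker#6) created by T0 (GPU Process) here:
    #0 0x561e59a9763d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
"""

THREAD = r"(T\d+(?: \([^)]*\))?)"  # e.g. "T11 (WRWorker#6)"
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread " + THREAD)
REGION_RE = re.compile(r"is located (\d+) bytes (?:inside|to the \w+) of (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread " + THREAD + " here:")
ALLOC_RE = re.compile(r"^previously allocated by thread " + THREAD + " here:")
CREATED_RE = re.compile(r"^Thread " + THREAD + " created by")
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")  # -> (function, location)

@dataclass
class Stack:
    thread: str
    frames: List[Tuple[str, str]] = field(default_factory=list)

def parse_asan_report(text: str) -> dict:
    """Extract bug type, the faulting access and the access/free/alloc stacks."""
    info: dict = {}
    current: Optional[Stack] = None  # stack that subsequent frame lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            info["bug_type"] = m.group(1)
        elif m := ACCESS_RE.match(line):
            info["access_kind"], info["access_size"] = m.group(1), int(m.group(2))
            info["access"] = current = Stack(m.group(3))
        elif m := REGION_RE.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif m := FREED_RE.match(line):
            info["freed"] = current = Stack(m.group(1))
        elif m := ALLOC_RE.match(line):
            info["allocated"] = current = Stack(m.group(1))
        elif CREATED_RE.match(line):
            current = None  # thread-creation stacks are not needed for triage
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.frames.append((m.group(1), m.group(2)))
    missing = {"bug_type", "access", "freed", "allocated", "region_size"} - set(info)
    if missing:
        raise ValueError(f"incomplete heap-use-after-free report, missing {sorted(missing)}")
    return info

# Frames to look past when naming the product code behind each event.
# Assumed for this Firefox tree; adjust the lists for other code bases.
PLUMBING_PATHS = ("/compiler-rt/", "/dist/include/", "/nsprpub/", "libpthread")
ALLOC_WRAPPERS = {"moz_xmalloc", "moz_xfree", "operator new", "operator delete"}
TLS_TEARDOWN = ("_PR_DestroyThreadPrivate", "_pt_thread_death", "__nptl_deallocate_tsd")

def blame_frame(stack: Stack) -> Optional[Tuple[str, str]]:
    """First frame in product code, skipping interceptors, allocator wrappers and plumbing."""
    for fn, loc in stack.frames:
        if fn.startswith("__interceptor_") or fn in ALLOC_WRAPPERS:
            continue
        if any(p in loc for p in PLUMBING_PATHS):
            continue
        return fn, loc
    return None

def freed_at_thread_exit(stack: Stack) -> bool:
    """True when the release that freed the object ran from a TLS destructor at thread exit."""
    return any(fn.startswith(TLS_TEARDOWN) for fn, _ in stack.frames)

def triage(text: str) -> dict:
    r = parse_asan_report(text)
    return {
        "bug_type": r["bug_type"],
        "access": f'{r["access_kind"]} of {r["access_size"]} bytes, {r["region_size"]}-byte object',
        "access_thread": r["access"].thread,
        "free_thread": r["freed"].thread,
        "cross_thread": r["access"].thread != r["freed"].thread,
        "freed_at_thread_exit": freed_at_thread_exit(r["freed"]),
        "access_site": blame_frame(r["access"]),
        "free_site": blame_frame(r["freed"]),
        "alloc_site": blame_frame(r["allocated"]),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run against the embedded report, the helper names nsThreadManager::Shutdown() as the access site, nsThread::Release() as the free site and nsThreadManager::GetCurrentThread() as the allocation site, and reports both cross_thread and freed_at_thread_exit as true: the nsThread was created on and released by the WebRender worker during its thread-local-storage teardown, while the main thread's thread list still held a reference that it released at shutdown. Those two flags are the signal to treat a report like this as a thread-lifetime race rather than a plain missing-null-check crash.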
Updated by reporter, 5 years ago:
Summary: nsThread::MaybeRemoveFromThreadList → heap-use-after-free in [@ nsThreadManager::Shutdown]

Comment 1 by reporter, 5 years ago

Updated 5 years ago:
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

Updated 6 months ago:
Group: gfx-core-security