AddressSanitizer: heap-use-after-free [@ mozilla::dom::MessagePortService::CloseAll] with READ of size 8
Categories
(Core :: DOM: Workers, defect, P1)
Tracking
()
People
(Reporter: jkratzer, Assigned: perry)
References
(Blocks 3 open bugs)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main72+r])
Crash Data
Attachments
(1 file)
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 4def8673359e on Windows 10. I'm waiting on a Windows license to validate the testcase and reduce it. I will provide an update once I've had a chance to test it.
==17780==ERROR: AddressSanitizer: heap-use-after-free on address 0x12585910bea0 at pc 0x7ffe09bac4c5 bp 0x00c72ebfdea0 sp 0x00c72ebfdee8
READ of size 8 at 0x12585910bea0 thread T27
#0 0x7ffe09bac4c4 in mozilla::dom::MessagePortService::CloseAll \src\dom\messagechannel\MessagePortService.cpp:266
#1 0x7ffe09bac1a2 in mozilla::dom::MessagePortService::CloseAll \src\dom\messagechannel\MessagePortService.cpp:291
#2 0x7ffe09babcd5 in mozilla::dom::MessagePortParent::ForceClose \src\dom\messagechannel\MessagePortParent.cpp:158
#3 0x7ffe09b583d7 in mozilla::dom::RemoteWorkerController::PendingSharedWorkerOp::Cancel \src\dom\workers\remoteworkers\RemoteWorkerController.cpp:372
#4 0x7ffe09b524e8 in mozilla::dom::RemoteWorkerController::CancelAllPendingOps \src\dom\workers\remoteworkers\RemoteWorkerController.cpp:148
#5 0x7ffe09b5194a in mozilla::dom::RemoteWorkerController::Shutdown \src\dom\workers\remoteworkers\RemoteWorkerController.cpp:163
#6 0x7ffe09b5f214 in mozilla::dom::RemoteWorkerParent::ActorDestroy \src\dom\workers\remoteworkers\RemoteWorkerParent.cpp:106
#7 0x7ffe01e9ae71 in mozilla::ipc::IProtocol::DestroySubtree \src\ipc\glue\ProtocolUtils.cpp:572
#8 0x7ffe01e9ad82 in mozilla::ipc::IProtocol::DestroySubtree \src\ipc\glue\ProtocolUtils.cpp:560
#9 0x7ffe029457c9 in mozilla::ipc::PBackgroundParent::OnChannelError \src\obj-firefox\ipc\ipdl\PBackgroundParent.cpp:6091
#10 0x7ffe01e8932d in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError \src\ipc\glue\MessageChannel.cpp:2653
#11 0x7ffe01ea5ac3 in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel *,void (mozilla::ipc::MessageChannel::*)(),0,mozilla::RunnableKind::Cancelable>::Run \src\xpcom\threads\nsThreadUtils.h:1176
#12 0x7ffe00c24c47 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
#13 0x7ffe00c2ebb8 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
#14 0x7ffe01e8efce in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:303
#15 0x7ffe01dce09e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
#16 0x7ffe01dcde35 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
#17 0x7ffe00c1cd26 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:458
#18 0x7ffe16d773dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
#19 0x7ffe16d473f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
#20 0x7ffe4445d9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
#21 0x7ffe1718f838 in __asan::AsanThread::ThreadStart Z:\task_1573467939\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262
#22 0x7ffe46107bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
#23 0x7ffe18ef4d8b in patched_BaseThreadInitThunk \src\mozglue\dllservices\WindowsDllBlocklist.cpp:564
#24 0x7ffe46cccee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)
0x12585910bea0 is located 48 bytes inside of 80-byte region [0x12585910be70,0x12585910bec0)
freed by thread T27 here:
#0 0x7ffe17184ae4 in free Z:\task_1573467939\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:85
#1 0x7ffe09bacb4e in mozilla::dom::MessagePortParent::~MessagePortParent \src\dom\messagechannel\MessagePortParent.cpp:23
#2 0x7ffe01b7bc8b in mozilla::net::NeckoChild::DeallocPChannelDiverterChild \src\netwerk\ipc\NeckoChild.cpp:279
#3 0x7ffe01e95ee9 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy \src\ipc\glue\ProtocolUtils.cpp:253
#4 0x7ffe0293f9e1 in mozilla::ipc::PBackgroundParent::ClearSubtree \src\obj-firefox\ipc\ipdl\PBackgroundParent.cpp:6417
#5 0x7ffe029457d1 in mozilla::ipc::PBackgroundParent::OnChannelError \src\obj-firefox\ipc\ipdl\PBackgroundParent.cpp:6092
#6 0x7ffe01e8932d in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError \src\ipc\glue\MessageChannel.cpp:2653
#7 0x7ffe01ea5ac3 in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel *,void (mozilla::ipc::MessageChannel::*)(),0,mozilla::RunnableKind::Cancelable>::Run \src\xpcom\threads\nsThreadUtils.h:1176
#8 0x7ffe00c24c47 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
#9 0x7ffe00c2ebb8 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
#10 0x7ffe01e8efce in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:303
#11 0x7ffe01dce09e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
#12 0x7ffe01dcde35 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
#13 0x7ffe00c1cd26 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:458
#14 0x7ffe16d773dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
#15 0x7ffe16d473f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
#16 0x7ffe4445d9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
#17 0x7ffe1718f838 in __asan::AsanThread::ThreadStart Z:\task_1573467939\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262
#18 0x7ffe46107bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
previously allocated by thread T27 here:
#0 0x7ffe17184bf4 in malloc Z:\task_1573467939\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:101
#1 0x7ffe18ef16cd in moz_xmalloc \src\memory\mozalloc\mozalloc.cpp:52
#2 0x7ffe01df6b52 in mozilla::ipc::BackgroundParentImpl::AllocPMessagePortParent \src\ipc\glue\BackgroundParentImpl.cpp:984
#3 0x7ffe0292340f in mozilla::ipc::PBackgroundParent::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundParent.cpp:4644
#4 0x7ffe01e85b8a in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2208
#5 0x7ffe01e816b8 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2130
#6 0x7ffe01e83875 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1972
#7 0x7ffe01e83f25 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2003
#8 0x7ffe00c24c47 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
#9 0x7ffe00c2ebb8 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
#10 0x7ffe01e8f12c in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:333
#11 0x7ffe01dce09e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
#12 0x7ffe01dcde35 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
#13 0x7ffe00c1cd26 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:458
#14 0x7ffe16d773dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
#15 0x7ffe16d473f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
#16 0x7ffe4445d9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
#17 0x7ffe1718f838 in __asan::AsanThread::ThreadStart Z:\task_1573467939\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262
#18 0x7ffe46107bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
Thread T27 created by T0 here:
#0 0x7ffe1719095c in __asan_wrap_CreateThread Z:\task_1573467939\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146
#1 0x7ffe4445d8d6 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x18001d8d6)
#2 0x7ffe16d4721d in _PR_MD_CREATE_THREAD \src\nsprpub\pr\src\md\windows\w95thred.c:153
#3 0x7ffe16d782ec in _PR_NativeCreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1058
#4 0x7ffe16d78c95 in _PR_CreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1184
#5 0x7ffe16d6b6ef in PR_CreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1404
#6 0x7ffe00c1fc37 in nsThread::Init \src\xpcom\threads\nsThread.cpp:673
#7 0x7ffe00c2d757 in nsThreadManager::NewNamedThread \src\xpcom\threads\nsThreadManager.cpp:550
#8 0x7ffe00c31f40 in NS_NewNamedThread \src\xpcom\threads\nsThreadUtils.cpp:139
#9 0x7ffe01e441ee in `anonymous namespace'::ParentImpl::CreateBackgroundThread \src\ipc\glue\BackgroundImpl.cpp:944
#10 0x7ffe01e4a7bf in `anonymous namespace'::ParentImpl::CreateActorHelper::Run \src\ipc\glue\BackgroundImpl.cpp:1263
#11 0x7ffe00c24c47 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
#12 0x7ffe00c2ebb8 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
#13 0x7ffe00c2e0f5 in nsThreadManager::SpinEventLoopUntilInternal \src\xpcom\threads\nsThreadManager.cpp:624
#14 0x7ffe11774ab1 in XPTC__InvokebyIndex+0x71 (C:\Users\Administrator\builds\asan\xul.dll+0x190e94ab1)
#15 0x7ffe02ce0a51 in XPCWrappedNative::CallMethod \src\js\xpconnect\src\XPCWrappedNative.cpp:1149
#16 0x7ffe02ce831e in XPC_WN_CallMethod \src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:946
#17 0x7ffe0ea504a4 in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:548
#18 0x7ffe0ea5369a in InternalCall \src\js\src\vm\Interpreter.cpp:617
#19 0x7ffe0ea347a4 in Interpret \src\js\src\vm\Interpreter.cpp:3119
#20 0x7ffe0ea1702a in js::RunScript \src\js\src\vm\Interpreter.cpp:423
#21 0x7ffe0ea50d75 in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:589
#22 0x7ffe0ea5369a in InternalCall \src\js\src\vm\Interpreter.cpp:617
#23 0x7ffe0ea538d2 in js::Call \src\js\src\vm\Interpreter.cpp:634
#24 0x7ffe0f0a1ecf in js::fun_apply \src\js\src\vm\JSFunction.cpp:1190
#25 0x7ffe0ea504a4 in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:548
#26 0x7ffe0ea5369a in InternalCall \src\js\src\vm\Interpreter.cpp:617
#27 0x7ffe0ea347a4 in Interpret \src\js\src\vm\Interpreter.cpp:3119
#28 0x7ffe0ea1702a in js::RunScript \src\js\src\vm\Interpreter.cpp:423
#29 0x7ffe0ea50d75 in js::InternalCallOrConstruct \src\js\src\vm\Interpreter.cpp:589
#30 0x7ffe0ea5369a in InternalCall \src\js\src\vm\Interpreter.cpp:617
#31 0x7ffe0ea538d2 in js::Call \src\js\src\vm\Interpreter.cpp:634
#32 0x7ffe0ec30626 in JS_CallFunctionValue \src\js\src\jsapi.cpp:2655
#33 0x7ffe02cce934 in nsXPCWrappedJS::CallMethod \src\js\xpconnect\src\XPCWrappedJSClass.cpp:956
#34 0x7ffe00c5e966 in PrepareAndDispatch \src\xpcom\reflect\xptcall\md\win32\xptcstubs_x86_64.cpp:181
#35 0x7ffe11774b08 in SharedStub+0x48 (C:\Users\Administrator\builds\asan\xul.dll+0x190e94b08)
#36 0x7ffe0e79d0f9 in nsXREDirProvider::DoStartup \src\toolkit\xre\nsXREDirProvider.cpp:952
#37 0x7ffe0e74ab21 in XREMain::XRE_mainRun \src\toolkit\xre\nsAppRunner.cpp:4397
#38 0x7ffe0e74f4ed in XREMain::XRE_main \src\toolkit\xre\nsAppRunner.cpp:4721
#39 0x7ffe0e751378 in XRE_main \src\toolkit\xre\nsAppRunner.cpp:4802
#40 0x7ff758c6234e in NS_internal_main \src\browser\app\nsBrowserApp.cpp:308
#41 0x7ff758c61501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
#42 0x7ff758d5da67 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#43 0x7ffe46107bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
#44 0x7ffe46cccee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)
SUMMARY: AddressSanitizer: heap-use-after-free \src\dom\messagechannel\MessagePortService.cpp:266 in mozilla::dom::MessagePortService::CloseAll
Shadow bytes around the buggy address:
0x049563c21780: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x049563c21790: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x049563c217a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
0x049563c217b0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x049563c217c0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
=>0x049563c217d0: fd fd fd fd[fd]fd fd fd fa fa fa fa fd fd fd fd
0x049563c217e0: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
0x049563c217f0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x049563c21800: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fa
0x049563c21810: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
0x049563c21820: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==17780==ABORTING
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Comment 1•5 years ago
|
||
I think I meant to needinfo Perry the other day but forgot.
Assignee | ||
Comment 2•5 years ago
|
||
The backtrace is a little mismatched. In particular, mozilla::net::NeckoChild::DeallocPChannelDiverterChild
doesn't seem to ever call mozilla::dom::MessagePortParent::~MessagePortParent
. The destructor is probably actually called by mozilla::ipc::BackgroundParentImpl::DeallocPMessagePortParent
.
I'd guess that at some point the call stack is (with the currently active stack frame first):
MessagePortService::CloseAll
MessagePortService::ParentDestroy
MessagePortParent::ActorDestroy
Shortly after, the data->mParent
, which is the this
of MessagePortParent::ActorDestroy
, seen in MessagePortService::CloseAll
becomes dangling when DeallocPMessagePortParent
runs (which should always happen after ActorDestroy
). Then the next call to MessagePortService::CloseAll
with the same arguments leads to UAF.
That's my best guess without being able to reproduce. I'll have a patch based on that hypothesis soon.
Assignee | ||
Comment 3•5 years ago
|
||
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Comment 4•5 years ago
|
||
Comment on attachment 9111458 [details]
Bug 1597481 - upgrade heap-allocated MessagePortParent*s to CheckedUnsafePtr<MessagePortParent> r?asuth
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Pretty unlikely; AFAICT it'd involve, at the very least, terminating a SharedWorker when there's events queued for it to handle but before it can actually handle those events, which probably relies on ordering of things and timing.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: None
- If not all supported branches, which bug introduced the flaw?: Bug 1231213
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: N/A
- How likely is this patch to cause regressions; how much testing does it need?: Highly unlikely. It nulls-out a pointer that isn't supposed to be used again and replaces raw pointer usage with a smart pointer class that crashes in non-release builds when attempting to use a free'd pointee, which should catch any (highly unlikely) regressions.
Comment 5•5 years ago
|
||
FYI: We have an unreduced test case but reduction is blocked by bug 1601166. If bug 1601166 is fixed before this bug we should be able to reduce it if we want to land a test case for this bug.
Assignee | ||
Comment 6•5 years ago
|
||
Hi Daniel, I'm wondering if this is still waiting on something to be reviewed for sec-approval or if someone will be able to take a look?
Comment 7•5 years ago
|
||
Comment on attachment 9111458 [details]
Bug 1597481 - upgrade heap-allocated MessagePortParent*s to CheckedUnsafePtr<MessagePortParent> r?asuth
Approved to land and request uplift
Comment 8•5 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/44298fb8f4e2
Looks like this grafts cleanly to Beta as-landed, so go ahead and request Beta approval on the attachment whenever you're comfortable doing so after it merges to m-c.
Comment 9•5 years ago
|
||
Backed out for build bustages in MessagePortService.cpp:
https://hg.mozilla.org/integration/autoland/rev/5979b9ae60c04db5fbbc1d55c0b173bc51d6e194
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&selectedJob=281420717&resultStatus=superseded%2Cretry%2Ctestfailed%2Cbusted%2Cexception%2Cusercancel&revision=44298fb8f4e295facdf395741b8500c6553afc3a
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=281418029&repo=autoland
dom/messagechannel/MessagePortService.cpp:48:27: error: 'mozilla::dom::MessagePortService::MessagePortServiceData' has a field 'mozilla::dom::MessagePortService::MessagePortServiceData::mNextParents' whose type uses the anonymous namespace [-Werror=subobject-linkage]
Updated•5 years ago
|
Updated•5 years ago
|
Comment 10•5 years ago
|
||
accidentally removed the needinfo for perry from comment 8
Updated•5 years ago
|
Comment 12•5 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/16f90eb0cbf3fad1dd1052ace7b9d0bf88d17a00
https://hg.mozilla.org/mozilla-central/rev/16f90eb0cbf3
Assignee | ||
Comment 14•5 years ago
|
||
Comment on attachment 9111458 [details]
Bug 1597481 - upgrade heap-allocated MessagePortParent*s to CheckedUnsafePtr<MessagePortParent> r?asuth
Beta/Release Uplift Approval Request
- User impact if declined: Possible undefined behavior in the implementation due to possible UAF.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Not risky because the patch's only logic change is that it prevents usage of a freed object.
- String changes made/needed:
Comment 15•5 years ago
|
||
Comment on attachment 9111458 [details]
Bug 1597481 - upgrade heap-allocated MessagePortParent*s to CheckedUnsafePtr<MessagePortParent> r?asuth
Approved for 72.0b8.
Comment 16•5 years ago
|
||
uplift |
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Reporter | ||
Updated•5 years ago
|
Updated•5 years ago
|
Updated•4 years ago
|
Description
•