Closed Bug 1605897 Opened 4 years ago Closed 4 years ago

heap-use-after-free in [@ mozilla::dom::RemoteWorkerChild::ErrorPropagationOnMainThread]

Categories: Core :: DOM: Workers, defect
Priority: Not set
Severity: normal
Tracking: RESOLVED DUPLICATE of bug 1601024
People: Reporter: tsmith, Unassigned
References: Blocks 2 open bugs
Details: Keywords: crash, csectype-uaf

This has been seen a few times by the fuzzers. This report is from build m-c 20191224-03fe3d76bd48.

Unfortunately it is not reproducible at this time. If we are able to collect and reduce a testcase we will attach it.

==3508==ERROR: AddressSanitizer: heap-use-after-free on address 0x11e2795ea280 at pc 0x7ffaf85884aa bp 0x00a921bfd8e0 sp 0x00a921bfd928
READ of size 8 at 0x11e2795ea280 thread T0
    #0 0x7ffaf85884a9 in mozilla::dom::RemoteWorkerChild::ErrorPropagationOnMainThread \src\dom\workers\remoteworkers\RemoteWorkerChild.cpp:670
    #1 0x7ffaf8524201 in mozilla::dom::`anonymous namespace'::ReportErrorRunnable::WorkerRun \src\dom\workers\WorkerError.cpp:91
    #2 0x7ffaf855fa0c in mozilla::dom::WorkerRunnable::Run \src\dom\workers\WorkerRunnable.cpp:369
    #3 0x7ffaef4c30a2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable \src\xpcom\threads\ThrottledEventQueue.cpp:252
    #4 0x7ffaef4c2b03 in mozilla::ThrottledEventQueue::Inner::Executor::Run \src\xpcom\threads\ThrottledEventQueue.cpp:80
    #5 0x7ffaef498228 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1241
    #6 0x7ffaef4a4858 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #7 0x7ffaf074468f in mozilla::ipc::MessagePump::Run \src\ipc\glue\MessagePump.cpp:87
    #8 0x7ffaf068617e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #9 0x7ffaf0685f15 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #10 0x7ffaf8e41aea in nsBaseAppShell::Run \src\widget\nsBaseAppShell.cpp:137
    #11 0x7ffaf8fdf068 in nsAppShell::Run \src\widget\windows\nsAppShell.cpp:406
    #12 0x7ffafd1a1c08 in XRE_RunAppShell \src\toolkit\xre\nsEmbedFunctions.cpp:946
    #13 0x7ffaf068617e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #14 0x7ffaf0685f15 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #15 0x7ffafd1a0cd6 in XRE_InitChildProcess \src\toolkit\xre\nsEmbedFunctions.cpp:781
    #16 0x7ff6a6ec2142 in NS_internal_main \src\browser\app\nsBrowserApp.cpp:303
    #17 0x7ff6a6ec1501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
    #18 0x7ff6a6fbcd17 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #19 0x7ffb35857bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
    #20 0x7ffb35b2cee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)

0x11e2795ea280 is located 192 bytes inside of 248-byte region [0x11e2795ea1c0,0x11e2795ea2b8)
freed by thread T15 here:
    #0 0x7ffb061b4ae4 in free Z:\task_1576855953\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:85
    #1 0x7ffaf859d6cc in mozilla::dom::RemoteWorkerChild::~RemoteWorkerChild \src\dom\workers\remoteworkers\RemoteWorkerChild.cpp:261
    #2 0x7ffaf06aaea0 in mozilla::ipc::BackgroundChildImpl::DeallocPRemoteWorkerChild \src\ipc\glue\BackgroundChildImpl.cpp:344
    #3 0x7ffaf074c829 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy \src\ipc\glue\ProtocolUtils.cpp:253
    #4 0x7ffaf0cc5342 in mozilla::ipc::PBackgroundChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundChild.cpp:5877
    #5 0x7ffaf073c4cb in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2212
    #6 0x7ffaf0737ff9 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2134
    #7 0x7ffaf073a1b6 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1973
    #8 0x7ffaf073a866 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2004
    #9 0x7ffaef498228 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1241
    #10 0x7ffaef4a4858 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #11 0x7ffaf0745a6c in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:332
    #12 0x7ffaf068617e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #13 0x7ffaf0685f15 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #14 0x7ffaef4904f5 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:459
    #15 0x7ffb05b473dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
    #16 0x7ffb05b173f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
    #17 0x7ffb32e2d9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
    #18 0x7ffb061bf838 in __asan::AsanThread::ThreadStart Z:\task_1576855953\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262

previously allocated by thread T15 here:
    #0 0x7ffb061b4bf4 in malloc Z:\task_1576855953\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:101
    #1 0x7ffb05fc16dd in moz_xmalloc \src\memory\mozalloc\mozalloc.cpp:52
    #2 0x7ffaf06aad1b in mozilla::ipc::BackgroundChildImpl::AllocPRemoteWorkerChild \src\ipc\glue\BackgroundChildImpl.cpp:328
    #3 0x7ffaf0cc6fa3 in mozilla::ipc::PBackgroundChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundChild.cpp:6245
    #4 0x7ffaf073c4cb in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2212
    #5 0x7ffaf0737ff9 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2134
    #6 0x7ffaf073a1b6 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1973
    #7 0x7ffaf073a866 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2004
    #8 0x7ffaef498228 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1241
    #9 0x7ffaef4a4858 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #10 0x7ffaf0745a6c in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:332
    #11 0x7ffaf068617e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #12 0x7ffaf0685f15 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #13 0x7ffaef4904f5 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:459
    #14 0x7ffb05b473dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
    #15 0x7ffb05b173f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
    #16 0x7ffb32e2d9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
    #17 0x7ffb061bf838 in __asan::AsanThread::ThreadStart Z:\task_1576855953\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262
    #18 0x7ffb35857bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)

Thread T15 created by T0 here:
    #0 0x7ffb061c095c in __asan_wrap_CreateThread Z:\task_1576855953\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146
    #1 0x7ffb32e2d8d6 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x18001d8d6)
    #2 0x7ffb05b1721d in _PR_MD_CREATE_THREAD \src\nsprpub\pr\src\md\windows\w95thred.c:153
    #3 0x7ffb05b482ec in _PR_NativeCreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1058
    #4 0x7ffb05b48c95 in _PR_CreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1184
    #5 0x7ffb05b3b6ef in PR_CreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1404
    #6 0x7ffaef493387 in nsThread::Init \src\xpcom\threads\nsThread.cpp:675
    #7 0x7ffaef4a33f7 in nsThreadManager::NewNamedThread \src\xpcom\threads\nsThreadManager.cpp:617
    #8 0x7ffaef4a7660 in NS_NewNamedThread \src\xpcom\threads\nsThreadUtils.cpp:139
    #9 0x7ffaf859b46c in mozilla::dom::RemoteWorkerService::InitializeOnMainThread \src\dom\workers\remoteworkers\RemoteWorkerService.cpp:82
    #10 0x7ffaf859ae14 in mozilla::dom::RemoteWorkerService::Initialize \src\dom\workers\remoteworkers\RemoteWorkerService.cpp:49
    #11 0x7ffaf82eed9e in mozilla::dom::ContentChild::InitXPCOM \src\dom\ipc\ContentChild.cpp:1353
    #12 0x7ffaf82ee9cf in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes \src\dom\ipc\ContentChild.cpp:626
    #13 0x7ffaf09954a5 in mozilla::dom::PContentChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PContentChild.cpp:10756
    #14 0x7ffaf073c4cb in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2212
    #15 0x7ffaf0737ff9 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2134
    #16 0x7ffaf073a1b6 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1973
    #17 0x7ffaf073a866 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2004
    #18 0x7ffaef498228 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1241
    #19 0x7ffaef4a4858 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #20 0x7ffaf074468f in mozilla::ipc::MessagePump::Run \src\ipc\glue\MessagePump.cpp:87
    #21 0x7ffaf068617e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #22 0x7ffaf0685f15 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #23 0x7ffaf8e41aea in nsBaseAppShell::Run \src\widget\nsBaseAppShell.cpp:137
    #24 0x7ffaf8fdf068 in nsAppShell::Run \src\widget\windows\nsAppShell.cpp:406
    #25 0x7ffafd1a1c08 in XRE_RunAppShell \src\toolkit\xre\nsEmbedFunctions.cpp:946
    #26 0x7ffaf068617e in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #27 0x7ffaf0685f15 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #28 0x7ffafd1a0cd6 in XRE_InitChildProcess \src\toolkit\xre\nsEmbedFunctions.cpp:781
    #29 0x7ff6a6ec2142 in NS_internal_main \src\browser\app\nsBrowserApp.cpp:303
    #30 0x7ff6a6ec1501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
    #31 0x7ff6a6fbcd17 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #32 0x7ffb35857bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
    #33 0x7ffb35b2cee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)

Maybe this is just a dupe of bug 1601024.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security