Closed Bug 1606364 Opened 4 years ago Closed 4 years ago

heap-use-after-free in [@ mozilla::dom::`anonymous namespace'::ReportErrorRunnable::WorkerRun]

Categories: Core :: DOM: Workers, defect, P1
Platform: Unspecified / Windows
Tracking: RESOLVED DUPLICATE of bug 1601024
People: Reporter: tsmith, Unassigned
References: Blocks 2 open bugs
Keywords: crash, csectype-uaf, sec-high

Found with m-c 20191126-3d8cfd4a935d

This was seen once by the fuzzers and is not reproducible. Logging for visibility; if nothing can be done, please feel free to close. If a reliable test case is found, it will be attached.

==12880==ERROR: AddressSanitizer: heap-use-after-free on address 0x1206ea26a0e0 at pc 0x7ff9a678ae46 bp 0x0034811fd9e0 sp 0x0034811fda28
WRITE of size 8 at 0x1206ea26a0e0 thread T0
    #0 0x7ff9a678ae45 in mozilla::dom::`anonymous namespace'::ReportErrorRunnable::WorkerRun \src\dom\workers\WorkerError.cpp
    #1 0x7ff9a67c62ac in mozilla::dom::WorkerRunnable::Run \src\dom\workers\WorkerRunnable.cpp:369
    #2 0x7ff99d872912 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable \src\xpcom\threads\ThrottledEventQueue.cpp:252
    #3 0x7ff99d872373 in mozilla::ThrottledEventQueue::Inner::Executor::Run \src\xpcom\threads\ThrottledEventQueue.cpp:80
    #4 0x7ff99d84a1e7 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
    #5 0x7ff99d854118 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #6 0x7ff99eab775f in mozilla::ipc::MessagePump::Run \src\ipc\glue\MessagePump.cpp:88
    #7 0x7ff99e9f9dee in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #8 0x7ff99e9f9b85 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #9 0x7ff9a70a4aba in nsBaseAppShell::Run \src\widget\nsBaseAppShell.cpp:137
    #10 0x7ff9a72400c8 in nsAppShell::Run \src\widget\windows\nsAppShell.cpp:406
    #11 0x7ff9ab3f9ea8 in XRE_RunAppShell \src\toolkit\xre\nsEmbedFunctions.cpp:934
    #12 0x7ff99e9f9dee in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #13 0x7ff99e9f9b85 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #14 0x7ff9ab3f908a in XRE_InitChildProcess \src\toolkit\xre\nsEmbedFunctions.cpp:769
    #15 0x7ff7aaaf213e in NS_internal_main \src\browser\app\nsBrowserApp.cpp:272
    #16 0x7ff7aaaf1501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
    #17 0x7ff7aabedb07 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #18 0x7ff9e42c7bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
    #19 0x7ff9e4cccee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)

0x1206ea26a0e0 is located 96 bytes inside of 248-byte region [0x1206ea26a080,0x1206ea26a178)
freed by thread T15 here:
    #0 0x7ff9b40c4ae4 in free Z:\task_1574438993\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:85
    #1 0x7ff9a6803aec in mozilla::dom::RemoteWorkerChild::~RemoteWorkerChild \src\dom\workers\remoteworkers\RemoteWorkerChild.cpp:266
    #2 0x7ff99ea1ed90 in mozilla::ipc::BackgroundChildImpl::DeallocPRemoteWorkerChild \src\ipc\glue\BackgroundChildImpl.cpp:344
    #3 0x7ff99eabf8f9 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy \src\ipc\glue\ProtocolUtils.cpp:253
    #4 0x7ff99f007312 in mozilla::ipc::PBackgroundChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundChild.cpp:5877
    #5 0x7ff99eaaf59a in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2208
    #6 0x7ff99eaab0c8 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2130
    #7 0x7ff99eaad285 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1972
    #8 0x7ff99eaad935 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2003
    #9 0x7ff99d84a1e7 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
    #10 0x7ff99d854118 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #11 0x7ff99eab8b3c in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:333
    #12 0x7ff99e9f9dee in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #13 0x7ff99e9f9b85 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #14 0x7ff99d8423c6 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:458
    #15 0x7ff9b3cb73dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
    #16 0x7ff9b3c873f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
    #17 0x7ff9e1fad9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
    #18 0x7ff9b40cf838 in __asan::AsanThread::ThreadStart Z:\task_1574438993\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262

previously allocated by thread T15 here:
    #0 0x7ff9b40c4bf4 in malloc Z:\task_1574438993\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:101
    #1 0x7ff9b79016cd in moz_xmalloc \src\memory\mozalloc\mozalloc.cpp:52
    #2 0x7ff99ea1ec0b in mozilla::ipc::BackgroundChildImpl::AllocPRemoteWorkerChild \src\ipc\glue\BackgroundChildImpl.cpp:328
    #3 0x7ff99f008f73 in mozilla::ipc::PBackgroundChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PBackgroundChild.cpp:6245
    #4 0x7ff99eaaf59a in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2208
    #5 0x7ff99eaab0c8 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2130
    #6 0x7ff99eaad285 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1972
    #7 0x7ff99eaad935 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2003
    #8 0x7ff99d84a1e7 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
    #9 0x7ff99d854118 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #10 0x7ff99eab8b3c in mozilla::ipc::MessagePumpForNonMainThreads::Run \src\ipc\glue\MessagePump.cpp:333
    #11 0x7ff99e9f9dee in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #12 0x7ff99e9f9b85 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #13 0x7ff99d8423c6 in nsThread::ThreadFunc \src\xpcom\threads\nsThread.cpp:458
    #14 0x7ff9b3cb73dd in _PR_NativeRunThread \src\nsprpub\pr\src\threads\combined\pruthr.c:399
    #15 0x7ff9b3c873f4 in pr_root \src\nsprpub\pr\src\md\windows\w95thred.c:139
    #16 0x7ff9e1fad9f1 in o_strncat_s+0x71 (C:\Windows\System32\ucrtbase.dll+0x18001d9f1)
    #17 0x7ff9b40cf838 in __asan::AsanThread::ThreadStart Z:\task_1574438993\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:262
    #18 0x7ff9e42c7bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)

Thread T15 created by T0 here:
    #0 0x7ff9b40d095c in __asan_wrap_CreateThread Z:\task_1574438993\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146
    #1 0x7ff9e1fad8d6 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x18001d8d6)
    #2 0x7ff9b3c8721d in _PR_MD_CREATE_THREAD \src\nsprpub\pr\src\md\windows\w95thred.c:153
    #3 0x7ff9b3cb82ec in _PR_NativeCreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1058
    #4 0x7ff9b3cb8c95 in _PR_CreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1184
    #5 0x7ff9b3cab6ef in PR_CreateThread \src\nsprpub\pr\src\threads\combined\pruthr.c:1404
    #6 0x7ff99d845257 in nsThread::Init \src\xpcom\threads\nsThread.cpp:673
    #7 0x7ff99d852cb7 in nsThreadManager::NewNamedThread \src\xpcom\threads\nsThreadManager.cpp:550
    #8 0x7ff99d8574a0 in NS_NewNamedThread \src\xpcom\threads\nsThreadUtils.cpp:139
    #9 0x7ff9a680188c in mozilla::dom::RemoteWorkerService::InitializeOnMainThread \src\dom\workers\remoteworkers\RemoteWorkerService.cpp:82
    #10 0x7ff9a6801234 in mozilla::dom::RemoteWorkerService::Initialize \src\dom\workers\remoteworkers\RemoteWorkerService.cpp:49
    #11 0x7ff9a656844b in mozilla::dom::ContentChild::InitXPCOM \src\dom\ipc\ContentChild.cpp:1353
    #12 0x7ff9a65680cf in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes \src\dom\ipc\ContentChild.cpp:628
    #13 0x7ff99ed00c1b in mozilla::dom::PContentChild::OnMessageReceived \src\obj-firefox\ipc\ipdl\PContentChild.cpp:10564
    #14 0x7ff99eaaf59a in mozilla::ipc::MessageChannel::DispatchAsyncMessage \src\ipc\glue\MessageChannel.cpp:2208
    #15 0x7ff99eaab0c8 in mozilla::ipc::MessageChannel::DispatchMessage \src\ipc\glue\MessageChannel.cpp:2130
    #16 0x7ff99eaad285 in mozilla::ipc::MessageChannel::RunMessage \src\ipc\glue\MessageChannel.cpp:1972
    #17 0x7ff99eaad935 in mozilla::ipc::MessageChannel::MessageTask::Run \src\ipc\glue\MessageChannel.cpp:2003
    #18 0x7ff99d84a1e7 in nsThread::ProcessNextEvent \src\xpcom\threads\nsThread.cpp:1250
    #19 0x7ff99d854118 in NS_ProcessNextEvent \src\xpcom\threads\nsThreadUtils.cpp:486
    #20 0x7ff99eab775f in mozilla::ipc::MessagePump::Run \src\ipc\glue\MessagePump.cpp:88
    #21 0x7ff99e9f9dee in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #22 0x7ff99e9f9b85 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #23 0x7ff9a70a4aba in nsBaseAppShell::Run \src\widget\nsBaseAppShell.cpp:137
    #24 0x7ff9a72400c8 in nsAppShell::Run \src\widget\windows\nsAppShell.cpp:406
    #25 0x7ff9ab3f9ea8 in XRE_RunAppShell \src\toolkit\xre\nsEmbedFunctions.cpp:934
    #26 0x7ff99e9f9dee in MessageLoop::RunHandler \src\ipc\chromium\src\base\message_loop.cc:308
    #27 0x7ff99e9f9b85 in MessageLoop::Run \src\ipc\chromium\src\base\message_loop.cc:290
    #28 0x7ff9ab3f908a in XRE_InitChildProcess \src\toolkit\xre\nsEmbedFunctions.cpp:769
    #29 0x7ff7aaaf213e in NS_internal_main \src\browser\app\nsBrowserApp.cpp:272
    #30 0x7ff7aaaf1501 in wmain \src\toolkit\xre\nsWindowsWMain.cpp:131
    #31 0x7ff7aabedb07 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #32 0x7ff9e42c7bd3 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017bd3)
    #33 0x7ff9e4cccee0 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x18006cee0)
Keywords: sec-high

The stacks here look similar to those in bug 1601024 (remote worker error handling).

See Also: → 1601024
Priority: -- → P1

(In reply to Andrew McCreight [:mccr8] from comment #1)

> The stacks here look similar to those in bug 1601024 (remote worker error handling).

:perry, can you confirm? It's a dupe?

Flags: needinfo?(perry)

Comparing both stacks, I'm pretty confident this is a dupe.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(perry)
Resolution: --- → DUPLICATE
Group: dom-core-security