Closed Bug 1610884 Opened 4 years ago Closed 4 years ago

heap-buffer-overflow (READ of size 8) in mozilla::dom::quota::QuotaObject::LockedMaybeUpdateSize

Categories: Core :: Storage: Quota Manager (defect)
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Tracking: RESOLVED DUPLICATE of bug 1610880
People: Reporter: geeknik; Unassigned

Details

Whilst browsing the web using Firefox Nightly (ASAN built from https://hg.mozilla.org/mozilla-central/rev/be3a05f615a557fd4c5171f789cc460688d9c3b8), the browser crashed. I had 38 tabs open; it's hard to say which one triggered this.

==325169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0006702b8 at pc 0x7f21ae50605b bp 0x7f2104ef68b0 sp 0x7f2104ef68a8
READ of size 8 at 0x60f0006702b8 thread T40 (IPDL Background)
    #0 0x7f21ae50605a in mozilla::dom::quota::QuotaObject::LockedMaybeUpdateSize(long, bool) /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3285:39
    #1 0x7f21ae504084 in mozilla::dom::quota::QuotaObject::MaybeUpdateSize(long, bool) /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3226:10
    #2 0x7f21af392100 in UpdateUsage /builds/worker/workspace/build/src/dom/localstorage/ActorsParent.cpp:5503:24
    #3 0x7f21af392100 in NoteInactiveDatabase /builds/worker/workspace/build/src/dom/localstorage/ActorsParent.cpp:4941:28
    #4 0x7f21af392100 in UnregisterSnapshot /builds/worker/workspace/build/src/dom/localstorage/ActorsParent.cpp:5680:15
    #5 0x7f21af392100 in mozilla::dom::(anonymous namespace)::Snapshot::Finish() /builds/worker/workspace/build/src/dom/localstorage/ActorsParent.cpp:5965:14
    #6 0x7f21af38fde9 in mozilla::dom::(anonymous namespace)::Snapshot::RecvFinish() /builds/worker/workspace/build/src/dom/localstorage/ActorsParent.cpp:6122:3
    #7 0x7f21a887aa32 in mozilla::dom::PBackgroundLSSnapshotParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundLSSnapshotParent.cpp:215:28
    #8 0x7f21a8896cbd in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:3522:32
    #9 0x7f21a7f5d206 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2214:25
    #10 0x7f21a7f59502 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2136:9
    #11 0x7f21a7f5b0f9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1975:3
    #12 0x7f21a7f5b727 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2006:13
    #13 0x7f21a6dfad59 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #14 0x7f21a6e04281 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7f21a7f659a3 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:332:5
    #16 0x7f21a7e893e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f21a7e893e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #18 0x7f21a7e893e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #19 0x7f21a6df4736 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:464:10
    #20 0x7f21bd6cb288 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f21c08a44e1 in start_thread (/lib64/libpthread.so.0+0x94e1)
    #22 0x7f21c0465692 in clone (/lib64/libc.so.6+0x101692)

Address 0x60f0006702b8 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3285:39 in mozilla::dom::quota::QuotaObject::LockedMaybeUpdateSize(long, bool)
Shadow bytes around the buggy address:
  0x0c1e800c6000: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e800c6010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e800c6020: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1e800c6050: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c1e800c6060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c60a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
Thread T40 (IPDL Background) created by T0 here:
    #0 0x55f8b1ebf33a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f21bd6b9663 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f21bd6a368e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f21a6df6d33 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:670:8
    #4 0x7f21a6e03461 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:621:12
    #5 0x7f21a6e06f43 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f21a7f1fd79 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:69:10
    #7 0x7f21a7f1fd79 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:943:7
    #8 0x7f21a7eea125 in CreateActorForSameProcess /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:853:32
    #9 0x7f21a7eea125 in GetOrCreateForCurrentThread /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1455:9
    #10 0x7f21a7eea125 in mozilla::ipc::BackgroundChild::GetOrCreateForCurrentThread(nsIEventTarget*) /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:657:10
    #11 0x7f21ad29d3d7 in mozilla::dom::ClientManager::ClientManager() /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:50:7
    #12 0x7f21ad2a0180 in mozilla::dom::ClientManager::GetOrCreateForCurrentThread() /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:208:14
    #13 0x7f21ad291cea in mozilla::dom::ClientManager::CreateSource(mozilla::dom::ClientType, nsISerialEventTarget*, nsIPrincipal*) /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:264:31
    #14 0x7f21b281c43a in nsDocShell::MaybeCreateInitialClientSource(nsIPrincipal*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:2504:26
    #15 0x7f21b285016f in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, nsIURI*, bool, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6597:5
    #16 0x7f21b285133c in CreateAboutBlankContentViewer /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6655:10
    #17 0x7f21b285133c in non-virtual thunk to nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #18 0x7f21b291853d in mozilla::AppWindow::Initialize(nsIAppWindow*, nsIAppWindow*, nsIURI*, int, int, bool, nsIRemoteTab*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/workspace/build/src/xpfe/appshell/AppWindow.cpp:297:21
    #19 0x7f21b293dec3 in nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, nsIRemoteTab*, mozIDOMWindowProxy*, mozilla::AppWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:668:25
    #20 0x7f21b293f36d in nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIRemoteTab*, mozIDOMWindowProxy*, nsIAppWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:172:8
    #21 0x7f21b3228073 in nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIRemoteTab*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:629:15
    #22 0x7f21b33f729d in CreateChromeWindow /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:419:33
    #23 0x7f21b33f729d in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:904:12
    #24 0x7f21b33f4822 in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:292:3
    #25 0x7f21a6e37351 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #26 0x7f21a8b8ce24 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1643:10
    #27 0x7f21a8b8ce24 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1184:19
    #28 0x7f21a8b8ce24 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1150:23
    #29 0x7f21a8b92ec4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
    #30 0x7f21b3719c9e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452:13
    #31 0x7f21b3719c9e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:544:12
    #32 0x7f21b3702e1d in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:612:10
    #33 0x7f21b3702e1d in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3021:16
    #34 0x7f21b36e5cb5 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #35 0x7f21b371a5d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:13
    #36 0x7f21b371c5a9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:8
    #37 0x7f21b38b737b in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2734:10
    #38 0x7f21a8b7d568 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:956:17
    #39 0x7f21a6e389e1 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
    #40 0x7f21a6e378ea in SharedStub (/home/geeknik/firefox/libxul.so+0x22fd8ea)
    #41 0x7f21b2ede5e6 in nsCommandLine::EnumerateHandlers(nsresult (*)(nsICommandLineHandler*, nsICommandLine*, void*), void*) /builds/worker/workspace/build/src/toolkit/components/commandlines/nsCommandLine.cpp:448:10
    #42 0x7f21b2edfb2a in nsCommandLine::Run() /builds/worker/workspace/build/src/toolkit/components/commandlines/nsCommandLine.cpp:503:8
    #43 0x7f21b349ff37 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4537:19
    #44 0x7f21b34a25ee in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4740:8
    #45 0x7f21b34a3a10 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4821:21
    #46 0x55f8b1f07511 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #47 0x55f8b1f07511 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
    #48 0x7f21c038b1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)

==325169==ABORTING
Flags: sec-bounty?
Group: core-security → dom-core-security
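As an added triage aid (this is example code written for this page, not part of the bug report and not Mozilla's code), the script below takes the ASan error line and the shadow-byte dump quoted above, recomputes the shadow address with ASan's default x86_64 Linux mapping (shadow = (addr >> 3) + 0x7fff8000; that this build uses the default mapping is an assumption), decodes the byte with the legend printed in the report, and then walks backwards over heap redzone bytes (0xfa) to the nearest granule that belonged to an object. For this report it lands on the "fd" granule at the end of a freed chunk and shows the faulting 8-byte read sits 432 bytes past that chunk's end, in redzone no allocation covers, which is consistent with ASan reporting the address as a wild pointer rather than attributing it to a chunk.

```python
"""Locate and decode the ASan shadow byte behind a reported fault (example, not Mozilla code)."""
import re

# Assumption: ASan's default x86_64 Linux mapping, shadow = (addr >> 3) + 0x7fff8000,
# one shadow byte per 8 application bytes.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

# Legend copied from the report; 0x01..0x07 mean "partially addressable".
SHADOW_LEGEND = {
    0x00: "Addressable", 0xfa: "Heap left redzone", 0xfd: "Freed heap region",
    0xf1: "Stack left redzone", 0xf2: "Stack mid redzone", 0xf3: "Stack right redzone",
    0xf5: "Stack after return", 0xf8: "Stack use after scope", 0xf9: "Global redzone",
    0xf6: "Global init order", 0xf7: "Poisoned by user", 0xfc: "Container overflow",
    0xac: "Array cookie", 0xbb: "Intra object redzone", 0xfe: "ASan internal",
    0xca: "Left alloca redzone", 0xcb: "Right alloca redzone", 0xcc: "Shadow gap",
}

# Error line and shadow dump quoted from the ASan report in this bug.
REPORT = """\
==325169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0006702b8 at pc 0x7f21ae50605b bp 0x7f2104ef68b0 sp 0x7f2104ef68a8
READ of size 8 at 0x60f0006702b8 thread T40 (IPDL Background)
Shadow bytes around the buggy address:
  0x0c1e800c6000: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e800c6010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e800c6020: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1e800c6050: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c1e800c6060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e800c6070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

_ROW = re.compile(r"^(?:=>)?[ \t]*0x([0-9a-f]+):((?:[ \t]*\[?[0-9a-f]{2}\]?){16})[ \t]*$", re.M)


def shadow_addr(app):
    return (app >> SHADOW_SCALE) + SHADOW_OFFSET


def app_addr(shadow):
    """Start of the 8-byte application granule covered by a shadow byte."""
    return (shadow - SHADOW_OFFSET) << SHADOW_SCALE


def decode_shadow_byte(b):
    if 1 <= b <= 7:
        return f"Partially addressable ({b} of 8 bytes)"
    return SHADOW_LEGEND.get(b, f"unknown (0x{b:02x})")


def parse_shadow_rows(report):
    """Map each 16-byte shadow row base to its byte values ('[..]' marks the fault)."""
    rows = {}
    for m in _ROW.finditer(report):
        rows[int(m.group(1), 16)] = [int(x, 16) for x in re.findall(r"[0-9a-f]{2}", m.group(2))]
    return rows


def shadow_byte_at(rows, shadow):
    base = shadow & ~0xF
    return rows[base][shadow - base]


def nearest_object_before(rows, shadow):
    """Walk back over heap redzone (0xfa) to the first granule that belonged to an object."""
    lo = min(rows)
    s = shadow
    while s >= lo and shadow_byte_at(rows, s) == 0xfa:
        s -= 1
    return (s, shadow_byte_at(rows, s)) if s >= lo else None


def triage(report):
    m = re.search(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", report)
    kind, addr = m.group(1), int(m.group(2), 16)
    rows = parse_shadow_rows(report)
    sh = shadow_addr(addr)
    b = shadow_byte_at(rows, sh)
    result = {"kind": kind, "address": addr, "shadow_addr": sh,
              "shadow_byte": b, "meaning": decode_shadow_byte(b)}
    obj = nearest_object_before(rows, sh)
    if obj is not None:
        obj_end = app_addr(obj[0]) + (1 << SHADOW_SCALE)  # end of that granule
        result.update(nearest_object_state=decode_shadow_byte(obj[1]),
                      nearest_object_end=obj_end,
                      distance_past_end=addr - obj_end)
    return result


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k}: {v:#x}" if isinstance(v, int) else f"{k}: {v}")
```

The backward walk only answers "what is the closest thing behind this address in the dumped window"; it does not prove the read came from that freed chunk. Combined with the stack (a freed object reached from a snapshot teardown) it narrows triage, but the actual cause is whatever bug 1610880 identifies.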

If you're not modifying Firefox code it might be easier to take part in the "ASAN Nightly" project. Bugs will be filed automatically, and if we can figure out how to fix random crashes we still pay bounties (if you put your email in a pref to let us know).

https://developer.mozilla.org/en-US/docs/Mozilla/Testing/ASan_Nightly_Project

See Also: → CVE-2020-6805

The stack here is exactly the same as the other, but just the error as detected by ASAN is slightly different. These are dupes.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Duplicate

Flags: sec-bounty? → sec-bounty-
Group: dom-core-security