Closed Bug 1631622 Opened 4 years ago Closed 4 years ago

[TALOS-2020-1054] use-after-free in nsISHEntry

Categories: Core :: DOM: Navigation, defect

Tracking: RESOLVED DUPLICATE of bug 1620818

People: Reporter: dveditz, Unassigned

Details: Keywords: crash, csectype-uaf, testcase

Attachments: 2 files

Mozilla Firefox nsISHEntry Code Execution Vulnerability

An exploitable code execution vulnerability exists in the nsISHEntry object of Mozilla Firefox 76.0a1 (2020-03-20) x64. A specially crafted web page can trigger a use-after-free vulnerability, resulting in code execution. A victim needs to visit a malicious web page to trigger this vulnerability.

Tested Versions

Mozilla Firefox 76.0a1 (2020-03-20) x64

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Details

This vulnerability is related to the nsISHEntry component, which is part of docShell.
A malicious web page can lead to a race condition that causes a use-after-free vulnerability and remote code execution.

Tracking the life cycle of an nsISHEntry object, we first see where it is allocated:

	previously allocated by thread T0 (Web Content) here:
		#0 0x55c991736b0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
		#1 0x55c99176c4fd in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
		#2 0x7f6bb409ebb2 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
		#3 0x7f6bb409ebb2 in mozilla::dom::CreateSHEntryForDocShell(nsISHistory*) /builds/worker/checkouts/gecko/docshell/shistory/ChildSHistory.cpp:126:32
		#4 0x7f6bb4045fbf in nsDocShell::AddToSessionHistory(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, bool, nsISHEntry**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11091:13
		#5 0x7f6bb403237a in nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, unsigned int, nsIContentSecurityPolicy*, bool, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:10559:13
		#6 0x7f6bb403316c in nsDocShell::OnLoadingSite(nsIChannel*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:10621:10
		#7 0x7f6bb3fcf7bb in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7711:33
		#8 0x7f6bb3fcd73b in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:199:20
		#9 0x7f6bac07ae4d in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:632:18
		#10 0x7f6bac078607 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:313:9
		#11 0x7f6bac07706d in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:191:8
		#12 0x7f6baacd96d2 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:710:20
		#13 0x7f6baace33fe in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:556:3
		#14 0x7f6baad4793b in operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:410:15
		#15 0x7f6baad4793b in std::_Function_handler<void (), mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&)::$_6>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
		#16 0x7f6baabaa7a9 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:260:10
		#17 0x7f6baace1d80 in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:400:12
		#18 0x7f6bab58d261 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PHttpChannelChild.cpp:862:28
		#19 0x7f6bab40899e in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8314:32
		#20 0x7f6bab26413c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
		#21 0x7f6bab261255 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
		#22 0x7f6bab2626cf in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
		#23 0x7f6bab262ede in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
		#24 0x7f6baa1bdf0d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:282:20
		#25 0x7f6baa1f18ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
		#26 0x7f6baa1fc35c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
		#27 0x7f6bab26be6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
		#28 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#29 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#30 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
		#31 0x7f6bb128eff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
		#32 0x7f6bb4a35cb6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
		#33 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#34 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#35 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3

Later, the nsISHEntry object is deallocated:

	0x60e0000e8000 is located 0 bytes inside of 160-byte region [0x60e0000e8000,0x60e0000e80a0)
	freed by thread T0 (Web Content) here:
		#0 0x55c99173688d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
		#1 0x7f6bb40aee86 in nsSHEntry::Release() /builds/worker/checkouts/gecko/docshell/shistory/nsSHEntry.cpp:81:1
		#2 0x7f6bb3fdc2d4 in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:330:7
		#3 0x7f6bb3fdc2d4 in nsDocShell::~nsDocShell() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:479:1
		#4 0x7f6bb3fddc6d in nsDocShell::~nsDocShell() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:440:27
		#5 0x7f6baa02fc32 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2417:7
		#6 0x7f6baa02f088 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2605:3
		#7 0x7f6baa03693d in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3573:3
		#8 0x7f6baa03618b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3402:9
		#9 0x7f6baa03960e in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3900:21
		#10 0x7f6bad58eb14 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1537:3
		#11 0x7f6baebfcc11 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:68:3
		#12 0x7f6bb4c689e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:476:13
		#13 0x7f6bb4c689e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:568:12
		#14 0x7f6bb4c6a69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
		#15 0x7f6bb4c5104a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:635:10
		#16 0x7f6bb4c5104a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3026:16
		#17 0x7f6bb4c36ff3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:10
		#18 0x7f6bb4c68aca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:603:13
		#19 0x7f6bb4c6a69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
		#20 0x7f6bb4c6a919 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:8
		#21 0x7f6bb4e1a022 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2790:10
		#22 0x7f6bae9f6668 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
		#23 0x7f6baf5f4757 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
		#24 0x7f6baf5f2930 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
		#25 0x7f6baf5b830e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1079:22
		#26 0x7f6baf5b9dce in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
		#27 0x7f6baf5a695f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
		#28 0x7f6baf5a4eb1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
		#29 0x7f6baf5a9989 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
		#30 0x7f6bb183668e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1157:7
		#31 0x7f6bb401ff73 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6071:20
		#32 0x7f6bb401f17e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5854:7

Because of incorrect reference handling, the freed nsISHEntry object (mOSHE) is accessed again during destruction of the docShell object:

	==18500==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000e8000 at pc 0x7f6bb400232a bp 0x7ffeb29d8660 sp 0x7ffeb29d8658
	READ of size 8 at 0x60e0000e8000 thread T0 (Web Content)
		#0 0x7f6bb4002329 in SynchronizeLayoutHistoryState /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:3294:12
		#1 0x7f6bb4002329 in non-virtual thunk to nsDocShell::SynchronizeLayoutHistoryState() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
		#2 0x7f6bb182ead2 in nsDocumentViewer::Close(nsISHEntry*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1669:44
		#3 0x7f6bb182df5d in nsDocumentViewer::~nsDocumentViewer() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:627:5
		#4 0x7f6bb183031d in nsDocumentViewer::~nsDocumentViewer() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:625:39
		#5 0x7f6bb182db66 in nsDocumentViewer::Release() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:613:1
		#6 0x7f6bb3fdc5f7 in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:330:7
		#7 0x7f6bb3fdc5f7 in nsDocShell::~nsDocShell() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:479:1
		#8 0x7f6bb3fddc6d in nsDocShell::~nsDocShell() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:440:27
		#9 0x7f6baa02fc32 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2417:7
		#10 0x7f6baa02f088 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2605:3
		#11 0x7f6baa03693d in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3573:3
		#12 0x7f6baa03618b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3402:9
		#13 0x7f6baa03960e in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3900:21
		#14 0x7f6bad58eb14 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1537:3
		#15 0x7f6baebfcc11 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:68:3
		#16 0x7f6bb4c689e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:476:13
		#17 0x7f6bb4c689e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:568:12
		#18 0x7f6bb4c6a69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
		#19 0x7f6bb4c5104a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:635:10
		#20 0x7f6bb4c5104a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3026:16
		#21 0x7f6bb4c36ff3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:10
		#22 0x7f6bb4c68aca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:603:13
		#23 0x7f6bb4c6a69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
		#24 0x7f6bb4c6a919 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:8
		#25 0x7f6bb4e1a022 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2790:10
		#26 0x7f6bae9f6668 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
		#27 0x7f6baf5f4757 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
		#28 0x7f6baf5f2930 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
		#29 0x7f6baf5b830e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1079:22
		#30 0x7f6baf5b9dce in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
		#31 0x7f6baf5a695f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
		#32 0x7f6baf5a4eb1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
		#33 0x7f6baf5a9989 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
		#34 0x7f6bb183668e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1157:7
		#35 0x7f6bb401ff73 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6071:20
		#36 0x7f6bb401f17e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5854:7
		#37 0x7f6bb40224af in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
		#38 0x7f6bac06ed80 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348:3
		#39 0x7f6bac06db6c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:907:14
		#40 0x7f6bac06a52c in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:727:9
		#41 0x7f6bac06c863 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:615:5
		#42 0x7f6bac06d6fc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
		#43 0x7f6baa482d4b in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:611:22
		#44 0x7f6baa4859c7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
		#45 0x7f6bad2cc41f in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10762:18
		#46 0x7f6bad282f4c in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10694:9
		#47 0x7f6bad2a778c in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7360:3
		#48 0x7f6bad3743f4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1158:12
		#49 0x7f6bad3743f4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:12
		#50 0x7f6bad3743f4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1210:13
		#51 0x7f6baa1bdf0d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:282:20
		#52 0x7f6baa1f18ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
		#53 0x7f6baa1fc35c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
		#54 0x7f6bab26be6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
		#55 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#56 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#57 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
		#58 0x7f6bb128eff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
		#59 0x7f6bb4a35cb6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
		#60 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#61 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#62 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
		#63 0x7f6bb4a3536a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
		#64 0x55c99176920f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
		#65 0x55c99176920f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
		#66 0x7f6bc3ab11e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
		#67 0x55c9916bebbc in _start (/ramdisk/bin/firefox/firefox+0x9ebbc)

With suitable heap grooming, an attacker could gain full control of this use-after-free and turn it into arbitrary code execution.
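The three traces above describe a teardown-order bug: in ~nsDocShell the reference to mOSHE is released first, and only afterwards is the content viewer released, whose Close() calls back into nsDocShell::SynchronizeLayoutHistoryState() and reads the freed entry. The following model is an added illustration of that pattern and of the safe ordering, not Gecko code: the class and member names (DocShell, DocumentViewer, SHEntry, mOSHE) are borrowed from the report, and the Tracker arena stands in for AddressSanitizer so the dangling read can be counted instead of being undefined behaviour.

```cpp
// Added example (not Gecko code): a minimal model of the teardown-order bug
// in the report. The Tracker keeps "released" entries alive in an arena so
// that a read of a freed entry is counted rather than crashing.
#include <memory>
#include <string>
#include <vector>

struct Tracker;

// Minimal refcounted session-history entry (the report's nsISHEntry).
struct SHEntry {
  explicit SHEntry(Tracker* t);
  void Release();
  Tracker* tracker;
  int refcnt = 1;           // the creating DocShell holds the only reference
  bool alive = true;        // false once the last reference is dropped
  std::string layoutState;  // what SynchronizeLayoutHistoryState() writes
};

// Stand-in for ASan's bookkeeping: owns the memory so a dangling read is
// observable instead of undefined behaviour.
struct Tracker {
  std::vector<std::unique_ptr<SHEntry>> arena;
  int liveEntries = 0;
  int danglingReads = 0;
  int syncedLayouts = 0;
  SHEntry* NewEntry() {
    arena.push_back(std::unique_ptr<SHEntry>(new SHEntry(this)));
    return arena.back().get();
  }
};

SHEntry::SHEntry(Tracker* t) : tracker(t) { ++tracker->liveEntries; }

void SHEntry::Release() {
  if (--refcnt == 0) {  // in Gecko the object is freed at this point
    alive = false;
    --tracker->liveEntries;
  }
}

class DocShell;

// Like nsDocumentViewer, the viewer keeps a back-pointer to its container and
// calls into it from Close(), which its destructor runs.
class DocumentViewer {
 public:
  explicit DocumentViewer(DocShell* container) : mContainer(container) {}
  ~DocumentViewer() { Close(); }
  void Close();
 private:
  DocShell* mContainer;
  bool mClosed = false;
};

class DocShell {
 public:
  explicit DocShell(Tracker* t)
      : mTracker(t), mOSHE(t->NewEntry()), mContentViewer(new DocumentViewer(this)) {}

  // The order the ASan report shows: mOSHE is released first, then the viewer,
  // whose Close() reads mOSHE again through the still-set pointer.
  void DestroyInReportedOrder() {
    mOSHE->Release();       // entry "freed"; the pointer is left dangling
    delete mContentViewer;  // ~DocumentViewer -> Close() -> SynchronizeLayoutHistoryState()
    mContentViewer = nullptr;
  }

  // Safe order: close the viewer while the entry is still alive, then drop the
  // reference and clear the pointer so nothing can reach the entry afterwards.
  void DestroySafely() {
    delete mContentViewer;
    mContentViewer = nullptr;
    mOSHE->Release();
    mOSHE = nullptr;
  }

  // Models nsDocShell::SynchronizeLayoutHistoryState(). A null check alone does
  // not help in the reported order because the pointer is dangling, not null.
  void SynchronizeLayoutHistoryState() {
    if (!mOSHE) return;
    if (!mOSHE->alive) {  // the read ASan flags as heap-use-after-free
      ++mTracker->danglingReads;
      return;
    }
    mOSHE->layoutState = "saved";
    ++mTracker->syncedLayouts;
  }

 private:
  Tracker* mTracker;
  SHEntry* mOSHE;
  DocumentViewer* mContentViewer;
};

void DocumentViewer::Close() {
  if (mClosed) return;
  mClosed = true;
  if (mContainer) mContainer->SynchronizeLayoutHistoryState();
}

struct Outcome { int danglingReads; int syncedLayouts; int liveEntries; };

// Builds one shell and tears it down in the requested order.
Outcome RunTeardown(bool safeOrder) {
  Tracker t;
  DocShell shell(&t);
  if (safeOrder) shell.DestroySafely(); else shell.DestroyInReportedOrder();
  return Outcome{t.danglingReads, t.syncedLayouts, t.liveEntries};
}
```

RunTeardown(false) records one dangling read and no saved layout state; RunTeardown(true) saves the state once and leaves no live entries.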

### Crash Information

The crash information is the AddressSanitizer heap-use-after-free report (thread T0, address 0x60e0000e8000) quoted in full above.
		#50 0x7f6bad3743f4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1210:13
		#51 0x7f6baa1bdf0d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:282:20
		#52 0x7f6baa1f18ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
		#53 0x7f6baa1fc35c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
		#54 0x7f6bab26be6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
		#55 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#56 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#57 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
		#58 0x7f6bb128eff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
		#59 0x7f6bb4a35cb6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
		#60 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#61 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#62 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
		#63 0x7f6bb4a3536a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
		#64 0x55c99176920f in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
		#65 0x55c99176920f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
		#66 0x7f6bc3ab11e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
		#67 0x55c9916bebbc in _start (/ramdisk/bin/firefox/firefox+0x9ebbc)

	0x60e0000e8000 is located 0 bytes inside of 160-byte region [0x60e0000e8000,0x60e0000e80a0)
	freed by thread T0 (Web Content) here:
		#0 0x55c99173688d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
		#1 0x7f6bb40aee86 in nsSHEntry::Release() /builds/worker/checkouts/gecko/docshell/shistory/nsSHEntry.cpp:81:1
		#2 0x7f6bb3fdc2d4 in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:330:7
		#3 0x7f6bb3fdc2d4 in nsDocShell::~nsDocShell() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:479:1
		#4 0x7f6bb3fddc6d in nsDocShell::~nsDocShell() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:440:27
		#5 0x7f6baa02fc32 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2417:7
		#6 0x7f6baa02f088 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2605:3
		#7 0x7f6baa03693d in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3573:3
		#8 0x7f6baa03618b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3402:9
		#9 0x7f6baa03960e in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3900:21
		#10 0x7f6bad58eb14 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1537:3
		#11 0x7f6baebfcc11 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:68:3
		#12 0x7f6bb4c689e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:476:13
		#13 0x7f6bb4c689e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:568:12
		#14 0x7f6bb4c6a69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
		#15 0x7f6bb4c5104a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:635:10
		#16 0x7f6bb4c5104a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3026:16
		#17 0x7f6bb4c36ff3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:10
		#18 0x7f6bb4c68aca in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:603:13
		#19 0x7f6bb4c6a69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
		#20 0x7f6bb4c6a919 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:8
		#21 0x7f6bb4e1a022 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2790:10
		#22 0x7f6bae9f6668 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
		#23 0x7f6baf5f4757 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
		#24 0x7f6baf5f2930 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
		#25 0x7f6baf5b830e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1079:22
		#26 0x7f6baf5b9dce in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
		#27 0x7f6baf5a695f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
		#28 0x7f6baf5a4eb1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
		#29 0x7f6baf5a9989 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
		#30 0x7f6bb183668e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1157:7
		#31 0x7f6bb401ff73 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6071:20
		#32 0x7f6bb401f17e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5854:7

	previously allocated by thread T0 (Web Content) here:
		#0 0x55c991736b0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
		#1 0x55c99176c4fd in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
		#2 0x7f6bb409ebb2 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
		#3 0x7f6bb409ebb2 in mozilla::dom::CreateSHEntryForDocShell(nsISHistory*) /builds/worker/checkouts/gecko/docshell/shistory/ChildSHistory.cpp:126:32
		#4 0x7f6bb4045fbf in nsDocShell::AddToSessionHistory(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, bool, nsISHEntry**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11091:13
		#5 0x7f6bb403237a in nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, unsigned int, nsIContentSecurityPolicy*, bool, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:10559:13
		#6 0x7f6bb403316c in nsDocShell::OnLoadingSite(nsIChannel*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:10621:10
		#7 0x7f6bb3fcf7bb in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7711:33
		#8 0x7f6bb3fcd73b in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:199:20
		#9 0x7f6bac07ae4d in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:632:18
		#10 0x7f6bac078607 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:313:9
		#11 0x7f6bac07706d in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:191:8
		#12 0x7f6baacd96d2 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:710:20
		#13 0x7f6baace33fe in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:556:3
		#14 0x7f6baad4793b in operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:410:15
		#15 0x7f6baad4793b in std::_Function_handler<void (), mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&)::$_6>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
		#16 0x7f6baabaa7a9 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:260:10
		#17 0x7f6baace1d80 in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:400:12
		#18 0x7f6bab58d261 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PHttpChannelChild.cpp:862:28
		#19 0x7f6bab40899e in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8314:32
		#20 0x7f6bab26413c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
		#21 0x7f6bab261255 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
		#22 0x7f6bab2626cf in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
		#23 0x7f6bab262ede in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
		#24 0x7f6baa1bdf0d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:282:20
		#25 0x7f6baa1f18ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
		#26 0x7f6baa1fc35c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
		#27 0x7f6bab26be6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
		#28 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#29 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#30 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
		#31 0x7f6bb128eff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
		#32 0x7f6bb4a35cb6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
		#33 0x7f6bab198fe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
		#34 0x7f6bab198fe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
		#35 0x7f6bab198fe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3

	SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:3294:12 in SynchronizeLayoutHistoryState
	Shadow bytes around the buggy address:
	  0x0c1c80014fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
	  0x0c1c80014fc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
	  0x0c1c80014fd0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
	  0x0c1c80014fe0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
	  0x0c1c80014ff0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
	=>0x0c1c80015000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
	  0x0c1c80015010: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
	  0x0c1c80015020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
	  0x0c1c80015030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
	  0x0c1c80015040: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
	  0x0c1c80015050: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
	Shadow byte legend (one shadow byte represents 8 application bytes):
	  Addressable:           00
	  Partially addressable: 01 02 03 04 05 06 07 
	  Heap left redzone:       fa
	  Freed heap region:       fd
	  Stack left redzone:      f1
	  Stack mid redzone:       f2
	  Stack right redzone:     f3
	  Stack after return:      f5
	  Stack use after scope:   f8
	  Global redzone:          f9
	  Global init order:       f6
	  Poisoned by user:        f7
	  Container overflow:      fc
	  Array cookie:            ac
	  Intra object redzone:    bb
	  ASan internal:           fe
	  Left alloca redzone:     ca
	  Right alloca redzone:    cb
	  Shadow gap:              cc
	==18500==ABORTING

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.
https://talosintelligence.com/vulnerability_reports/

Couldn't reproduce a crash with the POC, but I was not using an ASAN build. Maybe under ASAN the error is detected even without their memory-munging harness files (parts of the test harness appear to be missing).

I am also unable to reproduce the issue with an ASan build.

So this is about the chemspill? Looks like bug 1620818 to me at first glance.

Component: DOM: Core & HTML → DOM: Navigation

But what is nice that we have at least some testcase here. I'll try to reproduce without the patch for bug 1620818.
(feel free to do the same :))

Looks like the test relies on FuzzingFunctions

No luck reproducing with or without the patch from bug 1620818.

Tyson, could you perhaps try to reproduce without the patch for bug 1620818?

Flags: needinfo?(twsmith)

I retried with m-c 20200315-7eedc316b2c7 (ASan fuzzing build for FuzzingFunctions) still no luck.

Flags: needinfo?(twsmith)

Marcin: we are having trouble reproducing your crash: The testcase appears to be calling into test harness functions that aren't present (e.g. window.gc(), which seems probably relevant to a use-after-free vuln :-) )

This particular crash looks like one we fixed in our recent out-of-cycle 74.0.1 release:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6819

Bug details are still private, but the crashing stack was the same. The fix was
https://hg.mozilla.org/mozilla-central/rev/8755eccf58cd6bd4fc1f00e6bcf45681d41da314

Flags: needinfo?(manoga)

Same as with the second crash, I was not able to reproduce it either.
The .html file should not be missing anything. I think I left window.gc() in because it's in the freememory function in domato by default ;).

One thing I can add here, and which could have an influence especially in the case of this bug, is that the attached testcase was loaded in an iframe during fuzzing.
I'm loading 10 testcases one after another, and after the 10th I restart the browser. Looking into the log I see that the attached testcase was 9th in the queue.
I've been loading all of these testcases from the queue in the same order but without results.

> This particular crash looks like one we fixed in our recent out-of-cycle 74.0.1 release:
> https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6819

Yeah, when I saw that advisory I thought it might be the same root cause but was not sure.

Flags: needinfo?(manoga)

Although it could be different since no one can reproduce even before our patch, this stack is identical to the one we recently fixed in 74.0.1 so it does seem a pretty clear duplicate.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Can we get access to that duplicate?

Marcin, you don't happen to record the testcases run in the browser prior to this testcase do you? If so, could you also attach them here?

Flags: needinfo?(manoga)
Attached file testcases.zip
Flags: needinfo?(manoga)

(In reply to Jason Kratzer [:jkratzer] from comment #11)

> Marcin, you don't happen to record the testcases run in the browser prior to this testcase do you? If so, could you also attach them here?

I have, package attached. The order is the opposite of the file numbers, so they have been executed: 8, 7, ... 0.
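
Added example (not part of the Talos report or of any comment in this bug): a minimal reproduction harness for the situation described in the comments above, where a domato-generated testcase calls a harness helper such as window.gc() that is not present, and where the reporter's fuzzer loaded the testcases one after another in an iframe, from the highest file number down. Assumptions, not confirmed by this page: that the fuzzing build exposes FuzzingFunctions.garbageCollect() and FuzzingFunctions.cycleCollect() (the ASan free stack above shows FuzzingFunctions_Binding::cycleCollect, so the cycle-collect hook at least is real) behind the fuzzing.enabled pref; the t8.html-style file names are made up.

```javascript
// Added example, not code from the Talos report or from this bug.
// Assumptions (labelled): Firefox fuzzing builds expose
// FuzzingFunctions.garbageCollect() / FuzzingFunctions.cycleCollect() when the
// fuzzing.enabled pref is set; file names below are invented.

// Define window.gc() on `g` (normally `window`) if the testcase's harness did
// not supply it. Returns which collector hooks were actually found, so a
// reproduction log can state whether a real GC/CC ran or only the fallback.
function installHarnessShim(g) {
  const ff = g.FuzzingFunctions;
  const hooks = {
    gc: !!ff && typeof ff.garbageCollect === "function",
    cc: !!ff && typeof ff.cycleCollect === "function",
  };
  if (typeof g.gc !== "function") {
    g.gc = function gc() {
      if (hooks.gc) ff.garbageCollect();
      if (hooks.cc) ff.cycleCollect(); // the nsSHEntry in this report was freed from a CC
      if (!hooks.gc && !hooks.cc) {
        // No collector hook (release build): create allocation pressure instead.
        // This gives no guarantee that a collection actually ran.
        let junk = [];
        for (let i = 0; i < 2000; i++) junk.push(new Array(512).fill(i));
        junk = null;
      }
      return hooks;
    };
  }
  return hooks;
}

// Drive one iframe through a list of testcases in order, calling `betweenLoads`
// (e.g. () => window.gc()) after each load completes. Event-driven rather than
// promise-based so the sequencing can be checked without a browser.
class TestcaseSequencer {
  constructor(frame, urls, betweenLoads) {
    this.frame = frame;
    this.pending = urls.slice();
    this.loaded = [];
    this.betweenLoads = betweenLoads;
    this.onFrameLoad = this.onFrameLoad.bind(this);
  }
  start() {
    this.frame.onload = this.onFrameLoad;
    this.advance();
    return this;
  }
  // Load the next testcase; false when the queue is exhausted.
  advance() {
    if (this.pending.length === 0) return false;
    this.frame.src = this.pending.shift();
    return true;
  }
  onFrameLoad() {
    this.loaded.push(this.frame.src);
    this.betweenLoads(this.frame.src);
    return this.advance();
  }
  done() {
    return this.pending.length === 0;
  }
}

// The order the reporter describes: files run from the highest number down (8, 7, ... 0).
function reporterOrder(names) {
  const num = (n) => {
    const m = n.match(/(\d+)/);
    return m ? parseInt(m[1], 10) : -1;
  };
  return names.slice().sort((a, b) => num(b) - num(a));
}
```

In a fuzzing build, call installHarnessShim(window) in the top-level page before the iframe is created, then new TestcaseSequencer(frame, reporterOrder(files), () => window.gc()).start(), leaving frame.onload to the sequencer. Checking the returned hooks object tells you whether a real GC and CC were triggered between testcases or whether only the allocation fallback ran, which is the first thing to verify when a fuzzer-found UAF does not reproduce.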

Please provide us access to bug 1620818

Flags: needinfo?(dveditz)

Jason, is comment 13 (+attachment) what you needed?

vulndev: done.

Flags: needinfo?(dveditz) → needinfo?(jkratzer)

Yes. I tried reproducing using the cache with ASAN, TSAN, and with MOZ_CHAOSMODE. No luck unfortunately.

Flags: needinfo?(jkratzer)
Group: dom-core-security