Open Bug 1658947 Opened 5 years ago Updated 4 months ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:230:31 in Id

Categories: Core :: DOM: Device Interfaces, defect

Tracking Status: firefox81 --- disabled

People: Reporter: jkratzer, Unassigned

References: Blocks 2 open bugs

Details: Keywords: crash, csectype-uaf, testcase; Whiteboard: [bugmon:bisected,confirmed]

Attachments: 2 files

Testcase found while fuzzing mozilla-central rev 32ec11f12a62. I'm currently reducing the testcase and will attach once complete.

=================================================================
==28623==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000319128 at pc 0x7f7ee1d029a3 bp 0x7ffd6c0524d0 sp 0x7ffd6c0524c8
READ of size 4 at 0x608000319128 thread T0 (Web Content)
    #0 0x7f7ee1d029a2 in Id /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:230:31
    #1 0x7f7ee1d029a2 in mozilla::dom::PGamepadTestChannelChild::SendShutdownChannel() /builds/worker/workspace/obj-build/ipc/ipdl/PGamepadTestChannelChild.cpp:79:68
    #2 0x7f7ee696d5b3 in DestroyPBackgroundActor /gecko/dom/gamepad/GamepadServiceTest.cpp:83:11
    #3 0x7f7ee696d5b3 in mozilla::dom::GamepadServiceTest::Shutdown() /gecko/dom/gamepad/GamepadServiceTest.cpp:53:3
    #4 0x7f7ee43e8e2c in mozilla::dom::Navigator::Invalidate() /gecko/dom/base/Navigator.cpp:217:26
    #5 0x7f7ee43e94d0 in mozilla::dom::Navigator::cycleCollection::Unlink(void*) /gecko/dom/base/Navigator.cpp:135:8
    #6 0x7f7ee019b934 in nsCycleCollector::CollectWhite() /gecko/xpcom/base/nsCycleCollector.cpp:3083:26
    #7 0x7f7ee019e416 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3432:24
    #8 0x7f7ee019dfb5 in nsCycleCollector::ShutdownCollect() /gecko/xpcom/base/nsCycleCollector.cpp:3352:20
    #9 0x7f7ee019fe96 in nsCycleCollector::Shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3641:5
    #10 0x7f7ee01a1c03 in nsCycleCollector_shutdown(bool) /gecko/xpcom/base/nsCycleCollector.cpp:3956:18
    #11 0x7f7ee03ca21b in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:721:3
    #12 0x7f7eec5ae3fc in XRE_TermEmbedding() /gecko/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #13 0x7f7ee174bf22 in mozilla::ipc::ScopedXREEmbed::Stop() /gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #14 0x7f7eec5af344 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:748:16
    #15 0x555c2ee49433 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #16 0x555c2ee49433 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #17 0x7f7efd6a00b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #18 0x555c2ed9dd99 in _start (/home/worker/builds/m-c-20200812155527-fuzzing-asan-opt/firefox+0xa4d99)

0x608000319128 is located 8 bytes inside of 88-byte region [0x608000319120,0x608000319178)
freed by thread T0 (Web Content) here:
    #0 0x555c2ee164cd in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f7ee1671325 in mozilla::ipc::BackgroundChildImpl::DeallocPGamepadTestChannelChild(mozilla::dom::PGamepadTestChannelChild*) /gecko/ipc/glue/BackgroundChildImpl.cpp:631:3
    #2 0x7f7ee1742041 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /gecko/ipc/glue/ProtocolUtils.cpp:276:11
    #3 0x7f7ee1dd5436 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:862:3
    #4 0x7f7ee1dd5436 in mozilla::ipc::PBackgroundChild::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6827:9
    #5 0x7f7ee1dcef6a in mozilla::ipc::PBackgroundChild::OnChannelClose() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6602:5
    #6 0x7f7ee1733d12 in mozilla::ipc::MessageChannel::Close() /gecko/ipc/glue/MessageChannel.cpp:2713:3
    #7 0x7f7ee16c27f5 in (anonymous namespace)::ChildImpl::ThreadLocalDestructor(void*) /gecko/ipc/glue/BackgroundImpl.cpp:1627:32
    #8 0x7f7ee16d191b in Shutdown /gecko/ipc/glue/BackgroundImpl.cpp:341:9
    #9 0x7f7ee16d191b in Shutdown /gecko/ipc/glue/BackgroundImpl.cpp:1503:38
    #10 0x7f7ee16d191b in (anonymous namespace)::ChildImpl::ShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) /gecko/ipc/glue/BackgroundImpl.cpp:1658:3
    #11 0x7f7ee02147c3 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverList.cpp:65:19
    #12 0x7f7ee021be22 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverService.cpp:287:19
    #13 0x7f7ee03c9ffd in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:640:24
    #14 0x7f7eec5ae3fc in XRE_TermEmbedding() /gecko/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #15 0x7f7ee174bf22 in mozilla::ipc::ScopedXREEmbed::Stop() /gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #16 0x7f7eec5af344 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:748:16
    #17 0x555c2ee49433 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #18 0x555c2ee49433 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #19 0x7f7efd6a00b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 (Web Content) here:
    #0 0x555c2ee1674d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x555c2ee4c83d in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f7ee696d3f9 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f7ee696d3f9 in mozilla::dom::GamepadServiceTest::InitPBackgroundActor() /gecko/dom/gamepad/GamepadServiceTest.cpp:74:12
    #4 0x7f7ee696d352 in mozilla::dom::GamepadServiceTest::CreateTestService(nsPIDOMWindowInner*) /gecko/dom/gamepad/GamepadServiceTest.cpp:46:12
    #5 0x7f7ee43fcc82 in mozilla::dom::Navigator::RequestGamepadServiceTest() /gecko/dom/base/Navigator.cpp:1521:27
    #6 0x7f7ee4cd6190 in mozilla::dom::Navigator_Binding::requestGamepadServiceTest(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NavigatorBinding.cpp:1262:85
    #7 0x7f7ee607ffe8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3222:13
    #8 0x7f7eec822a71 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #9 0x7f7eec822a71 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #10 0x7f7eec824da8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #11 0x7f7eed6ff689 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/BaselineIC.cpp:3015:10
    #12 0x2de06dea0c97  (<unknown module>)
    #13 0x63100100f7df  (<unknown module>)
    #14 0x2de06de9e49e  (<unknown module>)
    #15 0x7f7eed90f2ca in EnterBaseline /gecko/js/src/jit/BaselineJIT.cpp:115:5
    #16 0x7f7eed90f2ca in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /gecko/js/src/jit/BaselineJIT.cpp:188:26
    #17 0x7f7eec816110 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2238:17
    #18 0x7f7eec7ee229 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #19 0x7f7eec822bc7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #20 0x7f7eec824da8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #21 0x7f7eec825086 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #22 0x7f7eec9c44a0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2831:10

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:230:31 in Id
==28623==ABORTING
Flags: in-testsuite?
Group: core-security
Keywords: bugmon
Bugmon Analysis: Failed to identify testcase. Please ensure that the testcase meets the requirements identified here: https://github.com/MozillaSecurity/bugmon#testcase-identification Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Group: core-security → dom-core-security

I believe this requires a test pref enabled. Is that for our own internal testing, or will some users actually run this way?

Attached file testcase.html

(In reply to Daniel Veditz [:dveditz] from comment #2)
> I believe this requires a test pref enabled. Is that for our own internal testing, or will some users actually run this way?

Correct. This requires the user_pref("dom.gamepad.test.enabled", true) to be set. This would only apply to users testing WebVR/Gamepad without a legitimate device.

Attached file prefs.js
Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200813213942-f46205a42fae. Failed to bisect testcase (Start build crashes!):
> Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
> End: 32ec11f12a6225412c435cc250491175a7552021 (20200813092915)
> BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False)
Group: dom-core-security

Bugmon Analysis: Unable to reproduce bug 1658947 using build mozilla-central 20201205093858-7ce95b6cde26. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: normal → S3