1660800 - AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8

Status: RESOLVED FIXED

(Core :: Storage: IndexedDB, defect)

Description

[Jason Kratzer [:jkratzer]]

I've seen this crash a few times but haven't been able to get either an RR trace or reproducible testcase. Hopefully the stack is enough to identify the issue. The latest crash triggered on mozilla-central rev c38fb352aacf.

==17916==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120002c6bf0 at pc 0x7f08f1da71f1 bp 0x7fff0b37cb40 sp 0x7fff0b37cb38
READ of size 8 at 0x6120002c6bf0 thread T0 (file:// Content)
    #0 0x7f08f1da71f0 in IsCurrentThread /gecko/xpcom/base/nsISupportsImpl.cpp:46:10
    #1 0x7f08f1da71f0 in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /gecko/xpcom/base/nsISupportsImpl.cpp:39:7
    #2 0x7f08f9b6a298 in AssertOwnership<42> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:60:5
    #3 0x7f08f9b6a298 in AssertIsOnOwningThread /gecko/dom/indexedDB/ActorsChild.h:591:5
    #4 0x7f08f9b6a298 in mozilla::dom::indexedDB::(anonymous namespace)::DelayedActionRunnable<mozilla::dom::indexedDB::BackgroundCursorChild<(mozilla::dom::IDBCursorType)3> >::Run() /gecko/dom/indexedDB/ActorsChild.cpp:3505:11
    #5 0x7f08f1f19b7d in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #6 0x7f08f1f242e9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
    #7 0x7f08f1f207d5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
    #8 0x7f08f1f1e692 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
    #9 0x7f08f1f1eacf in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
    #10 0x7f08f1f30124 in operator() /gecko/xpcom/threads/TaskController.cpp:86:37
    #11 0x7f08f1f30124 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_5>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #12 0x7f08f1f551cc in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1242:14
    #13 0x7f08f1f52a5f in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #14 0x7f08f1f52a5f in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:906:22)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:362:25
    #15 0x7f08f1f52a5f in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:906:3
    #16 0x7f08f1f66203 in nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp:398:17
    #17 0x7f08f1f6639c in non-virtual thunk to nsThreadPool::Shutdown() /gecko/xpcom/threads/nsThreadPool.cpp
    #18 0x7f08f22f0f68 in mozilla::net::nsStreamTransportService::Observe(nsISupports*, char const*, char16_t const*) /gecko/netwerk/base/nsStreamTransportService.cpp:345:12
    #19 0x7f08f22f106c in non-virtual thunk to mozilla::net::nsStreamTransportService::Observe(nsISupports*, char const*, char16_t const*) /gecko/netwerk/base/nsStreamTransportService.cpp
    #20 0x7f08f1e12383 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverList.cpp:65:19
    #21 0x7f08f1e19932 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverService.cpp:287:19
    #22 0x7f08f1fc699d in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:640:24
    #23 0x7f08fe19de6c in XRE_TermEmbedding() /gecko/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #24 0x7f08f3349402 in mozilla::ipc::ScopedXREEmbed::Stop() /gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #25 0x7f08fe19edb4 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:748:16
    #26 0x560596a136f3 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #27 0x560596a136f3 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #28 0x7f090f2dc0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
    #29 0x560596968059 in _start (/home/worker/builds/m-c-20200818153308-fuzzing-asan-opt/firefox+0xa5059)

0x6120002c6bf0 is located 48 bytes inside of 296-byte region [0x6120002c6bc0,0x6120002c6ce8)
freed by thread T0 (file:// Content) here:
    #0 0x5605969e078d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f08f9aea1c4 in mozilla::dom::indexedDB::BackgroundVersionChangeTransactionChild::DeallocPBackgroundIDBCursorChild(mozilla::dom::indexedDB::PBackgroundIDBCursorChild*) /gecko/dom/indexedDB/ActorsChild.cpp:2192:3
    #2 0x7f08f333f521 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /gecko/ipc/glue/ProtocolUtils.cpp:276:11
    #3 0x7f08f406e616 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:862:3
    #4 0x7f08f406e616 in mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundIDBVersionChangeTransactionChild.cpp:698:9
    #5 0x7f08f3dd5637 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:1007:29
    #6 0x7f08f4021f87 in mozilla::dom::indexedDB::PBackgroundIDBFactoryChild::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundIDBFactoryChild.cpp:433:29
    #7 0x7f08f39cd5b8 in mozilla::ipc::PBackgroundChild::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6632:29
    #8 0x7f08f39ccada in mozilla::ipc::PBackgroundChild::OnChannelClose() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6602:5
    #9 0x7f08f33311f2 in mozilla::ipc::MessageChannel::Close() /gecko/ipc/glue/MessageChannel.cpp:2713:3
    #10 0x7f08f32c0795 in (anonymous namespace)::ChildImpl::ThreadLocalDestructor(void*) /gecko/ipc/glue/BackgroundImpl.cpp:1627:32
    #11 0x7f08f32cf8ab in Shutdown /gecko/ipc/glue/BackgroundImpl.cpp:341:9
    #12 0x7f08f32cf8ab in Shutdown /gecko/ipc/glue/BackgroundImpl.cpp:1503:38
    #13 0x7f08f32cf8ab in (anonymous namespace)::ChildImpl::ShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) /gecko/ipc/glue/BackgroundImpl.cpp:1658:3
    #14 0x7f08f1e12383 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverList.cpp:65:19
    #15 0x7f08f1e19932 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /gecko/xpcom/ds/nsObserverService.cpp:287:19
    #16 0x7f08f1fc699d in mozilla::ShutdownXPCOM(nsIServiceManager*) /gecko/xpcom/build/XPCOMInit.cpp:640:24
    #17 0x7f08fe19de6c in XRE_TermEmbedding() /gecko/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #18 0x7f08f3349402 in mozilla::ipc::ScopedXREEmbed::Stop() /gecko/ipc/glue/ScopedXREEmbed.cpp:90:5
    #19 0x7f08fe19edb4 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:748:16
    #20 0x560596a136f3 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #21 0x560596a136f3 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #22 0x7f090f2dc0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 (file:// Content) here:
    #0 0x5605969e0a0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x560596a16afd in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f08f9b2bb3c in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f08f9b2bb3c in mozilla::dom::IDBIndex::OpenCursorInternal(bool, JSContext*, JS::Handle<JS::Value>, mozilla::dom::IDBCursorDirection, mozilla::ErrorResult&) /gecko/dom/indexedDB/IDBIndex.cpp
    #4 0x7f08f9b2c422 in mozilla::dom::IDBIndex::OpenKeyCursor(JSContext*, JS::Handle<JS::Value>, mozilla::dom::IDBCursorDirection, mozilla::ErrorResult&) /gecko/dom/indexedDB/IDBIndex.cpp:99:10
    #5 0x7f08f7c4e71d in mozilla::dom::IDBIndex_Binding::openKeyCursor(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/IDBIndexBinding.cpp:561:77
    #6 0x7f08f7c81498 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3227:13
    #7 0x7f08fe412511 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:507:13
    #8 0x7f08fe412511 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:599:12
    #9 0x7f08fe414848 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #10 0x7f08fe3fad73 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:668:10
    #11 0x7f08fe3fad73 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3336:16
    #12 0x7f08fe3ddc99 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:468:13
    #13 0x7f08fe412667 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:636:13
    #14 0x7f08fe414848 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:664:10
    #15 0x7f08fe414b26 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:681:8
    #16 0x7f08fe5b3eb0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2831:10
    #17 0x7f08f7877329 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:276:37
    #18 0x7f08f8400ade in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:367:12
    #19 0x7f08f83fece4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /gecko/dom/events/JSEventHandler.cpp:201:12
    #20 0x7f08f83c448e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1088:22
    #21 0x7f08f83c5c10 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1279:17
    #22 0x7f08f83b3c2f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:356:17

SUMMARY: AddressSanitizer: heap-use-after-free /gecko/xpcom/base/nsISupportsImpl.cpp:46:10 in IsCurrentThread
Shadow bytes around the buggy address:
  0x0c2480050d20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480050d30: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480050d40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480050d50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480050d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c2480050d70: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c2480050d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480050d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480050da0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480050db0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480050dc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==17916==ABORTING

Comment 1

[Jens Stutte [:jstutte]]

Looks similar to bug 1593596, if this helps?

Comment 2

[Simon Giesecke [:sg] [he/him]]

There are two places where DelayedActionRunnable is created/dispatched:

• https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/dom/indexedDB/ActorsChild.cpp#3102, which is going to call BackgroundCursorChild::CompleteContinueRequestFromCache
• https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/dom/indexedDB/ActorsChild.cpp#3252, which is going to call BackgroundCursorChild::SendDeleteMeInternal

From the stack alone, it's not completely clear which of these cases we have. It seems that this could be resolved though by making DelayedActionRunnable store a strong reference to the target, which would be enabled by making the PBackgroundIDBCursor protocol (https://searchfox.org/mozilla-central/rev/19c23d725f27d0989e4a60f36d64004cebb39736/dom/indexedDB/PBackgroundIDBCursor.ipdl#87) refcounted.

Comment 3

[Simon Giesecke [:sg] [he/him]]

(In reply to Jens Stutte [:jstutte] (REO for FF 81) from comment #1)

Looks similar to bug 1593596, if this helps?

AFAIU, it's not similar. Bug 1593596 was caused by a race, this is a genuine UAF.

Comment 4

[Simon Giesecke [:sg] [he/him]]

Attachment: Bug 1660800 - Make DelayedActionRunnable hold a strong reference to the target. r=#dom-workers-and-storage

Depends on D88143

Comment 5

[Simon Giesecke [:sg] [he/him]]

Comment on attachment 9171917 [details]
Bug 1660800 - Make DelayedActionRunnable hold a strong reference to the target. r=#dom-workers-and-storage

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Unsure. We have no STR this situation. Probably this is happening only during shutdown when the actor subtree is destroyed early.
  It is obvious however that this fix is addressing a UAF situation. While it's also mentioned in the current check-in comment, this doesn't make it particularly more obvious.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
• Which older supported branches are affected by this flaw?: all
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: It might apply cleanly to release, beta and esr78, provided Bug 1660816 is also uplifted.

esr68 would require more work since it doesn't have SafeRefPtr at all for now.

• How likely is this patch to cause regressions; how much testing does it need?: Unlikely. For the situations that didn't crash no change in behavior is expected.

Comment 6

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Comment on attachment 9171917 [details]
Bug 1660800 - Make DelayedActionRunnable hold a strong reference to the target. r=#dom-workers-and-storage

Approved to land.

Given the lifetime of 68, the backport cost, and the uncertainty around the issue I'm inclined to pass on 68.

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9171917 [details]
Bug 1660800 - Make DelayedActionRunnable hold a strong reference to the target. r=#dom-workers-and-storage

The 68.12esr release was the final planned release prior to EOL. Unless this is chemspill-worthy, we're not doing any more uplifts for that release.

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/autoland/rev/55d2e05d2e0b5ec0431b3d9dc7885d7989ccf83a

Comment 9

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Backed out per Simon's request: https://hg.mozilla.org/integration/autoland/rev/451620a788ec7c0dbd59210c5889188520b32874

Comment 10

[Simon Giesecke [:sg] [he/him]]

Sorry, I needed to request backout since I noticed that the patch from Bug 1660816 broke the gcc build. It is now fixed. Are you going to reland this?

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/autoland/rev/3bbe379479b164aea312a80c17c8ac2469203afe

Comment 12

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/3bbe379479b1

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Comment 14

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/6d20e4affeaf

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr78/rev/c07342de355c

Comment 16

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: advisory.txt