Closed Bug 1668876 Opened 4 years ago Closed 4 years ago

heap-use-after-free in [@ sandbox::BrokerServicesBase::TargetEventsThread]

Categories: Core :: Security: Process Sandboxing, defect, P1
Platform: Desktop, Windows

Tracking: VERIFIED FIXED, 84 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox81 --- wontfix
firefox82 --- wontfix
firefox83 + verified
firefox84 + verified

People: Reporter: tsmith, Assigned: bobowen

References: (Regression)

Details: 4 keywords, Whiteboard: [fuzzblocker][post-critsmash-triage][adv-main83+r]

Attachments: 1 file

To reproduce, use a Windows ASan build with MOZ_DISABLE_CONTENT_SANDBOX=1. Open a tab, wait for content to load and then close the tab.

This is marked as a fuzzblocker because it blocks fuzzing on Windows.

==8484==ERROR: AddressSanitizer: heap-use-after-free on address 0x1238349e68d8 at pc 0x7ff60d8f19f4 bp 0x00543b5ff1a0 sp 0x00543b5ff1e0
READ of size 4 at 0x1238349e68d8 thread T1
    #0 0x7ff60d8f19f3 in sandbox::BrokerServicesBase::TargetEventsThread z:\build\build\src\security\sandbox\chromium\sandbox\win\src\broker_services.cc:373
    #1 0x7fffda90e448 in __asan::AsanThread::ThreadStart Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262
    #2 0x7ff8091f7bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)
    #3 0x7fffe10e49e2 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\dllservices\WindowsDllBlocklist.cpp:592
    #4 0x7ff80a80ce50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006ce50)

0x1238349e68d8 is located 8 bytes inside of 40-byte region [0x1238349e68d0,0x1238349e68f8)
freed by thread T1 here:
    #0 0x7fffda91098f in operator delete Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_new_delete.cpp:160
    #1 0x7ff60d8f0760 in sandbox::BrokerServicesBase::TargetEventsThread z:\build\build\src\security\sandbox\chromium\sandbox\win\src\broker_services.cc:373
    #2 0x7fffda90e448 in __asan::AsanThread::ThreadStart Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262
    #3 0x7ff8091f7bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)
    #4 0x7fffe10e49e2 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\dllservices\WindowsDllBlocklist.cpp:592
    #5 0x7ff80a80ce50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006ce50)

previously allocated by thread T26 here:
    #0 0x7fffda91008f in operator new Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_new_delete.cpp:99
    #1 0x7ff60d8f50c6 in sandbox::BrokerServicesBase::AddTargetPeerInternal z:\build\build\src\security\sandbox\chromium\sandbox\win\src\broker_services.cc:702
    #2 0x7ff60d8f594a in sandbox::BrokerServicesBase::AddTargetPeer z:\build\build\src\security\sandbox\chromium\sandbox\win\src\broker_services.cc:717
    #3 0x7fffc36c7248 in mozilla::SandboxBroker::AddTargetPeer z:\build\build\src\security\sandbox\win\src\sandboxbroker\sandboxBroker.cpp:1441
    #4 0x7fffc4cc730b in mozilla::ipc::WindowsProcessLauncher::DoFinishLaunch z:\build\build\src\ipc\glue\GeckoChildProcessHost.cpp:1589
    #5 0x7fffc4cc748f in mozilla::ipc::BaseProcessLauncher::FinishLaunch z:\build\build\src\ipc\glue\GeckoChildProcessHost.cpp:1602
    #6 0x7fffc4cf3ba2 in mozilla::MozPromise<void *,mozilla::ipc::LaunchError,0>::ThenValue<`lambda at z:/build/build/src/ipc/glue/GeckoChildProcessHost.cpp:1018:7',`lambda at z:/build/build/src/ipc/glue/GeckoChildProcessHost.cpp:1022:7'>::DoResolveOrRejectInternal z:\build\workspace\obj-build\dist\include\mozilla\MozPromise.h:769
    #7 0x7fffc36b8271 in mozilla::MozPromise<void *,mozilla::ipc::LaunchError,0>::ThenValueBase::ResolveOrRejectRunnable::Run z:\build\workspace\obj-build\dist\include\mozilla\MozPromise.h:410
    #8 0x7fffc39b7366 in mozilla::TaskQueue::Runner::Run z:\build\build\src\xpcom\threads\TaskQueue.cpp:158
    #9 0x7fffc39d42c4 in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1234
    #10 0x7fffc39e009c in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:513
    #11 0x7fffc4d201de in mozilla::ipc::MessagePumpForNonMainThreads::Run z:\build\build\src\ipc\glue\MessagePump.cpp:302
    #12 0x7fffc4c664a5 in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:327
    #13 0x7fffc4c66275 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:309
    #14 0x7fffc39cc61d in nsThread::ThreadFunc z:\build\build\src\xpcom\threads\nsThread.cpp:442
    #15 0x7fffd92495ae in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:399
    #16 0x7fffd92228fb in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:139
    #17 0x7ff808400e81 in beginthreadex+0x141 (C:\WINDOWS\System32\ucrtbase.dll+0x180020e81)
    #18 0x7fffda90e448 in __asan::AsanThread::ThreadStart Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:262

Thread T1 created by T0 here:
    #0 0x7fffda90f907 in __asan_wrap_CreateThread Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ff60d8ef242 in sandbox::BrokerServicesBase::Init z:\build\build\src\security\sandbox\chromium\sandbox\win\src\broker_services.cc:170
    #2 0x7ff60d96c01a in mozilla::sandboxing::InitializeBrokerServices z:\build\build\src\security\sandbox\win\SandboxInitialization.cpp:167
    #3 0x7ff60d96befc in mozilla::sandboxing::GetInitializedBrokerServices z:\build\build\src\security\sandbox\win\SandboxInitialization.cpp:184
    #4 0x7ff60d892005 in NS_internal_main z:\build\build\src\browser\app\nsBrowserApp.cpp:336
    #5 0x7ff60d89148e in wmain z:\build\build\src\toolkit\xre\nsWindowsWMain.cpp:131
    #6 0x7ff60d988837 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #7 0x7ff8091f7bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)
    #8 0x7ff80a80ce50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006ce50)

Thread T26 created by T0 here:
    #0 0x7fffda90f907 in __asan_wrap_CreateThread Z:\task_1600842074\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ff808400d96 in beginthreadex+0x56 (C:\WINDOWS\System32\ucrtbase.dll+0x180020d96)
    #2 0x7fffd922272d in _PR_MD_CREATE_THREAD z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:153
    #3 0x7fffd924a40c in _PR_NativeCreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1058
    #4 0x7fffd924ad73 in _PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1184
    #5 0x7fffd9240d2f in PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1404
    #6 0x7fffc39cf269 in nsThread::Init z:\build\build\src\xpcom\threads\nsThread.cpp:659
    #7 0x7fffc39dec36 in nsThreadManager::NewNamedThread z:\build\build\src\xpcom\threads\nsThreadManager.cpp:628
    #8 0x7fffc39e8d8c in NS_NewNamedThread z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:161
    #9 0x7fffc39e3172 in NS_NewNamedThread z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:152
    #10 0x7fffc4cc056c in mozilla::ipc::GetIPCLauncher z:\build\build\src\ipc\glue\GeckoChildProcessHost.cpp:927
    #11 0x7fffc4ce8f4a in mozilla::ipc::BaseProcessLauncher::BaseProcessLauncher z:\build\build\src\ipc\glue\GeckoChildProcessHost.cpp:150
    #12 0x7fffc4cbc726 in mozilla::ipc::GeckoChildProcessHost::AsyncLaunch z:\build\build\src\ipc\glue\GeckoChildProcessHost.cpp:692
    #13 0x7fffc4cbf670 in mozilla::ipc::GeckoChildProcessHost::LaunchAndWaitForProcessHandle z:\build\build\src\ipc\glue\GeckoChildProcessHost.cpp:809
    #14 0x7fffc4a5e581 in mozilla::net::SocketProcessHost::Launch z:\build\build\src\netwerk\ipc\SocketProcessHost.cpp:76
    #15 0x7fffc3d07798 in mozilla::net::nsIOService::LaunchSocketProcess z:\build\build\src\netwerk\base\nsIOService.cpp:542
    #16 0x7fffc45b62a1 in mozilla::net::nsHttpHandler::Init z:\build\build\src\netwerk\protocol\http\nsHttpHandler.cpp:470
    #17 0x7fffc45b2dc5 in mozilla::net::nsHttpHandler::GetInstance z:\build\build\src\netwerk\protocol\http\nsHttpHandler.cpp:179
    #18 0x7fffc4c29a71 in mozCreateComponent<mozilla::net::nsHttpHandler> z:\build\build\src\netwerk\build\nsNetModule.cpp:61
    #19 0x7fffc393d0b4 in mozilla::xpcom::CreateInstanceImpl z:\build\workspace\obj-build\xpcom\components\StaticComponents.cpp:11914
    #20 0x7fffc397efd2 in nsComponentManagerImpl::GetServiceLocked z:\build\build\src\xpcom\components\nsComponentManager.cpp:1330
    #21 0x7fffc3981887 in nsComponentManagerImpl::GetServiceByContractID z:\build\build\src\xpcom\components\nsComponentManager.cpp:1517
    #22 0x7fffc3988747 in nsGetServiceByContractIDWithError::operator() z:\build\build\src\xpcom\components\nsComponentManagerUtils.cpp:253
    #23 0x7fffc3797434 in nsCOMPtr_base::assign_from_gs_contractid_with_error z:\build\build\src\xpcom\base\nsCOMPtr.cpp:91
    #24 0x7fffc75778e5 in mozilla::dom::Navigator::GetAppVersion z:\build\build\src\dom\base\Navigator.cpp:1909
    #25 0x7fffcc3850ab in mozilla::dom::workerinternals::RuntimeService::RegisterWorker z:\build\build\src\dom\workers\RuntimeService.cpp:1195
    #26 0x7fffcc3ecda1 in mozilla::dom::WorkerPrivate::Constructor z:\build\build\src\dom\workers\WorkerPrivate.cpp:2420
    #27 0x7fffcc37b06b in mozilla::dom::ChromeWorker::Constructor z:\build\build\src\dom\workers\ChromeWorker.cpp:22
    #28 0x7fffc90cadfe in mozilla::dom::ChromeWorker_Binding::_constructor z:\build\workspace\obj-build\dom\bindings\WorkerBinding.cpp:287
    #29 0x7fffd0f5ed9c in InternalConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:728
    #30 0x7fffd0f417f8 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3327
    #31 0x7fffd0f26b0a in js::RunScript z:\build\build\src\js\src\vm\Interpreter.cpp:469
    #32 0x7fffd0f5b26d in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:637
    #33 0x7fffd0f5dd17 in js::Call z:\build\build\src\js\src\vm\Interpreter.cpp:682
    #34 0x7fffd0f605bf in js::CallGetter z:\build\build\src\js\src\vm\Interpreter.cpp:806
    #35 0x7fffd15e07e9 in js::NativeGetProperty z:\build\build\src\js\src\vm\NativeObject.cpp:2603
    #36 0x7fffd0f68edf in js::GetProperty z:\build\build\src\js\src\vm\Interpreter.cpp:4727
    #37 0x7fffd0f42185 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3017
    #38 0x7fffd0f26b0a in js::RunScript z:\build\build\src\js\src\vm\Interpreter.cpp:469
    #39 0x7fffd0f5b26d in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:637
    #40 0x7fffd0f5dd17 in js::Call z:\build\build\src\js\src\vm\Interpreter.cpp:682
    #41 0x7fffd170020d in js::CallSelfHostedFunction z:\build\build\src\js\src\vm\SelfHosting.cpp:1694
    #42 0x7fffd12144b6 in AsyncFunctionResume z:\build\build\src\js\src\vm\AsyncFunction.cpp:128
    #43 0x7fffd13a29ea in PromiseReactionJob z:\build\build\src\js\src\builtin\Promise.cpp:1853
    #44 0x7fffd0f5ac40 in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:600
    #45 0x7fffd0f5dd17 in js::Call z:\build\build\src\js\src\vm\Interpreter.cpp:682
    #46 0x7fffd10fe601 in JS::Call z:\build\build\src\js\src\jsapi.cpp:2830
    #47 0x7fffc8346020 in mozilla::dom::PromiseJobCallback::Call z:\build\workspace\obj-build\dom\bindings\PromiseBinding.cpp:30
    #48 0x7fffc3781cde in mozilla::PromiseJobRunnable::Run z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:211
    #49 0x7fffc375a733 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:646
    #50 0x7fffc375b7fb in mozilla::CycleCollectedJSContext::BeforeProcessTask z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:445
    #51 0x7fffc5a64aa6 in XPCJSContext::BeforeProcessTask z:\build\build\src\js\xpconnect\src\XPCJSContext.cpp:1405
    #52 0x7fffc39d2f5a in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1114
    #53 0x7fffc39e009c in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:513
    #54 0x7fffc39df6a0 in nsThreadManager::SpinEventLoopUntilInternal z:\build\build\src\xpcom\threads\nsThreadManager.cpp:702
    #55 0x7fffd41c23a1 in XPTC__InvokebyIndex+0x71 (C:\Users\User\workspace\browsers\m-c-20201002092536-fuzzing-asan-opt\xul.dll+0x190b723a1)
    #56 0x7fffc5af40d3 in XPCWrappedNative::CallMethod z:\build\build\src\js\xpconnect\src\XPCWrappedNative.cpp:1142
    #57 0x7fffc5afa883 in XPC_WN_CallMethod z:\build\build\src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:947
    #58 0x7fffd0f5ac40 in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:600
    #59 0x7fffd0f4199a in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3337
    #60 0x7fffd0f26b0a in js::RunScript z:\build\build\src\js\src\vm\Interpreter.cpp:469
    #61 0x7fffd0f5b26d in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:637
    #62 0x7fffd0f5dd17 in js::Call z:\build\build\src\js\src\vm\Interpreter.cpp:682
    #63 0x7fffd14de70c in js::fun_apply z:\build\build\src\js\src\vm\JSFunction.cpp:1209
    #64 0x7fffd0f5ac40 in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:600
    #65 0x7fffd0f4199a in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3337
    #66 0x7fffd0f26b0a in js::RunScript z:\build\build\src\js\src\vm\Interpreter.cpp:469
    #67 0x7fffd0f5b26d in js::InternalCallOrConstruct z:\build\build\src\js\src\vm\Interpreter.cpp:637
    #68 0x7fffd0f5dd17 in js::Call z:\build\build\src\js\src\vm\Interpreter.cpp:682
    #69 0x7fffd10fc947 in JS_CallFunctionValue z:\build\build\src\js\src\jsapi.cpp:2767
    #70 0x7fffc5ae3ad6 in nsXPCWrappedJS::CallMethod z:\build\build\src\js\xpconnect\src\XPCWrappedJSClass.cpp:970
    #71 0x7fffc3a1d9a4 in PrepareAndDispatch z:\build\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs_x86_64.cpp:168
    #72 0x7fffd41c23f8 in SharedStub+0x48 (C:\Users\User\workspace\browsers\m-c-20201002092536-fuzzing-asan-opt\xul.dll+0x190b723f8)
    #73 0x7fffd0cdfdbf in nsXREDirProvider::DoStartup z:\build\build\src\toolkit\xre\nsXREDirProvider.cpp:971
    #74 0x7fffd0c6fb76 in XREMain::XRE_mainRun z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4622
    #75 0x7fffd0c76b2a in XREMain::XRE_main z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5038
    #76 0x7fffd0c779b8 in XRE_main z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5094
    #77 0x7ff60d8920e7 in NS_internal_main z:\build\build\src\browser\app\nsBrowserApp.cpp:336
    #78 0x7ff60d89148e in wmain z:\build\build\src\toolkit\xre\nsWindowsWMain.cpp:131
    #79 0x7ff60d988837 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #80 0x7ff8091f7bd3 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017bd3)
    #81 0x7ff80a80ce50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18006ce50)
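
The report above places both the free and the 4-byte read at broker_services.cc:373 on the same thread (T1, the broker's event thread), while the 40-byte object was allocated on the process-launcher thread (T26) in AddTargetPeerInternal, and the read lands 8 bytes into the object. That shape, a per-peer tracking record freed and then one of its fields read in the same statement, is what the following added C++ example reproduces alongside a hardened version of the removal. It is not the Chromium sandbox code and not the fix in the linked commit; PeerRecord, PeerTable, the field layout and the id values are assumptions chosen to match the sizes in the report. Build with `-fsanitize=address -pthread` and run with the argument `buggy` to get the same class of ASan report; without the argument only the hardened path runs.

```cpp
// Added illustration of the lifetime pattern in the ASan report: a per-peer
// record allocated on a launcher thread, freed on an event thread, and read
// after the free. Names and layout are assumptions, not chromium's code.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical stand-in for the per-peer record: 40 bytes on LP64 with the
// 4-byte id at offset 8, matching "READ of size 4 ... 8 bytes inside of
// 40-byte region" in the report. The layout is an assumption.
struct PeerRecord {
  void* wait_handle;  // offset 0: handle registered for the exit wait
  uint32_t id;        // offset 8: process id used as the map key
  uint32_t flags;
  void* broker;
  void* job;
  void* process;
};

class PeerTable {
 public:
  // Launcher thread: allocate a record and register it under its id.
  PeerRecord* Add(uint32_t id) {
    std::lock_guard<std::mutex> lock(mu_);
    auto* rec = new PeerRecord{};
    rec->id = id;
    peers_[id] = rec;
    return rec;
  }

  // Buggy removal shaped like the report: the record is freed first and then
  // its id is read to drop the map entry, on the same thread, in the same
  // statement. ASan reports this as heap-use-after-free.
  void RemoveBuggy(PeerRecord* rec) {
    std::lock_guard<std::mutex> lock(mu_);
    delete rec;
    peers_.erase(rec->id);  // read of freed memory
  }

  // Hardened removal: copy what is needed out of the record, verify the
  // table still owns this exact object, erase the entry, and only then free.
  bool RemoveSafe(PeerRecord* rec) {
    std::lock_guard<std::mutex> lock(mu_);
    const uint32_t id = rec->id;
    auto it = peers_.find(id);
    if (it == peers_.end() || it->second != rec) return false;  // stale or foreign
    peers_.erase(it);
    delete rec;
    return true;
  }

  size_t Size() {
    std::lock_guard<std::mutex> lock(mu_);
    return peers_.size();
  }

 private:
  std::mutex mu_;
  std::map<uint32_t, PeerRecord*> peers_;
};

// Launcher thread adds peers while the event thread removes them, the way
// T26 and T1 interact in the report. Returns the records left, expected 0.
size_t RunSafeScenario(int count) {
  PeerTable table;
  std::mutex qmu;
  std::vector<PeerRecord*> queue;  // launched records awaiting their "exit"
  std::thread launcher([&] {
    for (int i = 0; i < count; ++i) {
      PeerRecord* r = table.Add(1000 + i);
      std::lock_guard<std::mutex> l(qmu);
      queue.push_back(r);
    }
  });
  std::thread events([&] {
    int removed = 0;
    while (removed < count) {
      PeerRecord* r = nullptr;
      {
        std::lock_guard<std::mutex> l(qmu);
        if (!queue.empty()) { r = queue.back(); queue.pop_back(); }
      }
      if (r) { table.RemoveSafe(r); ++removed; } else { std::this_thread::yield(); }
    }
  });
  launcher.join();
  events.join();
  return table.Size();
}

// A record the table does not own must be refused rather than freed.
bool StaleRemoveIsRejected() {
  PeerTable table;
  PeerRecord* live = table.Add(7);
  PeerRecord stale{};
  stale.id = 7;  // same key, different object
  const bool rejected = !table.RemoveSafe(&stale);
  const bool removed = table.RemoveSafe(live);
  return rejected && removed && table.Size() == 0;
}

int main(int argc, char** argv) {
  if (argc > 1 && std::strcmp(argv[1], "buggy") == 0) {
    PeerTable t;
    t.RemoveBuggy(t.Add(4242));  // under ASan: heap-use-after-free
    return 0;
  }
  std::printf("records left: %zu, stale rejected: %d\n",
              RunSafeScenario(64), StaleRemoveIsRejected() ? 1 : 0);
  return 0;
}
```

The ownership check in RemoveSafe (`it->second != rec`) is the part worth keeping beyond the reordering: once a record has been deleted, a second removal for the same id cannot be told apart from a legitimate one by the key alone, so comparing the pointer the table holds against the one handed in is what turns a silent double free into a rejected call.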

Low severity because we ship with sandboxing enabled. But we want fuzzing, for sure!

Assignee: nobody → bobowencode
Severity: -- → S3
Group: core-security → dom-core-security
Keywords: sec-low
Priority: -- → P2
Status: NEW → ASSIGNED
Priority: P2 → P1
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch

Comment on attachment 9183443 [details]
Bug 1668876: Take chromium commit b8479b16bfe703cb09147f4d5cff0cfa3bd91366. r=tkikuchi!

Beta/Release Uplift Approval Request

  • User impact if declined: In theory this shouldn't affect users as it would only normally occur if people were turning off the process sandboxes.
    We do have one process that is unsandboxed that goes through this code, the GPU process, but as there is only one of these it should never hit this issue.
    Even so we might want to uplift this as we are still not too far into Beta.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Very simple code change, taken from existing chromium commit.
  • String changes made/needed: None
Attachment #9183443 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Whiteboard: [fuzzblocker] → [fuzzblocker][post-critsmash-triage]
QA Whiteboard: [qa-triaged]

Reproduced the issue on Firefox Nightly 84.0a1 (2020-10-22) (64-bit) with asan build (fuzzing enabled) on Windows 10 x64.
Verified-fixed on latest Firefox Nightly 84.0a1 (2020-10-29) (64-bit) asan build (fuzzing enabled) on Windows 10 x64. The browser no longer crashed after closing the tab.

Waiting for uplift to Beta to verify further.

Comment on attachment 9183443 [details]
Bug 1668876: Take chromium commit b8479b16bfe703cb09147f4d5cff0cfa3bd91366. r=tkikuchi!

Approved for 83 beta 6, thanks.

Attachment #9183443 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Has Regression Range: --- → yes

Verified-fixed on latest Firefox Beta 83.0b6 (64-bit) with asan build (fuzzing enabled) on Windows 10 x64.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Whiteboard: [fuzzblocker][post-critsmash-triage] → [fuzzblocker][post-critsmash-triage][adv-main83+r]
Group: core-security-release