Closed Bug 1669096 Opened 4 years ago Closed 4 years ago

ASan: heap-use-after-free in nsDocumentViewer::PermitUnload

Categories

(Core :: DOM: Navigation, defect, P1)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
83 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- verified

People

(Reporter: geeknik, Assigned: kmag)

References

(Regression)

Details

(5 keywords, Whiteboard: [sec-survey][post-critsmash-triage])

Attachments

(1 file)

STR:

  1. Clean nightly profile + fission enabled: fission.autostart, fission.preserve_browsing_contexts, fission.remoteObjectEmbed, fission.processOriginNames, fission.sessionHistoryInParent, layers.advanced.fission.enabled -- tested and confirmed with Official ASan Nightly build ID 20201004093007
  2. Visit https://webrtc.github.io/test-pages/src/iframe-apprtc/ in ANY container tab.
  3. Join a room in each iframe, ignoring any errors (probably optional)
  4. Right click in either frame and select This Frame -> Show Only This Frame
  5. View crash #1:
==160669==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000d08274 at pc 0x7f36769a8c4a bp 0x7ffc6fea3cf0 sp 0x7ffc6fea3ce8
READ of size 1 at 0x611000d08274 thread T0 (https://webrtc.)
    #0 0x7f36769a8c49 in nsDocumentViewer::PermitUnload(nsIContentViewer::PermitUnloadAction, bool*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1286:25
    #1 0x7f36795020be in PermitUnload /builds/worker/workspace/obj-build/dist/include/nsIContentViewer.h:91:14
    #2 0x7f36795020be in nsDocShell::InternalLoad(nsDocShellLoadState*, mozilla::Maybe<unsigned int>) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:9236:26
    #3 0x7f3679556075 in nsDocShell::LoadURI(nsDocShellLoadState*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:876:8
    #4 0x7f36794fe07b in mozilla::dom::BrowsingContext::LoadURI(nsDocShellLoadState*, bool) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1678:23
    #5 0x7f36757abd21 in mozilla::dom::ContentChild::RecvLoadURI(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, nsDocShellLoadState*, bool, std::function<void (bool const&)>&&) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:4114:12
    #6 0x7f366ec763c5 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:13045:56
    #7 0x7f366ea730c8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
    #8 0x7f366ea6f782 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
    #9 0x7f366ea7142a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
    #10 0x7f366ea71a6d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
    #11 0x7f366d7edf10 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:244:16
    #12 0x7f366d7ad1c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:26
    #13 0x7f366d7aa6f7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:15
    #14 0x7f366d7aab47 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:170:36
    #15 0x7f366d7f83e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:87:37
    #16 0x7f366d7f83e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #17 0x7f366d7cfed6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #18 0x7f366d7d9681 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #19 0x7f366ea7aa1c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:109:5
    #20 0x7f366e993692 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #21 0x7f366e993692 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #22 0x7f366e993692 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #23 0x7f3676213c9a in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #24 0x7f367a1d421f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #25 0x7f366e993692 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #26 0x7f366e993692 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #27 0x7f366e993692 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #28 0x7f367a1d3ab1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #29 0x564074b3b998 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #30 0x564074b3b998 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #31 0x7f368467b041 in __libc_start_main (/lib64/libc.so.6+0x27041)
    #32 0x564074a8e878 in _start (/home/geeknik/firefox/firefox-bin+0xb4878)

0x611000d08274 is located 180 bytes inside of 216-byte region [0x611000d081c0,0x611000d08298)
freed by thread T0 (https://webrtc.) here:
    #0 0x564074b0847d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f367699df19 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7f367699df19 in nsDocumentViewer::Release() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:550:1
    #3 0x7f367954f0a2 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:378:7
    #4 0x7f367954f0a2 in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:401:20
    #5 0x7f367954f0a2 in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:697:5
    #6 0x7f367954f0a2 in nsDocShell::Destroy() /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:4495:20
    #7 0x7f3679c3d75c in nsWebBrowser::SetDocShell(nsDocShell*) /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:1131:18
    #8 0x7f3679c3c6ac in nsWebBrowser::InternalDestroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:174:3
    #9 0x7f3679c432fc in Destroy /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp:855:3
    #10 0x7f3679c432fc in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/checkouts/gecko/toolkit/components/browser/nsWebBrowser.cpp
    #11 0x7f36757e3198 in mozilla::dom::BrowserChild::DestroyWindow() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:903:31
    #12 0x7f36757fc03b in mozilla::dom::BrowserChild::RecvDestroy() /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:2444:3
    #13 0x7f366f4bab28 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:6354:56
    #14 0x7f366ec7150e in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8621:32
    #15 0x7f366ea730c8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
    #16 0x7f366ea6f782 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
    #17 0x7f366ea7142a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
    #18 0x7f366ea71a6d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
    #19 0x7f366d7edf10 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:244:16
    #20 0x7f366d7ad1c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:26
    #21 0x7f366d7aa6f7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:15
    #22 0x7f366d7aab47 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:170:36
    #23 0x7f366d7f83e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:87:37
    #24 0x7f366d7f83e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #25 0x7f366d7cfed6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14

previously allocated by thread T0 (https://webrtc.) here:
    #0 0x564074b086fd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x564074b3e1ad in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f367699da5a in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f367699da5a in NS_NewContentViewer() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:501:37
    #4 0x7f36773d42fb in CreateDocument /builds/worker/checkouts/gecko/layout/build/nsContentDLF.cpp:312:46
    #5 0x7f36773d42fb in nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, nsTSubstring<char> const&, nsIDocShell*, nsISupports*, nsIStreamListener**, nsIContentViewer**) /builds/worker/checkouts/gecko/layout/build/nsContentDLF.cpp:127:12
    #6 0x7f3679548ac6 in NewContentViewerObj /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8030:35
    #7 0x7f3679548ac6 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:7760:17
    #8 0x7f3679547974 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:178:20
    #9 0x7f366f881897 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:597:18
    #10 0x7f366f87ede7 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:276:9
    #11 0x7f366f87dcb2 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:154:8
    #12 0x7f366e442a05 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:557:20
    #13 0x7f366e441f4b in mozilla::net::HttpChannelChild::OnStartRequest(mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::HttpChannelOnStartRequestArgs const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:488:3
    #14 0x7f366e73ec42 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:90:12
    #15 0x7f366e789b78 in MaybeFlushQueue /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:330:5
    #16 0x7f366e789b78 in CompleteResume /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:309:5
    #17 0x7f366e789b78 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:148:17
    #18 0x7f366d7edf10 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:244:16
    #19 0x7f366d7ad1c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:26
    #20 0x7f366d7aa6f7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:15
    #21 0x7f366d7aab47 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:170:36
    #22 0x7f366d7f83e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:87:37
    #23 0x7f366d7f83e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #24 0x7f366d7cfed6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #25 0x7f366d7d9681 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1286:25 in nsDocumentViewer::PermitUnload(nsIContentViewer::PermitUnloadAction, bool*)
  6. Immediately followed by crash #2:
==160704==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc38898e3d7 bp 0x7ffeb8bebf70 sp 0x7ffeb8bebea0 T0)
==160704==The signal is caused by a READ memory access.
==160704==Hint: address points to the zero page.
    #0 0x7fc38898e3d7 in operator() /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:4239:27
    #1 0x7fc38898e3d7 in std::_Function_handler<void (mozilla::dom::BrowsingContext*), mozilla::dom::ContentChild::DispatchBeforeUnloadToSubtree(mozilla::dom::BrowsingContext*, std::function<void (nsIContentViewer::PermitUnloadResult const&)> const&)::$_16>::_M_invoke(std::_Any_data const&, mozilla::dom::BrowsingContext*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #2 0x7fc38c6c35ed in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:706:14
    #3 0x7fc38c6c35ed in mozilla::dom::BrowsingContext::PreOrderWalk(std::function<void (mozilla::dom::BrowsingContext*)> const&) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:849:3
    #4 0x7fc38c6c38b2 in mozilla::dom::BrowsingContext::PreOrderWalk(std::function<void (mozilla::dom::BrowsingContext*)> const&) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:855:12
    #5 0x7fc38897e37d in DispatchBeforeUnloadToSubtree /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:4236:16
    #6 0x7fc38897e37d in mozilla::dom::ContentChild::RecvDispatchBeforeUnloadToSubtree(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, std::function<void (nsIContentViewer::PermitUnloadResult const&)>&&) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:4226:5
    #7 0x7fc381e4ab56 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:13687:56
    #8 0x7fc381c440c8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2150:25
    #9 0x7fc381c40782 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2074:9
    #10 0x7fc381c4242a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1922:3
    #11 0x7fc381c42a6d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1953:13
    #12 0x7fc3809bef10 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:244:16
    #13 0x7fc38097e1c3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:514:26
    #14 0x7fc38097b6f7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:15
    #15 0x7fc38097bb47 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:170:36
    #16 0x7fc3809c93b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:84:37
    #17 0x7fc3809c93b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #18 0x7fc3809a0ed6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #19 0x7fc3809aa681 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #20 0x7fc381c4ba27 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #21 0x7fc381b64692 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #22 0x7fc381b64692 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #23 0x7fc381b64692 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #24 0x7fc3893e4c9a in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7fc38d3a521f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #26 0x7fc381b64692 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #27 0x7fc381b64692 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #28 0x7fc381b64692 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #29 0x7fc38d3a4ab1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #30 0x55a36a2ad998 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #31 0x55a36a2ad998 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #32 0x7fc39784e041 in __libc_start_main (/lib64/libc.so.6+0x27041)
    #33 0x55a36a200878 in _start (/home/geeknik/firefox/firefox-bin+0xb4878)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:4239:27 in operator()

https://webrtc.github.io/test-pages/src/iframe-apprtc/ HAS to be opened in a container tab for this to work. Otherwise the page loads normally.

Group: core-security → dom-core-security
Flags: sec-bounty?

Nothing seems to keep nsDocumentViewer alive when PermitUnload is called.
This code changed heavily in bug 1655866.

Flags: needinfo?(kmaglione+bmo)
Assignee: nobody → kmaglione+bmo
Status: NEW → ASSIGNED
Flags: needinfo?(kmaglione+bmo)
Has Regression Range: --- → yes
Severity: -- → S2
Priority: -- → P1
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
Flags: sec-bounty? → sec-bounty+
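The lifetime hazard behind this report, as an added C++ illustration that is neither Gecko code nor the patch that fixed this bug: a toy refcounted viewer whose PermitUnload re-enters code that can drop the docshell's only reference, beside the strong-reference ("kungFuDeathGrip") pattern that keeps the object alive for the duration of the call. RefCounted, RefPtr, Viewer, DocShell and SimulateLoadDuringDestroy are assumed names.

```cpp
// Added illustration, not Gecko code; all names below are assumptions.
#include <cstddef>
#include <functional>
#include <memory>
class RefCounted {  // stands in for NS_INLINE_DECL_REFCOUNTING
 public:
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
 protected:
  virtual ~RefCounted() = default;
 private:
  int mRefCnt = 0;
};
template <class T>
class RefPtr {  // minimal strong pointer in the spirit of mozilla::RefPtr
 public:
  RefPtr() = default;
  explicit RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(std::nullptr_t) {  // clear the slot first, then drop the ref
    T* old = mPtr; mPtr = nullptr; if (old) old->Release(); return *this;
  }
  T* get() const { return mPtr; }
 private:
  T* mPtr = nullptr;
};
class Viewer : public RefCounted {
 public:
  // Returns true if `this` was still alive after the callback, i.e. the
  // one-byte member read ASan flagged at the crash site would have been safe.
  bool PermitUnload(const std::function<void()>& aDispatchBeforeUnload,
                    bool aHoldStrongRef) {
    // The fix pattern: a strong ref that outlives any re-entrant teardown.
    RefPtr<Viewer> kungFuDeathGrip(aHoldStrongRef ? this : nullptr);
    std::shared_ptr<bool> alive = mAlive;  // observer that survives delete
    mInPermitUnload = true;
    aDispatchBeforeUnload();  // may run nsDocShell::Destroy()-like code
    if (!*alive) return false;  // the real code reads a freed member here
    mInPermitUnload = false;
    return true;
  }
  ~Viewer() override { *mAlive = false; }
 private:
  std::shared_ptr<bool> mAlive = std::make_shared<bool>(true);
  bool mInPermitUnload = false;
};
struct DocShell {
  RefPtr<Viewer> mContentViewer;
  explicit DocShell(Viewer* aViewer) : mContentViewer(aViewer) {}
  void Destroy() { mContentViewer = nullptr; }  // drops the only strong ref
};
// A load starts, PermitUnload runs, and mid-dispatch the parent's Destroy
// message tears the docshell down, as in the "freed by" stack of comment 0.
bool SimulateLoadDuringDestroy(bool aHoldStrongRef) {
  DocShell shell(new Viewer());
  Viewer* viewer = shell.mContentViewer.get();  // unowned, as at the crash
  return viewer->PermitUnload([&shell] { shell.Destroy(); }, aHoldStrongRef);
}
```

Without the strong reference the viewer is destroyed inside the dispatch and the call returns false; with it the object outlives the callback and is released only when PermitUnload returns.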

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(kmaglione+bmo)
Whiteboard: [sec-survey]
Flags: qe-verify+
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Flags: needinfo?(kmaglione+bmo)

Reproduced the initial crash using Asan build 8ae706cfee33871aadf9c4aaa3d6480dafed07be. Verified that using latest Nightly asan, using the steps from comment 0, there is no crash recorded.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release