Closed Bug 1683035 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::dom::quota::DirectoryLockImpl::NotifyOpenListener]

Categories

(Core :: Storage: Quota Manager, defect)

Unspecified
Windows 10
defect

Tracking

RESOLVED DUPLICATE of bug 1682100

People

(Reporter: gsvelto, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/2db02eee-2b8f-4415-b6fe-fbc7c0201216

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::quota::DirectoryLockImpl::NotifyOpenListener dom/quota/ActorsParent.cpp:2954
1 xul.dll mozilla::dom::quota::DirectoryLockImpl::~DirectoryLockImpl dom/quota/ActorsParent.cpp:2883
2 xul.dll mozilla::dom::quota::DirectoryLockImpl::Release dom/quota/ActorsParent.cpp:842
3 xul.dll mozilla::dom::quota::`anonymous namespace'::NormalOriginOperationBase::UnblockOpen dom/quota/ActorsParent.cpp:8282
4 xul.dll mozilla::dom::quota::`anonymous namespace'::OriginOperationBase::Run dom/quota/ActorsParent.cpp:8080
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
6 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
9 xul.dll static nsThread::ThreadFunc xpcom/threads/nsThread.cpp:441

This crash was detected by PHC and it's a use-after-free of a DirectoryLockImpl object. The object was allocated at this stack:

Alloc stack:

#0    mozilla::dom::quota::QuotaManager::OpenDirectory(mozilla::dom::quota::PersistenceType, mozilla::dom::quota::GroupAndOrigin const&, mozilla::dom::quota::Client::Type, bool, RefPtr<mozilla::dom::quota::OpenDirectoryListener>) (xul.pdb)
#1    mozilla::dom::`anonymous namespace'::PrepareDatastoreOp::BeginDatastorePreparationInternal() (xul.pdb)
#2    mozilla::dom::`anonymous namespace'::PrepareDatastoreOp::NestedRun() (xul.pdb)
#3    mozilla::dom::`anonymous namespace'::LSRequestBase::Run() (xul.pdb)
#4    nsThread::ProcessNextEvent(bool, bool*) (xul.pdb)
#5    mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (xul.pdb)
#6    MessageLoop::RunHandler() (xul.pdb)
#7    MessageLoop::Run() (xul.pdb)
#8    static nsThread::ThreadFunc(void*) (xul.pdb)
#9    _PR_NativeRunThread(void*) (nss3.pdb)
#10    pr_root(void*) (nss3.pdb)
#11    thread_start<unsigned int (__cdecl*)(void *),1> (ucrtbase.pdb)
#12    BaseThreadInitThunk (kernel32.pdb)
#13    RtlUserThreadStart (ntdll.pdb)

And freed at this one:

#0    mozilla::dom::quota::DirectoryLockImpl::~DirectoryLockImpl() (xul.pdb)
#1    mozilla::dom::quota::DirectoryLockImpl::Release() (xul.pdb)
#2    mozilla::dom::quota::`anonymous namespace'::NormalOriginOperationBase::UnblockOpen() (xul.pdb)
#3    mozilla::dom::quota::`anonymous namespace'::OriginOperationBase::Run() (xul.pdb)
#4    nsThread::ProcessNextEvent(bool, bool*) (xul.pdb)
#5    mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (xul.pdb)
#6    MessageLoop::RunHandler() (xul.pdb)
#7    MessageLoop::Run() (xul.pdb)
#8    static nsThread::ThreadFunc(void*) (xul.pdb)
#9    _PR_NativeRunThread(void*) (nss3.pdb)
#10    pr_root(void*) (nss3.pdb)
#11    thread_start<unsigned int (__cdecl*)(void *),1> (ucrtbase.pdb)
#12    BaseThreadInitThunk (kernel32.pdb)
#13    RtlUserThreadStart (ntdll.pdb)

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: core-security → dom-core-security
Group: dom-core-security