AddressSanitizer: heap-use-after-free PLDHashTable.cpp:502 in PLDHashTable::Search
Categories
(Core :: Graphics: WebGPU, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | disabled |
| firefox91 | --- | disabled |
| firefox92 | --- | disabled |
| firefox93 | --- | fixed |
People
(Reporter: m.cooolie, Assigned: kvark)
References
(Regression)
Details
(Keywords: regression, sec-other)
Attachments
(4 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4582.0 Safari/537.36
Steps to reproduce:
#Reproduce
OS:Ubuntu X64
Firefox: Nightly 92.0a1 (2021-07-27) (64-bit)
step:
- sudo python -m http.server 80
- python -m ffpuppet firefox -p prefs.js -d -u http://localhost/poc.html
- close current table
I did not make minicase because I still don’t know how to use lithium with prefs.js, I hope you guys can tell me~
Actual results:
=================================================================
==13204==ERROR: AddressSanitizer: heap-use-after-free on address 0x12c31f8482e0 at pc 0x7ffcf9061253 bp 0x00a007dfe6d0 sp 0x00a007dfe718
READ of size 8 at 0x12c31f8482e0 thread T0
#0 0x7ffcf9061252 in PLDHashTable::Search /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:502
#1 0x7ffcfa5e959a in mozilla::ipc::IToplevelProtocol::DestroySharedMemory /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:781
#2 0x7ffcfa5eb86d in mozilla::ipc::IProtocol::DeallocShmem /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:480
#3 0x7ffcffbc2e0f in mozilla::webgpu::Buffer::Cleanup /builds/worker/checkouts/gecko/dom/webgpu/Buffer.cpp:64
#4 0x7ffcffbc2c87 in mozilla::webgpu::Buffer::cycleCollection::Unlink /builds/worker/checkouts/gecko/dom/webgpu/Buffer.cpp:28
#5 0x7ffcf8fdddd0 in nsCycleCollector::CollectWhite /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3081
#6 0x7ffcf8fe130f in nsCycleCollector::Collect /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3435
#7 0x7ffcf8fe093b in nsCycleCollector::ShutdownCollect /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3350
#8 0x7ffcf8fe683f in nsCycleCollector_shutdown /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3959
#9 0x7ffcf92bddf9 in mozilla::ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:709
#10 0x7ffd06c7f150 in XRE_TermEmbedding /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:215
#11 0x7ffcfa5ef328 in mozilla::ipc::ScopedXREEmbed::Stop /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90
#12 0x7ffd06c80111 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:746
#13 0x7ff6c5901f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
#14 0x7ff6c59014d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
#15 0x7ff6c59ff1d7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#16 0x7ffd712b7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#17 0x7ffd71c82650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
0x12c31f8482e0 is located 96 bytes inside of 600-byte region [0x12c31f848280,0x12c31f8484d8)
freed by thread T0 here:
#0 0x7ffd49fd5afb in free Z:\task_1625848830\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82
#1 0x7ffcfa8d4dfc in mozilla::layers::PCompositorManagerChild::~PCompositorManagerChild /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:62
#2 0x7ffcfa5e761e in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:280
#3 0x7ffcfa7aff01 in mozilla::layers::PCompositorManagerChild::OnChannelClose /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:596
#4 0x7ffcfa5cb101 in mozilla::ipc::MessageChannel::Close /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2631
#5 0x7ffcfc160fc1 in mozilla::layers::CompositorManagerChild::Shutdown /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorManagerChild.cpp:79
#6 0x7ffcfc20b731 in gfxPlatform::ShutdownLayersIPC /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1350
#7 0x7ffcf92bda8f in mozilla::ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:622
#8 0x7ffd06c7f150 in XRE_TermEmbedding /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:215
#9 0x7ffcfa5ef328 in mozilla::ipc::ScopedXREEmbed::Stop /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90
#10 0x7ffd06c80111 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:746
#11 0x7ff6c5901f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
#12 0x7ff6c59014d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
#13 0x7ff6c59ff1d7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#14 0x7ffd712b7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
#15 0x7ffd71c82650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
previously allocated by thread T0 here:
#0 0x7ffd49fd5c0b in malloc Z:\task_1625848830\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98
#1 0x7ffd5e25139d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
#2 0x7ffcfc160c94 in mozilla::layers::CompositorManagerChild::Init /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorManagerChild.cpp:65
#3 0x7ffd01b33e9e in mozilla::dom::ContentChild::RecvInitRendering /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1538
#4 0x7ffcfa82d490 in mozilla::dom::PContentChild::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8796
#5 0x7ffcfa5c6f64 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2084
#6 0x7ffcfa5c33cf in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2011
#7 0x7ffcfa5c5251 in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1859
#8 0x7ffcfa5c57fc in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1890
#9 0x7ffcf923c9ad in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502
#10 0x7ffcf91f8d89 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805
#11 0x7ffcf91f4bcc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641
#12 0x7ffcf91f5590 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425
#13 0x7ffcf9246da1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532
#14 0x7ffcf921d9ab in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148
#15 0x7ffcf922e24c in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466
#16 0x7ffcfa5d063e in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
#17 0x7ffcfa4de7c5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
#18 0x7ffcfa4de595 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
#19 0x7ffd026b121a in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
#20 0x7ffd02897bcb in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:603
#21 0x7ffd06c80c44 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910
#22 0x7ffcfa4de7c5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
#23 0x7ffcfa4de595 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
#24 0x7ffd06c800d9 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742
#25 0x7ff6c5901f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
#26 0x7ff6c59014d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
#27 0x7ff6c59ff1d7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#28 0x7ffd712b7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:502 in PLDHashTable::Search
Shadow bytes around the buggy address:
0x04ef83709000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x04ef83709050: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd
0x04ef83709060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x04ef83709090: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x04ef837090a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13204==ABORTING
Expected results:
NO CRASH
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Comment 1•3 years ago
|
||
Callstack in webgpu, with dom.webgpu.enabled:true. Not a sec issue, since webgpu is still a prototype.
@kvark fyi
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 2•3 years ago
|
||
I did not make minicase because I still don’t know how to use lithium with prefs.js, I hope you guys can tell me~
You can chat with our developers at https://chat.mozilla.org/ -- try https://chat.mozilla.org/#/room/#fuzzing:mozilla.org
|
Assignee | |
Comment 3•3 years ago
|
||
Hmm, I'm not actually able to reproduce this. What does "close current table" mean? Do you mean closing the tab?
Running the asan-enabled build with this pref file, closing the tab, and it exits normally.
|
|
Assignee | |
Comment 4•3 years ago
|
||
Would you be able to reproduce this on an artifact from https://treeherder.mozilla.org/jobs?repo=try&revision=0c2e8203e3aaa18a6bacbdfd35d2ac81457f9838&selectedTaskRun=D8ePeSz_QUmdgn7My_6nlQ.0 ?
Exact artifact URL for the linux asan build.
|
|
Assignee | |
Comment 5•3 years ago
|
||
https://phabricator.services.mozilla.com/D122530 is on the way to landing, which should fix this. But I can't verify since I'm not able to reproduce.
install node&puppeteer-core (ffpuppet not work on windows).
|
|
Assignee | |
Comment 8•3 years ago
•
|
||
Thank you! I was able to reproduce it now. Fix is on the way - https://phabricator.services.mozilla.com/D122658
|
|
Assignee | |
Comment 9•3 years ago
|
||
|
||
Updated•3 years ago
|
|
||
Comment 10•3 years ago
|
||
Bug 1723077 - Don't release WebGPU shmem if the channel is closed r=jgilbert
https://hg.mozilla.org/integration/autoland/rev/c0b40ec24ca1ecf4ab1db3e7cad9d51914c55353
https://hg.mozilla.org/mozilla-central/rev/c0b40ec24ca1
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 11•3 years ago
|
||
This feature is not eligible for the security bug bounty because it is still in an experimental state. If you are pursuing bounties please stick to the default-enabled features in firefox Nightly builds. These do include many "in-progress" features that aren't yet enabled in Release, but are valid bounty targets.
|
|
||
Comment 12•3 years ago
|
||
For the above please see our FAQ answer https://www.mozilla.org/en-US/security/bug-bounty/faq/#nondefault-pref
|
||
Updated•3 years ago
|
|
Reporter | |
Comment 13•3 years ago
|
||
Please credit to yangkang(@dnpushme) of 360 ATA Team.
|
||
Comment 14•3 years ago
|
||
When running the “node ff.test.js /[path]/firefox http://localhost:800/poc.html” with the file from comment 7, I got the following error:
for await (const chunk of readable) {
^^^^^
SyntaxError: Unexpected reserved word
at createScript (vm.js:80:10)
at Object.runInThisContext (vm.js:139:10)
at Module._compile (module.js:616:28)
at Object.Module._extensions..js (module.js:663:10)
at Module.load (module.js:565:32)
at tryModuleLoad (module.js:505:12)
at Function.Module._load (module.js:497:3)
at Module.require (module.js:596:17)
at require (internal/module.js:11:18)
@m.coolie, could you please confirm the fix on your end on the latest 93 Beta build? Thank you!
|
|
Reporter | |
Comment 15•3 years ago
|
||
Not reproduce on 94.0a1 (2021-09-07) (64-bit).
I donot know how get latest 93 Beta build asan version.
|
|
||
Comment 16•3 years ago
|
||
(In reply to m.cooolie from comment #15)
Not reproduce on 94.0a1 (2021-09-07) (64-bit).
I donot know how get latest 93 Beta build asan version.
Oh, sure, https://treeherder.mozilla.org/jobs?repo=mozilla-beta&selectedTaskRun=QXlQx4nqQA2Dpsr8Jsb1cg.0 - artifact direct download. Thank you for your time!
|
|
Reporter | |
Comment 17•3 years ago
|
||
(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #16)
(In reply to m.cooolie from comment #15)
Not reproduce on 94.0a1 (2021-09-07) (64-bit).
I donot know how get latest 93 Beta build asan version.
Oh, sure, https://treeherder.mozilla.org/jobs?repo=mozilla-beta&selectedTaskRun=QXlQx4nqQA2Dpsr8Jsb1cg.0 - artifact direct download. Thank you for your time!
uaf not reproduced,but get this.
Hit MOZ_CRASH(mozilla::LinkedList<nsSHistory>::~LinkedList() [T = nsSHistory] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:444
#01: ???[/home/yyf/Desktop/tmp/liunx.target/93/firefox/libxul.so +0x186136d7]
#02: ???[/lib/x86_64-linux-gnu/libc.so.6 +0x44147]
#03: on_exit[/lib/x86_64-linux-gnu/libc.so.6 +0x442f0]
#04: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x2856c]
#05: ???[/home/yyf/Desktop/tmp/liunx.target/93/firefox/firefox +0x671b3]
#06: ??? (???:???)
AddressSanitizer:DEADLYSIGNAL
|
||
Updated•3 years ago
|
|
|
Assignee | |
Comment 18•3 years ago
|
||
LinkedList<nsSHistory> looks unrelated to WebGPU
|
|
||
Updated•2 years ago
|
Description
•