Closed Bug 1736751 Opened 3 years ago Closed 3 years ago

heap-use-after-free in [@ mozilla::TaskController::EnsureMainThreadTasksScheduled]

Categories

(Core :: XPCOM, defect)

Unspecified
Windows
defect

Tracking

RESOLVED FIXED
96 Branch
Tracking Status
firefox-esr91 95+ fixed
firefox94 --- wontfix
firefox95 + fixed
firefox96 + fixed

People

(Reporter: tsmith, Assigned: mccr8)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [sec-survey][adv-main95+r][adv-ESR91.4.0+r])

Attachments

(1 file)

Found while fuzzing m-c 20211019-4185629111d3 (--enable-address-sanitizer --enable-fuzzing)

This was reported once by the fuzzer while fuzzing on Windows. The test case is not reproducible.

==3900==ERROR: AddressSanitizer: heap-use-after-free on address 0x124265943020 at pc 0x7ffe21f82c22 bp 0x004871b7f5e0 sp 0x004871b7f628
READ of size 8 at 0x124265943020 thread T27
    #0 0x7ffe21f82c21 in mozilla::TaskController::EnsureMainThreadTasksScheduled /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:928
    #1 0x7ffe21f82c21 in mozilla::TaskController::RunPoolThread(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:281
    #2 0x7ffe4b571fbe in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #3 0x7ffe4b54b08b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #4 0x7ffe5d18fb7f  (C:\Windows\System32\ucrtbase.dll+0x18001fb7f)
    #5 0x7ffe4b9506f7 in __asan::AsanThread::ThreadStart(unsigned __int64) Z:\task_163462757786343\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:270
    #6 0x7ffe5d8784d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #7 0x7ffe4c5079fc in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
    #8 0x7ffe4c5079fc in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:588
    #9 0x7ffe60281790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

0x124265943020 is located 0 bytes inside of 24-byte region [0x124265943020,0x124265943038)
freed by thread T0 here:
    #0 0x7ffe4b945bdb in free Z:\task_163462757786343\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82
    #1 0x7ffe21db4ec3 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51
    #2 0x7ffe21db4ec3 in nsWindowsSystemProxySettings::Release(void) /builds/worker/checkouts/gecko/xpcom/base/nsUUIDGenerator.cpp:9
    #3 0x7ffe21f94f14 in nsCOMPtr<nsIThreadObserver>::operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:690
    #4 0x7ffe21f94f14 in mozilla::ThreadEventQueue::SetObserver(class nsIThreadObserver *) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventQueue.cpp:264
    #5 0x7ffe21fb5078 in nsThread::SetObserver(class nsIThreadObserver *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1268
    #6 0x7ffe21fbdf60 in nsThreadManager::Shutdown(void) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:437
    #7 0x7ffe22056fa9 in mozilla::ShutdownXPCOM(class nsIServiceManager *) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:655
    #8 0x7ffe2f6372e0 in XRE_TermEmbedding(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:218
    #9 0x7ffe2342e088 in mozilla::ipc::ScopedXREEmbed::Stop(void) /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90
    #10 0x7ffe2f638141 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:753
    #11 0x7ff64fa11d39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:58
    #12 0x7ff64fa11d39 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #13 0x7ff64fa114d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #14 0x7ff64fb0e747 in invoke_main d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #15 0x7ff64fb0e747 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #16 0x7ffe5d8784d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #17 0x7ffe60281790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

previously allocated by thread T0 here:
    #0 0x7ffe4b945ceb in malloc Z:\task_163462757786343\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98
    #1 0x7ffe4c3f154d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffe2b32566f in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33
    #3 0x7ffe2b32566f in nsAppShell::Init(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:553
    #4 0x7ffe2b25260f in nsAppShellInit /builds/worker/checkouts/gecko/widget/nsAppShellSingleton.h:47
    #5 0x7ffe2b25260f in nsWidgetWindowsModuleCtor(void) /builds/worker/checkouts/gecko/widget/windows/nsWidgetFactory.cpp:49
    #6 0x7ffe21f13a12 in mozilla::xpcom::CallInitFunc /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:8971
    #7 0x7ffe21f13a12 in mozilla::xpcom::CreateInstanceImpl /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:12074
    #8 0x7ffe21f53ccf in `anonymous namespace'::EntryWrapper::CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:174
    #9 0x7ffe21f53ccf in nsComponentManagerImpl::GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276
    #10 0x7ffe21f52e58 in nsComponentManagerImpl::GetService(struct nsID const &, struct nsID const &, void **) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1330
    #11 0x7ffe21f5d43e in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:51
    #12 0x7ffe21f5d43e in nsGetServiceByCID::operator()(struct nsID const &, void **) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:220
    #13 0x7ffe21d57a63 in nsCOMPtr_base::assign_from_gs_cid(class nsGetServiceByCID, struct nsID const &) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:64
    #14 0x7ffe2f638b49 in nsCOMPtr<nsIAppShell>::nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:611
    #15 0x7ffe2f638b49 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:874
    #16 0x7ffe2331cc45 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #17 0x7ffe2331cc45 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #18 0x7ffe2331ca15 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #19 0x7ffe2f638109 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749
    #20 0x7ff64fa11d39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:58
    #21 0x7ff64fa11d39 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #22 0x7ff64fa114d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #23 0x7ff64fb0e747 in invoke_main d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #24 0x7ff64fb0e747 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #25 0x7ffe5d8784d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #26 0x7ffe60281790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

Thread T27 created by T10 here:
    #0 0x7ffe4b951792 in __asan_wrap_CreateThread Z:\task_163462757786343\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ffe5d18fa76  (C:\Windows\System32\ucrtbase.dll+0x18001fa76)
    #2 0x7ffe4b54aebd in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ffe4b572d9c in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ffe4b5736f3 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ffe4b569abf in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ffe21f8304e in mozilla::TaskController::InitializeThreadPool(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:162
    #7 0x7ffe21f84105 in mozilla::TaskController::AddTask(struct already_AddRefed<class mozilla::Task> &&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:322
    #8 0x7ffe24f361c3 in mozilla::image::DecodePool::AsyncRun(class mozilla::image::IDecodingTask *) /builds/worker/checkouts/gecko/image/DecodePool.cpp:164
    #9 0x7ffe24f93d6a in mozilla::image::LaunchDecodingTask /builds/worker/checkouts/gecko/image/RasterImage.cpp:1137
    #10 0x7ffe24f93d6a in mozilla::image::RasterImage::DecodeMetadata /builds/worker/checkouts/gecko/image/RasterImage.cpp:1261
    #11 0x7ffe24f93d6a in mozilla::image::RasterImage::OnImageDataAvailable(class nsIRequest *, class nsISupports *, class nsIInputStream *, unsigned __int64, unsigned int) /builds/worker/checkouts/gecko/image/RasterImage.cpp:948
    #12 0x7ffe25015893 in imgRequest::OnDataAvailable(class nsIRequest *, class nsIInputStream *, unsigned __int64, unsigned int) /builds/worker/checkouts/gecko/image/imgRequest.cpp:1018
    #13 0x7ffe23fb2e94 in nsJARChannel::OnDataAvailable(class nsIRequest *, class nsIInputStream *, unsigned __int64, unsigned int) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp:1266
    #14 0x7ffe223915c1 in nsInputStreamPump::OnStateTransfer(void) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:532
    #15 0x7ffe223905d1 in nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream *) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:377
    #16 0x7ffe21ef83a6 in nsInputStreamReadyEvent::Run(void) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:94
    #17 0x7ffe21fb2ee5 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1145
    #18 0x7ffe21fc356c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
    #19 0x7ffe2340fdfa in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330
    #20 0x7ffe2331cc45 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #21 0x7ffe2331cc45 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #22 0x7ffe2331ca15 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #23 0x7ffe21faa323 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:390
    #24 0x7ffe4b571fbe in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #25 0x7ffe4b54b08b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #26 0x7ffe5d18fb7f  (C:\Windows\System32\ucrtbase.dll+0x18001fb7f)
    #27 0x7ffe4b9506f7 in __asan::AsanThread::ThreadStart(unsigned __int64) Z:\task_163462757786343\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cpp:270
    #28 0x7ffe5d8784d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #29 0x7ffe4c5079fc in mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *)>::operator() /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/nsWindowsDllInterceptor.h:150
    #30 0x7ffe4c5079fc in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:588
    #31 0x7ffe60281790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

Thread T10 created by T0 here:
    #0 0x7ffe4b951792 in __asan_wrap_CreateThread Z:\task_163462757786343\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cpp:146
    #1 0x7ffe5d18fa76  (C:\Windows\System32\ucrtbase.dll+0x18001fa76)
    #2 0x7ffe4b54aebd in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ffe4b572d9c in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ffe4b5736f3 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ffe4b569abf in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ffe21fad4dc in nsThread::Init(class nsTSubstring<char> const &) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:602
    #7 0x7ffe21fc10e9 in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, unsigned int, class nsIThread **) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:580
    #8 0x7ffe21fcce1c in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163
    #9 0x7ffe24f358ef in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:87
    #10 0x7ffe24f358ef in mozilla::image::DecodePool::DecodePool(void) /builds/worker/checkouts/gecko/image/DecodePool.cpp:98
    #11 0x7ffe24f35331 in mozilla::image::DecodePool::Singleton(void) /builds/worker/checkouts/gecko/image/DecodePool.cpp:63
    #12 0x7ffe250491e2 in mozilla::image::EnsureModuleInitialized(void) /builds/worker/checkouts/gecko/image/build/nsImageModule.cpp:74
    #13 0x7ffe21f1a843 in mozilla::xpcom::CallInitFunc /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:8971
    #14 0x7ffe21f1a843 in mozilla::xpcom::CreateInstanceImpl /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:9527
    #15 0x7ffe21f53ccf in `anonymous namespace'::EntryWrapper::CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:174
    #16 0x7ffe21f53ccf in nsComponentManagerImpl::GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276
    #17 0x7ffe21f56694 in nsComponentManagerImpl::GetServiceByContractID(char const *, struct nsID const &, void **) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465
    #18 0x7ffe21f5d5ae in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61
    #19 0x7ffe21f5d5ae in nsGetServiceByContractID::operator()(struct nsID const &, void **) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:243
    #20 0x7ffe21d57e93 in nsCOMPtr_base::assign_from_gs_contractid(class nsGetServiceByContractID, struct nsID const &) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:82
    #21 0x7ffe24baa202 in nsCOMPtr<imgITools>::nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:627
    #22 0x7ffe24baa202 in gfxPlatform::Init(void) /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:980
    #23 0x7ffe24babffa in gfxPlatform::InitChild(class mozilla::gfx::ContentDeviceData const &) /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:479
    #24 0x7ffe2a597466 in mozilla::dom::ContentChild::InitGraphicsDeviceData /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1315
    #25 0x7ffe2a597466 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(class mozilla::dom::XPCOMInitData &&, class mozilla::dom::ipc::StructuredCloneData const &, class mozilla::widget::FullLookAndFeel &&, class mozilla::dom::SystemFontList &&, class mozilla::Maybe<void *> const &, unsigned __int64 const &, class nsTArray<void *> &&) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:698
    #26 0x7ffe2360f8c9 in mozilla::dom::PContentChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:11079
    #27 0x7ffe234056a4 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2043
    #28 0x7ffe234019cf in mozilla::ipc::MessageChannel::DispatchMessage(class IPC::Message &&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1968
    #29 0x7ffe2340384c in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1827
    #30 0x7ffe23403df8 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1855
    #31 0x7ffe21fd202d in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #32 0x7ffe21f88363 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #33 0x7ffe21f847cc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #34 0x7ffe21f8518e in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390
    #35 0x7ffe21fdc081 in mozilla::TaskController::InitializeInternal::<unnamed-tag>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123
    #36 0x7ffe21fdc081 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531
    #37 0x7ffe21fb2255 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1151
    #38 0x7ffe21fc356c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
    #39 0x7ffe2340eb3e in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #40 0x7ffe2331cc45 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #41 0x7ffe2331cc45 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #42 0x7ffe2331ca15 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #43 0x7ffe2b12786a in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #44 0x7ffe2b32622b in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:603
    #45 0x7ffe2f638ba4 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917
    #46 0x7ffe2331cc45 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #47 0x7ffe2331cc45 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #48 0x7ffe2331ca15 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #49 0x7ffe2f638109 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749
    #50 0x7ff64fa11d39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:58
    #51 0x7ff64fa11d39 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #52 0x7ff64fa114d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #53 0x7ff64fb0e747 in invoke_main d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #54 0x7ff64fb0e747 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #55 0x7ffe5d8784d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #56 0x7ffe60281790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

Hmm. Maybe ThreadEventQueue::SetObserver() needs to do something like this:

nsCOMPtr<nsIThreadObserver> oldObserver = mObserver.forget();  // keep the old observer alive for now
mObserver = aObserver;
if (NS_IsMainThread()) {
    TaskController::Get()->SetThreadObserver(aObserver);
}
// oldObserver is released here, after TaskController's raw pointer has been updated

Right now, the oldObserver line doesn't exist. The main thread can do mObserver = aObserver, which destroys the old mObserver (that's the free stack), but TaskController still has a raw pointer to it, so if the other thread runs in between there and when SetThreadObserver runs it'll get a dead object.

The stack is happening at shutdown, but AFAICT it could happen any time the observer gets changed. The window is quite small but if there's some way to repeatedly get this to happen from content, maybe it could be exploited, so I'll mark it sec-high.

Assignee: nobody → continuation
Keywords: sec-high
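The race described in the comment above, as an added C++ model that is not Firefox code: a refcounted observer, a queue holding a strong reference and a controller holding only a raw pointer stand in for nsIThreadObserver, ThreadEventQueue and TaskController, and the pool thread is simulated by a hook run inside the window between the assignment and SetThreadObserver. The hook checks the raw pointer against a registry of live objects instead of dereferencing it, so the buggy path reports the dangling pointer without executing a real use-after-free; the names ObserverPtr, Queue, Controller and PoolThreadSawDanglingPointer are assumptions for this example.

```cpp
#include <functional>
#include <set>
#include <utility>

// Registry of live Observer objects (constructed for this demo). The simulated
// pool thread looks a raw pointer up here instead of dereferencing it, so the
// buggy path reports a dangling pointer without touching freed memory.
static std::set<const void*> gLive;

// Stand-in for a refcounted nsIThreadObserver implementation.
struct Observer {
  int mRefCnt = 0;
  Observer() { gLive.insert(this); }
  ~Observer() { gLive.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
};

// Minimal intrusive smart pointer standing in for nsCOMPtr.
class ObserverPtr {
  Observer* mPtr = nullptr;
 public:
  ObserverPtr() = default;
  explicit ObserverPtr(Observer* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  ObserverPtr(ObserverPtr&& o) noexcept : mPtr(o.mPtr) { o.mPtr = nullptr; }
  ~ObserverPtr() { if (mPtr) mPtr->Release(); }
  // Assigning a raw pointer releases whatever was held before, as nsCOMPtr does.
  ObserverPtr& operator=(Observer* p) { ObserverPtr tmp(p); swap(tmp); return *this; }
  void swap(ObserverPtr& o) { std::swap(mPtr, o.mPtr); }
};

// Stand-in for TaskController: keeps only a raw, non-owning pointer.
struct Controller {
  Observer* mObserver = nullptr;
  void SetThreadObserver(Observer* o) { mObserver = o; }
  // What the pool thread would do: does the pointer still name a live object?
  bool ObserverIsLive() const { return mObserver && gLive.count(mObserver) > 0; }
};

// Stand-in for ThreadEventQueue, with a hook that models the pool thread
// running inside the window between the assignment and SetThreadObserver.
struct Queue {
  ObserverPtr mObserver;
  Controller& mController;
  std::function<void()> mInterleave;
  explicit Queue(Controller& c) : mController(c) {}

  // Shape before the fix: the assignment drops the last reference to the old
  // observer while the controller still points at it.
  void SetObserverBuggy(Observer* aObserver) {
    mObserver = aObserver;            // old observer freed here
    if (mInterleave) mInterleave();   // pool thread reads the stale raw pointer
    mController.SetThreadObserver(aObserver);
  }

  // Shape after the fix: the old observer stays alive on the stack until the
  // controller has been pointed at the new one.
  void SetObserverFixed(Observer* aObserver) {
    ObserverPtr oldObserver = std::move(mObserver);
    mObserver = aObserver;
    if (mInterleave) mInterleave();   // old observer is still alive here
    mController.SetThreadObserver(aObserver);
  }  // oldObserver released only now
};

// Installs one observer, then swaps in a second one with the pool thread
// interleaved in the window. Returns true if the pool thread saw a dead object.
bool PoolThreadSawDanglingPointer(bool useFix) {
  Controller controller;
  Queue queue(controller);
  queue.SetObserverFixed(new Observer());   // initial install, nothing to free
  bool dangling = false;
  queue.mInterleave = [&] { dangling = !controller.ObserverIsLive(); };
  Observer* replacement = new Observer();   // adopted by the queue below
  if (useFix) queue.SetObserverFixed(replacement);
  else        queue.SetObserverBuggy(replacement);
  return dangling;
}
```

Making the controller's pointer strong, as the next comment suggests, would close the same window by a different route; this model shows only the stack-rooting fix that landed.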

Hopefully this fix is not so obscure that somebody reverts it later.

Another fix would be to make TaskController::mObserver a strong reference. I'm not sure why it is weak right now.

Comment on attachment 9246864 [details]
Bug 1736751 - Use swap in ThreadEventQueue::SetObserver.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It is easy to tell that my patch is rooting something on the stack. I'm not sure how easy it is to cause these thread observers to get swapped, or if it can be done from content at all. The one non-reproducible stack we have is at shutdown, but maybe it could be triggered at other times.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all (not ESR78)
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: I think the patch should apply unchanged. This method hasn't changed in a year.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. We just end up releasing an object a few lines later. I don't think much testing is needed.
Attachment #9246864 - Flags: sec-approval?

Comment on attachment 9246864 [details]
Bug 1736751 - Use swap in ThreadEventQueue::SetObserver.

Approved to land and request uplift

Attachment #9246864 - Flags: sec-approval? → sec-approval+
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(continuation)
Whiteboard: [sec-survey]

Comment on attachment 9246864 [details]
Bug 1736751 - Use swap in ThreadEventQueue::SetObserver.

Beta/Release Uplift Approval Request

  • User impact if declined: Possible security issue. It isn't clear if this is actually a problem in practice.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It just moves a release slightly.
  • String changes made/needed: none

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined:
  • Fix Landed on Version: 96
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch: none
Flags: needinfo?(continuation)
Attachment #9246864 - Flags: approval-mozilla-esr91?
Attachment #9246864 - Flags: approval-mozilla-beta?

Comment on attachment 9246864 [details]
Bug 1736751 - Use swap in ThreadEventQueue::SetObserver.

Approved Uplift for 95.0b6

Attachment #9246864 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9246864 [details]
Bug 1736751 - Use swap in ThreadEventQueue::SetObserver.

Approved for 91.4esr.

Attachment #9246864 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][adv-main95+][adv-ESR91.4.0+]
Whiteboard: [sec-survey][adv-main95+][adv-ESR91.4.0+] → [sec-survey][adv-main95+r][adv-ESR91.4.0+r]
Group: core-security-release