Closed
Bug 1741186
Opened 3 years ago
Closed 2 years ago
AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
96 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox94 | --- | unaffected |
| firefox95 | --- | disabled |
| firefox96 | --- | fixed |
People
(Reporter: jkratzer, Assigned: saschanaz)
References
(Blocks 2 open bugs, Regression)
Details
(4 keywords, Whiteboard: [bugmon:confirm])
Attachments
(5 files, 1 obsolete file)
Testcase found while fuzzing mozilla-central rev 0ea31fd939c8 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 0ea31fd939c8 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8
=================================================================
==924855==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000026ef8 at pc 0x7f17c41dfeed bp 0x7f173272db80 sp 0x7f173272db78
READ of size 8 at 0x60d000026ef8 thread T28 (DOM Worker)
#0 0x7f17c41dfeec in IsCurrentThread /xpcom/base/nsISupportsImpl.cpp:48:10
#1 0x7f17c41dfeec in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /xpcom/base/nsISupportsImpl.cpp:41:7
#2 0x7f17cb676771 in AssertOwnership<33> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:60:5
#3 0x7f17cb676771 in AddRef /dom/locks/LockRequestChild.cpp:17:1
#4 0x7f17cb676771 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:39
#5 0x7f17cb676771 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:380:35
#6 0x7f17cb676771 in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:109:7
#7 0x7f17cb676771 in RefPtr<mozilla::dom::locks::LockRequestChild> mozilla::MakeRefPtr<mozilla::dom::locks::LockRequestChild, mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&>(mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:603:13
#8 0x7f17cb675784 in mozilla::dom::locks::LockManagerChild::RequestLock(mozilla::dom::locks::LockRequest const&, mozilla::dom::LockOptions const&) /dom/locks/LockManagerChild.cpp:80:23
#9 0x7f17cb675285 in mozilla::dom::LockManager::Request(nsTSubstring<char16_t> const&, mozilla::dom::LockOptions const&, mozilla::dom::LockGrantedCallback&, mozilla::ErrorResult&) /dom/locks/LockManager.cpp:149:11
#10 0x7f17cb674669 in mozilla::dom::LockManager::Request(nsTSubstring<char16_t> const&, mozilla::dom::LockGrantedCallback&, mozilla::ErrorResult&) /dom/locks/LockManager.cpp:109:10
#11 0x7f17c82167b4 in request /builds/worker/workspace/obj-build/dom/bindings/LockManagerBinding.cpp:596:64
#12 0x7f17c82167b4 in mozilla::dom::LockManager_Binding::request_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/LockManagerBinding.cpp:658:13
#13 0x7f17c97ae74a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
#14 0x7f17d10130f1 in CallJSNative /js/src/vm/Interpreter.cpp:387:13
#15 0x7f17d10130f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
#16 0x7f17d0fff73d in CallFromStack /js/src/vm/Interpreter.cpp:538:10
#17 0x7f17d0fff73d in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3242:16
#18 0x7f17d0fe47a1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:356:13
#19 0x7f17d101322c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:506:13
#20 0x7f17d101537b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
#21 0x7f17d15e44a7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1538:10
#22 0x7f17d1256249 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
#23 0x7f17d144340c in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2000:12
#24 0x7f17d144340c in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2160:12
#25 0x7f17d10130f1 in CallJSNative /js/src/vm/Interpreter.cpp:387:13
#26 0x7f17d10130f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
#27 0x7f17d101537b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
#28 0x7f17d128850d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#29 0x7f17c859dd9c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
#30 0x7f17c4181827 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
#31 0x7f17c4181827 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
#32 0x7f17c4181827 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
#33 0x7f17c415c017 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:674:17
#34 0x7f17c415cfff in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
#35 0x7f17c439be68 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1212:24
#36 0x7f17c43a6a3c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#37 0x7f17cbb99a70 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3105:7
#38 0x7f17cbb6190d in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2244:42
#39 0x7f17c439c14b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1169:16
#40 0x7f17c43a6a3c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#41 0x7f17c5886fdd in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#42 0x7f17c57052d1 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
#43 0x7f17c57052d1 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#44 0x7f17c57052d1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#45 0x7f17c43946df in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
#46 0x7f17e107309e in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#47 0x7f17e2989608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#48 0x7f17e2551292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x60d000026ef8 is located 88 bytes inside of 136-byte region [0x60d000026ea0,0x60d000026f28)
freed by thread T28 (DOM Worker) here:
#0 0x558f19469122 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
#1 0x7f17cb679c49 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
#2 0x7f17cb679c49 in mozilla::dom::locks::LockRequestChild::Release() /dom/locks/LockRequestChild.cpp:17:1
#3 0x7f17cb67ff53 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#4 0x7f17cb67ff53 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#5 0x7f17cb67ff53 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#6 0x7f17cb67ff53 in ~ /dom/locks/LockRequestChild.cpp:52:9
#7 0x7f17cb67ff53 in _M_destroy /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:207:4
#8 0x7f17cb67ff53 in std::_Function_base::_Base_manager<mozilla::dom::locks::LockRequestChild::LockRequestChild(mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&)::$_5>::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:231:8
#9 0x7f17cb67a14b in ~_Function_base /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:276:2
#10 0x7f17cb67a14b in mozilla::dom::locks::LockRequestChild::LockRequestChild(mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&) /dom/locks/LockRequestChild.cpp:50:5
#11 0x7f17cb67674e in RefPtr<mozilla::dom::locks::LockRequestChild> mozilla::MakeRefPtr<mozilla::dom::locks::LockRequestChild, mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&>(mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:603:19
#12 0x7f17cb675784 in mozilla::dom::locks::LockManagerChild::RequestLock(mozilla::dom::locks::LockRequest const&, mozilla::dom::LockOptions const&) /dom/locks/LockManagerChild.cpp:80:23
#13 0x7f17cb675285 in mozilla::dom::LockManager::Request(nsTSubstring<char16_t> const&, mozilla::dom::LockOptions const&, mozilla::dom::LockGrantedCallback&, mozilla::ErrorResult&) /dom/locks/LockManager.cpp:149:11
#14 0x7f17cb674669 in mozilla::dom::LockManager::Request(nsTSubstring<char16_t> const&, mozilla::dom::LockGrantedCallback&, mozilla::ErrorResult&) /dom/locks/LockManager.cpp:109:10
#15 0x7f17c82167b4 in request /builds/worker/workspace/obj-build/dom/bindings/LockManagerBinding.cpp:596:64
#16 0x7f17c82167b4 in mozilla::dom::LockManager_Binding::request_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/LockManagerBinding.cpp:658:13
#17 0x7f17c97ae74a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
#18 0x7f17d10130f1 in CallJSNative /js/src/vm/Interpreter.cpp:387:13
#19 0x7f17d10130f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
#20 0x7f17d0fff73d in CallFromStack /js/src/vm/Interpreter.cpp:538:10
#21 0x7f17d0fff73d in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3242:16
#22 0x7f17d0fe47a1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:356:13
#23 0x7f17d101322c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:506:13
#24 0x7f17d101537b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
#25 0x7f17d15e44a7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1538:10
#26 0x7f17d1256249 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
#27 0x7f17d144340c in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2000:12
#28 0x7f17d144340c in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2160:12
#29 0x7f17d10130f1 in CallJSNative /js/src/vm/Interpreter.cpp:387:13
#30 0x7f17d10130f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
#31 0x7f17d101537b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
previously allocated by thread T28 (DOM Worker) here:
#0 0x558f1946938d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x558f194a40ad in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f17cb67673d in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f17cb67673d in RefPtr<mozilla::dom::locks::LockRequestChild> mozilla::MakeRefPtr<mozilla::dom::locks::LockRequestChild, mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&>(mozilla::dom::locks::LockRequest const&, mozilla::dom::Optional<mozilla::OwningNonNull<mozilla::dom::AbortSignal> > const&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:603:15
#4 0x7f17cb675784 in mozilla::dom::locks::LockManagerChild::RequestLock(mozilla::dom::locks::LockRequest const&, mozilla::dom::LockOptions const&) /dom/locks/LockManagerChild.cpp:80:23
#5 0x7f17cb675285 in mozilla::dom::LockManager::Request(nsTSubstring<char16_t> const&, mozilla::dom::LockOptions const&, mozilla::dom::LockGrantedCallback&, mozilla::ErrorResult&) /dom/locks/LockManager.cpp:149:11
#6 0x7f17cb674669 in mozilla::dom::LockManager::Request(nsTSubstring<char16_t> const&, mozilla::dom::LockGrantedCallback&, mozilla::ErrorResult&) /dom/locks/LockManager.cpp:109:10
#7 0x7f17c82167b4 in request /builds/worker/workspace/obj-build/dom/bindings/LockManagerBinding.cpp:596:64
#8 0x7f17c82167b4 in mozilla::dom::LockManager_Binding::request_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/LockManagerBinding.cpp:658:13
#9 0x7f17c97ae74a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
#10 0x7f17d10130f1 in CallJSNative /js/src/vm/Interpreter.cpp:387:13
#11 0x7f17d10130f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
#12 0x7f17d0fff73d in CallFromStack /js/src/vm/Interpreter.cpp:538:10
#13 0x7f17d0fff73d in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3242:16
#14 0x7f17d0fe47a1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:356:13
#15 0x7f17d101322c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:506:13
#16 0x7f17d101537b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
#17 0x7f17d15e44a7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1538:10
#18 0x7f17d1256249 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:152:8
#19 0x7f17d144340c in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2000:12
#20 0x7f17d144340c in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2160:12
#21 0x7f17d10130f1 in CallJSNative /js/src/vm/Interpreter.cpp:387:13
#22 0x7f17d10130f1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:474:12
#23 0x7f17d101537b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:551:8
#24 0x7f17d128850d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#25 0x7f17c859dd9c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
Thread T28 (DOM Worker) created by T0 (Web Content) here:
#0 0x558f19453a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
#1 0x7f17e1063124 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f17e10543ce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f17c43979a5 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:607:18
#4 0x7f17cbbbe0b2 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:102:7
#5 0x7f17cbb405e8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1389:14
#6 0x7f17cbb3f2e3 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1256:19
#7 0x7f17cbb94110 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /dom/workers/WorkerPrivate.cpp:2525:24
#8 0x7f17cbbcc546 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /dom/workers/remoteworkers/RemoteWorkerChild.cpp:437:41
#9 0x7f17cbbe9aba in operator() /dom/workers/remoteworkers/RemoteWorkerChild.cpp:298:29
#10 0x7f17cbbe9aba in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#11 0x7f17c43694ff in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:144:20
#12 0x7f17c43b5bf2 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:468:16
#13 0x7f17c437b5bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:771:26
#14 0x7f17c4378b18 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:607:15
#15 0x7f17c4379229 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:391:36
#16 0x7f17c43bf264 in operator() /xpcom/threads/TaskController.cpp:127:37
#17 0x7f17c43bf264 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:531:5
#18 0x7f17c439b917 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1175:16
#19 0x7f17c43a6a3c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:467:10
#20 0x7f17c5885924 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#21 0x7f17c57052d1 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
#22 0x7f17c57052d1 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#23 0x7f17c57052d1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#24 0x7f17cc298af7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#25 0x7f17d0d30f6f in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:917:20
#26 0x7f17c57052d1 in RunInternal /ipc/chromium/src/base/message_loop.cc:331:10
#27 0x7f17c57052d1 in RunHandler /ipc/chromium/src/base/message_loop.cc:324:3
#28 0x7f17c57052d1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:306:3
#29 0x7f17d0d301a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:749:34
#30 0x558f1949dced in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#31 0x558f1949e118 in main /browser/app/nsBrowserApp.cpp:327:18
#32 0x7f17e24560b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /xpcom/base/nsISupportsImpl.cpp:48:10 in IsCurrentThread
Shadow bytes around the buggy address:
0x0c1a7fffcd80: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c1a7fffcd90: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c1a7fffcda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1a7fffcdb0: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
0x0c1a7fffcdc0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c1a7fffcdd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c1a7fffcde0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffcdf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffce10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1a7fffce20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==924855==ABORTING
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
| Comment hidden (obsolete) |
|
||
Updated•3 years ago
|
Group: core-security → dom-core-security
|
||
Comment 4•3 years ago
|
||
The stack involves LockManager, and the test case involves starting up two different service workers with a script that does something with navigator.locks. Kagami, it looks like you've been looking at things related to those topics recently in bug 1738905, so could you take a look into this? Thanks.
Flags: needinfo?(krosylight)
Keywords: csectype-uaf,
sec-high
|
|
||
Updated•3 years ago
|
Summary: AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8 → AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8 of LockRequestChild
|
|
||
Updated•3 years ago
|
Summary: AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8 of LockRequestChild → AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8
|
Assignee | |
Comment 5•3 years ago
|
||
The debugger says the RefPtr constructor called in MakeRefPtr is getting an invalid pointer that points to garbage. Not sure how can it happen?
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(krosylight)
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(krosylight)
|
||
Comment 6•3 years ago
|
||
Is this something the automation can provide a pernosco trace for?
Flags: needinfo?(jkratzer)
|
|
Assignee | |
Comment 7•3 years ago
•
|
||
Still investigating, but it seems self.reportError(new Int16Array(2147483648)) is the (or at least one of the) core part of this issue. Not sure it only affects Web Locks or others too yet.
|
|
Reporter | |
Comment 8•3 years ago
|
||
(In reply to Andrew Sutherland [:asuth] (he/him) from comment #6)
Is this something the automation can provide a pernosco trace for?
There's no support for pernosco in bugmon yet but I'd be happy to record a trace of this issue. I'll link it here once I'm done.
Flags: needinfo?(jkratzer)
|
|
Assignee | |
Comment 9•3 years ago
|
||
A minimal-er repro. Open it and refresh, and then it busts.
|
|
Assignee | |
Comment 10•3 years ago
|
||
Comment on attachment 9250941 [details] 1741186.html ><!DOCTYPE html> ><meta charset="utf-8"> ><script> > const script = ` > self.reportError(new Int16Array(2147483648)) > navigator.locks.request("weblock_0", () => {}); > `; > new Worker(URL.createObjectURL(new Blob([script]))); > location.reload(); ></script>
|
|
Assignee | |
Comment 11•3 years ago
|
||
Attachment #9250941 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 12•3 years ago
|
||
You can find a pernosco session for this bug here.
|
|
Assignee | |
Comment 13•3 years ago
|
||
Hi Jason, I can see no source file from that session, did something happen there?
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 14•3 years ago
|
||
:saschanaz, my apologies. Can you try this one?
Flags: needinfo?(jkratzer)
|
|
Assignee | |
Comment 15•3 years ago
|
||
Thanks!
And this is what I said in comment #5, it's somehow filled with 0xe5e5e5e5e5e5e5e5. Is the thread already being freed? https://pernos.co/debug/hHmPXWODjvUzHVKgD24B3A/index.html#f{m[A4WE,BEs5_,t[AQc,JfUV_,f{e[A4WE,BEe6_,s{af4h+ZPAA,bAdk,uDLQvww,oDLa1vg___/
|
|
Assignee | |
Comment 16•3 years ago
|
||
To note, the crash does not happen if you modify the attachment in comment #9 to use smaller number for reportError (e.g. 2147483), wait a bit for the error appears on the console, and then refresh. It busts when you refresh before the error appears.
|
|
Assignee | |
Comment 17•3 years ago
|
||
Bug 1741625 is another issue with reportError with large Int32Array and Web Locks. (Is it safe to add a See also from a security issue?)
|
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → krosylight
|
||
Updated•3 years ago
|
Severity: -- → S2
|
|
Assignee | |
Comment 18•3 years ago
|
||
Oh okay, something stupid (which is done by me 🥲) is happening here.
mWorkerRef = StrongWorkerRef::Create(
GetCurrentThreadWorkerPrivate(), "LockManager",
[self = RefPtr(this)]() { self->mWorkerRef = nullptr; });
The StrongWorkerRef here immediately fails with WorkerState::Canceling, and nothing grabs the ownership of the callback function, and thus it destructs immediately too. Since we passed this as RefPtr(this) it frees this. In the constructor. Thus the constructor eventually returns an already freed pointer, and boom.
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
Keywords: regression
|
|
Assignee | |
Updated•3 years ago
|
status-firefox94:
--- → disabled
status-firefox95:
--- → disabled
status-firefox-esr91:
--- → disabled
|
|
Assignee | |
Comment 19•3 years ago
|
||
|
|
Assignee | |
Comment 20•3 years ago
|
||
Depends on D131698
|
||
Comment 21•2 years ago
|
||
Set release status flags based on info from the regressing bug 1725942
status-firefox96:
--- → affected
|
|
Assignee | |
Comment 22•2 years ago
|
||
The use-after-free access happens immediately after free so I'm not sure this is really a security issue. Is it?
|
|
||
Comment 23•2 years ago
|
||
Yeah, that lowers the severity. I'll drop it to moderate for now.
Keywords: sec-high → sec-moderate
|
|
Assignee | |
Comment 24•2 years ago
•
|
||
Thanks!
And this is only enabled in Nightly (bug 1739233), should I still need to ship the fix first and the test later? How later if then?
Flags: needinfo?(continuation)
|
|
||
Comment 25•2 years ago
|
||
Given that this is Nightly-only and it doesn't really look exploitable, I think it is okay to just land the test at the same time.
Flags: needinfo?(continuation)
|
|
Assignee | |
Comment 26•2 years ago
|
||
Thanks! I'll land all in that case.
|
||
Comment 27•2 years ago
|
||
Add WorkerRef outside of the constructor r=smaug
https://hg.mozilla.org/integration/autoland/rev/2a0e59831157c7fbdc5f386bf8ccf1815c5e2422
https://hg.mozilla.org/mozilla-central/rev/2a0e59831157
Add test r=smaug
https://hg.mozilla.org/integration/autoland/rev/e662ecf354dbdcac92d00f715a925f8c7ddcb6c4
https://hg.mozilla.org/mozilla-central/rev/e662ecf354db
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 96 Branch
|
||
Updated•2 years ago
|
Flags: in-testsuite+
|
||
Updated•2 years ago
|
Flags: qe-verify-
|
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•