Closed Bug 1747526 (CVE-2022-26385) Opened 2 years ago Closed 2 years ago

heap-use-after-free of TaskController

Categories

(Core :: XPCOM, defect)

Tracking

RESOLVED FIXED
99 Branch
Tracking Status
firefox-esr91 - wontfix
firefox97 --- wontfix
firefox98 + fixed
firefox99 + fixed

People

(Reporter: bo13oy, Assigned: nika)

Details

(Keywords: csectype-race, csectype-uaf, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main98+])

Attachments

(2 files, 1 obsolete file)

Tested Version: Ubuntu 64-bit memory 5G + linux64-fuzzing-asan-opt(95.0.1 (64-bit))
[App]
Vendor=Mozilla
Name=Firefox
RemotingName=firefox
CodeName=Nightly
Version=95.0.1
BuildID=20211213184707
SourceStamp=e1e02ca86a8e08d28a750053f51cc30ed144fbb8
ID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[Gecko]
MinVersion=95.0.1
MaxVersion=95.0.1

[XRE]
EnableProfileMigrator=1

There is no way to reproduce the vulnerability, so I cannot provide PoC samples for now. I feel that this is a race condition vulnerability. The conditions for triggering this vulnerability are demanding; it needs a very poorly performing environment in order to trigger. The crash report is as follows:

==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040014e2570 at pc 0x7f72b5aaff3c bp 0x7f729053c4b0 sp 0x7f729053c4a8
READ of size 8 at 0x6040014e2570 thread T57 (MediaTimer #1)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Failed to use and restart external symbolizer!
#0 0x7f72b5aaff3b in mozilla::Task::PriorityCompare::operator()(RefPtr<mozilla::Task> const&, RefPtr<mozilla::Task> const&) const /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286
#1 0x7f72b5aaff3b in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316
#2 0x7f72b5aaff3b in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskController.h:160
#3 0x7f72b5aafc91 in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_get_insert_unique_pos(RefPtr<mozilla::Task> const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2038
#4 0x7f72b5a708ef in mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2091
#5 0x7f72b5a708ef in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511
#6 0x7f72b5a708ef in AddTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:357
#7 0x7f72b5a72422 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504
#8 0x7f72b5a598e2 in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/checkouts/gecko/xpcom/threads/EventQueue.cpp:55
#9 0x7f72b5a7a20d in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventQueue.cpp:121
#10 0x7f72b5a7c168 in mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventTarget.cpp:97
#11 0x7f72b5a892a5 in NS_DispatchToMainThread(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:229
#12 0x7f72b5a6492a in mozilla::SchedulerGroup::InternalUnlabeledDispatch(mozilla::TaskCategory, already_AddRefed<mozilla::SchedulerGroup::Runnable>&&) /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:92
#13 0x7f72b5a64706 in mozilla::SchedulerGroup::LabeledDispatch(mozilla::TaskCategory, already_AddRefed<nsIRunnable>&&, mozilla::PerformanceCounter*) /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:77
#14 0x7f72b5a9f351 in nsThreadPool::ShutdownThread(nsIThread*) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:166
#15 0x7f72b5aa02e5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:319
#16 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169
#17 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
#18 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#19 0x7f72b6dae1f1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
#20 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
#21 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
#22 0x7f72b5a8bd7b in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391
#23 0x7f72d120609e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201
#24 0x7f72d2b26608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#25 0x7f72d26ee292 in clone ??:?
0x6040014e2570 is located 32 bytes inside of 40-byte region [0x6040014e2550,0x6040014e2578)
freed by thread T0 (Web Content) here:
#0 0x55bb39784cb2 in free _asan_rtl_
#1 0x7f72b5a56daa in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51
#2 0x7f72b5a56daa in deallocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:125
#3 0x7f72b5a56daa in deallocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:462
#4 0x7f72b5a56daa in _M_put_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:592
#5 0x7f72b5a56daa in _M_drop_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:659
#6 0x7f72b5a56daa in _M_erase /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1858
#7 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856
#8 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856
#9 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856
#10 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856
#11 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856
#12 0x7f72b5ab0284 in mozilla::TaskController::~TaskController() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:949
#13 0x7f72b5ab0284 in ~set /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:271
#14 0x7f72b5ab0284 in ~TaskController /builds/worker/workspace/obj-build/dist/include/mozilla/TaskController.h:270
#15 0x7f72b5a6dfbc in std::unique_ptr<mozilla::TaskController, std::default_delete<mozilla::TaskController> >::~unique_ptr() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/unique_ptr.h:78
#16 0x7f72b5a6dfbc in ~unique_ptr /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/unique_ptr.h:263
#17 0x7f72d2615a26 in __libc_secure_getenv ??:?
previously allocated by thread T3 (Socket Thread) here:
#0 0x55bb39784f1d in malloc _asan_rtl_
#1 0x55bb397bfb8d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
#2 0x7f72b5aaff62 in std::_Rb_tree_node<RefPtr<mozilla::Task> >* std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node::operator()<RefPtr<mozilla::Task> >(RefPtr<mozilla::Task>&&) const /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33
#3 0x7f72b5aaff62 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111
#4 0x7f72b5aaff62 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436
#5 0x7f72b5aaff62 in _M_get_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:588
#6 0x7f72b5aaff62 in _M_create_node<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:642
#7 0x7f72b5aaff62 in operator()<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:556
#8 0x7f72b5aafd97 in std::_Rb_tree_iterator<RefPtr<mozilla::Task> > std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_insert_<RefPtr<mozilla::Task>, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, RefPtr<mozilla::Task>&&, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1753
#9 0x7f72b5a7092b in _M_insert_unique<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2096
#10 0x7f72b5a7092b in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511
#11 0x7f72b5a7092b in AddTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:357
#12 0x7f72b5a72422 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504
#13 0x7f72b5a598e2 in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/checkouts/gecko/xpcom/threads/EventQueue.cpp:55
#14 0x7f72b5a7a20d in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventQueue.cpp:121
#15 0x7f72b5a7c168 in mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventTarget.cpp:97
#16 0x7f72b5a8ace7 in nsresult detail::ProxyRelease<nsISupports>(char const*, nsIEventTarget*, already_AddRefed<nsISupports>, bool) /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:41
#17 0x7f72b5a8ace7 in ProxyRelease<nsISupports> /builds/worker/checkouts/gecko/xpcom/threads/nsProxyRelease.h:79
#18 0x7f72bc403b6b in nsMainThreadPtrHolder<mozilla::TransceiverImpl>::~nsMainThreadPtrHolder() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:105
#19 0x7f72bc403b6b in NS_ProxyRelease<mozilla::TransceiverImpl> /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:143
#20 0x7f72bc403b6b in ~nsMainThreadPtrHolder /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:279
#21 0x7f72bc4781ee in mozilla::detail::RunnableFunction<mozilla::TransceiverImpl::TransceiverImpl(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::dom::MediaStreamTrack*, mozilla::WebRtcCallWrapper*)::$_98>::~RunnableFunction() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:304
#22 0x7f72bc4781ee in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50
#23 0x7f72bc4781ee in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381
#24 0x7f72bc4781ee in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81
#25 0x7f72bc4781ee in ~nsMainThreadPtrHandle /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:321
#26 0x7f72bc4781ee in ~ /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/TransceiverImpl.cpp:97
#27 0x7f72bc4781ee in ~RunnableFunction /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:522
#28 0x7f72bc4781ee in ~RunnableFunction /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:522
#29 0x7f72b5a7dd95 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:60
#30 0x7f72b5a9226b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:377
#31 0x7f72b5a9226b in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:400
#32 0x7f72b5a9226b in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:696
#33 0x7f72b5a9226b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1185
#34 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
#35 0x7f72b5e5d0b1 in mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:1190
#36 0x7f72b5e5ed0c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() crtstuff.c:?
#37 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169
#38 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
#39 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
Thread T57 (MediaTimer #1) created by T55 (MediaDe~hine #1) here:
#0 0x55bb3976f61c in pthread_create _asan_rtl_
#1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458
#2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533
#3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607
#4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581
#5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163
#6 0x7f72b5a9e859 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155
#7 0x7f72b5a9e859 in PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:120
#8 0x7f72b5aa0ae9 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:357
#9 0x7f72bbc81877 in mozilla::MediaTimer::ScheduleUpdate() /builds/worker/checkouts/gecko/dom/media/MediaTimer.cpp:99
#10 0x7f72bbc81441 in mozilla::MediaTimer::WaitUntil(mozilla::TimeStamp const&, char const*) /builds/worker/checkouts/gecko/dom/media/MediaTimer.cpp:82
#11 0x7f72bba09001 in mozilla::MediaDecoderStateMachine::SetVideoDecodeModeInternal(mozilla::VideoDecodeMode) /builds/worker/checkouts/gecko/dom/media/MediaTimer.h:140
#12 0x7f72bba09001 in SetVideoDecodeModeInternal /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3198
#13 0x7f72bbba2086 in mozilla::detail::RunnableMethodImpl<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(mozilla::VideoDecodeMode), true, (mozilla::RunnableKind)0, mozilla::VideoDecodeMode>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147
#14 0x7f72bbba2086 in apply<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)(mozilla::VideoDecodeMode)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153
#15 0x7f72bbba2086 in Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200
#16 0x7f72b5a6a9d6 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:217
#17 0x7f72b5a77f0d in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208
#18 0x7f72b5a9fc3b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:305
#19 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169
#20 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
#21 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
#22 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
#23 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
#24 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
#25 0x7f72b5a8bd7b in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391
#26 0x7f72d120609e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201
#27 0x7f72d2b26608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
Thread T55 (MediaDe~hine #1) created by T0 (Web Content) here:
#0 0x55bb3976f61c in pthread_create _asan_rtl_
#1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458
#2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533
#3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607
#4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581
#5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163
#6 0x7f72b5a9e859 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155
#7 0x7f72b5a9e859 in PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:120
#8 0x7f72b5aa0ae9 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:357
#9 0x7f72b5a75d23 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:68
#10 0x7f72b5aa8933 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:87
#11 0x7f72b5a6a755 in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:275
#12 0x7f72b5a69b36 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:121
#13 0x7f72b5a6bad9 in mozilla::XPCOMThreadWrapper::MaybeFireTailDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:639
#14 0x7f72b5a6bad9 in MaybeFireTailDispatcher /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:195
#15 0x7f72b5a67fac in non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:133
#16 0x7f72b5a67fac in ?? ??:0
#17 0x7f72b5a92537 in ?? ??:0
#18 0x7f72b5a92537 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199
#19 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
#20 0x7f72b6f2284f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
#21 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
#22 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
#23 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
#24 0x7f72bd5a8567 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
#25 0x7f72c16ff5df in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917
#26 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
#27 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
#28 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
#29 0x7f72c16fe851 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749
#30 0x55bb397b987d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57
#31 0x55bb397b9ca8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
#32 0x7f72d25f30b2 in __libc_start_main ??:?
Thread T3 (Socket Thread) created by T0 (Web Content) here:
#0 0x55bb3976f61c in pthread_create _asan_rtl_
#1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458
#2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533
#3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607
#4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581
#5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163
#6 0x7f72b5e5aaea in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85
#7 0x7f72b5e5aaea in Init /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:760
#8 0x7f72b59ff719 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11443
#9 0x7f72b5a455b6 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177
#10 0x7f72b5a455b6 in GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276
#11 0x7f72b5a4762c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465
#12 0x7f72b5a4d042 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61
#13 0x7f72b5a4d042 in operator() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253
#14 0x7f72b58a6a2d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91
#15 0x7f72b5db45cb in mozilla::net::nsIOService::InitializeSocketTransportService() /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:774
#16 0x7f72b5db45cb in InitializeSocketTransportService /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:421
#17 0x7f72b5db3340 in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:1272
#18 0x7f72b5db1661 in mozilla::net::nsIOService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:305
#19 0x7f72b5db524b in mozilla::net::nsIOService::GetInstance() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:478
#20 0x7f72b5a087b6 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10077
#21 0x7f72b5a455b6 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177
#22 0x7f72b5a455b6 in GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276
#23 0x7f72b5a4762c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465
#24 0x7f72b8035a77 in nsScriptSecurityManager::Init() /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52
#25 0x7f72b8035a77 in Init /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1476
#26 0x7f72b8036019 in nsScriptSecurityManager::InitStatics() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1537
#27 0x7f72b7dc42b7 in nsXPConnect::InitStatics() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:153
#28 0x7f72b7d57f18 in xpcModuleCtor() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCModule.cpp:11
#29 0x7f72be3a5f18 in nsLayoutModuleInitialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:100
#30 0x7f72b5a3d0b6 in nsComponentManagerImpl::Init() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:408
#31 0x7f72b5b025ca in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:446
#32 0x7f72c16fdec7 in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:192
#33 0x7f72b6f689aa in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:?
#34 0x7f72bcdc5c80 in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:157
#35 0x7f72c16fe824 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715
#36 0x55bb397b987d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57
#37 0x55bb397b9ca8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
#38 0x7f72d25f30b2 in __libc_start_main ??:?
SUMMARY: AddressSanitizer: heap-use-after-free (/home/bobo/code/browsers/firefox/libxul.so+0x5525f3b)
Shadow bytes around the buggy address:
0x0c0880294450: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c0880294460: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c0880294470: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c0880294480: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
0x0c0880294490: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
=>0x0c08802944a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd[fd]fa
0x0c08802944b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c08802944c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c08802944d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c08802944e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x0c08802944f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:           00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone:       fa
Freed heap region:       fd
Stack left redzone:      f1
Stack mid redzone:       f2
Stack right redzone:     f3
Stack after return:      f5
Stack use after scope:   f8
Global redzone:          f9
Global init order:       f6
Poisoned by user:        f7
Container overflow:      fc
Array cookie:            ac
Intra object redzone:    bb
ASan internal:           fe
Left alloca redzone:     ca
Right alloca redzone:    cb
==588784==ABORTING

This vulnerability was discovered by bo13oy of Cyber Kunlun Lab.

Thanks.

Flags: sec-bounty?

CodeName=Nightly
Version=95.0.1
BuildID=20211213184707
SourceStamp=e1e02ca86a8e08d28a750053f51cc30ed144fbb8

BuildID doesn't mean much when you create your own builds -- it is just a timestamp from the build. The changeset is much more helpful. This source is from the "mozilla-release" repository, so "Nightly" is incorrect. If it ends up mattering, the specific changeset is just after the 95.0.1 version bump but a couple days before the actual 95.0.1 changes started landing.

You might find the "ASAN Nightly" project interesting: spend less time pulling source and building, more time testing.
https://firefox-source-docs.mozilla.org/tools/sanitizer/asan_nightly.html

rjesup: is this something that your pool threads patch is likely to fix (bug 1746479)?

Unfortunately, without a reproducible testcase we can't simply test it to see. We do have other reports of crashes in TaskController that could all be varying symptoms of that same issue.
https://bugzilla.mozilla.org/buglist.cgi?quicksearch=sum%3Ataskcontroller%20crash

Flags: needinfo?(rjesup)
Group: firefox-core-security → dom-core-security
Component: Security → XPCOM
Product: Firefox → Core

I'd guess the problem is that sSingleton (a unique_ptr<TaskController>) is being accessed by Get() which returns a raw ptr, stored in a register, and while we're calling AddTask(), Shutdown() is called, which calls ShutdownInternal(), which sets sSingleton to nullptr (causing the tree to be freed while AddTask() is running on another thread -> UAF).

This isn't caught by the thread-safety code. We could hold the mGraphMutex when setting sSingleton to null, but that doesn't eliminate the race, which is caused by unlocked multithread access to the singleton. If one is going to use a singleton that way, you need to ensure it's never destroyed (i.e. leak it), or have a global mutex for accessing the singleton (which would get a lot of traffic).

Since this is likely occurring relatively late in content process shutdown, it's probably hard (maybe extremely hard) to exploit, but if it's calling through a freed object, lots of things are possible.

Flags: needinfo?(rjesup) → needinfo?(bas)
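An added illustration of the race described in the previous comment, not Gecko code and not from anyone in this thread: a hypothetical `TaskController` singleton handed out as a raw pointer from a `unique_ptr`, beside the "global mutex for accessing the singleton" option named above, implemented as locked access plus shared ownership so that `Shutdown()` cannot free the object while another thread is still inside `AddTask()`. All names (`racy`, `safe`, `SafeShutdownIsConsistent`) are constructed for this example.

```cpp
#include <atomic>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for mozilla::TaskController; not Gecko code.
struct TaskController {
  std::atomic<long> mTasks{0};
  void AddTask() { mTasks.fetch_add(1, std::memory_order_relaxed); }
};
// The pattern described in the bug: unique_ptr singleton, Get() returning a raw
// pointer, Shutdown() resetting it with no coordination.  A thread still inside
// AddTask() when Shutdown() runs touches freed memory (never exercised below).
namespace racy {
std::unique_ptr<TaskController> sSingleton;
TaskController* Get() { return sSingleton.get(); }
void Shutdown() { sSingleton.reset(); }
}  // namespace racy
// Mitigation of the "global mutex" kind: Get() hands out shared ownership under
// a lock, so the object dies only after Shutdown() *and* every in-flight caller
// release it.  Callers must handle a null handle once shutdown has begun.
namespace safe {
std::mutex sLock;
std::shared_ptr<TaskController> sSingleton;
void Init() { std::lock_guard<std::mutex> g(sLock); sSingleton = std::make_shared<TaskController>(); }
std::shared_ptr<TaskController> Get() { std::lock_guard<std::mutex> g(sLock); return sSingleton; }
void Shutdown() { std::lock_guard<std::mutex> g(sLock); sSingleton.reset(); }
}  // namespace safe

// Races `nthreads` workers posting tasks against Shutdown(); true when every call
// either landed on a live controller or saw the null handle, and the counts agree.
bool SafeShutdownIsConsistent(int nthreads, int iters) {
  safe::Init();
  std::shared_ptr<TaskController> observer = safe::Get();  // keeps it readable
  std::atomic<long> posted{0}, rejected{0};
  std::vector<std::thread> workers;
  for (int t = 0; t < nthreads; ++t) {
    workers.emplace_back([&] {
      for (int i = 0; i < iters; ++i) {
        if (std::shared_ptr<TaskController> tc = safe::Get()) { tc->AddTask(); ++posted; }
        else ++rejected;
      }
    });
  }
  safe::Shutdown();  // may run before, during or after the workers' loops
  for (std::thread& w : workers) w.join();
  return posted + rejected == long(nthreads) * iters && observer->mTasks == posted;
}
```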

This is odd. What's happening here is we're trying to post a Task while TaskController is in the process of being shut down. There aren't meant to be any more threads running when TaskController is destroyed. This should happen very, very late in the shutdown process (https://searchfox.org/mozilla-central/source/xpcom/build/XPCOMInit.cpp#805) after even the IO thread and the message loop are dead. This looks to me like something isn't properly shutting down its threadpool (or at least, shutting it down asynchronously, not blocking until its thread pool has finished shutting down).

Flags: needinfo?(bas)

This also would explain why this only occurs on very poorly performing hardware. Since it must have so few cores that it got a whole bunch of additional main thread shutdown work done without ever scheduling the offending threadpool in order for it to shut down. We can further see here that shutting down threadpools can have a timeout: https://searchfox.org/mozilla-central/source/xpcom/threads/nsThreadPool.cpp#477. If that timeout expires, we ignore the running threads and I guess all bets are off.

I'm not sure there's anything we can do here. TaskController can't block on those threads finishing, and even if it did it would sort of defy the point of the timeout. Personally I'd be inclined to replace that timeout with a MOZ_CRASH()? This was added to prevent shutdown hangs here: https://bugzilla.mozilla.org/show_bug.cgi?id=1500861 but I don't see how at that point a clean shutdown is possible.

I do not believe there's any way this could be exploited, as the UAF runs well after the time we're able to run any web code.

Nathan is no longer here and Valentin is on PTO, Nika, any thoughts on this?

Flags: needinfo?(nika)

MOZ_CRASH seems better than continuing in an unstable-ish state. Or kill the timeout, and let the normal shutdown timeout killer enforce a timeout.

Kris might have thoughts on this as well since she's been touching code related to this.

Flags: needinfo?(kwright)
Flags: needinfo?(kwright)

I had a conversation with :bas on IRC about this, and it's quite an unfortunate situation caused by the async shutdown logic in nsThreadPool conflicting with normal nsThread variants by allowing a nsThread to outlive the nsThreadManager being shut down.

I have a local workaround for this issue which functions by using raw PRThread* within nsThreadPool rather than using a nsThread, which allows us to mark it as PR_UNJOINABLE_THREAD and avoid the thread lifetime requirements. This ends up being quite complex as it requires us to manually handle waiting for thread shutdown in both the timeout and non-timeout cases.

Assignee: nobody → nika
Flags: needinfo?(nika)

This requires reworking the thread pool thread shutdown and startup processes
to handle it manually rather than using nsThread, but simplifies the
implementation of ShutdownWithTimeout substantially.

This change also marks threads in the threadpool as PR_UNJOINABLE_THREAD as
well, which also simplifies the shutdown process by no longer requiring
dispatching to main thread to join dying thread pool threads.

This change introduces a new interface, nsIThreadShutdown, which is used
to handle the relevant state for communicating thread shutdown state
between the joining and terminating threads. This type is now returned
from nsIThread::AsyncShutdown and can be used to register callbacks
for when thread shutdown is complete, as well as cancel shutdown
entirely, leading to the underlying PRThread never being joined using
PR_JoinThread. This leaking limitation may be avoidable if support for
detaching PRThreads is added to NSPR, or nsThread switches to a more
feature-complete threading API.

This patch also uses the new interface to rework nsThreadPool's Shutdown
and ShutdownWithTimeout methods to avoid poking at nsThread internals
and instead use the publicly facing methods. This allows us to start
async shutdown for all threads and spin the event loop until they all
complete, or a timeout timer fires.

Return a handle from asyncShutdown to observe and cancel thread shutdown progress, r=xpcom-reviewers,KrisWright
https://hg.mozilla.org/integration/autoland/rev/6dd8bcfb8ea79a781ec7ba9d3b6073ea8229db8c
https://hg.mozilla.org/mozilla-central/rev/6dd8bcfb8ea7

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch

This grafts cleanly to Beta but would need a rebased patch for ESR91 if we intend to uplift there as well. Not sure if we need that or not, however, given the severity and difficulty in reproducing?

Attachment #9258749 - Attachment is obsolete: true

I'm not sure this is possible to exploit in release ESR builds because we'll have configured fastShutdownStage to 1 (https://searchfox.org/mozilla-esr91/rev/66183494c0f67d3c84db215390bb49ba9101f2e7/modules/libpref/init/StaticPrefList.yaml#10947), which means that we'll exit the browser from here: https://searchfox.org/mozilla-esr91/rev/66183494c0f67d3c84db215390bb49ba9101f2e7/xpcom/build/XPCOMInit.cpp#714-715, which is well before we ever actually shut down TaskController and enable this UAF (https://searchfox.org/mozilla-esr91/rev/66183494c0f67d3c84db215390bb49ba9101f2e7/xpcom/build/XPCOMInit.cpp#802).

It would also be quite difficult to exploit due to needing to run during shutdown after having a DNS thread hang for just the right amount of time.

Flags: needinfo?(nika)

The patch landed in nightly and beta is affected.
:nika, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(nika)
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]
Flags: sec-bounty? → sec-bounty+

Comment on attachment 9259182 [details]
Bug 1747526 - Return a handle from asyncShutdown to observe and cancel thread shutdown progress, r=#xpcom-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Users may continue to encounter a UAF out of TaskController and a few other threads utilizing ShutdownWithTimeout.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This fix seems to work on our threads - the bigger risk is letting ShutdownWithTimeout threads continue to leak randomly because they're not being handled.
  • String changes made/needed:
Attachment #9259182 - Flags: approval-mozilla-beta?

Comment on attachment 9259182 [details]
Bug 1747526 - Return a handle from asyncShutdown to observe and cancel thread shutdown progress, r=#xpcom-reviewers

Approved for our last 98 beta, thanks.

Attachment #9259182 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(nika)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main98+]
Alias: CVE-2022-26385
Group: core-security-release