Closed
Bug 1765951
(CVE-2022-34470)
Opened 3 years ago
Closed 2 years ago
heap-use-after-free in nsSHistory
Categories
(Core :: DOM: Navigation, defect, P2)
Core
DOM: Navigation
Tracking
()
VERIFIED
FIXED
103 Branch
People
(Reporter: arminius, Assigned: peterv)
References
Details
(Keywords: csectype-uaf, reporter-external, sec-high, Whiteboard: [STR in comment 8][adv-main102+][adv-esr91.11+])
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
|
147 bytes,
text/plain
|
Details |
Particular history navigation may cause a heap-use-after-free due to the (root) session history dereferencing a dead BC.
I suspect the issue is connected to how an error representation replaces the active document when a transformation via an XSLT sheet fails.
Edit: The XSLT issue was in fact unconnected to the UAF and moved to a different bug.
The ASAN reports below show a UAF on a local nightly build with fission disabled, and on ESR 91.9 with default settings. (There's still buggy behavior with fission, but I can't tell yet if there are similar potential consequences given the right testcase.)
- local mozilla-central build rev
fb7973567facwith--disable-fission:
==659463==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00020d420 at pc 0x7fe868ccdde9 bp 0x7fffec58b020 sp 0x7fffec58b018
READ of size 8 at 0x61a00020d420 thread T0
#0 0x7fe868ccdde8 in get /m-c/obj-asan/dist/include/mozilla/RefPtr.h:286:27
#1 0x7fe868ccdde8 in operator mozilla::dom::WindowContext * /m-c/obj-asan/dist/include/mozilla/RefPtr.h:299:12
#2 0x7fe868ccdde8 in Children /m-c/docshell/base/BrowsingContext.cpp:1031:32
#3 0x7fe868ccdde8 in mozilla::dom::BrowsingContext::GetChildren(nsTArray<RefPtr<mozilla::dom::BrowsingContext> >&) /m-c/docshell/base/BrowsingContext.cpp:1039:28
#4 0x7fe868ec22fe in nsSHistory::LoadDifferingEntries(nsISHEntry*, nsISHEntry*, mozilla::dom::BrowsingContext*, long, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool, int) /m-c/docshell/shistory/nsSHistory.cpp:2165:12
#5 0x7fe868eba169 in nsSHistory::LoadEntry(int, long, unsigned int, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool, bool) /m-c/docshell/shistory/nsSHistory.cpp:2123:26
#6 0x7fe868ec0761 in GotoIndex /m-c/docshell/shistory/nsSHistory.cpp:2005:10
#7 0x7fe868ec0761 in nsSHistory::GotoIndex(int, bool) /m-c/docshell/shistory/nsSHistory.cpp:1985:17
#8 0x7fe868e83390 in mozilla::dom::ChildSHistory::GotoIndex(int, int, bool, bool, mozilla::ErrorResult&) /m-c/docshell/shistory/ChildSHistory.cpp:219:21
#9 0x7fe868e82b8f in mozilla::dom::ChildSHistory::Go(int, bool, bool, mozilla::ErrorResult&) /m-c/docshell/shistory/ChildSHistory.cpp:167:3
#10 0x7fe868d1cbdb in nsDocShell::GoBack(bool, bool) /m-c/docshell/base/nsDocShell.cpp:3400:11
#11 0x7fe85a97ffd5 in NS_InvokeByIndex /m-c/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#12 0x7fe85c5d3b52 in Invoke /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1626:10
#13 0x7fe85c5d3b52 in Call /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1179:19
#14 0x7fe85c5d3b52 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1125:23
#15 0x7fe85c5d9985 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /m-c/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:963:10
#16 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#17 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#18 0x7fe86a2c4dc8 in CallFromStack /m-c/js/src/vm/Interpreter.cpp:571:10
#19 0x7fe86a2c4dc8 in Interpret(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:3293:16
#20 0x7fe86a2af6f8 in js::RunScript(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:389:13
#21 0x7fe86a2d9470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:539:13
#22 0x7fe86a2dbbc5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:584:8
#23 0x7fe86a409180 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /m-c/js/src/vm/CallAndConstruct.cpp:117:10
#24 0x7fe86021864c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /m-c/obj-asan/dom/bindings/EventHandlerBinding.cpp:283:37
#25 0x7fe861444140 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /m-c/obj-asan/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#26 0x7fe861444140 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /m-c/dom/events/JSEventHandler.cpp:201:12
#27 0x7fe8613fc006 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /m-c/dom/events/EventListenerManager.cpp:1316:22
#28 0x7fe8613fe005 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /m-c/dom/events/EventListenerManager.cpp:1507:17
#29 0x7fe8614568ce in HandleEvent /m-c/dom/events/EventListenerManager.h:395:5
#30 0x7fe8614568ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /m-c/dom/events/EventDispatcher.cpp:348:17
#31 0x7fe8613e4e98 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /m-c/dom/events/EventDispatcher.cpp:550:16
#32 0x7fe8613ea74d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /m-c/dom/events/EventDispatcher.cpp:1119:11
#33 0x7fe8613f0b99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /m-c/dom/events/EventDispatcher.cpp
#34 0x7fe85e1c15aa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /m-c/dom/base/nsINode.cpp:1354:17
#35 0x7fe86140f663 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /m-c/dom/events/EventTarget.cpp:186:13
#36 0x7fe85dac74d9 in nsContentUtils::DispatchXULCommand(nsIContent*, bool, mozilla::dom::Event*, mozilla::PresShell*, bool, bool, bool, bool, unsigned short, short) /m-c/dom/base/nsContentUtils.cpp:6351:12
#37 0x7fe863f70da4 in nsXULElement::DispatchXULCommand(mozilla::EventChainVisitor const&, nsTAutoStringN<char16_t, 64ul>&) /m-c/dom/xul/nsXULElement.cpp:935:5
#38 0x7fe863f71616 in nsXULElement::PreHandleEvent(mozilla::EventChainVisitor&) /m-c/dom/xul/nsXULElement.cpp:983:12
#39 0x7fe8613e8e66 in PreHandleEvent /m-c/dom/events/EventDispatcher.cpp:436:22
#40 0x7fe8613e8e66 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /m-c/dom/events/EventDispatcher.cpp:921:16
#41 0x7fe8613f0b99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /m-c/dom/events/EventDispatcher.cpp
#42 0x7fe85e1c15aa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /m-c/dom/base/nsINode.cpp:1354:17
#43 0x7fe86027a6bb in mozilla::dom::EventTarget_Binding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /m-c/obj-asan/dom/bindings/EventTargetBinding.cpp:851:36
#44 0x7fe860840149 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /m-c/dom/bindings/BindingUtils.cpp:3270:13
#45 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#46 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#47 0x7fe86b4c8032 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /m-c/js/src/jit/BaselineIC.cpp:1582:10
#48 0x15d0e33eddc7 (<unknown module>)
0x61a00020d420 is located 928 bytes inside of 1368-byte region [0x61a00020d080,0x61a00020d5d8)
freed by thread T0 here:
#0 0x55c9e7e4a862 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
#1 0x7fe85a72b473 in MaybeKillObject /m-c/xpcom/base/nsCycleCollector.cpp:2419:29
#2 0x7fe85a72b473 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /m-c/xpcom/base/nsCycleCollector.cpp:2444:9
#3 0x7fe85a716d55 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /m-c/xpcom/base/nsCycleCollector.cpp:939:23
#4 0x7fe85a6fb438 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /m-c/xpcom/base/nsCycleCollector.cpp:2612:14
#5 0x7fe85c595002 in AsyncFreeSnowWhite::Run() /m-c/js/xpconnect/src/XPCJSRuntime.cpp:150:9
#6 0x7fe85a9493d9 in IdleRunnableWrapper::Run() /m-c/xpcom/threads/nsThreadUtils.cpp:309:22
#7 0x7fe85a94b600 in mozilla::RunnableTask::Run() /m-c/xpcom/threads/TaskController.cpp:467:16
#8 0x7fe85a900483 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:780:26
#9 0x7fe85a8fd1f5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:654:15
#10 0x7fe85a8fd5ef in mozilla::TaskController::ProcessPendingMTTask(bool) /m-c/xpcom/threads/TaskController.cpp:390:36
#11 0x7fe85a93d9f1 in operator() /m-c/xpcom/threads/TaskController.cpp:124:37
#12 0x7fe85a93d9f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /m-c/obj-asan/dist/include/nsThreadUtils.h:531:5
#13 0x7fe85a924517 in nsThread::ProcessNextEvent(bool, bool*) /m-c/xpcom/threads/nsThread.cpp:1180:16
#14 0x7fe85a92f4f1 in NS_ProcessNextEvent(nsIThread*, bool) /m-c/xpcom/threads/nsThreadUtils.cpp:465:10
#15 0x7fe85c275ba6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /m-c/ipc/glue/MessagePump.cpp:85:21
#16 0x7fe85c0c96b2 in RunInternal /m-c/ipc/chromium/src/base/message_loop.cc:380:10
#17 0x7fe85c0c96b2 in RunHandler /m-c/ipc/chromium/src/base/message_loop.cc:373:3
#18 0x7fe85c0c96b2 in MessageLoop::Run() /m-c/ipc/chromium/src/base/message_loop.cc:355:3
#19 0x7fe86470715a in nsBaseAppShell::Run() /m-c/widget/nsBaseAppShell.cpp:137:27
#20 0x7fe869c33ca9 in nsAppStartup::Run() /m-c/toolkit/components/startup/nsAppStartup.cpp:295:30
#21 0x7fe869ef16ad in XREMain::XRE_mainRun() /m-c/toolkit/xre/nsAppRunner.cpp:5746:22
#22 0x7fe869ef36ef in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /m-c/toolkit/xre/nsAppRunner.cpp:5931:8
#23 0x7fe869ef46a0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /m-c/toolkit/xre/nsAppRunner.cpp:5998:21
#24 0x55c9e7e7fc47 in do_main /m-c/browser/app/nsBrowserApp.cpp:225:22
#25 0x55c9e7e7fc47 in main /m-c/browser/app/nsBrowserApp.cpp:395:16
#26 0x7fe875aea30f in __libc_start_call_main libc-start.c
previously allocated by thread T0 here:
#0 0x55c9e7e4aacd in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x55c9e7e840bd in moz_xmalloc /m-c/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7fe868cbe1d6 in operator new /m-c/obj-asan/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7fe868cbe1d6 in mozilla::dom::BrowsingContext::CreateDetached(nsGlobalWindowInner*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext::Type, bool, bool) /m-c/docshell/base/BrowsingContext.cpp:431:15
#4 0x7fe85e15721c in CreateBrowsingContext(mozilla::dom::Element*, nsIOpenWindowInfo*, mozilla::dom::BrowsingContextGroup*, bool) /m-c/dom/base/nsFrameLoader.cpp
#5 0x7fe85e15765a in nsFrameLoader::Recreate(mozilla::dom::Element*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, mozilla::dom::NavigationIsolationOptions const&, bool, bool, bool) /m-c/dom/base/nsFrameLoader.cpp:496:15
#6 0x7fe85e17d264 in nsFrameLoaderOwner::ChangeRemotenessCommon(nsFrameLoaderOwner::ChangeRemotenessContextType const&, mozilla::dom::NavigationIsolationOptions const&, bool, bool, mozilla::dom::BrowsingContextGroup*, std::function<void ()>&, mozilla::ErrorResult&) /m-c/dom/base/nsFrameLoaderOwner.cpp:168:20
#7 0x7fe85e17eb84 in nsFrameLoaderOwner::ChangeRemoteness(mozilla::dom::RemotenessOptions const&, mozilla::ErrorResult&) /m-c/dom/base/nsFrameLoaderOwner.cpp:272:3
#8 0x7fe85fe20e9d in mozilla::dom::XULFrameElement_Binding::changeRemoteness(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /m-c/obj-asan/dom/bindings/XULFrameElementBinding.cpp:517:24
#9 0x7fe86083bf12 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /m-c/dom/bindings/BindingUtils.cpp:3270:13
#10 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#11 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#12 0x7fe86a2c4dc8 in CallFromStack /m-c/js/src/vm/Interpreter.cpp:571:10
#13 0x7fe86a2c4dc8 in Interpret(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:3293:16
#14 0x7fe86a2af6f8 in js::RunScript(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:389:13
#15 0x7fe86a2d9470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:539:13
#16 0x7fe86a2dbbc5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:584:8
#17 0x7fe86a406e5e in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /m-c/js/src/vm/CallAndConstruct.cpp:53:10
#18 0x7fe85c5c2b9f in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /m-c/js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
#19 0x7fe85a98160c in PrepareAndDispatch /m-c/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#20 0x7fe85a98052a in SharedStub xptcstubs_x86_64_linux.cpp
#21 0x7fe85a78bbe0 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /m-c/xpcom/ds/nsObserverList.cpp:70:19
#22 0x7fe85a7bb0b0 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /m-c/xpcom/ds/nsObserverService.cpp:292:19
#23 0x7fe86371b9fa in mozilla::dom::ContentParent::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /m-c/dom/ipc/ContentParent.cpp:2062:10
#24 0x7fe85c2ae763 in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /m-c/ipc/glue/ProtocolUtils.cpp:577:3
#25 0x7fe863a173a2 in mozilla::dom::PContentParent::OnChannelError() /m-c/obj-asan/ipc/ipdl/PContentParent.cpp:16719:5
#26 0x7fe86371a035 in mozilla::dom::ContentParent::OnChannelError() /m-c/dom/ipc/ContentParent.cpp:1949:19
#27 0x7fe85c26fff4 in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /m-c/ipc/glue/MessageChannel.cpp:1982:3
#28 0x7fe85c2a3d7f in applyImpl<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /m-c/obj-asan/dist/include/nsThreadUtils.h:1147:12
#29 0x7fe85c2a3d7f in apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /m-c/obj-asan/dist/include/nsThreadUtils.h:1153:12
#30 0x7fe85c2a3d7f in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /m-c/obj-asan/dist/include/nsThreadUtils.h:1200:13
#31 0x7fe85a94b600 in mozilla::RunnableTask::Run() /m-c/xpcom/threads/TaskController.cpp:467:16
#32 0x7fe85a900483 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:780:26
#33 0x7fe85a8fced8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:612:15
#34 0x7fe85a8fd5ef in mozilla::TaskController::ProcessPendingMTTask(bool) /m-c/xpcom/threads/TaskController.cpp:390:36
SUMMARY: AddressSanitizer: heap-use-after-free /m-c/obj-asan/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
0x0c3480039a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3480039a80: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039ab0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c3480039ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480039ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==659463==ABORTING
mozilla-esr91.revision.7de26aa38d0d1ac5339bc1794cd55582651d410a.firefox.linux64-asan-opt:
==1134023==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000b3e05c at pc 0x7f0f89a32079 bp 0x7ffcdba155b0 sp 0x7ffcdba155a8
READ of size 2 at 0x61a000b3e05c thread T0
#0 0x7f0f89a32078 in IsDiscarded /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:301:37
#1 0x7f0f89a32078 in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit(mozilla::dom::BrowsingContext*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/SyncedContextInlines.h:92:7
#2 0x7f0f89bcfe3a in SetHistoryEntryCount /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:227:3
#3 0x7f0f89bcfe3a in operator() /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1057:22
#4 0x7f0f89bcfe3a in std::_Function_handler<void (mozilla::dom::BrowsingContext*), nsSHistory::PurgeHistory(int)::$_5>::_M_invoke(std::_Any_data const&, mozilla::dom::BrowsingContext*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
#5 0x7f0f89a3f82b in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
#6 0x7f0f89a3f82b in mozilla::dom::BrowsingContext::PreOrderWalkVoid(std::function<void (mozilla::dom::BrowsingContext*)> const&) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1027:3
#7 0x7f0f89bbabb7 in PreOrderWalk<(lambda at /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1055:27)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:496:7
#8 0x7f0f89bbabb7 in nsSHistory::PurgeHistory(int) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1055:14
#9 0x7f0f7ff49e31 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f0f818e7c29 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
#11 0x7f0f818e7c29 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
#12 0x7f0f818e7c29 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
#13 0x7f0f818ec60c in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:922:10
#14 0x7f0f8a7aed11 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#15 0x7f0f8a7aed11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#16 0x7f0f8b53815e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1595:10
#17 0x2daaf004ad87 (<unknown module>)
0x61a000b3e05c is located 988 bytes inside of 1176-byte region [0x61a000b3dc80,0x61a000b3e118)
Thread T74 (WRRenderBackend) created by T26 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f8d3cbc4f in std::sys::unix::thread::Thread::new::hfcb67ed381ed8607 gkrust.3qd15s5o-cgu.0
#2 0x7f0f8e970920 in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1665:36
#3 0x7f0f826cfb0e in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:157:10
#4 0x7f0f8269ff4e in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:414:11 r
#5 0x7f0f826b6636 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RendaerThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#6 0x7f0f826b639b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#7 0x7f0f826b639b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#8 0x7f0f80ecf649 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:454:11
#9 0x7f0f80ed02de in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:463:5
#10 0x7f0f80ed0b6b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:538:13
#11 0x7f0f80ed1e26 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#12 0x7f0f80ecf241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#13 0x7f0f80ecf241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#14 0x7f0f80ecf241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#15 0x7f0f80eed8ea in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
#16 0x7f0f80ee151c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#17 0x7f0f9e0145c1 in start_thread pthread_create.c
Thread T26 created by T0 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f80edb37c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7f0f80edb37c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7f0f80eed11d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:93:8
#4 0x7f0f8269ae4a in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:91:16
#5 0x7f0f82402089 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1331:7
#6 0x7f0f823fd943 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:971:3
#7 0x7f0f823fc35b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:481:5
#8 0x7f0f86cf2a6c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1851:25
#9 0x7f0f7ff49e31 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f0f818e7c29 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
#11 0x7f0f818e7c29 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
#12 0x7f0f818e7c29 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
#13 0x7f0f818ed04e in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1461:12
#14 0x7f0f818ed04e in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:962:10
#15 0x7f0f8a7aed11 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#16 0x7f0f8a7aed11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#17 0x7f0f8a7b090b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#18 0x7f0f8a7b1bbb in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:713:10
#19 0x7f0f8acb0be2 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2040:12
#20 0x7f0f8acb0be2 in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2068:12
#21 0x7f0f8acb0be2 in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2214:14
#22 0x7f0f8acb0be2 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2245:10
#23 0x7f0f8a79d6fe in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
#24 0x7f0f8a79d6fe in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:419:10
#25 0x7f0f8a79d6fe in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:505:10
#26 0x7f0f8a79d6fe in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3040:12
#27 0x7f0f8a780547 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
#28 0x7f0f8a7aedf5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
#29 0x7f0f8a7b090b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#30 0x7f0f8a8e491c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2722:10
#31 0x7f0f818d9359 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
#32 0x7f0f7ff4b7c2 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#33 0x7f0f7ff4a54a in SharedStub xptcstubs_x86_64_linux.cpp
#34 0x7f0f7feb6210 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
#35 0x7f0f8a591fc9 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:982:11
#36 0x7f0f8a56dab8 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4998:18
#37 0x7f0f8a570afc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5434:8
#38 0x7f0f8a5718b3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5493:21
#39 0x55cb5aa8bd3f in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
#40 0x55cb5aa8bd3f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:16
#41 0x7f0f9dfb430f in __libc_start_call_main libc-start.c
Thread T72 (WRSceneBuilder#) created by T26 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f8d3cbc4f in std::sys::unix::thread::Thread::new::hfcb67ed381ed8607 gkrust.3qd15s5o-cgu.0
#2 0x7f0f8e970920 in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1665:36
#3 0x7f0f826cfb0e in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:157:10
#4 0x7f0f8269ff4e in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:414:11
#5 0x7f0f826b6636 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#6 0x7f0f826b639b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#7 0x7f0f826b639b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#8 0x7f0f80ecf649 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:454:11
#9 0x7f0f80ed02de in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:463:5
#10 0x7f0f80ed0b6b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:538:13
#11 0x7f0f80ed1e26 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#12 0x7f0f80ecf241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#13 0x7f0f80ecf241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#14 0x7f0f80ecf241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#15 0x7f0f80eed8ea in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
#16 0x7f0f80ee151c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#17 0x7f0f9e0145c1 in start_thread pthread_create.c
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:301:37 in IsDiscarded
Shadow bytes around the buggy address:
0x0c348015fbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c348015fc00: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0c348015fc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fc20: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1134023==ABORTING
I don't have a reliable testcase available yet, but I'll keep investigating and follow up.
Flags: sec-bounty?
|
||
Updated•3 years ago
|
Group: core-security → dom-core-security
Keywords: csectype-uaf
|
|
||
Comment 1•3 years ago
|
||
Looks like nsSHistory::mRootBC isn't getting cleared in some circumstance. The free stack doesn't look related to the use stack, so I don't think it is an issue of needing to root the BC from the use stack.
|
|
||
Comment 2•3 years ago
|
||
XSLT and nsSHistory? Sounds like something Peter could look at. :)
Flags: needinfo?(peterv)
|
||
Updated•2 years ago
|
Keywords: testcase-wanted
|
|
||
Comment 3•2 years ago
|
||
Setting a needinfo? on the reporter to signal we need more info to make any progress
Even an "unreliable testcase" would be useful: we can run it multiple times and if it does reproduce, preserve that run in Pernosco.
Flags: needinfo?(armin)
| Comment hidden (obsolete) |
| Comment hidden (obsolete) |
|
||
Comment 6•2 years ago
|
||
|
Assignee | |
Updated•2 years ago
|
Assignee: nobody → peterv
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
|
Assignee | |
Comment 7•2 years ago
|
||
|
Reporter | |
Comment 8•2 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #6)
a testcase triggering the crash mentioned in comment 0 would be still very nice. The testcases in comment 4 and comment 5 are showing mostly different issues.
These steps reproduce the UAF for me on ESR 91.10.0 (m-e-20220509165252-asan-opt):
- Go to
http://example.com/. - Go to
http://example.com/foo. - Go to
about:tabcrashed. - Go back two history entries at once (e.g. right-click the back arrow and choose the second-last entry).
- Go forward two entries.
- GC (e.g. via
about:memoryin a separate tab). - Press the reload or back button (possibly try a few times).
- A crash similar to the one below occurs.
==78268==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000176a80 at pc 0x7fc8c7911fb6 bp 0x7ffce1c2e610 sp 0x7ffce1c2e608
READ of size 8 at 0x61a000176a80 thread T0
#0 0x7fc8c7911fb5 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:39
#1 0x7fc8c7911fb5 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:380:35
#2 0x7fc8c7911fb5 in assign_with_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:60:7
#3 0x7fc8c7911fb5 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:190:5
#4 0x7fc8c7911fb5 in nsSHistory::InitiateLoad(nsISHEntry*, mozilla::dom::BrowsingContext*, long, nsTArray<nsSHistory::LoadEntryResult>&, bool) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:2149:32
#5 0x7fc8c790bdfd in nsSHistory::LoadEntry(int, long, unsigned int, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:2046:5
#6 0x7fc8c790b2c2 in nsSHistory::Reload(unsigned int, nsTArray<nsSHistory::LoadEntryResult>&) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1364:17
#7 0x7fc8c790ac66 in nsSHistory::Reload(unsigned int) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1325:17
#8 0x7fc8c78df815 in mozilla::dom::ChildSHistory::Reload(unsigned int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/docshell/shistory/ChildSHistory.cpp:124:19
#9 0x7fc8c179bf9b in mozilla::dom::ChildSHistory_Binding::reload(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ChildSHistoryBinding.cpp:218:24
#10 0x7fc8c2474279 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3297:13
#11 0x7fc8c84fb131 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#12 0x7fc8c84fb131 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#13 0x7fc8c84e2dae in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:575:10
#14 0x7fc8c84e2dae in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3226:16
#15 0x7fc8c84cc967 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
#16 0x7fc8c84fb215 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
#17 0x7fc8c84fcd2b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#18 0x7fc8c8631a3b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2785:10
#19 0x7fc8c11117c4 in mozilla::dom::MessageListener::ReceiveMessage(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/MessageManagerBinding.cpp:6097:8
#20 0x7fc8c435e1f8 in mozilla::dom::MessageListener::ReceiveMessage(mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MessageManagerBinding.h:783:12
#21 0x7fc8c435ddb8 in mozilla::dom::JSActor::CallReceiveMessage(JSContext*, mozilla::dom::JSActorMessageMeta const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActor.cpp:271:22
#22 0x7fc8c435e47f in mozilla::dom::JSActor::ReceiveMessage(JSContext*, mozilla::dom::JSActorMessageMeta const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActor.cpp:284:3
#23 0x7fc8c4364409 in mozilla::dom::JSActorManager::ReceiveRawMessage(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&) /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActorManager.cpp:192:14
#24 0x7fc8c437a440 in operator() /builds/worker/checkouts/gecko/dom/ipc/jsactor/JSActor.cpp:358:22
#25 0x7fc8c437a440 in mozilla::detail::RunnableFunction<mozilla::dom::JSActor::SendRawMessageInProcess(mozilla::dom::JSActorMessageMeta const&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, mozilla::Maybe<mozilla::dom::ipc::StructuredCloneData>&&, std::function<already_AddRefed<mozilla::dom::JSActorManager> ()>&&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
#26 0x7fc8bdc5872a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
#27 0x7fc8bdc28c4b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
#28 0x7fc8bdc268f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
#29 0x7fc8bdc2700d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
#30 0x7fc8bdc608e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
#31 0x7fc8bdc608e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532:5
#32 0x7fc8bdc41e9f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
#33 0x7fc8bdc4c16c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#34 0x7fc8becf6bdf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#35 0x7fc8bec0c241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#36 0x7fc8bec0c241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#37 0x7fc8bec0c241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#38 0x7fc8c4a6e3a7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#39 0x7fc8c80b7a97 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
#40 0x7fc8c82bade2 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5249:22
#41 0x7fc8c82bcf0c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5434:8
#42 0x7fc8c82bdcc3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5493:21
#43 0x5588e1afad3f in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
#44 0x5588e1afad3f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:16
#45 0x7fc8dbe1030f in __libc_start_call_main libc-start.c
#46 0x7fc8dbe103c0 in __libc_start_main@GLIBC_2.2.5 (/usr/lib/libc.so.6+0x2d3c0)
#47 0x5588e1a4b6bc in _start (/m-e-20220509165252-asan-opt/firefox+0x566bc)
0x61a000176a80 is located 0 bytes inside of 1288-byte region [0x61a000176a80,0x61a000176f88)
freed by thread T0 here:
#0 0x5588e1ac64b2 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
#1 0x7fc8bdaaafc5 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2451:9
#2 0x7fc8bda8cd9d in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:954:27
#3 0x7fc8bda8d5ce in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2619:14
#4 0x7fc8bf5e8cb3 in AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:146:9
#5 0x7fc8bdc57a89 in IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:310:22
#6 0x7fc8bdc5872a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
#7 0x7fc8bdc28c4b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
#8 0x7fc8bdc26c2a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#9 0x7fc8bdc2700d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
#10 0x7fc8bdc608b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#11 0x7fc8bdc608b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532:5
#12 0x7fc8bdc41e9f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
#13 0x7fc8bdc4c16c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#14 0x7fc8becf6bea in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#15 0x7fc8bec0c241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#16 0x7fc8bec0c241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#17 0x7fc8bec0c241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#18 0x7fc8c4a6e3a7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#19 0x7fc8c80b7a97 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
#20 0x7fc8c82bade2 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5249:22
#21 0x7fc8c82bcf0c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5434:8
#22 0x7fc8c82bdcc3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5493:21
#23 0x5588e1afad3f in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
#24 0x5588e1afad3f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:16
#25 0x7fc8dbe1030f in __libc_start_call_main libc-start.c
previously allocated by thread T0 here:
#0 0x5588e1ac671d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x5588e1b00a3d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7fc8c7782f6b in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7fc8c7782f6b in mozilla::dom::BrowsingContext::CreateDetached(nsGlobalWindowInner*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext::Type, bool) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:413:15
#4 0x7fc8c0b41033 in CreateBrowsingContext(mozilla::dom::Element*, nsIOpenWindowInfo*, mozilla::dom::BrowsingContextGroup*, bool) /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:349:12
#5 0x7fc8c0b416a1 in nsFrameLoader::Recreate(mozilla::dom::Element*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, mozilla::dom::RemotenessChangeOptions const&, bool, bool, bool) /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:499:15
#6 0x7fc8c0b5f490 in nsFrameLoaderOwner::ChangeRemotenessCommon(nsFrameLoaderOwner::ChangeRemotenessContextType const&, mozilla::dom::RemotenessChangeOptions const&, bool, bool, mozilla::dom::BrowsingContextGroup*, std::function<void ()>&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsFrameLoaderOwner.cpp:163:20
#7 0x7fc8c0b60a49 in nsFrameLoaderOwner::ChangeRemotenessToProcess(mozilla::dom::ContentParent*, mozilla::dom::RemotenessChangeOptions const&, mozilla::dom::BrowsingContextGroup*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsFrameLoaderOwner.cpp:284:3
#8 0x7fc8c77c96ea in mozilla::dom::CanonicalBrowsingContext::PendingRemotenessChange::FinishTopContent() /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1485:21
#9 0x7fc8c77c920a in mozilla::dom::CanonicalBrowsingContext::PendingRemotenessChange::Finish() /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1415:43
#10 0x7fc8c78a2e73 in operator() /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1400:45
#11 0x7fc8c78a2e73 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1400:9), void ((lambda at /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1400:9)::*)(bool) const, bool> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:630:12
#12 0x7fc8c78a2e73 in InvokeCallbackMethod<false, (lambda at /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1400:9), void ((lambda at /builds/worker/checkouts/gecko/docshell/base/CanonicalBrowsingContext.cpp:1400:9)::*)(bool) const, bool, RefPtr<mozilla::MozPromise<bool, nsresult, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:661:5
#13 0x7fc8c78a2e73 in mozilla::MozPromise<bool, nsresult, true>::ThenValue<mozilla::dom::CanonicalBrowsingContext::PendingRemotenessChange::ProcessReady()::$_34, mozilla::dom::CanonicalBrowsingContext::PendingRemotenessChange::ProcessReady()::$_35>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, nsresult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:846:9
#14 0x7fc8becb8153 in mozilla::MozPromise<bool, nsresult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21
#15 0x7fc8bdc5872a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
#16 0x7fc8bdc28c4b in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
#17 0x7fc8bdc268f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
#18 0x7fc8bdc2700d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
#19 0x7fc8bdc608b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#20 0x7fc8bdc608b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532:5
#21 0x7fc8bdc41e9f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
#22 0x7fc8bdc4c16c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#23 0x7fc8becf6bea in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#24 0x7fc8bec0c241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#25 0x7fc8bec0c241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#26 0x7fc8bec0c241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#27 0x7fc8c4a6e3a7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#28 0x7fc8c80b7a97 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
#29 0x7fc8c82bade2 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5249:22
#30 0x7fc8c82bcf0c in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5434:8
#31 0x7fc8c82bdcc3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5493:21
#32 0x5588e1afad3f in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
#33 0x5588e1afad3f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:16
#34 0x7fc8dbe1030f in __libc_start_call_main libc-start.c
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:39 in AddRef
Shadow bytes around the buggy address:
0x0c3480026d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480026d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480026d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480026d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480026d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3480026d50:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480026d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480026d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480026d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480026d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480026da0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==78268==ABORTING
|
|
Assignee | |
Comment 9•2 years ago
|
||
I can reproduce that on the ESR build but not on a nightly ASAN build. All the other issues talk about XSLT, but this looks like a different situation. I'm going to move the XSLT issues to a separate bug, I could only ever trigger a null-crash with those.
|
|
Reporter | |
Comment 10•2 years ago
|
||
(In reply to Peter Van der Beken [:peterv] from comment #9)
All the other issues talk about XSLT, but this looks like a different situation.
Yes, you're totally right. I had conflated two separate bugs here - sorry for the confusion! Curiously, the crashing XSLT pages were what primed my session history to trigger the UAF, so I had initially assumed the bugs were related.
I'm going to move the XSLT issues to a separate bug, I could only ever trigger a null-crash with those.
I went ahead and filed bug 1769155 with the CC list from here - hope it makes sense this way. Since I can't edit my own bugs/comments, I won't be able to clean this one up though.
|
|
Reporter | |
Comment 11•2 years ago
|
||
(In reply to Peter Van der Beken [:peterv] from comment #9)
I can reproduce that on the ESR build but not on a nightly ASAN build.
With the steps from comment 8, I got the UAF reported on
- current ESR (
m-e-20220516145129-asan-opt) - current release with fission disabled (
m-r-20220516184602-asan-opt) - nightly with fission disabled <=
m-c-20220419034149-asan-opt.
It did not trigger in ASAN nightly builds from 2022-04-20 onwards.
|
|
||
Updated•2 years ago
|
See Also: → CVE-2022-38472
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 12•2 years ago
|
||
Comment on attachment 9276277 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r?smaug!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not very easily I think.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: Shouldn't cause regressions, just stops us from crashing with UAF under certain conditions.
- Is Android affected?: Yes
Flags: needinfo?(peterv)
Attachment #9276277 -
Flags: sec-approval?
|
|
Assignee | |
Comment 13•2 years ago
|
||
The patch does seem to fix the issue for me on an ESR asan build. I tried making an automated testcase, but no luck so far.
|
||
Comment 14•2 years ago
|
||
Comment on attachment 9276277 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r?smaug!
approved to land and uplift
Attachment #9276277 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•2 years ago
|
Severity: -- → S2
Priority: -- → P2
|
||
Comment 15•2 years ago
|
||
Stop storing BC pointer in nsSHistory. r=smaug
https://hg.mozilla.org/integration/autoland/rev/09141d52eefdf0b23a7247fa943cb93c0f183212
https://hg.mozilla.org/mozilla-central/rev/09141d52eefd
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox103:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch
|
|
||
Updated•2 years ago
|
status-firefox101:
--- → wontfix
status-firefox102:
--- → affected
status-firefox-esr102:
--- → affected
status-firefox-esr91:
--- → affected
|
||
Comment 16•2 years ago
|
||
This'll need a rebased patch for ESR91. Please attach that and request approval when you get a chance. Beta grafts cleanly as-landed.
status-firefox-esr102:
affected → ---
tracking-firefox102:
--- → +
tracking-firefox103:
--- → +
tracking-firefox-esr91:
--- → 102+
Flags: needinfo?(peterv)
|
|
Assignee | |
Comment 17•2 years ago
|
||
|
|
Assignee | |
Comment 18•2 years ago
|
||
Comment on attachment 9276277 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r?smaug!
Beta/Release Uplift Approval Request
- User impact if declined: UAF
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Patch uses an ID to keep track of a BrowsingContext, instead of a pointer. When accessing the BC we now check if it's available in the process first, instead of using the pointer (which might be pointing to a freed object).
- String changes made/needed:
- Is Android affected?: Yes
Flags: needinfo?(peterv)
Attachment #9276277 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Updated•2 years ago
|
Attachment #9280409 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 19•2 years ago
|
||
Comment on attachment 9280409 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r=smaug
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: UAF
- Fix Landed on Version: 103
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): See approval-mozilla-beta request on attachment 9276277 [details].
Attachment #9280409 -
Flags: approval-mozilla-beta? → approval-mozilla-esr102?
|
|
Assignee | |
Comment 20•2 years ago
|
||
Comment on attachment 9280409 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r=smaug
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
Attachment #9280409 -
Flags: approval-mozilla-esr91?
|
|
Assignee | |
Updated•2 years ago
|
Attachment #9280409 -
Flags: approval-mozilla-esr102?
|
|
Assignee | |
Comment 21•2 years ago
|
||
Comment on attachment 9276277 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r?smaug!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
Attachment #9276277 -
Flags: approval-mozilla-esr102?
|
||
Comment 22•2 years ago
|
||
Comment on attachment 9276277 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r?smaug!
Approved for 102 beta 6, thanks.
Attachment #9276277 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Updated•2 years ago
|
Attachment #9276277 -
Flags: approval-mozilla-esr102?
|
|
||
Comment 23•2 years ago
|
||
| uplift | ||
|
|
||
Comment 24•2 years ago
|
||
Comment on attachment 9280409 [details]
Bug 1765951 - Stop storing BC pointer in nsSHistory. r=smaug
Approved for 91.11esr.
Attachment #9280409 -
Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
|
|
||
Comment 25•2 years ago
|
||
| uplift | ||
|
||
Updated•2 years ago
|
Flags: qe-verify+
|
|
Reporter | |
Comment 26•2 years ago
|
||
Can confirm that with the patch the UAF seems no longer reproducible on my end either.
|
|
||
Updated•2 years ago
|
QA Whiteboard: [qa-triaged]
|
|
||
Updated•2 years ago
|
Flags: sec-bounty? → sec-bounty+
|
||
Comment 27•2 years ago
|
||
I've reproduced this crash using STR from comment 8, on an affected asan ESR 91.10.0 build.
The bug is verified as fixed on the latest asan builds: ESR 91.11, Beta 102.0b9 and latest Nightly 103.0a1.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
|
||
Updated•2 years ago
|
Whiteboard: STR in comment 8 → [STR in comment 8][adv-main102+]
|
|
||
Comment 28•2 years ago
|
||
|
|
||
Updated•2 years ago
|
Whiteboard: [STR in comment 8][adv-main102+] → [STR in comment 8][adv-main102+][adv-esr91.11+]
|
|
||
Updated•2 years ago
|
Alias: CVE-2022-34470
|
|
||
Updated•2 years ago
|
Group: core-security-release
|
||
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•