Closed Bug 1768251 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free [@ get] with READ of size 8

Categories

(Core :: DOM: Streams, defect, P1)

x86_64
Linux
defect

Tracking


VERIFIED FIXED
102 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- wontfix
firefox101 + fixed
firefox102 + verified

People

(Reporter: jkratzer, Assigned: mgaudet)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main101+r])

Attachments

(3 files)

Testcase found while fuzzing mozilla-central rev fe0b18ac5fe1 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build fe0b18ac5fe1 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: heap-use-after-free [@ get] with READ of size 8

    =================================================================
    ==1314891==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000069de8 at pc 0x7fb7602a90eb bp 0x7ffd9451d2b0 sp 0x7ffd9451d2a8
    READ of size 8 at 0x607000069de8 thread T0 (Isolated Web Co)
        #0 0x7fb7602a90ea in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
        #1 0x7fb7602a90ea in operator mozilla::dom::WritableStream * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
        #2 0x7fb7602a90ea in GetStream /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WritableStreamDefaultWriter.h:39:46
        #3 0x7fb7602a90ea in mozilla::dom::WritableStreamDefaultWriterWrite(JSContext*, mozilla::dom::WritableStreamDefaultWriter*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/WritableStreamDefaultWriter.cpp:296:26
        #4 0x7fb760272629 in mozilla::dom::PipeToPump::OnReadFulfilled(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStreamPipeTo.cpp:605:23
        #5 0x7fb760282448 in mozilla::dom::PipeToReadRequest::ChunkSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStreamPipeTo.cpp:638:17
        #6 0x7fb76024f5d4 in mozilla::dom::ReadableStreamFulfillReadRequest(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:650:16
        #7 0x7fb760251c52 in mozilla::dom::ReadableByteStreamControllerEnqueue(JSContext*, mozilla::dom::ReadableByteStreamController*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /dom/streams/ReadableByteStreamController.cpp:891:7
        #8 0x7fb75b4f43b7 in mozilla::dom::BodyStream::EnqueueChunkWithSizeIntoStream(JSContext*, mozilla::dom::ReadableStream*, unsigned long, mozilla::ErrorResult&) /dom/base/BodyStream.cpp:420:3
        #9 0x7fb75b4f4baf in mozilla::dom::BodyStream::OnInputStreamReady(nsIAsyncInputStream*) /dom/base/BodyStream.cpp:485:3
        #10 0x7fb75850ddad in mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) /xpcom/io/NonBlockingAsyncInputStream.cpp:398:13
        #11 0x7fb75850c73e in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() /xpcom/io/NonBlockingAsyncInputStream.cpp:33:14
        #12 0x7fb7585e53ff in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #13 0x7fb758632172 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #14 0x7fb7585f81c5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #15 0x7fb7585f5378 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #16 0x7fb7585f5aa0 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #17 0x7fb75863acc1 in operator() /xpcom/threads/TaskController.cpp:124:37
        #18 0x7fb75863acc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #19 0x7fb758618b37 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #20 0x7fb758622c9c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #21 0x7fb759d205ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #22 0x7fb759b980d1 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #23 0x7fb759b980d1 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #24 0x7fb759b980d1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #25 0x7fb7609f5d47 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #26 0x7fb7658ae1ef in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:874:20
        #27 0x7fb759b980d1 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #28 0x7fb759b980d1 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #29 0x7fb759b980d1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #30 0x7fb7658ad39b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:733:34
        #31 0x562a5d76cb9d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #32 0x562a5d76cfd0 in main /browser/app/nsBrowserApp.cpp:327:18
        #33 0x7fb77e2000b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #34 0x562a5d6acfe9 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5efe9) (BuildId: 46d88e4a8666787a164e87a6b4fb84c15945a760)
    
    0x607000069de8 is located 56 bytes inside of 80-byte region [0x607000069db0,0x607000069e00)
    freed by thread T0 (Isolated Web Co) here:
        #0 0x562a5d72f262 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7fb758458fa5 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /xpcom/base/nsCycleCollector.cpp:2444:9
        #2 0x7fb758436946 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /xpcom/base/nsCycleCollector.cpp:939:23
        #3 0x7fb7584371e2 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /xpcom/base/nsCycleCollector.cpp:2612:14
        #4 0x7fb75a0432fc in AsyncFreeSnowWhite::Run() /js/xpconnect/src/XPCJSRuntime.cpp:150:9
        #5 0x7fb758630d49 in IdleRunnableWrapper::Run() /xpcom/threads/nsThreadUtils.cpp:309:22
        #6 0x7fb758632172 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #7 0x7fb7585f81c5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #8 0x7fb7585f5695 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:654:15
        #9 0x7fb7585f5aa0 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #10 0x7fb75863acf4 in operator() /xpcom/threads/TaskController.cpp:127:37
        #11 0x7fb75863acf4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #12 0x7fb758618b37 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #13 0x7fb758622c9c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #14 0x7fb75fc1e9af in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_9>(nsTSubstring<char> const&, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_9&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #15 0x7fb75fc1b3b6 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /dom/ipc/ContentChild.cpp:1257:5
        #16 0x7fb75fc7f7a5 in mozilla::dom::BrowserChild::ProvideWindow(nsIOpenWindowInfo*, unsigned int, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /dom/ipc/BrowserChild.cpp:816:14
        #17 0x7fb7657f76ab in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /toolkit/components/windowwatcher/nsWindowWatcher.cpp:876:24
        #18 0x7fb7657fc328 in nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsISupports*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /toolkit/components/windowwatcher/nsWindowWatcher.cpp:387:10
        #19 0x7fb75b4806d6 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsGlobalWindowOuter::PrintKind, mozilla::dom::BrowsingContext**) /dom/base/nsGlobalWindowOuter.cpp:7059:21
        #20 0x7fb75b486597 in nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) /dom/base/nsGlobalWindowOuter.cpp:5687:10
        #21 0x7fb75b485ff0 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowOuter.cpp:5651:17
        #22 0x7fb75b419e52 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /dom/base/nsGlobalWindowInner.cpp:4109:3
        #23 0x7fb75cd76f09 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:2665:59
        #24 0x7fb75d5c7a5b in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3271:13
        #25 0x7fb7675c3d74 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #26 0x7fb7675c3d74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #27 0x7fb7675b105e in InternalCall /js/src/vm/Interpreter.cpp:574:10
        #28 0x7fb7675b105e in CallFromStack /js/src/vm/Interpreter.cpp:578:10
        #29 0x7fb7675b105e in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3314:16
        #30 0x7fb767595be1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #31 0x7fb7675c3eaf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #32 0x7fb7675c5a3a in InternalCall /js/src/vm/Interpreter.cpp:574:10
        #33 0x7fb7675c5a3a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:605:8
        #34 0x7fb765d0215d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
    
    previously allocated by thread T0 (Isolated Web Co) here:
        #0 0x562a5d72f50e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x562a5d77328d in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7fb7602a1289 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7fb7602a1289 in mozilla::dom::AcquireWritableStreamDefaultWriter(mozilla::dom::WritableStream*, mozilla::ErrorResult&) /dom/streams/WritableStream.cpp:689:7
        #4 0x7fb76025cfe0 in mozilla::dom::ReadableStreamPipeTo(mozilla::dom::ReadableStream*, mozilla::dom::WritableStream*, bool, bool, bool, mozilla::dom::AbortSignal*, mozilla::ErrorResult&) /dom/streams/ReadableStreamPipeTo.cpp:941:7
        #5 0x7fb76025edc6 in mozilla::dom::ReadableStream::PipeTo(mozilla::dom::WritableStream&, mozilla::dom::StreamPipeOptions const&, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:812:10
        #6 0x7fb75c591993 in pipeTo /builds/worker/workspace/obj-build/dom/bindings/ReadableStreamBinding.cpp:680:60
        #7 0x7fb75c591993 in mozilla::dom::ReadableStream_Binding::pipeTo_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ReadableStreamBinding.cpp:696:13
        #8 0x7fb75d5c498a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3271:13
        #9 0x7fb7675c3d74 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #10 0x7fb7675c3d74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #11 0x7fb7675b105e in InternalCall /js/src/vm/Interpreter.cpp:574:10
        #12 0x7fb7675b105e in CallFromStack /js/src/vm/Interpreter.cpp:578:10
        #13 0x7fb7675b105e in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3314:16
        #14 0x7fb767595be1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #15 0x7fb7675c3eaf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #16 0x7fb7675c5a3a in InternalCall /js/src/vm/Interpreter.cpp:574:10
        #17 0x7fb7675c5a3a in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:605:8
        #18 0x7fb765d0215d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #19 0x7fb75d1f1cb9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #20 0x7fb75df7e3a4 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #21 0x7fb75df7de60 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #22 0x7fb75df7f48f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #23 0x7fb75df6d3be in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #24 0x7fb75df6bc31 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #25 0x7fb75df6fe23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #26 0x7fb75df75bf9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #27 0x7fb75b9febf4 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1354:17
        #28 0x7fb75b333de7 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4350:28
        #29 0x7fb75b333aae in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4320:10
        #30 0x7fb75b670256 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8023:3
        #31 0x7fb75b76287d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #32 0x7fb75b76287d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #33 0x7fb75b76287d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #34 0x7fb7585e53ff in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #35 0x7fb758632172 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #36 0x7fb7585f81c5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #37 0x7fb7585f5378 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
    Shadow bytes around the buggy address:
      0x0c0e80005360: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      0x0c0e80005370: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fd fd
      0x0c0e80005380: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
      0x0c0e80005390: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e800053a0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
    =>0x0c0e800053b0: fd fa fa fa fa fa fd fd fd fd fd fd fd[fd]fd fd
      0x0c0e800053c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
      0x0c0e800053d0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x0c0e800053e0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fd fd
      0x0c0e800053f0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e80005400: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==1314891==ABORTING
Attached file Testcase

Hmm.

So, the detailed ASAN report has enough for us to say the following:

  1. We have a WritableStreamDefaultWriter, allocated during the pipeTo operation here, which is getting freed by the cycle collector.
  2. The UAF happens when we run PipeToPump::OnReadFulfilled. (Also, we seemingly incorrectly assert MOZ_KnownLive(mWriter), the aforementioned WritableStreamDefaultWriter.)

So far I'm not sure why this is happening yet: cursory inspection does show the mWriter field of the PipeToPump being both traversed and unlinked, seemingly correctly. Going up the stack, the PipeToReadRequest also seems correctly managed; at this point, the request is RefPtr held.

I'll see if I can't get more information before EOD here.

So, before the ReadRequest is put into the stack-allocated RefPtr, it resides in the ReadableStreamDefaultReader's LinkedList of ReadRequests.

Not sure it's this bug, but I suspect one thing should change: that LinkedList should be an AutoCleanLinkedList.

(RTFM -- probably will be good after rebuild)

Priority: -- → P1

OK -- pernosco trace is uploaded -- I'm out of time for the day, but will continue on this on Monday, including re-evaluating AutoCleanLinkedList.

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220506222931-d6ef5a49cd7d.
The bug appears to have been introduced in the following build range:

Start: 0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468 (20220322200148)
End: 39b9b2ea812745fc89d98d71c5601758d83342e1 (20220322213301)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0d1d9fa72512cf8da0bc8c0fdd63f3fb3ff0a468&tochange=39b9b2ea812745fc89d98d71c5601758d83342e1

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Here's the promised Pernosco Trace: I'll look closer on Monday.

Group: core-security → dom-core-security
Keywords: csectype-uaf
Regressed by: 1759597

Looking at the Pernosco trace, this is definitely an error in the use of MOZ_KnownLive.

Essentially, while we are processing PipeToPump::OnReadFulfilled, instead of acquiring a strong ref to mWriter, we use MOZ_KnownLive to pass the value of mWriter directly to WritableStreamDefaultWriterWrite.

The problem is that during WritableStreamDefaultWriterWrite, we call WritableStreamDefaultControllerGetChunkSize, which in turn calls the size callback defined in user-controlled JS.

While we are running this JS, the reader's Closed promise resolves, which ends up running the handler we attached here, which in turn starts the process of shutting down the pipe, and then clears out all the pipe's internal references; leading to the writer being freed, and the subsequent UAF (as the raw pointer value was passed to WritableStreamDefaultWriterWrite).

This particular bug goes away if I instead store a strong ref to the writer -- (there's another MOZ_KnownLive that I'll also remove simultaneously in this file).

I'm going to do a bit more investigation to see if everything else seems OK in this area, then post a patch.
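Editor's note on the mechanism described in the comment above. The following is an added, self-contained model of the bug and its fix; it is not Gecko code and not from the patch. Writer, Pump, RefPtr and WriterWrite are stand-ins for WritableStreamDefaultWriter, PipeToPump, mozilla::RefPtr and WritableStreamDefaultWriterWrite. The user-controlled size callback that re-enters the engine is modelled as a lambda that shuts the pump down and drops its only reference to the writer. Rather than dereferencing freed memory (undefined behaviour), the model records live writers in a registry so the dangling access is observable as a return value.

```cpp
// Added example (not Gecko code): MOZ_KnownLive-style raw pointer vs. a
// stack RefPtr, across a call that re-enters user-controlled script.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <set>
#include <utility>

// Registry of live Writer objects, so the example can observe a dangling
// pointer without actually touching freed memory (which would be UB).
static std::set<const void*>& LiveWriters() {
  static std::set<const void*> s;
  return s;
}
static std::size_t LiveWriterCount() { return LiveWriters().size(); }

// Intrusively refcounted object, like a cycle-collected DOM object.
class Writer {
 public:
  Writer() { LiveWriters().insert(this); }
  ~Writer() { LiveWriters().erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  static bool IsLive(const Writer* w) { return LiveWriters().count(w) != 0; }
  int mChunksWritten = 0;
 private:
  std::size_t mRefCnt = 0;
};

// Minimal RefPtr: holds one strong reference for its own lifetime.
template <class T> class RefPtr {
 public:
  RefPtr() = default;
  RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(mPtr, tmp.mPtr); return *this; }
  RefPtr& operator=(const RefPtr& o) { return *this = o.mPtr; }
  T* get() const { return mPtr; }
 private:
  T* mPtr = nullptr;
};

// Stand-in for PipeToPump: the only owner of the writer.
struct Pump {
  RefPtr<Writer> mWriter;
  // Models "shutdown clears the pipe's internal references".
  void Shutdown() { mWriter = nullptr; }
};

// Stand-in for WritableStreamDefaultWriterWrite: runs a user-controlled
// callback (the JS size() hook) part way through, then uses the writer.
// Returns false if the writer was already destroyed at that point, i.e.
// where the real code performed the freed read seen in the ASan report.
static bool WriterWrite(Writer* aWriter, const std::function<void()>& aUserJs) {
  aUserJs();  // re-entrancy point: arbitrary script runs here
  if (!Writer::IsLive(aWriter)) return false;
  ++aWriter->mChunksWritten;
  return true;
}

// Before the fix: the raw member pointer is passed straight through (what
// MOZ_KnownLive(mWriter) amounted to), so nothing keeps the writer alive
// once the callback clears the pump's reference.
static bool OnReadFulfilledUnsafe(Pump& aPump) {
  Writer* raw = aPump.mWriter.get();
  return WriterWrite(raw, [&] { aPump.Shutdown(); });
}

// After the fix: a stack RefPtr holds a strong reference for the whole
// frame, so the writer outlives the re-entrant call even after Shutdown().
static bool OnReadFulfilledSafe(Pump& aPump) {
  RefPtr<Writer> writer = aPump.mWriter;
  return WriterWrite(writer.get(), [&] { aPump.Shutdown(); });
}

// Runs one scenario on a fresh pump; true means the write used a live writer.
static bool RunScenario(bool aUseStrongRef) {
  Pump pump;
  pump.mWriter = new Writer();
  return aUseStrongRef ? OnReadFulfilledSafe(pump) : OnReadFulfilledUnsafe(pump);
}

int main() {
  std::printf("raw pointer (MOZ_KnownLive): %s\n", RunScenario(false) ? "ok" : "writer freed during call");
  std::printf("stack RefPtr:                %s\n", RunScenario(true) ? "ok" : "writer freed during call");
  std::printf("writers still alive: %zu\n", LiveWriterCount());
  return 0;
}
```

The safe variant is exactly what the sec-approval request describes: one extra AddRef/Release pair for the duration of the stack frame, costing nothing unless script re-enters and tears the pipe down mid-call. The general rule it illustrates is that MOZ_KnownLive is only valid when something provably holds the object for the whole call; a member pointer that the callee can clear (directly or via arbitrary JS) does not qualify.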

Sounds like bug 1765832 will help prevent such a situation. MOZ_KnownLive in each call site is hard to understand.

See Also: → 1765832
Assignee: nobody → mgaudet
Status: NEW → ASSIGNED

Comment on attachment 9275720 [details]
Bug 1768251 - Start reducing use of MOZ_KnownLive in PipeTo operations r?smaug

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It would take a little bit of effort to figure out how to arrange the pieces to have UAF happen.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: 100, 101
  • If not all supported branches, which bug introduced the flaw?: Bug 1759597
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Patch should apply cleanly to all supported branches.
  • How likely is this patch to cause regressions; how much testing does it need?: extremely unlikely to cause any regressions: We're incrementing a ref count where previously it was elided, for the duration of a stack frame.
  • Is Android affected?: Yes
Attachment #9275720 - Flags: sec-approval?
Has Regression Range: --- → yes

Comment on attachment 9275720 [details]
Bug 1768251 - Start reducing use of MOZ_KnownLive in PipeTo operations r?smaug

Approved to land and uplift

Attachment #9275720 - Flags: sec-approval? → sec-approval+

Comment on attachment 9275720 [details]
Bug 1768251 - Start reducing use of MOZ_KnownLive in PipeTo operations r?smaug

Beta/Release Uplift Approval Request

  • User impact if declined: Potential security flaw ending up in release
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Adds reference counting where needed
  • String changes made/needed:
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: potential security flaw ending up in ESR
  • Fix Landed on Version: (landing now on 102)
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Adding reference counting.
Attachment #9275720 - Flags: approval-mozilla-esr102?
Attachment #9275720 - Flags: approval-mozilla-beta?
Attachment #9275720 - Flags: approval-mozilla-esr102?
Keywords: sec-high
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220511214930-ce64ea6b6488.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Comment on attachment 9275720 [details]
Bug 1768251 - Start reducing use of MOZ_KnownLive in PipeTo operations r?smaug

Approved for 101.0b6.

Attachment #9275720 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main101+r]
Group: core-security-release