1787633 - (CVE-2022-40960) heap-use-after-free in nsComponentManagerImpl::GetServiceLocked() / MOZ_CRASH(nsTextToSubURI not thread-safe)

Status: RESOLVED FIXED

(Core :: DOM: Workers, defect, P2)

Description

[Armin Ebert [:arminius]]

Given new Worker(scriptURL), the parsing of the scriptURL string into an internal nsIURI object already takes place in a newly created worker thread, thus has to be thread-safe.

However there's a special case when parsing javascript: URI strings with a non-UTF-8 charset parameter. (In case of a top-level worker, that charset is taken from the current document.) In order to parse the URI string correctly, the handler then additionally makes use of the nsTextToSubURI service in nsJSProtocolHandler::EnsureUTF8Spec().

This causes the testcase below to crash in a debug build with:

Hit MOZ_CRASH(nsTextToSubURI not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43

Testcase

<iframe name="f"></iframe>
<script>
let blob = new Blob([], {type: 'text/html;charset=iso-8859-1'});
f.location = URL.createObjectURL(blob);
f.onload = () => new f.Worker('javascript:foo');
</script>

(Notice the Blob() just serves as a workaround to get a non-UTF-8 document since <meta charset> had been deprecated.)

But as release builds don't set MOZ_THREAD_SAFETY_OWNERSHIP_CHECKS_SUPPORTED to crash right away, the worker threads may race. Just continuously spawning a large number of such workers caused ASAN heap-use-after-free reports fairly quickly on my end, e.g. on m-b-20220825185816-asan-opt (105.0b3, linux64):

==3180813==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000e82a0 at pc 0x7f4653ed31c7 bp 0x7ffc54670610 sp 0x7ffc54670608
READ of size 8 at 0x6030000e82a0 thread T0 (Isolated Web Co)
    #0 0x7f4653ed31c6 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:927:21
    #1 0x7f4653ed4ac4 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1164:10
    #2 0x7f4653ed93d2 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #3 0x7f4653ed93d2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:250:21
    #4 0x7f4653d3a24d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #5 0x7f4659910fb3 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:635:5
    #6 0x7f4659910fb3 in nsJSProtocolHandler::EnsureUTF8Spec(nsTString<char> const&, char const*, nsTSubstring<char>&) /builds/worker/checkouts/gecko/dom/jsurl/nsJSProtocolHandler.cpp:1108:7
    #7 0x7f4659911b04 in nsJSProtocolHandler::CreateNewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /builds/worker/checkouts/gecko/dom/jsurl/nsJSProtocolHandler.cpp:1166:10
    #8 0x7f46542635f2 in NS_NewURI(nsIURI**, nsTSubstring<char> const&, char const*, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1903:12
    #9 0x7f46542a127e in NS_NewURI(nsIURI**, nsTSubstring<char> const&, mozilla::NotNull<mozilla::Encoding const*>, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1723:10
    #10 0x7f46542a19f0 in NS_NewURI(nsIURI**, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::Encoding const*>, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1743:10
    #11 0x7f465b483a04 in mozilla::dom::WorkerPrivate::GetLoadInfo(JSContext*, nsPIDOMWindowInner*, mozilla::dom::WorkerPrivate*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerPrivate::LoadGroupBehavior, mozilla::dom::WorkerKind, mozilla::dom::WorkerLoadInfo*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2950:10
    #12 0x7f465b480bfb in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2534:9
    #13 0x7f465b447cdf in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41
    #14 0x7f4658392d64 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1115:52
    #15 0x7f45c9ce1131  (<unknown module>)

0x6030000e82a0 is located 0 bytes inside of 24-byte region [0x6030000e82a0,0x6030000e82b8)
freed by thread T0 (Isolated Web Co) here:
    #0 0x55e1ca4d4ef2 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f465417dc6f in nsTextToSubURI::Release() /builds/worker/checkouts/gecko/intl/uconv/nsTextToSubURI.cpp:20:1
    #2 0x7f465991137d in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:328:7
    #3 0x7f465991137d in nsJSProtocolHandler::EnsureUTF8Spec(nsTString<char> const&, char const*, nsTSubstring<char>&) /builds/worker/checkouts/gecko/dom/jsurl/nsJSProtocolHandler.cpp:1124:1
    #4 0x7f4659911b04 in nsJSProtocolHandler::CreateNewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /builds/worker/checkouts/gecko/dom/jsurl/nsJSProtocolHandler.cpp:1166:10
    #5 0x7f46542635f2 in NS_NewURI(nsIURI**, nsTSubstring<char> const&, char const*, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1903:12
    #6 0x7f46542a127e in NS_NewURI(nsIURI**, nsTSubstring<char> const&, mozilla::NotNull<mozilla::Encoding const*>, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1723:10
    #7 0x7f46542a19f0 in NS_NewURI(nsIURI**, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::Encoding const*>, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1743:10
    #8 0x7f465b483a04 in mozilla::dom::WorkerPrivate::GetLoadInfo(JSContext*, nsPIDOMWindowInner*, mozilla::dom::WorkerPrivate*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerPrivate::LoadGroupBehavior, mozilla::dom::WorkerKind, mozilla::dom::WorkerLoadInfo*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2950:10
    #9 0x7f465b480bfb in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2534:9
    #10 0x7f465b447cdf in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41
    #11 0x7f4658392d64 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1115:52
    #12 0x7f45c9ce1131  (<unknown module>)
    #13 0x7f45c9c1a808  (<unknown module>)
    #14 0x7f45c9c104ed  (<unknown module>)
    #15 0x7f466177ac2a in EnterJit(JSContext*, js::RunState&, unsigned char*) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:107:5
    #16 0x7f4661bd45ae in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:417:32
    #17 0x7f4661c006a6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:575:13
    #18 0x7f4661c0209e in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:610:10
    #19 0x7f4661c0209e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:642:8
    #20 0x7f46606a4d5f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #21 0x7f4658841687 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
    #22 0x7f4656e1e47c in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
    #23 0x7f4656e1e082 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167:29
    #24 0x7f4656a4a75b in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:6485:38
    #25 0x7f4656e1a48b in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/checkouts/gecko/dom/base/TimeoutManager.cpp:903:44
    #26 0x7f4656e1961a in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:179:11
    #27 0x7f4656e1bdf6 in Notify /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp:246:5
    #28 0x7f4656e1bdf6 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/checkouts/gecko/dom/base/TimeoutExecutor.cpp
    #29 0x7f4653f63cae in match<(lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:656:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:657:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:658:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:661:7), (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:662:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
    #30 0x7f4653f63cae in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:655:22
    #31 0x7f4653f0bbdf in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:365:11
    #32 0x7f4653f3e822 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #33 0x7f4653f36b5f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x55e1ca4d519e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55e1ca519cb5 in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f4653e9a54c in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f4653e9a54c in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10990:37
    #4 0x7f4653ed2cee in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:184:46
    #5 0x7f4653ed2cee in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:975:17
    #6 0x7f4653ed4ac4 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1164:10
    #7 0x7f4653ed93d2 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #8 0x7f4653ed93d2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:250:21
    #9 0x7f4653d3a24d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #10 0x7f4659910fb3 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:635:5
    #11 0x7f4659910fb3 in nsJSProtocolHandler::EnsureUTF8Spec(nsTString<char> const&, char const*, nsTSubstring<char>&) /builds/worker/checkouts/gecko/dom/jsurl/nsJSProtocolHandler.cpp:1108:7
    #12 0x7f4659911b04 in nsJSProtocolHandler::CreateNewURI(nsTSubstring<char> const&, char const*, nsIURI*, nsIURI**) /builds/worker/checkouts/gecko/dom/jsurl/nsJSProtocolHandler.cpp:1166:10
    #13 0x7f46542635f2 in NS_NewURI(nsIURI**, nsTSubstring<char> const&, char const*, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1903:12
    #14 0x7f46542a127e in NS_NewURI(nsIURI**, nsTSubstring<char> const&, mozilla::NotNull<mozilla::Encoding const*>, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1723:10
    #15 0x7f46542a19f0 in NS_NewURI(nsIURI**, nsTSubstring<char16_t> const&, mozilla::NotNull<mozilla::Encoding const*>, nsIURI*) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1743:10
    #16 0x7f465b483a04 in mozilla::dom::WorkerPrivate::GetLoadInfo(JSContext*, nsPIDOMWindowInner*, mozilla::dom::WorkerPrivate*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerPrivate::LoadGroupBehavior, mozilla::dom::WorkerKind, mozilla::dom::WorkerLoadInfo*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2950:10
    #17 0x7f465b480bfb in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2534:9
    #18 0x7f465b447cdf in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41
    #19 0x7f4658392d64 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1115:52
    #20 0x7f4661c02cdc in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:455:13
    #21 0x7f4661c02cdc in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:471:8
    #22 0x7f4661c02cdc in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:690:10
    #23 0x7f4661beef81 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3356:16
    #24 0x7f4661bd45de in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:427:13
    #25 0x7f4661c006a6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:575:13
    #26 0x7f4661c0209e in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:610:10
    #27 0x7f4661c0209e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:642:8
    #28 0x7f46606a4d5f in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #29 0x7f46587411a9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #30 0x7f465947d574 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #31 0x7f465947d030 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1310:43
    #32 0x7f465947e5eb in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
    #33 0x7f465946c79e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
    #34 0x7f465946b001 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
    #35 0x7f465946f1d0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
    #36 0x7f4659474b41 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:927:21 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor> >&, (anonymous namespace)::EntryWrapper&, nsID const&, void**)
Shadow bytes around the buggy address:
  0x0c0680015000: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680015010: fa fa fd fd fd fd fa fa 00 00 00 fa fa fa 00 00
  0x0c0680015020: 00 00 fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0680015030: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 06
  0x0c0680015040: fa fa 00 00 00 07 fa fa 00 00 00 00 fa fa fd fd
=>0x0c0680015050: fd fd fa fa[fd]fd fd fa fa fa 00 00 00 fa fa fa
  0x0c0680015060: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680015070: fa fa fd fd fd fd fa fa 00 00 00 00 fa fa 00 00
  0x0c0680015080: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c0680015090: fa fa fa fa fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c06800150a0: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3180813==ABORTING

Comment 1

[Masatoshi Kimura [:emk]]

Valentin Gosu changed nsJSProtocolHandler::EnsureUTF8Spec() to make this function "threadd-safe" (but seemed to fail according to this bug).

Comment 2

[Masatoshi Kimura [:emk]]

Maybe we should make UnEscapeNonAsciiURI callable without creating an nsTextToSubURI instance.

Comment 3

[Masatoshi Kimura [:emk]]

Attachment: Bug 1787633 - Make nsTextToSubURI::UnEscapeNonAsciiURI static. r?m_kato

Comment 4

[Masatoshi Kimura [:emk]]

Comment on attachment 9292336 [details]
Bug 1787633 - Make nsTextToSubURI::UnEscapeNonAsciiURI static. r?m_kato

Security Approval Request

• How easily could an exploit be constructed based on the patch?: I believe it is not so easy. This patch should look like a code cleanup.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: all supported branches
• If not all supported branches, which bug introduced the flaw?: N/A
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: No backport needed, the trunk patch should apply cleanly.
• How likely is this patch to cause regressions; how much testing does it need?: Very unlikely to cause regressions. Existing automated tests should catch regressions.
• Is Android affected?: Yes

Comment 5

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Comment on attachment 9292336 [details]
Bug 1787633 - Make nsTextToSubURI::UnEscapeNonAsciiURI static. r?m_kato

Approved to land and request uplift

Comment 6

[Masatoshi Kimura [:emk]]

How can I land a security patch? I got the following message when I clicked "View Stack in Lando".

Revision/Diff Not Available
The revision or diff you've requested does not exist or you do not have permission to view it.

Comment 7

[Masatoshi Kimura [:emk]]

Comment on attachment 9292336 [details]
Bug 1787633 - Make nsTextToSubURI::UnEscapeNonAsciiURI static. r?m_kato

Beta/Release Uplift Approval Request

• User impact if declined: heap-use-after-free exploit
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This change only makes a few functions static.
• String changes made/needed: none
• Is Android affected?: Yes

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a sec:high bug.
• User impact if declined: heap-use-after-free exploit
• Fix Landed on Version: 105
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This change only makes a few functions static.

Comment 8

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

It's likely you were logged out of Lando and thus need to create a new and re-add your phabricator API token. This is a guess, because I had to do that myself.

Comment 9

[Masatoshi Kimura [:emk]]

Thank you, it is working.

Comment 10

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Make nsTextToSubURI::UnEscapeNonAsciiURI static. r=m_kato
https://hg.mozilla.org/integration/autoland/rev/0a8a7082d2564f0eee3b07de9b2fa9f7cd224e12
https://hg.mozilla.org/mozilla-central/rev/0a8a7082d256

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9292336 [details]
Bug 1787633 - Make nsTextToSubURI::UnEscapeNonAsciiURI static. r?m_kato

Approved for 105.0b9 and 102.3esr.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/3b1152c7e68b

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr102/rev/c581112d97d4

Comment 14

[Frederik Braun [:freddy]]

Attachment: advisory.txt

Comment 15

[Masatoshi Kimura [:emk]]

Please make bug 1789556 public to land the test without asking sec-approval. Since this bug is already public, there is no point in hiding bug 1789556.

Comment 16

[Masatoshi Kimura [:emk]]

Bug 1789556 is now public.