Closed Bug 1818357 Opened 2 years ago Closed 2 years ago

heap-use-after-free in [@ mozilla::net::nsStreamLoader::WriteSegmentFun]

Categories: Core :: Networking, defect, P1

Status: RESOLVED FIXED
Target: 113 Branch

Tracking Status:
firefox-esr102 112+ fixed
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 + fixed
firefox113 + fixed

People: Reporter: tsmith, Assigned: valentin

References: Blocks 1 open bug

Details: Keywords: csectype-race, sec-high; Whiteboard: [necko-triaged] [necko-priority-queue][adv-main112+r][adv-esr102.10+r]

Attachments: 1 file

Found while fuzzing m-c 20230215-7b385abd39b4 (--enable-address-sanitizer --enable-fuzzing)

A reduced/reliable test case is not available. I will create a Pernosco session and attach the link shortly.

==325993==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210018ca500 at pc 0x7f307886f935 bp 0x7f2fc2f777f0 sp 0x7f2fc2f777e8
READ of size 16 at 0x6210018ca500 thread T46 (StreamTrans #4)
    #0 0x7f307886f934 in new_<const char &> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:251:12
    #1 0x7f307886f934 in copyConstruct<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:284:7
    #2 0x7f307886f934 in internalAppend<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1441:3
    #3 0x7f307886f934 in append<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1431:3
    #4 0x7f307886f934 in append<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1514:10
    #5 0x7f307886f934 in mozilla::net::nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/netwerk/base/nsStreamLoader.cpp:112:20
    #6 0x7f30787678cd in nsBufferedInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:439:12
    #7 0x7f307e446056 in mozilla::RemoteLazyInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:414:25
    #8 0x7f307886fa64 in mozilla::net::nsStreamLoader::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamLoader.cpp:125:24
    #9 0x7f307879d3ca in nsInputStreamPump::OnStateTransfer() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:584:22
    #10 0x7f307879c15e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:411:21
    #11 0x7f307e4648da in mozilla::(anonymous namespace)::InputStreamCallbackRunnable::Run() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:58:16
    #12 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
    #13 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #14 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #15 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #16 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #17 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #18 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #19 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #20 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #22 0x7f309b1c5132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6210018ca500 is located 0 bytes inside of 4096-byte region [0x6210018ca500,0x6210018cb500)
freed by thread T45 (StreamTrans #3) here:
    #0 0x55d2f99499d2 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f3078763cd9 in operator delete[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:60:10
    #2 0x7f3078763cd9 in nsBufferedStream::Close() /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:82:5
    #3 0x7f3078769232 in Close /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:377:21
    #4 0x7f3078769232 in CloseWithStatus /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:648:67
    #5 0x7f3078769232 in non-virtual thunk to nsBufferedInputStream::CloseWithStatus(nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp
    #6 0x7f307e443a9c in mozilla::RemoteLazyInputStream::Close() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:494:23
    #7 0x7f307e4487ef in mozilla::RemoteLazyInputStream::CloseWithStatus(nsresult) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:665:67
    #8 0x7f30787dc6d1 in operator() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:215:33
    #9 0x7f30787dc6d1 in mozilla::detail::RunnableFunction<nsInputStreamPump::Cancel(nsresult)::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #10 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
    #11 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #12 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #13 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #14 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #15 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #16 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #17 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #18 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T53 (RemoteLzyStream) here:
    #0 0x55d2f9949c7e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f30787641d5 in operator new[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:47:10
    #2 0x7f30787641d5 in nsBufferedStream::Init(nsISupports*, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:71:13
    #3 0x7f30787665f7 in nsBufferedInputStream::Init(nsIInputStream*, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:321:35
    #4 0x7f307879e633 in NS_NewBufferedInputStream(nsIInputStream**, already_AddRefed<nsIInputStream>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1354:14
    #5 0x7f307e4449fe in mozilla::RemoteLazyInputStream::EnsureAsyncRemoteStream() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1056:19
    #6 0x7f307e4686b3 in operator() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:824:23
    #7 0x7f307e4686b3 in std::_Function_handler<void (mozilla::Maybe<mozilla::ipc::IPCStream>&&), mozilla::RemoteLazyInputStream::StreamNeeded()::$_2::operator()() const::'lambda'(mozilla::Maybe<mozilla::ipc::IPCStream> const&)>::_M_invoke(std::_Any_data const&, mozilla::Maybe<mozilla::ipc::IPCStream>&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
    #8 0x7f307e462798 in mozilla::PRemoteLazyInputStreamChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteLazyInputStreamChild.cpp:263:27
    #9 0x7f3079c1a129 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #10 0x7f3079c1713d in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #11 0x7f3079c17d0e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #12 0x7f3079c18f3e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #13 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #14 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #15 0x7f3079c235c0 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #16 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #17 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #18 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #19 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #20 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

Thread T46 (StreamTrans #4) created by T6 (Backgro~Pool #1) here:
    #0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
    #4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
    #5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
    #6 0x7f307841e1c3 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10
    #7 0x7f307841e1c3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17
    #8 0x7f3078420acd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:395:5
    #9 0x7f30788718ed in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp:293:16
    #10 0x7f307836137f in Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:14
    #11 0x7f307836137f in nsAStreamCopier::PostContinuationEvent_Locked() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:463:21
    #12 0x7f307835c291 in PostContinuationEvent /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:455:12
    #13 0x7f307835c291 in OnOutputStreamReady /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:425:5
    #14 0x7f307835c291 in non-virtual thunk to nsAStreamCopier::OnOutputStreamReady(nsIAsyncOutputStream*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp
    #15 0x7f3079be4a75 in operator() /builds/worker/checkouts/gecko/ipc/glue/DataPipe.cpp:579:35
    #16 0x7f3079be4a75 in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6>(char const*, mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:665:9
    #17 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
    #18 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #19 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #20 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #21 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #22 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #23 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #24 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #25 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #26 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

Thread T6 (Backgro~Pool #1) created by T0 (Isolated Web Co) here:
    #0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
    #4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
    #5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
    #6 0x7f307841e1c3 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10
    #7 0x7f307841e1c3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17
    #8 0x7f3078420acd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:395:5
    #9 0x7f30783f0361 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:122:26
    #10 0x7f30784305fe in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:73:14
    #11 0x7f3079bd7639 in (anonymous namespace)::ChildImpl::ThreadInfoWrapper::InitStarter(mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundStarterChild>&&) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:365:18
    #12 0x7f3079b91802 in InitStarter<mozilla::dom::ContentChild> /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:350:7
    #13 0x7f3079b91802 in InitContentStarter /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:1254:38
    #14 0x7f3079b91802 in mozilla::ipc::BackgroundChild::InitContentStarter(mozilla::dom::ContentChild*) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:724:3
    #15 0x7f30803f6d8c in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:237:3
    #16 0x7f308629e095 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:641:21
    #17 0x55d2f9986824 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #18 0x55d2f9986ce7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
    #19 0x7f309b0ca082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

Thread T45 (StreamTrans #3) created by T6 (Backgro~Pool #1) here:
    #0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
    #4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
    #5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
    #6 0x7f307841e1c3 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10
    #7 0x7f307841e1c3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17
    #8 0x7f3078420acd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:395:5
    #9 0x7f30788718ed in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp:293:16
    #10 0x7f307836137f in Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:14
    #11 0x7f307836137f in nsAStreamCopier::PostContinuationEvent_Locked() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:463:21
    #12 0x7f307835c291 in PostContinuationEvent /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:455:12
    #13 0x7f307835c291 in OnOutputStreamReady /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:425:5
    #14 0x7f307835c291 in non-virtual thunk to nsAStreamCopier::OnOutputStreamReady(nsIAsyncOutputStream*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp
    #15 0x7f3079be4a75 in operator() /builds/worker/checkouts/gecko/ipc/glue/DataPipe.cpp:579:35
    #16 0x7f3079be4a75 in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6>(char const*, mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:665:9
    #17 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
    #18 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #19 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #20 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #21 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #22 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #23 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #24 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #25 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #26 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

Thread T53 (RemoteLzyStream) created by T48 (DOM Worker) here:
    #0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
    #4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
    #5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
    #6 0x7f307e4531a5 in NS_NewNamedThread<16UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
    #7 0x7f307e4531a5 in mozilla::RemoteLazyInputStreamThread::Initialize() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStreamThread.cpp:90:17
    #8 0x7f307e448694 in mozilla::RemoteLazyInputStreamThread::GetOrCreate() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStreamThread.cpp:80:29
    #9 0x7f307e4422e4 in mozilla::BindChildActor(nsID, mozilla::ipc::Endpoint<mozilla::PRemoteLazyInputStreamChild>) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:160:18
    #10 0x7f307e44e3fa in mozilla::RemoteLazyInputStream::IPCRead(IPC::MessageReader*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1389:7
    #11 0x7f307e44eb2e in IPC::ParamTraits<mozilla::RemoteLazyInputStream*>::Read(IPC::MessageReader*, RefPtr<mozilla::RemoteLazyInputStream>*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1422:14
    #12 0x7f307e4577c7 in Read /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:866:12
    #13 0x7f307e4577c7 in ReadParam<RefPtr<mozilla::RemoteLazyInputStream> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:331:10
    #14 0x7f307e4577c7 in IPC::ParamTraits<mozilla::RemoteLazyStream>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/IPCBlob.cpp:292:23
    #15 0x7f307e459448 in ReadParam<mozilla::RemoteLazyStream> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:328:12
    #16 0x7f307e459448 in IPC::ParamTraits<mozilla::dom::IPCBlob>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/IPCBlob.cpp:498:20
    #17 0x7f307e43f8dd in bool IPC::ReadParam<mozilla::dom::IPCBlob>(IPC::MessageReader*, mozilla::dom::IPCBlob*) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:314:18
    #18 0x7f30804d8787 in std::enable_if<std::is_same_v<mozilla::dom::IPCBlob*, std::remove_reference<decltype(fp0(std::add_rvalue_reference<unsigned int>::type std::declval<unsigned int>()()))>::type>, bool>::type IPC::ReadSequenceParam<IPC::ParamTraits<nsTArray<mozilla::dom::IPCBlob>>::Read(IPC::MessageReader*, nsTArray<mozilla::dom::IPCBlob>*)::'lambda'(unsigned int), mozilla::dom::IPCBlob>(IPC::MessageReader*, unsigned int&&) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:500:12
    #19 0x7f3080488f5f in Read /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:172:12
    #20 0x7f3080488f5f in ReadParam<nsTArray<mozilla::dom::IPCBlob> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:331:10
    #21 0x7f3080488f5f in IPC::ParamTraits<mozilla::dom::ClonedMessageData>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:156:20
    #22 0x7f308048bf05 in ReadParam<mozilla::dom::ClonedMessageData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:328:12
    #23 0x7f308048bf05 in IPC::ParamTraits<mozilla::dom::MessageDataType>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:705:23
    #24 0x7f308048c773 in ReadParam<mozilla::dom::MessageDataType> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:328:12
    #25 0x7f308048c773 in IPC::ParamTraits<mozilla::dom::MessageData>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:783:20
    #26 0x7f3080a0d648 in ReadParam<mozilla::dom::MessageData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:314:18
    #27 0x7f3080a0d648 in std::enable_if<std::is_same_v<mozilla::dom::MessageData*, std::remove_reference<decltype(fp0(std::add_rvalue_reference<unsigned int>::type std::declval<unsigned int>()()))>::type>, bool>::type IPC::ReadSequenceParam<IPC::ParamTraits<nsTArray<mozilla::dom::MessageData>>::Read(IPC::MessageReader*, nsTArray<mozilla::dom::MessageData>*)::'lambda'(unsigned int), mozilla::dom::MessageData>(IPC::MessageReader*, unsigned int&&) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:500:12
    #28 0x7f3080a04987 in Read /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:172:12
    #29 0x7f3080a04987 in ReadParam<nsTArray<mozilla::dom::MessageData> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:331:10
    #30 0x7f3080a04987 in mozilla::dom::PMessagePortChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PMessagePortChild.cpp:250:28
    #31 0x7f3079cc7d41 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
    #32 0x7f3079c1a129 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #33 0x7f3079c1713d in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #34 0x7f3079c17d0e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #35 0x7f3079c18f3e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #36 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #37 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #38 0x7f308091ebdc in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3275:7
    #39 0x7f30808f5422 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2044:42
    #40 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
    #41 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #42 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #43 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #44 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #45 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #46 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #47 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #48 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

Thread T48 (DOM Worker) created by T0 (Isolated Web Co) here:
    #0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
    #4 0x7f308094634a in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7f30808cb607 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1325:37
    #6 0x7f30808ca6f8 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1207:19
    #7 0x7f3080918eae in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2648:24
    #8 0x7f3080959118 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:452:41
    #9 0x7f308098f18a in operator() /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:307:29
    #10 0x7f308098f18a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #11 0x7f30783d286f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
    #12 0x7f30783e6ae9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
    #13 0x7f30783dce7c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
    #14 0x7f30783da0f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
    #15 0x7f30783da820 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
    #16 0x7f30783ecfc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
    #17 0x7f30783ecfc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #18 0x7f307841180e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
    #19 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #20 0x7f3079c21d2e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #21 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #22 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #23 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #24 0x7f3081276ca9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #25 0x7f308629e928 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
    #26 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #27 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #28 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #29 0x7f308629e0bf in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
    #30 0x55d2f9986824 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x55d2f9986ce7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
    #32 0x7f309b0ca082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Keywords: sec-high

Apparently, nsBufferedInputStream is not thread safe. We should add a lock to protect its members.

Severity: -- → S2
Priority: -- → P1
Whiteboard: [necko-triaged] [necko-priority-queue]

I am able to reproduce the issue reliably enough to test patches if needed.

The problem seems to be with nsBufferedStream::mBuffer.
We release it in nsBufferedStream::Close on one thread while using it on the other.
Considering that we're using the buffer while calling into an external function (nsStreamLoader::WriteSegmentFun from nsBufferedInputStream::ReadSegments), I think mBuffer should be protected by a RecursiveMutex, so we don't cause a deadlock if nsStreamLoader::WriteSegmentFun or some other closure decides to close the stream.

Assignee: nobody → valentin.gosu

It needs to be a recursive mutex instead of a regular one in case
nsStreamLoader::WriteSegmentFun closes the stream while holding the mutex.

Hi Tyson, could you check that the attached patch fixes the issue? Thanks!

Flags: needinfo?(twsmith)
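As an added illustration of the fix discussed in the two comments above (my own sketch, not the Gecko patch or its code): a minimal BufferedStream whose heap buffer is guarded by a recursive mutex, so a Close() on another thread cannot free it while ReadSegments hands it to a callback, and a callback that itself closes the stream does not self-deadlock. The class, CopyAndClose and the use of std::recursive_mutex in place of Gecko's RecursiveMutex are assumptions for the example.

```cpp
#include <mutex>
#include <string>

// Hypothetical stand-in for nsBufferedStream (not Gecko's code): a heap
// buffer freed by Close(), guarded by a recursive mutex as in the fix.
class BufferedStream {
 public:
  explicit BufferedStream(const std::string& d)
      : mBuffer(new char[d.size() + 1]), mSize(d.copy(mBuffer, d.size())) {}
  ~BufferedStream() { Close(); }

  // Callable from any thread, including from inside a ReadSegments callback.
  void Close() {
    std::lock_guard<std::recursive_mutex> lock(mMutex);
    delete[] mBuffer;  // the release that raced with the reader before the fix
    mBuffer = nullptr;
    mSize = mPos = 0;
  }

  // Hands mBuffer to the callback under the lock, so a Close() on another
  // thread cannot free it mid-copy. A plain std::mutex would self-deadlock
  // when the callback itself calls Close(); hence the recursive one.
  template <class Writer>
  size_t ReadSegments(Writer&& writer) {
    std::lock_guard<std::recursive_mutex> lock(mMutex);
    if (!mBuffer) return 0;
    size_t n = writer(*this, mBuffer + mPos, mSize - mPos);
    if (mBuffer) mPos += n;  // the callback may have closed us: re-check
    return n;
  }
 private:
  std::recursive_mutex mMutex;
  char* mBuffer;
  size_t mSize, mPos = 0;
};

// Like nsStreamLoader::WriteSegmentFun: copy the segment out, then close the
// stream from inside the callback. A later read on the closed stream gets 0.
std::string CopyAndClose(const std::string& d, size_t& bytesAfterClose) {
  BufferedStream s(d);
  std::string out;
  s.ReadSegments([&](BufferedStream& src, const char* p, size_t n) {
    out.assign(p, n);
    src.Close();
    return n;
  });
  bytesAfterClose = s.ReadSegments([](BufferedStream&, const char*, size_t n) { return n; });
  return out;
}
```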

Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not straightforward but an attacker could deduce the root cause from the patch and find a way to exercise that scenario - though an exploit would probably still be racy.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Applies cleanly to esr102
  • How likely is this patch to cause regressions; how much testing does it need?: The risk of regressions is low. This patch shouldn't cause an observable change in behaviour. We just protect mBuffer using a recursive mutex.
  • Is Android affected?: Yes
Attachment #9321415 - Flags: sec-approval?

I am unable to reproduce the issue with the patch applied.

Flags: needinfo?(twsmith)

Thank you!

Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup

Approved to land and uplift

Attachment #9321415 - Flags: sec-approval? → sec-approval+

Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup

Beta/Release Uplift Approval Request

  • User impact if declined: Use-after-free
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): We guard the use of mBuffer with a recursive mutex.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9321415 - Flags: approval-mozilla-beta?
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch
Attachment #9321415 - Flags: approval-mozilla-esr102?

Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup

Approved for 112.0b3

Attachment #9321415 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup

Approved for 102.10esr

Attachment #9321415 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Attachment #9321415 - Attachment description: Bug 1818357 - Guard nsBufferedStream::mBuffer with recursive mutex r=#necko → Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup

MOZ_GUARDED_BY wasn't available in ESR. I removed it from the ESR patch.

Flags: needinfo?(valentin.gosu)
Flags: qe-verify-
Whiteboard: [necko-triaged] [necko-priority-queue] → [necko-triaged] [necko-priority-queue][adv-main112+r]
Whiteboard: [necko-triaged] [necko-priority-queue][adv-main112+r] → [necko-triaged] [necko-priority-queue][adv-main112+r][adv-esr102.10+r]

Given bug 1826206 and its patch, is this RecursiveMutex still needed? If not, perhaps we can replace this with an assert somewhere about thread usage?

Flags: needinfo?(valentin.gosu)

I agree that bug 1826206 addressed the root cause of this.
I'm ➕ on replacing it with a thread assert.

Flags: needinfo?(valentin.gosu)
Group: core-security-release