AddressSanitizer: heap-use-after-free [@ AddRef] with READ of size 8 in SetScriptLoader
Categories: Core :: DOM: Workers, defect, P2

Tracking:

Branch | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox112 | --- | unaffected
firefox113 | + | fixed
firefox114 | + | verified

People: Reporter: jkratzer, Assigned: allstars.chh
References: Blocks 1 open bug, Regression
Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main113+r]

Attachments (2 files, 1 obsolete file):
- 3.75 KB, application/octet-stream
- 48 bytes, text/x-phabricator-request; flags: RyanVM: approval-mozilla-beta+, freddy: sec-approval+
Testcase found while fuzzing mozilla-central rev 5c9aa60ea6f4 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5c9aa60ea6f4 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
AddressSanitizer: heap-use-after-free [@ AddRef] with READ of size 8
=================================================================
==2746764==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000e2580 at pc 0x7f87244874b1 bp 0x7f86fd1f8670 sp 0x7f86fd1f8668
READ of size 8 at 0x6110000e2580 thread T20
#0 0x7f87244874b0 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:53:39
#1 0x7f87244874b0 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:419:35
#2 0x7f87244874b0 in assign_with_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:64:7
#3 0x7f87244874b0 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:210:5
#4 0x7f87244874b0 in SetScriptLoader /builds/worker/workspace/obj-build/dist/include/mozilla/dom/workerinternals/WorkerModuleLoader.h:49:13
#5 0x7f87244874b0 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImportLoader() /dom/workers/loader/WorkerModuleLoader.cpp:70:3
#6 0x7f8724487612 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImport(JSContext*, nsIURI*, JS::loader::LoadedScript*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) /dom/workers/loader/WorkerModuleLoader.cpp:83:3
#7 0x7f871bb10030 in JS::loader::ModuleLoaderBase::HostImportModuleDynamically(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /js/loader/ModuleLoaderBase.cpp:317:47
#8 0x7f872b240d46 in js::StartDynamicModuleImport(JSContext*, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/builtin/ModuleObject.cpp:2356:8
#9 0x7f872b1b1ddf in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:4576:11
#10 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#11 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#12 0x7f872b19a373 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
#13 0x7f872b231651 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>) /js/src/builtin/ModuleObject.cpp:1284:10
#14 0x7f872b521077 in InnerModuleEvaluation(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::GCVector<js::ModuleObject*, 0ul, js::SystemAllocPolicy>>, unsigned long, unsigned long*) /js/src/vm/Modules.cpp
#15 0x7f872b513dba in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Modules.cpp:1280:13
#16 0x7f871bb1ddf9 in JS::loader::ModuleLoaderBase::EvaluateModuleInContext(JSContext*, JS::loader::ModuleLoadRequest*, JS::ModuleErrorBehaviour) /js/loader/ModuleLoaderBase.cpp:1233:13
#17 0x7f871bb1d512 in JS::loader::ModuleLoaderBase::EvaluateModule(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:1175:10
#18 0x7f8724341b91 in EvaluateModule /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:113:47
#19 0x7f8724341b91 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /dom/workers/ScriptLoader.cpp:1126:28
#20 0x7f87243411d9 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /dom/workers/ScriptLoader.cpp:848:10
#21 0x7f8724488be5 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete(JS::loader::ModuleLoadRequest*) /dom/workers/loader/WorkerModuleLoader.cpp:186:28
#22 0x7f871bb0c6ad in JS::loader::ModuleLoadRequest::LoadFinished() /js/loader/ModuleLoadRequest.cpp:213:12
#23 0x7f871bb0cee2 in JS::loader::ModuleLoadRequest::DependenciesLoaded() /js/loader/ModuleLoadRequest.cpp:179:3
#24 0x7f871bb0c019 in JS::loader::ModuleLoaderBase::StartFetchingModuleDependencies(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:853:15
#25 0x7f871bb15ff1 in JS::loader::ModuleLoaderBase::OnFetchComplete(JS::loader::ModuleLoadRequest*, nsresult) /js/loader/ModuleLoaderBase.cpp:568:5
#26 0x7f872434c6b1 in OnFetchComplete /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:108:21
#27 0x7f872434c6b1 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessModuleScript(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1568:18
#28 0x7f872434ce9c in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1618:12
#29 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#30 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#31 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#32 0x7f87243aa66b in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /dom/workers/WorkerPrivate.cpp:4374:9
#33 0x7f87216a9fc5 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1608:27
#34 0x7f872434e572 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:254:16
#35 0x7f872434ddb4 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:1749:3
#36 0x7f87243d6e0a in mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/WorkerPrivate.cpp:380:5
#37 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#38 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#39 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#40 0x7f872439f0f1 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3280:7
#41 0x7f872436c7ee in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2149:42
#42 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#43 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#44 0x7f871b8c4c11 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#45 0x7f871b6eea6a in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#46 0x7f871b6eea6a in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#47 0x7f871b6eea6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#48 0x7f8719ccdbf2 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
#49 0x7f873feeab5f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#50 0x7f8740694b42 in start_thread nptl/pthread_create.c:442:8
#51 0x7f87407269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
0x6110000e2580 is located 0 bytes inside of 200-byte region [0x6110000e2580,0x6110000e2648)
freed by thread T20 here:
#0 0x55aff30ac826 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f872434858a in mozilla::dom::workerinternals::loader::WorkerScriptLoader::Release() /dom/workers/ScriptLoader.cpp:1284:1
#2 0x7f872433c2dd in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
#3 0x7f872433c2dd in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36
#4 0x7f872433c2dd in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:85:7
#5 0x7f872433c2dd in mozilla::dom::workerinternals::loader::WorkerScriptLoader::WorkerScriptLoader(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsISerialEventTarget*, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) /dom/workers/ScriptLoader.cpp:519:1
#6 0x7f87244872cf in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImportLoader() /dom/workers/loader/WorkerModuleLoader.cpp:70:23
#7 0x7f8724487612 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImport(JSContext*, nsIURI*, JS::loader::LoadedScript*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) /dom/workers/loader/WorkerModuleLoader.cpp:83:3
#8 0x7f871bb10030 in JS::loader::ModuleLoaderBase::HostImportModuleDynamically(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /js/loader/ModuleLoaderBase.cpp:317:47
#9 0x7f872b240d46 in js::StartDynamicModuleImport(JSContext*, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/builtin/ModuleObject.cpp:2356:8
#10 0x7f872b1b1ddf in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:4576:11
#11 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#12 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#13 0x7f872b19a373 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
#14 0x7f872b231651 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>) /js/src/builtin/ModuleObject.cpp:1284:10
#15 0x7f872b521077 in InnerModuleEvaluation(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::GCVector<js::ModuleObject*, 0ul, js::SystemAllocPolicy>>, unsigned long, unsigned long*) /js/src/vm/Modules.cpp
#16 0x7f872b513dba in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Modules.cpp:1280:13
#17 0x7f871bb1ddf9 in JS::loader::ModuleLoaderBase::EvaluateModuleInContext(JSContext*, JS::loader::ModuleLoadRequest*, JS::ModuleErrorBehaviour) /js/loader/ModuleLoaderBase.cpp:1233:13
#18 0x7f871bb1d512 in JS::loader::ModuleLoaderBase::EvaluateModule(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:1175:10
#19 0x7f8724341b91 in EvaluateModule /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:113:47
#20 0x7f8724341b91 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /dom/workers/ScriptLoader.cpp:1126:28
#21 0x7f87243411d9 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /dom/workers/ScriptLoader.cpp:848:10
#22 0x7f8724488be5 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete(JS::loader::ModuleLoadRequest*) /dom/workers/loader/WorkerModuleLoader.cpp:186:28
#23 0x7f871bb0c6ad in JS::loader::ModuleLoadRequest::LoadFinished() /js/loader/ModuleLoadRequest.cpp:213:12
#24 0x7f871bb0cee2 in JS::loader::ModuleLoadRequest::DependenciesLoaded() /js/loader/ModuleLoadRequest.cpp:179:3
#25 0x7f871bb0c019 in JS::loader::ModuleLoaderBase::StartFetchingModuleDependencies(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:853:15
#26 0x7f871bb15ff1 in JS::loader::ModuleLoaderBase::OnFetchComplete(JS::loader::ModuleLoadRequest*, nsresult) /js/loader/ModuleLoaderBase.cpp:568:5
#27 0x7f872434c6b1 in OnFetchComplete /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:108:21
#28 0x7f872434c6b1 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessModuleScript(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1568:18
#29 0x7f872434ce9c in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1618:12
#30 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#31 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#32 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#33 0x7f87243aa66b in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /dom/workers/WorkerPrivate.cpp:4374:9
#34 0x7f87216a9fc5 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1608:27
#35 0x7f872434e572 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:254:16
previously allocated by thread T20 here:
#0 0x55aff30acace in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55aff30efd75 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f8724487249 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f8724487249 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImportLoader() /dom/workers/loader/WorkerModuleLoader.cpp:70:19
#4 0x7f8724487612 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImport(JSContext*, nsIURI*, JS::loader::LoadedScript*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) /dom/workers/loader/WorkerModuleLoader.cpp:83:3
#5 0x7f871bb10030 in JS::loader::ModuleLoaderBase::HostImportModuleDynamically(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /js/loader/ModuleLoaderBase.cpp:317:47
#6 0x7f872b240d46 in js::StartDynamicModuleImport(JSContext*, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/builtin/ModuleObject.cpp:2356:8
#7 0x7f872b1b1ddf in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:4576:11
#8 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#9 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#10 0x7f872b19a373 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
#11 0x7f872b231651 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>) /js/src/builtin/ModuleObject.cpp:1284:10
#12 0x7f872b521077 in InnerModuleEvaluation(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::GCVector<js::ModuleObject*, 0ul, js::SystemAllocPolicy>>, unsigned long, unsigned long*) /js/src/vm/Modules.cpp
#13 0x7f872b513dba in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Modules.cpp:1280:13
#14 0x7f871bb1ddf9 in JS::loader::ModuleLoaderBase::EvaluateModuleInContext(JSContext*, JS::loader::ModuleLoadRequest*, JS::ModuleErrorBehaviour) /js/loader/ModuleLoaderBase.cpp:1233:13
#15 0x7f871bb1d512 in JS::loader::ModuleLoaderBase::EvaluateModule(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:1175:10
#16 0x7f8724341b91 in EvaluateModule /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:113:47
#17 0x7f8724341b91 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /dom/workers/ScriptLoader.cpp:1126:28
#18 0x7f87243411d9 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /dom/workers/ScriptLoader.cpp:848:10
#19 0x7f8724488be5 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete(JS::loader::ModuleLoadRequest*) /dom/workers/loader/WorkerModuleLoader.cpp:186:28
#20 0x7f871bb0c6ad in JS::loader::ModuleLoadRequest::LoadFinished() /js/loader/ModuleLoadRequest.cpp:213:12
#21 0x7f871bb0cee2 in JS::loader::ModuleLoadRequest::DependenciesLoaded() /js/loader/ModuleLoadRequest.cpp:179:3
#22 0x7f871bb0c019 in JS::loader::ModuleLoaderBase::StartFetchingModuleDependencies(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:853:15
#23 0x7f871bb15ff1 in JS::loader::ModuleLoaderBase::OnFetchComplete(JS::loader::ModuleLoadRequest*, nsresult) /js/loader/ModuleLoaderBase.cpp:568:5
#24 0x7f872434c6b1 in OnFetchComplete /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:108:21
#25 0x7f872434c6b1 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessModuleScript(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1568:18
#26 0x7f872434ce9c in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1618:12
#27 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
#28 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
#29 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#30 0x7f87243aa66b in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /dom/workers/WorkerPrivate.cpp:4374:9
#31 0x7f87216a9fc5 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1608:27
#32 0x7f872434e572 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:254:16
#33 0x7f872434ddb4 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:1749:3
Thread T20 created by T0 (Isolated Web Co) here:
#0 0x55aff30951da in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f873fed92c4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f873fec6ebe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f8719cd19bc in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:633:18
#4 0x7f87243d18ea in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:102:7
#5 0x7f8724331737 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1331:37
#6 0x7f872433007c in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1213:19
#7 0x7f872439759b in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /dom/workers/WorkerPrivate.cpp:2653:24
#8 0x7f872434ef26 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /dom/workers/Worker.cpp:43:41
#9 0x7f871fb6ef17 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173:52
#10 0x7f872b198e29 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#11 0x7f872b198e29 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:502:8
#12 0x7f872b198e29 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:727:10
#13 0x7f872b1bace8 in ConstructFromStack /js/src/vm/Interpreter.cpp:755:10
#14 0x7f872b1bace8 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3380:16
#15 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#16 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#17 0x7f872b195d9c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
#18 0x7f872b197d16 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#19 0x7f872b197d16 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#20 0x7f872b303910 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#21 0x7f87200a88ef in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#22 0x7f872150a4a6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#23 0x7f8721509d7c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1327:43
#24 0x7f872150b738 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1502:17
#25 0x7f87214f37b3 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:395:5
#26 0x7f87214f37b3 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
#27 0x7f87214f1986 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
#28 0x7f87214f7004 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11
#29 0x7f87214fe351 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
#30 0x7f871debf553 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1390:17
#31 0x7f871d572c07 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4645:28
#32 0x7f871d572954 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4615:10
#33 0x7f871da17fc3 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8008:3
#34 0x7f871db42b7b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#35 0x7f871db42b7b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:60:14
#36 0x7f871db42b7b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:95:14
#37 0x7f871db42b7b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1662:14
#38 0x7f871db42b7b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1671:14
#39 0x7f871db42b7b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#40 0x7f871db42b7b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#41 0x7f8719c8bef0 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
#42 0x7f8719ca6ade in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:553:16
#43 0x7f8719c9768d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:869:26
#44 0x7f8719c947e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:700:15
#45 0x7f8719c950cf in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:464:36
#46 0x7f8719cac3a1 in operator() /xpcom/threads/TaskController.cpp:191:37
#47 0x7f8719cac3a1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#48 0x7f8719cd70cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
#49 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#50 0x7f871b8c33ee in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#51 0x7f871b6eea6a in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#52 0x7f871b6eea6a in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#53 0x7f871b6eea6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#54 0x7f8724ff8d29 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#55 0x7f872ad3f578 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
#56 0x7f871b6eea6a in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#57 0x7f871b6eea6a in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#58 0x7f871b6eea6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#59 0x7f872ad3ec7a in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
#60 0x55aff30eab5e in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#61 0x55aff30eab5e in main /browser/app/nsBrowserApp.cpp:375:18
#62 0x7f8740629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:53:39 in AddRef
Shadow bytes around the buggy address:
0x6110000e2300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x6110000e2380: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x6110000e2400: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x6110000e2480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x6110000e2500: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x6110000e2580:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x6110000e2600: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x6110000e2680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6110000e2700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6110000e2780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x6110000e2800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2746764==ABORTING
Reporter
Comment 1•1 year ago
Comment 2•1 year ago
This looks like another worker module loader issue.
Comment 3•1 year ago
Verified bug as reproducible on mozilla-central 20230418091934-41551018c977.
The bug appears to have been introduced in the following build range:
Start: de950ce244bc78cf5c2af9eb7f08c66d18976f20 (20230314220808)
End: ae1c0551cea5d1632c37c34e13404f32f559c8d5 (20230314222352)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=de950ce244bc78cf5c2af9eb7f08c66d18976f20&tochange=ae1c0551cea5d1632c37c34e13404f32f559c8d5
Comment 4•1 year ago
Set release status flags based on info from the regressing bug 1540913
Assignee
Comment 5•1 year ago
When StrongWorkerRef::CreateImpl fails, the lambda provided in StrongWorkerRef::Create won't be moved, so 'self' will be released when it goes out of scope.
Also add a boolean to check whether CreateDynamicImportLoader succeeds.
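The release sequence described in comment 5, reduced to a stand-alone model (an added example, not Gecko code): RefPtr, StrongWorkerRef::Create, WorkerScriptLoader and CreateDynamicImportLoader are replaced by simplified stand-ins, the constructor's work is moved into an Init() method so that the self-delete is well defined, and the "fixed" variant is one assumed hardening rather than the landed patch. A destructor counter shows that the loader is gone while the caller still holds a raw pointer, without ever dereferencing freed memory.

```cpp
#include <functional>
#include <utility>

// Minimal intrusive smart pointer standing in for mozilla::RefPtr (simplified model).
template <class T>
class RefPtr {
 public:
  RefPtr() = default;
  RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  RefPtr(RefPtr&& aOther) noexcept : mPtr(aOther.mPtr) { aOther.mPtr = nullptr; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(RefPtr aOther) { std::swap(mPtr, aOther.mPtr); return *this; }
  T* operator->() const { return mPtr; }
  explicit operator bool() const { return mPtr != nullptr; }
 private:
  T* mPtr = nullptr;
};

// Destructor counter: scenarios observe "loader freed" without touching freed memory.
static int gLoadersDestroyed = 0;
// Worker side of the StrongWorkerRef stand-in: the stored callback keeps the loader alive.
static std::function<void()> gWorkerShutdownCallback;

// Stand-in for StrongWorkerRef::Create. On failure the callback is NOT moved out of the
// caller's temporary, so whatever it captured is released when that temporary dies.
static bool CreateWorkerRef(bool aWorkerShuttingDown, std::function<void()>&& aCallback) {
  if (aWorkerShuttingDown) {
    return false;  // CreateImpl failed; aCallback left untouched
  }
  gWorkerShutdownCallback = std::move(aCallback);
  return true;
}

// Simulates the worker dropping its StrongWorkerRef (and the callback's `self` with it).
static void ShutdownWorker() { gWorkerShutdownCallback = nullptr; }

// Reduced WorkerScriptLoader: refcounted, registers a self-capturing callback on init.
class Loader {
 public:
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  // Mirrors what the original constructor does, modelled as a method so the self-delete
  // below lands on a fully constructed object (deleting during construction is UB).
  bool Init(bool aWorkerShuttingDown) {
    RefPtr<Loader> self = this;
    return CreateWorkerRef(aWorkerShuttingDown, [self]() { (void)self; /* shutdown hook */ });
    // On failure the lambda's copy of `self` and `self` itself die here. If nothing else
    // owns this Loader yet, the count hits zero and `this` is deleted before Init returns.
  }
 private:
  ~Loader() { ++gLoadersDestroyed; }
  int mRefCnt = 0;
};

struct Outcome { bool initOk; bool loaderAlreadyFreed; };

// Pre-fix shape of CreateDynamicImportLoader: the caller never checks whether the worker
// ref was created and holds a raw pointer it is about to pass to SetScriptLoader(). We stop
// short of that call: on the failure path `raw` already dangles, and the RefPtr AddRef
// inside SetScriptLoader is the 8-byte read ASan flagged.
static Outcome CreateDynamicImportLoaderBuggy(bool aWorkerShuttingDown) {
  int before = gLoadersDestroyed;
  Loader* raw = new Loader();
  bool ok = raw->Init(aWorkerShuttingDown);
  bool freed = gLoadersDestroyed != before;
  if (!freed) {
    RefPtr<Loader> keep = raw;  // stands in for the caller's RefPtr on the good path
  }
  return {ok, freed};
}

// Hardened shape (an assumed fix, not the project's patch): own the loader before Init so
// the transient self-reference can never be the last one, check the result, and bail out
// instead of handing a failed loader to SetScriptLoader().
static RefPtr<Loader> CreateDynamicImportLoaderFixed(bool aWorkerShuttingDown) {
  RefPtr<Loader> loader = new Loader();
  if (!loader->Init(aWorkerShuttingDown)) {
    return RefPtr<Loader>();  // `loader` drops the last reference here, on a live object
  }
  return loader;
}

// Scenarios: buggy path with a failing worker ref, fixed path failing, fixed path succeeding.
static bool BuggyPathFreesLoaderBehindCaller() {
  Outcome o = CreateDynamicImportLoaderBuggy(true);
  return !o.initOk && o.loaderAlreadyFreed;
}
static bool FixedPathBailsOutCleanly() {
  int before = gLoadersDestroyed;
  RefPtr<Loader> l = CreateDynamicImportLoaderFixed(true);
  return !l && gLoadersDestroyed == before + 1;
}
static bool FixedPathKeepsLoaderAlive() {
  int before = gLoadersDestroyed;
  RefPtr<Loader> l = CreateDynamicImportLoaderFixed(false);
  bool alive = static_cast<bool>(l) && gLoadersDestroyed == before;
  ShutdownWorker();  // worker drops its reference; `l` still owns the loader
  return alive && gLoadersDestroyed == before;
}
```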
Assignee
Comment 6•1 year ago
Comment on attachment 9329300 [details]
Bug 1828130:
Security Approval Request
- How easily could an exploit be constructed based on the patch?: It will be very difficult, as this patch only adds a check to see whether the creation succeeded or not.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: 113
- If not all supported branches, which bug introduced the flaw?: Bug 1540913
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: This patch can be used to backport.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely; this patch only checks whether the creation succeeded. The test is contained in this patch.
- Is Android affected?: Yes
Comment 7•1 year ago
Comment on attachment 9329300 [details]
Bug 1828130:
Please separate out the test into a separate patch we can land later, thank you.
https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#landing-your-patch
Assignee
Comment 8•1 year ago
Comment 9•1 year ago
Comment on attachment 9329356 [details]
Bug 1828130: test.
Revision D175943 was moved to bug 1828992. Setting attachment 9329356 [details] to obsolete.
Assignee
Comment 10•1 year ago
Comment on attachment 9329300 [details]
Bug 1828130:
Security Approval Request
- How easily could an exploit be constructed based on the patch?: It will be very difficult, as this patch only adds a check to see whether the creation succeeded or not.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: 113
- If not all supported branches, which bug introduced the flaw?: Bug 1540913
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: This patch can be used to backport.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely; this patch only checks whether the creation succeeded.
- Is Android affected?: Yes
Comment 11•1 year ago
Comment on attachment 9329300 [details]
Bug 1828130:
Approval to land. Please request uplift to beta, in order to fix both affected branches.
Comment 12•1 year ago
Comment 13•1 year ago
Verified bug as fixed on rev mozilla-central 20230421211246-38967ad7e8f2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Assignee
Comment 14•1 year ago
Comment on attachment 9329300 [details]
Bug 1828130:
Beta/Release Uplift Approval Request
- User impact if declined: SIGSEGV crash in opt build.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This just adds another check for the result in CreateDynamicImportLoader, and bails out if it failed.
- String changes made/needed: no
- Is Android affected?: Yes
Comment 15•1 year ago
Comment on attachment 9329300 [details]
Bug 1828130:
Approved for 113.0b7.
Comment 16•1 year ago
uplift