Closed
Bug 1830076
Opened 1 year ago
Closed 1 year ago
AddressSanitizer: heap-use-after-free [@ mozilla::dom::WebTransport::RemoteClosed] with READ of size 4
Categories: Core :: DOM: Networking, defect, P2
Status: RESOLVED FIXED
Target: 114 Branch
Branch | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox112 | --- | disabled
firefox113 | --- | disabled
firefox114 | --- | fixed
People: Reporter: jkratzer, Assigned: jesup
References: Blocks 2 open bugs
Details: Keywords: csectype-uaf, sec-high, testcase-wanted; Whiteboard: [necko-triaged][necko-priority-review]
Attachments (1 file): 13.75 KB, text/plain
Found while fuzzing mozilla-central rev c1dc21363c17 (built with: --enable-address-sanitizer).
I don't currently have a testcase that reproduces this issue.
AddressSanitizer: heap-use-after-free [@ mozilla::dom::WebTransport::RemoteClosed] with READ of size 4
=================================================================
==956325==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000061d40 at pc 0x7efe84f1f33a bp 0x7ffc43e0c570 sp 0x7ffc43e0c568
READ of size 4 at 0x60f000061d40 thread T0 (Isolated Web Co)
#0 0x7efe84f1f339 in mozilla::dom::WebTransport::RemoteClosed(bool, unsigned int const&, nsTSubstring<char> const&) /dom/webtransport/api/WebTransport.cpp:470:7
#1 0x7efe84f39a2c in mozilla::dom::WebTransportChild::RecvRemoteClosed(bool const&, unsigned int const&, nsTSubstring<char> const&) /dom/webtransport/child/WebTransportChild.cpp:37:17
#2 0x7efe84f54367 in mozilla::dom::PWebTransportChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportChild.cpp:614:85
#3 0x7efe7cbbb68d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
#4 0x7efe7cbb812b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
#5 0x7efe7cbb923d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
#6 0x7efe7cbba252 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
#7 0x7efe7b16ef8a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
#8 0x7efe7b161b8a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
#9 0x7efe7b15ea87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:702:15
#10 0x7efe7b15f36f in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
#11 0x7efe7b1746b1 in operator() /xpcom/threads/TaskController.cpp:218:37
#12 0x7efe7b1746b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#13 0x7efe7b1a02cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
#14 0x7efe7b1add64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#15 0x7efe7cbc4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#16 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#17 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#18 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#19 0x7efe85899829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#20 0x7efe8b4a6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
#21 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#22 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#23 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#24 0x7efe8b4a63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
#25 0x55c7541cb2cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#26 0x55c7541cb2cd in main /browser/app/nsBrowserApp.cpp:375:18
#27 0x7efe99829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#28 0x7efe99829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#29 0x55c7540f4938 in _start (/home/jkratzer/builds/m-c-20230425154313-asan-opt/firefox+0xfa938) (BuildId: f31e1396c4affebb88e3664275626659)
0x60f000061d40 is located 80 bytes inside of 168-byte region [0x60f000061cf0,0x60f000061d98)
freed by thread T0 (Isolated Web Co) here:
#0 0x55c75418cfe6 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7efe7afa02aa in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /xpcom/base/nsCycleCollector.cpp:2511:9
#2 0x7efe7af79631 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /xpcom/base/nsCycleCollector.cpp:969:23
#3 0x7efe7af7a753 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /xpcom/base/nsCycleCollector.cpp:2679:14
#4 0x7efe7cef9b42 in AsyncFreeSnowWhite::Run() /js/xpconnect/src/XPCJSRuntime.cpp:159:9
#5 0x7efe7b1c6f7e in IdleRunnableWrapper::Run() /xpcom/threads/nsThreadUtils.cpp:326:22
#6 0x7efe7b16ef8a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
#7 0x7efe7b161b8a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
#8 0x7efe7b15ee6d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:744:15
#9 0x7efe7b15f36f in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
#10 0x7efe7b1746b1 in operator() /xpcom/threads/TaskController.cpp:218:37
#11 0x7efe7b1746b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#12 0x7efe7b1a02cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
#13 0x7efe7b1add64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#14 0x7efe7cbc4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#15 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#16 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#17 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#18 0x7efe85899829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#19 0x7efe8b4a6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
#20 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#21 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#22 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#23 0x7efe8b4a63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
#24 0x55c7541cb2cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#25 0x55c7541cb2cd in main /browser/app/nsBrowserApp.cpp:375:18
#26 0x7efe99829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
previously allocated by thread T0 (Isolated Web Co) here:
#0 0x55c75418d28e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55c7541d09b5 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
#2 0x7efe84f19b60 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7efe84f19b60 in mozilla::dom::WebTransport::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WebTransportOptions const&, mozilla::ErrorResult&) /dom/webtransport/api/WebTransport.cpp:167:33
#4 0x7efe807fb820 in mozilla::dom::WebTransport_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WebTransportBinding.cpp:1726:58
#5 0x7efe8b89a949 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#6 0x7efe8b89a949 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:502:8
#7 0x7efe8b89a949 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:727:10
#8 0x7efe8b8bc928 in ConstructFromStack /js/src/vm/Interpreter.cpp:755:10
#9 0x7efe8b8bc928 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3380:16
#10 0x7efe8b8964a8 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#11 0x7efe8b8964a8 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#12 0x7efe8b8978bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
#13 0x7efe8b899836 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#14 0x7efe8b899836 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#15 0x7efe8be1bea3 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1473:10
#16 0x7efe8b9c2e95 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
#17 0x7efe8bd0ce2c in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
#18 0x7efe8bd0ce2c in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
#19 0x7efe8b897703 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#20 0x7efe8b897703 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
#21 0x7efe8b899836 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#22 0x7efe8b899836 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#23 0x7efe8ba04f6b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#24 0x7efe7fa78ee3 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#25 0x7efe7af433ea in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#26 0x7efe7af433ea in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#27 0x7efe7af433ea in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
#28 0x7efe7af1a1eb in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
#29 0x7efe7af1b0ff in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
#30 0x7efe7ceb147f in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1491:28
#31 0x7efe7b1a0d92 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1277:24
#32 0x7efe7b1add64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#33 0x7efe7cbc4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#34 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#35 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#36 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#37 0x7efe85899829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#38 0x7efe8b4a6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
#39 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
#40 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
#41 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
#42 0x7efe8b4a63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
#43 0x55c7541cb2cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#44 0x55c7541cb2cd in main /browser/app/nsBrowserApp.cpp:375:18
#45 0x7efe99829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-use-after-free /dom/webtransport/api/WebTransport.cpp:470:7 in mozilla::dom::WebTransport::RemoteClosed(bool, unsigned int const&, nsTSubstring<char> const&)
Shadow bytes around the buggy address:
0x60f000061a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000061b00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x60f000061b80: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x60f000061c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x60f000061c80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
=>0x60f000061d00: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x60f000061d80: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000061e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000061e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000061f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x60f000061f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==956325==ABORTING
Comment 1 • 1 year ago (Reporter)
Updated • 1 year ago (Reporter)
Keywords: testcase → testcase-wanted
Updated • 1 year ago (Reporter)
Blocks: fuzzing-webtransport
Updated • 1 year ago
Group: core-security → network-core-security
Comment 2 • 1 year ago
Not sure how this can happen, as this weak pointer gets cleared in the dtor. Maybe in WebTransport::ResolveWaitingConnection() mChild gets overridden without calling shutdown on the old value and the old value is non-null somehow?
Keywords: csectype-uaf,
sec-high
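The lifetime hazard comment 2 speculates about, modelled as an added example that is not Firefox code: a cycle-collected parent object (standing in for WebTransport) whose destructor clears the raw back-pointer held by its IPC child actor (standing in for WebTransportChild), and a member replacement that either shuts the old actor down first or, in the suspected-bug shape, simply overwrites the member. The names Parent, ChildActor, Shutdown, ReplaceChildSafe, ReplaceChildUnsafe and OldActorDanglesAfterReplace are this example's own assumptions about the pattern, not identifiers from the WebTransport implementation; the example only inspects the stale pointer and never dereferences it.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>

// Hypothetical model of the pattern discussed in comment 2. Names and
// structure are this example's assumptions, not Firefox's code.
struct Parent;

struct ChildActor {
  Parent* mParent = nullptr;  // raw back-pointer; must be cleared before Parent dies
  bool mShutdown = false;

  // Called by the parent when it lets go of this actor.
  void Shutdown() {
    mParent = nullptr;
    mShutdown = true;
  }

  // What the IPC layer would call on a RemoteClosed message. Returns false
  // when the actor has already been detached instead of touching a stale pointer.
  bool RecvRemoteClosed(int code);
};

struct Parent {
  std::shared_ptr<ChildActor> mChild;  // the actor currently bound to us
  int mLastCloseCode = -1;             // field the IPC message writes into

  ~Parent() {
    // The destructor clears the actor's back-pointer, as comment 2 describes.
    if (mChild) {
      mChild->Shutdown();
    }
  }

  // Suspected-bug shape: overwrite mChild without shutting the old actor down.
  // The old actor keeps its pointer to us and outlives our destructor.
  void ReplaceChildUnsafe(std::shared_ptr<ChildActor> aNew) {
    mChild = std::move(aNew);
    mChild->mParent = this;
  }

  // Safe shape: detach the old actor first so it can never reach us again.
  void ReplaceChildSafe(std::shared_ptr<ChildActor> aNew) {
    if (mChild) {
      mChild->Shutdown();
    }
    mChild = std::move(aNew);
    mChild->mParent = this;
  }

  void RemoteClosed(int code) { mLastCloseCode = code; }
};

bool ChildActor::RecvRemoteClosed(int code) {
  if (!mParent) {
    return false;  // detached: nothing to deliver to
  }
  mParent->RemoteClosed(code);
  return true;
}

// Returns true if the *old* actor still holds a parent pointer after the
// parent was replaced and then destroyed: the dangling-pointer condition that
// would let a late RemoteClosed message read freed memory in the real bug.
bool OldActorDanglesAfterReplace(bool useSafeReplace) {
  auto first = std::make_shared<ChildActor>();
  auto second = std::make_shared<ChildActor>();
  {
    auto parent = std::make_unique<Parent>();
    parent->ReplaceChildSafe(first);  // initial binding
    if (useSafeReplace) {
      parent->ReplaceChildSafe(second);
    } else {
      parent->ReplaceChildUnsafe(second);
    }
    // parent is destroyed here; its destructor only shuts down mChild (second)
  }
  // Only the pointer value is inspected; it is never dereferenced.
  return first->mParent != nullptr;
}

int main() {
  std::printf("unsafe replace leaves old actor dangling: %s\n",
              OldActorDanglesAfterReplace(false) ? "yes" : "no");
  std::printf("safe replace leaves old actor dangling:   %s\n",
              OldActorDanglesAfterReplace(true) ? "yes" : "no");
  return 0;
}
```

The design point is that every path which drops a back-referenced actor, not only the destructor, has to detach it; otherwise the destructor's cleanup covers the current actor while an earlier one still points at freed memory.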
Updated • 1 year ago (Assignee)
Assignee: nobody → rjesup
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-review]
Updated • 1 year ago
status-firefox112: --- → disabled
status-firefox113: --- → disabled
status-firefox114: --- → disabled
status-firefox-esr102: --- → unaffected
Comment 3 • 1 year ago (Assignee)
Should be fixed by bug 1830096
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Updated • 1 year ago
Updated • 1 year ago
Group: core-security-release