Closed Bug 1830076 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-use-after-free [@ mozilla::dom::WebTransport::RemoteClosed] with READ of size 4

Categories

(Core :: DOM: Networking, defect, P2)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
114 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox112 --- disabled
firefox113 --- disabled
firefox114 --- fixed

People

(Reporter: jkratzer, Assigned: jesup)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-uaf, sec-high, testcase-wanted, Whiteboard: [necko-triaged][necko-priority-review])

Attachments

(1 file)

Found while fuzzing mozilla-central rev c1dc21363c17 (built with: --enable-address-sanitizer).

I don't currently have a testcase that reproduces this issue.

AddressSanitizer: heap-use-after-free [@ mozilla::dom::WebTransport::RemoteClosed] with READ of size 4

    =================================================================
    ==956325==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000061d40 at pc 0x7efe84f1f33a bp 0x7ffc43e0c570 sp 0x7ffc43e0c568
    READ of size 4 at 0x60f000061d40 thread T0 (Isolated Web Co)
        #0 0x7efe84f1f339 in mozilla::dom::WebTransport::RemoteClosed(bool, unsigned int const&, nsTSubstring<char> const&) /dom/webtransport/api/WebTransport.cpp:470:7
        #1 0x7efe84f39a2c in mozilla::dom::WebTransportChild::RecvRemoteClosed(bool const&, unsigned int const&, nsTSubstring<char> const&) /dom/webtransport/child/WebTransportChild.cpp:37:17
        #2 0x7efe84f54367 in mozilla::dom::PWebTransportChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PWebTransportChild.cpp:614:85
        #3 0x7efe7cbbb68d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1800:25
        #4 0x7efe7cbb812b in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1725:9
        #5 0x7efe7cbb923d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1525:3
        #6 0x7efe7cbba252 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1623:14
        #7 0x7efe7b16ef8a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
        #8 0x7efe7b161b8a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
        #9 0x7efe7b15ea87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:702:15
        #10 0x7efe7b15f36f in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
        #11 0x7efe7b1746b1 in operator() /xpcom/threads/TaskController.cpp:218:37
        #12 0x7efe7b1746b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #13 0x7efe7b1a02cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #14 0x7efe7b1add64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #15 0x7efe7cbc4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #16 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #17 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #18 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #19 0x7efe85899829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #20 0x7efe8b4a6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #21 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #22 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #23 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #24 0x7efe8b4a63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #25 0x55c7541cb2cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #26 0x55c7541cb2cd in main /browser/app/nsBrowserApp.cpp:375:18
        #27 0x7efe99829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #28 0x7efe99829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #29 0x55c7540f4938 in _start (/home/jkratzer/builds/m-c-20230425154313-asan-opt/firefox+0xfa938) (BuildId: f31e1396c4affebb88e3664275626659)
    
    0x60f000061d40 is located 80 bytes inside of 168-byte region [0x60f000061cf0,0x60f000061d98)
    freed by thread T0 (Isolated Web Co) here:
        #0 0x55c75418cfe6 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7efe7afa02aa in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /xpcom/base/nsCycleCollector.cpp:2511:9
        #2 0x7efe7af79631 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /xpcom/base/nsCycleCollector.cpp:969:23
        #3 0x7efe7af7a753 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /xpcom/base/nsCycleCollector.cpp:2679:14
        #4 0x7efe7cef9b42 in AsyncFreeSnowWhite::Run() /js/xpconnect/src/XPCJSRuntime.cpp:159:9
        #5 0x7efe7b1c6f7e in IdleRunnableWrapper::Run() /xpcom/threads/nsThreadUtils.cpp:326:22
        #6 0x7efe7b16ef8a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
        #7 0x7efe7b161b8a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
        #8 0x7efe7b15ee6d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:744:15
        #9 0x7efe7b15f36f in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
        #10 0x7efe7b1746b1 in operator() /xpcom/threads/TaskController.cpp:218:37
        #11 0x7efe7b1746b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #12 0x7efe7b1a02cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #13 0x7efe7b1add64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #14 0x7efe7cbc4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #15 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #16 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #17 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #18 0x7efe85899829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #19 0x7efe8b4a6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #20 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #21 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #22 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #23 0x7efe8b4a63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #24 0x55c7541cb2cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #25 0x55c7541cb2cd in main /browser/app/nsBrowserApp.cpp:375:18
        #26 0x7efe99829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    previously allocated by thread T0 (Isolated Web Co) here:
        #0 0x55c75418d28e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x55c7541d09b5 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7efe84f19b60 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7efe84f19b60 in mozilla::dom::WebTransport::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WebTransportOptions const&, mozilla::ErrorResult&) /dom/webtransport/api/WebTransport.cpp:167:33
        #4 0x7efe807fb820 in mozilla::dom::WebTransport_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WebTransportBinding.cpp:1726:58
        #5 0x7efe8b89a949 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
        #6 0x7efe8b89a949 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:502:8
        #7 0x7efe8b89a949 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:727:10
        #8 0x7efe8b8bc928 in ConstructFromStack /js/src/vm/Interpreter.cpp:755:10
        #9 0x7efe8b8bc928 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3380:16
        #10 0x7efe8b8964a8 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
        #11 0x7efe8b8964a8 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #12 0x7efe8b8978bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
        #13 0x7efe8b899836 in InternalCall /js/src/vm/Interpreter.cpp:647:10
        #14 0x7efe8b899836 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #15 0x7efe8be1bea3 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/SelfHosting.cpp:1473:10
        #16 0x7efe8b9c2e95 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /js/src/vm/AsyncFunction.cpp:149:8
        #17 0x7efe8bd0ce2c in AsyncFunctionPromiseReactionJob /js/src/builtin/Promise.cpp:2111:12
        #18 0x7efe8bd0ce2c in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2174:12
        #19 0x7efe8b897703 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
        #20 0x7efe8b897703 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
        #21 0x7efe8b899836 in InternalCall /js/src/vm/Interpreter.cpp:647:10
        #22 0x7efe8b899836 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #23 0x7efe8ba04f6b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #24 0x7efe7fa78ee3 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #25 0x7efe7af433ea in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #26 0x7efe7af433ea in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #27 0x7efe7af433ea in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
        #28 0x7efe7af1a1eb in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
        #29 0x7efe7af1b0ff in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /xpcom/base/CycleCollectedJSContext.cpp:463:3
        #30 0x7efe7ceb147f in XPCJSContext::AfterProcessTask(unsigned int) /js/xpconnect/src/XPCJSContext.cpp:1491:28
        #31 0x7efe7b1a0d92 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1277:24
        #32 0x7efe7b1add64 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #33 0x7efe7cbc4068 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #34 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #35 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #36 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #37 0x7efe85899829 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #38 0x7efe8b4a6c48 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #39 0x7efe7ca12ada in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #40 0x7efe7ca12ada in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #41 0x7efe7ca12ada in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #42 0x7efe8b4a63c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #43 0x55c7541cb2cd in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #44 0x55c7541cb2cd in main /browser/app/nsBrowserApp.cpp:375:18
        #45 0x7efe99829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /dom/webtransport/api/WebTransport.cpp:470:7 in mozilla::dom::WebTransport::RemoteClosed(bool, unsigned int const&, nsTSubstring<char> const&)
    Shadow bytes around the buggy address:
      0x60f000061a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60f000061b00: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x60f000061b80: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x60f000061c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x60f000061c80: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
    =>0x60f000061d00: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
      0x60f000061d80: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60f000061e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60f000061e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60f000061f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x60f000061f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==956325==ABORTING
Keywords: bugmon
Whiteboard: [bugmon:confirm]
Group: core-security → network-core-security

Not sure how this can happen, as this weak pointer gets cleared in the dtor. Maybe in WebTransport::ResolveWaitingConnection() mChild gets overridden without calling shutdown on the old value and the old value is non-null somehow?
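The scenario jesup describes, as an added illustration that is not Firefox code and not part of this bug: a hypothetical `ChildActor` keeps a raw back-pointer to a hypothetical `Transport`; the destructor clears only the current `mChild`, so replacing `mChild` without shutting down the old actor leaves a pointer that a later `RecvRemoteClosed` would follow into freed memory. The fixed variant shuts the old actor down first, and the check only inspects the stale pointer rather than dereferencing it.

```cpp
#include <memory>
#include <utility>

// Hypothetical model (not Firefox code) of the pattern jesup describes: the IPC
// child actor holds a raw back-pointer that the DOM object's destructor clears,
// but replacing mChild without Shutdown() leaves the old actor's pointer dangling.
struct Transport;
struct ChildActor {
  Transport* mTransport = nullptr;      // weak back-pointer, never owning
  void Shutdown() { mTransport = nullptr; }
  bool RecvRemoteClosed(bool cleanly);  // false when the message is dropped
};
struct Transport {
  std::shared_ptr<ChildActor> mChild;
  bool mRemoteClosed = false;
  ~Transport() { if (mChild) mChild->Shutdown(); }  // clears only the current child
  void RemoteClosed(bool) { mRemoteClosed = true; }
  // Buggy: overwrite mChild and leave the old actor's back-pointer intact.
  void ResolveWaitingConnectionBuggy(std::shared_ptr<ChildActor> c) {
    c->mTransport = this;
    mChild = std::move(c);
  }
  // Fixed: shut down the old actor before it is replaced.
  void ResolveWaitingConnectionFixed(std::shared_ptr<ChildActor> c) {
    if (mChild) mChild->Shutdown();
    c->mTransport = this;
    mChild = std::move(c);
  }
};
bool ChildActor::RecvRemoteClosed(bool cleanly) {
  if (!mTransport) return false;  // actor shut down: message ignored, no UAF
  mTransport->RemoteClosed(cleanly);
  return true;
}

// True when the first actor still points at the destroyed Transport, i.e. a
// RemoteClosed message arriving later would read freed memory as in the ASan
// report above. The dangling pointer is only inspected, never dereferenced.
bool OldActorLeftDangling(bool useFix) {
  auto first = std::make_shared<ChildActor>();
  auto second = std::make_shared<ChildActor>();
  auto resolve = useFix ? &Transport::ResolveWaitingConnectionFixed
                        : &Transport::ResolveWaitingConnectionBuggy;
  {
    Transport t;
    (t.*resolve)(first);
    (t.*resolve)(second);  // a second connection replaces the first actor
  }  // ~Transport runs: only `second` is shut down
  return first->mTransport != nullptr;
}
```

Under ASan the buggy path would only be reported once a message is actually delivered to the stale actor, which is why a deterministic testcase is hard to come by when the free happens on an idle cycle-collector slice.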

Assignee: nobody → rjesup
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [necko-triaged][necko-priority-review]

Should be fixed by bug 1830096

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
See Also: → 1830096
Group: network-core-security → core-security-release
Depends on: 1830096
See Also: 1830096
Target Milestone: --- → 114 Branch
Group: core-security-release