AddressSanitizer: heap-use-after-free [@ CanSend] with READ of size 1 in fuzzing builds (only)
Categories: Core :: DOM: postMessage, defect, P2
Tracking:
Branch | Tracking | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox-esr115 | --- | wontfix
firefox114 | --- | unaffected
firefox115 | --- | wontfix
firefox116 | --- | fixed
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug, Regression
Details: 5 keywords, Whiteboard: [bugmon:bisected,confirmed][fuzzing only][adv-main116-]
Attachments: 2 files
Testcase found while fuzzing mozilla-central rev 23a3b1b5a2b7 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build d49f009b89ad --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: heap-use-after-free [@ CanSend] with READ of size 1
=================================================================
==20923==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000071df1 at pc 0x7f2d822ae04f bp 0x7fff4adbcfb0 sp 0x7fff4adbcfa8
READ of size 1 at 0x607000071df1 thread T0 (Isolated Web Co)
#0 0x7f2d822ae04e in CanSend /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:222:33
#1 0x7f2d822ae04e in mozilla::ipc::IProtocol::ChannelSend(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/ProtocolUtils.cpp:481:7
#2 0x7f2d8af210c2 in mozilla::dom::PMessagePortChild::SendPostMessages(mozilla::Span<mozilla::dom::MessageData const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PMessagePortChild.cpp:108:21
#3 0x7f2d8af1fe47 in mozilla::dom::MessagePort::PostMessage(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<JSObject*> const&, mozilla::ErrorResult&) /dom/messagechannel/MessagePort.cpp:405:11
#4 0x7f2d8affa84d in mozilla::dom::PackAndPostMessage(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/Transferable.cpp:72:10
#5 0x7f2d8affc356 in mozilla::dom::PackAndPostMessageHandlingError(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /dom/streams/Transferable.cpp:287:3
#6 0x7f2d8aff05f3 in mozilla::dom::CrossRealmReadableUnderlyingSourceAlgorithms::CancelCallback(JSContext*, mozilla::dom::Optional<JS::Handle<JS::Value>> const&, mozilla::ErrorResult&) /dom/streams/Transferable.cpp:731:19
#7 0x7f2d8afc0b70 in mozilla::dom::ReadableStreamDefaultController::CancelSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStreamDefaultController.cpp:590:40
#8 0x7f2d8afa8851 in mozilla::dom::streams_abstract::ReadableStreamCancel(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:402:19
#9 0x7f2d8aff4eee in operator() /dom/streams/ReadableStreamPipeTo.cpp:878:22
#10 0x7f2d8aff4eee in mozilla::dom::PipeToPump::OnDestErrored(JSContext*, JS::Handle<JS::Value>)::$_0::__invoke(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&) /dom/streams/ReadableStreamPipeTo.cpp:873:9
#11 0x7f2d8afca852 in mozilla::dom::PipeToPump::ShutdownWithActionAfterFinishedWrite(JSContext*, already_AddRefed<mozilla::dom::Promise> (*)(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&), JS::Handle<mozilla::Maybe<JS::Value>>) /dom/streams/ReadableStreamPipeTo.cpp:503:23
#12 0x7f2d8afc7139 in mozilla::dom::PipeToPump::ShutdownWithAction(JSContext*, already_AddRefed<mozilla::dom::Promise> (*)(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&), JS::Handle<mozilla::Maybe<JS::Value>>) /dom/streams/ReadableStreamPipeTo.cpp:431:3
#13 0x7f2d8afc7edd in mozilla::dom::PipeToPump::OnDestErrored(JSContext*, JS::Handle<JS::Value>) /dom/streams/ReadableStreamPipeTo.cpp
#14 0x7f2d8af48054 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::RejectedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/promise/Promise.cpp:489:12
#15 0x7f2d8af48b43 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /dom/promise/Promise.cpp
#16 0x7f2d91df71c3 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#17 0x7f2d91df71c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
#18 0x7f2d91df92f6 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#19 0x7f2d91df92f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#20 0x7f2d9227a33b in Call /js/src/vm/Interpreter.h:116:10
#21 0x7f2d9227a33b in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2240:10
#22 0x7f2d91df71c3 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#23 0x7f2d91df71c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
#24 0x7f2d91df92f6 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#25 0x7f2d91df92f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#26 0x7f2d91f65e9b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#27 0x7f2d85698c83 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#28 0x7f2d803dd77d in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#29 0x7f2d803dd77d in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#30 0x7f2d803dd77d in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
#31 0x7f2d803b3ffb in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /xpcom/base/CycleCollectedJSContext.cpp:676:17
#32 0x7f2d87f0d254 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7
#33 0x7f2d87f0d254 in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13
#34 0x7f2d87f0d254 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1243:3
#35 0x7f2d87f0ed1f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1427:21
#36 0x7f2d87ef6bf4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:342:17
#37 0x7f2d87ef4a03 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:545:16
#38 0x7f2d87efad85 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1133:11
#39 0x7f2d8c52c4b6 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1082:7
#40 0x7f2d90753e28 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6393:20
#41 0x7f2d90752990 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5786:7
#42 0x7f2d907556f6 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
#43 0x7f2d828ae103 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1380:3
#44 0x7f2d828ac8dd in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:978:14
#45 0x7f2d828a7da8 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:797:9
#46 0x7f2d828aaefa in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:680:5
#47 0x7f2d907a94aa in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13848:23
#48 0x7f2d80a50323 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:631:22
#49 0x7f2d80a53844 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:535:10
#50 0x7f2d843c623e in DoUnblockOnload /dom/base/Document.cpp:11646:18
#51 0x7f2d843c623e in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11584:9
#52 0x7f2d843fea0f in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8117:3
#53 0x7f2d8452d7eb in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
#54 0x7f2d8452d7eb in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:60:14
#55 0x7f2d8452d7eb in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:95:14
#56 0x7f2d8452d7eb in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1662:14
#57 0x7f2d8452d7eb in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1671:14
#58 0x7f2d8452d7eb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#59 0x7f2d8452d7eb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
#60 0x7f2d805f8800 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
#61 0x7f2d8061344a in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:555:16
#62 0x7f2d806041ba in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:879:26
#63 0x7f2d806010b7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:702:15
#64 0x7f2d8060199f in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:491:36
#65 0x7f2d80618b31 in operator() /xpcom/threads/TaskController.cpp:218:37
#66 0x7f2d80618b31 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
#67 0x7f2d80644927 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1240:16
#68 0x7f2d80652264 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
#69 0x7f2d8227475e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#70 0x7f2d8209df6a in RunInternal /ipc/chromium/src/base/message_loop.cc:368:10
#71 0x7f2d8209df6a in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
#72 0x7f2d8209df6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
#73 0x7f2d8ba62d39 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
#74 0x7f2d9199c1ce in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:724:20
#75 0x7f2d8209df6a in RunInternal /ipc/chromium/src/base/message_loop.cc:368:10
#76 0x7f2d8209df6a in RunHandler /ipc/chromium/src/base/message_loop.cc:361:3
#77 0x7f2d8209df6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:343:3
#78 0x7f2d9199b85e in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:659:34
#79 0x55dcf263b77e in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#80 0x55dcf263b77e in main /browser/app/nsBrowserApp.cpp:375:18
#81 0x7f2da7229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#82 0x7f2da7229e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#83 0x55dcf2564d98 in _start (/home/jkratzer/crashes/15988/26eef7a5_2023-05-29_08-00-53-0/m-c-20230527212147-fuzzing-asan-opt/firefox+0x107d98) (BuildId: ac428ac7318de9179dd366ff9025896796c7a971)
0x607000071df1 is located 17 bytes inside of 80-byte region [0x607000071de0,0x607000071e30)
freed by thread T0 (Isolated Web Co) here:
#0 0x55dcf25fd446 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f2d821aa06d in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
#2 0x7f2d821aa06d in Release /builds/worker/workspace/obj-build/dist/include/mozilla/dom/MessagePortChild.h:22:3
#3 0x7f2d821aa06d in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
#4 0x7f2d821aa06d in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36
#5 0x7f2d821aa06d in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:85:7
#6 0x7f2d821aa06d in mozilla::ipc::BackgroundChildImpl::DeallocPMessagePortChild(mozilla::dom::PMessagePortChild*) /ipc/glue/BackgroundChildImpl.cpp:451:1
#7 0x7f2d822a9531 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /ipc/glue/ProtocolUtils.cpp:260:11
#8 0x7f2d8233bcb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:602:3
#9 0x7f2d8233bcb5 in mozilla::ipc::PBackgroundChild::ClearSubtree() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:7364:9
#10 0x7f2d82342f58 in mozilla::ipc::PBackgroundChild::OnChannelError() /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:7019:5
#11 0x7f2d8226d490 in mozilla::ipc::MessageChannel::CloseWithError() /ipc/glue/MessageChannel.cpp
#12 0x7f2d822b780b in FatalError /ipc/chromium/src/chrome/common/ipc_message_utils.h:117:5
#13 0x7f2d822b780b in IPC::ParamTraits<JSStructuredCloneData>::Write(IPC::MessageWriter*, JSStructuredCloneData const&) /ipc/glue/SerializedStructuredCloneBuffer.cpp:20:14
#14 0x7f2d8a90a4a6 in WriteParam<const JSStructuredCloneData &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:442:3
#15 0x7f2d8a90a4a6 in Write /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SerializedStructuredCloneBuffer.h:77:5
#16 0x7f2d8a90a4a6 in WriteParam<const mozilla::SerializedStructuredCloneBuffer &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:442:3
#17 0x7f2d8a90a4a6 in IPC::ParamTraits<mozilla::dom::ClonedMessageData>::Write(IPC::MessageWriter*, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:127:5
#18 0x7f2d8af3428a in WriteParam<const mozilla::dom::MessageData> /ipc/chromium/src/chrome/common/ipc_message_utils.h:442:3
#19 0x7f2d8af3428a in void IPC::WriteSequenceParam<mozilla::dom::MessageData const>(IPC::MessageWriter*, std::remove_reference<mozilla::dom::MessageData const>::type*, unsigned long) /ipc/chromium/src/chrome/common/ipc_message_utils.h:594:7
#20 0x7f2d8af20f8d in Write /ipc/chromium/src/chrome/common/ipc_message_utils.h:1023:5
#21 0x7f2d8af20f8d in WriteParam<mozilla::Span<const mozilla::dom::MessageData, 18446744073709551615UL> &> /ipc/chromium/src/chrome/common/ipc_message_utils.h:442:3
#22 0x7f2d8af20f8d in mozilla::dom::PMessagePortChild::SendPostMessages(mozilla::Span<mozilla::dom::MessageData const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PMessagePortChild.cpp:91:5
#23 0x7f2d8af1fe47 in mozilla::dom::MessagePort::PostMessage(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Sequence<JSObject*> const&, mozilla::ErrorResult&) /dom/messagechannel/MessagePort.cpp:405:11
#24 0x7f2d8affa84d in mozilla::dom::PackAndPostMessage(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/Transferable.cpp:72:10
#25 0x7f2d8affc356 in mozilla::dom::PackAndPostMessageHandlingError(JSContext*, mozilla::dom::MessagePort*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /dom/streams/Transferable.cpp:287:3
#26 0x7f2d8aff05f3 in mozilla::dom::CrossRealmReadableUnderlyingSourceAlgorithms::CancelCallback(JSContext*, mozilla::dom::Optional<JS::Handle<JS::Value>> const&, mozilla::ErrorResult&) /dom/streams/Transferable.cpp:731:19
#27 0x7f2d8afc0b70 in mozilla::dom::ReadableStreamDefaultController::CancelSteps(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStreamDefaultController.cpp:590:40
#28 0x7f2d8afa8851 in mozilla::dom::streams_abstract::ReadableStreamCancel(JSContext*, mozilla::dom::ReadableStream*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/streams/ReadableStream.cpp:402:19
#29 0x7f2d8aff4eee in operator() /dom/streams/ReadableStreamPipeTo.cpp:878:22
#30 0x7f2d8aff4eee in mozilla::dom::PipeToPump::OnDestErrored(JSContext*, JS::Handle<JS::Value>)::$_0::__invoke(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&) /dom/streams/ReadableStreamPipeTo.cpp:873:9
#31 0x7f2d8afca852 in mozilla::dom::PipeToPump::ShutdownWithActionAfterFinishedWrite(JSContext*, already_AddRefed<mozilla::dom::Promise> (*)(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&), JS::Handle<mozilla::Maybe<JS::Value>>) /dom/streams/ReadableStreamPipeTo.cpp:503:23
#32 0x7f2d8afc7139 in mozilla::dom::PipeToPump::ShutdownWithAction(JSContext*, already_AddRefed<mozilla::dom::Promise> (*)(JSContext*, mozilla::dom::PipeToPump*, JS::Handle<mozilla::Maybe<JS::Value>>, mozilla::ErrorResult&), JS::Handle<mozilla::Maybe<JS::Value>>) /dom/streams/ReadableStreamPipeTo.cpp:431:3
#33 0x7f2d8afc7edd in mozilla::dom::PipeToPump::OnDestErrored(JSContext*, JS::Handle<JS::Value>) /dom/streams/ReadableStreamPipeTo.cpp
#34 0x7f2d8af48054 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::RejectedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /dom/promise/Promise.cpp:489:12
#35 0x7f2d8af48b43 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /dom/promise/Promise.cpp
#36 0x7f2d91df71c3 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#37 0x7f2d91df71c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
#38 0x7f2d91df92f6 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#39 0x7f2d91df92f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#40 0x7f2d9227a33b in Call /js/src/vm/Interpreter.h:116:10
#41 0x7f2d9227a33b in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /js/src/builtin/Promise.cpp:2240:10
#42 0x7f2d91df71c3 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#43 0x7f2d91df71c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
#44 0x7f2d91df92f6 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#45 0x7f2d91df92f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#46 0x7f2d91f65e9b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#47 0x7f2d85698c83 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
#48 0x7f2d803dd77d in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
#49 0x7f2d803dd77d in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
#50 0x7f2d803dd77d in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /xpcom/base/CycleCollectedJSContext.cpp:213:18
previously allocated by thread T0 (Isolated Web Co) here:
#0 0x55dcf25fd6ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x55dcf2640995 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f2d821a9f86 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f2d821a9f86 in mozilla::ipc::BackgroundChildImpl::AllocPMessagePortChild(nsID const&, nsID const&, unsigned int const&) /ipc/glue/BackgroundChildImpl.cpp:442:41
#4 0x7f2d82316c53 in mozilla::ipc::PBackgroundChild::SendPMessagePortConstructor(nsID const&, nsID const&, unsigned int const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:3480:40
#5 0x7f2d8af1e5c9 in mozilla::dom::MessagePort::ConnectToPBackground() /dom/messagechannel/MessagePort.cpp:788:42
#6 0x7f2d8af2447b in mozilla::dom::MessagePort::CloneAndDisentangle(mozilla::dom::UniqueMessagePortId&) /dom/messagechannel/MessagePort.cpp:724:16
#7 0x7f2d8afd9f20 in mozilla::dom::WritableStream::Transfer(JSContext*, mozilla::dom::UniqueMessagePortId&) /dom/streams/Transferable.cpp:956:21
#8 0x7f2d846f1822 in mozilla::dom::StructuredCloneHolder::CustomWriteTransferHandler(JSContext*, JS::Handle<JSObject*>, unsigned int*, JS::TransferableOwnership*, void**, unsigned long*) /dom/base/StructuredCloneHolder.cpp:1468:22
#9 0x7f2d91d3f858 in JSStructuredCloneWriter::transferOwnership() /js/src/vm/StructuredClone.cpp:2304:12
#10 0x7f2d91d25428 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) /js/src/vm/StructuredClone.cpp:2437:10
#11 0x7f2d91d23116 in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Value const&) /js/src/vm/StructuredClone.cpp:751:10
#12 0x7f2d91d56581 in JS_WriteStructuredClone /js/src/vm/StructuredClone.cpp:3873:10
#13 0x7f2d91d56581 in JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) /js/src/vm/StructuredClone.cpp:3994:13
#14 0x7f2d846e3064 in mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&) /dom/base/StructuredCloneHolder.cpp:276:17
#15 0x7f2d846e39fb in mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) /dom/base/StructuredCloneHolder.cpp:363:35
#16 0x7f2d83f92862 in nsContentUtils::StructuredClone(JSContext*, nsIGlobalObject*, JS::Handle<JS::Value>, mozilla::dom::StructuredSerializeOptions const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /dom/base/nsContentUtils.cpp:10151:10
#17 0x7f2d864994d5 in mozilla::dom::Window_Binding::structuredClone(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:20467:24
#18 0x7f2d870f6271 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3335:13
#19 0x7f2d91df71c3 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
#20 0x7f2d91df71c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:580:12
#21 0x7f2d91e1c366 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#22 0x7f2d91e1c366 in CallFromStack /js/src/vm/Interpreter.cpp:652:10
#23 0x7f2d91e1c366 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3395:16
#24 0x7f2d91df5f15 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
#25 0x7f2d91df5f15 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
#26 0x7f2d91df737c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
#27 0x7f2d91df92f6 in InternalCall /js/src/vm/Interpreter.cpp:647:10
#28 0x7f2d91df92f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
#29 0x7f2d91f65e9b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
#30 0x7f2d86a96c3f in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
#31 0x7f2d87f0d8b6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#32 0x7f2d87f0d18c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1235:43
#33 0x7f2d87f0ed1f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1427:21
#34 0x7f2d87ef6bf4 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:342:17
#35 0x7f2d87ef4a03 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:545:16
#36 0x7f2d87efad85 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1133:11
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:222:33 in CanSend
==20923==ABORTING
Comment 1 (Reporter)•1 year ago
Comment 2•1 year ago
Unable to reproduce bug 1835647 using build mozilla-central 20230526040655-d49f009b89ad. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 3•1 year ago
(In reply to Bugmon [:jkratzer for issues] from comment #2)
> Unable to reproduce bug 1835647 using build mozilla-central 20230526040655-d49f009b89ad. Without a baseline, bugmon is unable to analyze this bug.
> Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Hi Jason, is this intermittently failing such that bugmon did not catch it?
Comment 4•1 year ago
From the stacks, we're hitting an error while serializing a structured clone (I'm guessing due to the very large array), which seems to be causing the PBackgroundChild to shut down, which causes the PMessagePortChild to be destroyed, because it is [ManualDealloc]. However, it is also refcounted, and MessagePort has a strong reference to it, causing the UAF. That seems like a dangerous combination.
Bug 1807049 changed how channel shutdown works a bit, so I wonder if it caused this to pop up. I'm not sure how exactly, though.
Maybe making PMessagePort refcounted (e.g. at the IPDL layer) would help?
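As an added illustration (not Firefox code and not this bug's fix), the C++ model below reproduces the ordering comment 4 describes: a send whose serialization fails tears the channel down synchronously, the manager and the port both drop their references to the actor, and the still-running send then touches `this`. A set of live objects stands in for ASan's shadow memory, and the `deathGrip` flag shows the usual defence of holding a strong reference across a reentrant call; Actor, Channel, Port, kungFuDeathGrip and the 4 GiB limit are illustrative stand-ins, not the real identifiers.

```cpp
// Added example (not Firefox code): a model of the lifetime hazard discussed in
// this bug. Actor, Channel, Port and kungFuDeathGrip are illustrative stand-ins
// for PMessagePortChild, the PBackground manager/channel and MessagePort.
#include <cstddef>
#include <set>

// Stand-in for ASan's shadow memory: the Actor objects currently alive.
static std::set<const void*>& LiveActors() {
  static std::set<const void*> live;
  return live;
}

template <class T> class RefPtr {             // minimal mozilla::RefPtr
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr&) = delete;
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* p) { if (p) p->AddRef(); if (mPtr) mPtr->Release(); mPtr = p; return *this; }
  T* operator->() const { return mPtr; }
  explicit operator bool() const { return mPtr != nullptr; }
 private:
  T* mPtr = nullptr;
};

enum class SendResult { Sent, ChannelClosed, WouldUseAfterFree };
class Channel; class Port;

class Actor {                                 // models PMessagePortChild
 public:
  Actor(Channel* ch, Port* port) : mChannel(ch), mPort(port) { LiveActors().insert(this); }
  ~Actor() { LiveActors().erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  bool CanSend() const { return mOpen; }      // ProtocolUtils.h CanSend(): reads *this
  void ActorDestroy();                        // run by the manager during teardown
  SendResult SendPostMessages(unsigned long long bytes, bool deathGrip);
 private:
  SendResult ChannelSend(unsigned long long bytes);
  std::size_t mRefCnt = 0;
  bool mOpen = true;
  Channel* mChannel;
  Port* mPort;
};

class Port {                                  // models mozilla::dom::MessagePort
 public:
  void Bind(Actor* a) { mActor = a; }
  void Closed() { mActor = nullptr; }         // MessagePort::Closed(): drop the actor
  SendResult PostMessage(unsigned long long bytes, bool deathGrip) {
    if (!mActor) return SendResult::ChannelClosed;
    return mActor->SendPostMessages(bytes, deathGrip);
  }
 private:
  RefPtr<Actor> mActor;                       // the strong reference comment 4 mentions
};

class Channel {                               // models the PBackground manager/channel
 public:
  static constexpr unsigned long long kMaxPayloadBytes = 4ULL << 30;  // constructed limit
  void Adopt(Actor* a) { mActor = a; }        // AllocP*Child: the manager takes a reference
  void Write(unsigned long long bytes) {      // serialize the outgoing message
    if (bytes > kMaxPayloadBytes) OnChannelError();  // FatalError -> CloseWithError
  }
  void OnChannelError() {                     // ClearSubtree -> DeallocP*Child
    if (!mActor) return;
    mActor->ActorDestroy();                   // the Port lets go of the actor here
    mActor = nullptr;                         // [ManualDealloc]: the manager lets go too; if that
  }                                           // was the last ref, the actor dies mid-send
 private:
  RefPtr<Actor> mActor;
};

// Port drops its strong reference; the actor stays allocated only while someone else holds one.
void Actor::ActorDestroy() { mOpen = false; if (mPort) mPort->Closed(); mPort = nullptr; }
SendResult Actor::SendPostMessages(unsigned long long bytes, bool deathGrip) {
  if (!deathGrip) return ChannelSend(bytes);
  RefPtr<Actor> kungFuDeathGrip(this);        // defence: keep *this alive until we return
  return ChannelSend(bytes);
}
SendResult Actor::ChannelSend(unsigned long long bytes) {
  const void* self = this;                    // pointer value only, never dereferenced
  mChannel->Write(bytes);                     // may reenter and drop the last ref to *this
  // The real code now evaluates CanSend(), i.e. reads a field of *this; if the
  // send tore *this down, that read is the heap-use-after-free ASan reported.
  if (!LiveActors().count(self)) return SendResult::WouldUseAfterFree;
  return CanSend() ? SendResult::Sent : SendResult::ChannelClosed;
}

// One postMessage of `bytes` (a size only; nothing is allocated) through a fresh
// Port/Channel pair; returns what the in-flight send observed afterwards.
static SendResult Scenario(unsigned long long bytes, bool deathGrip) {
  Channel channel;
  Port port;
  Actor* actor = new Actor(&channel, &port);  // owned by channel and port below
  channel.Adopt(actor);                       // refcount 1
  port.Bind(actor);                           // refcount 2
  return port.PostMessage(bytes, deathGrip);
}
```

A small payload returns Sent; an over-limit payload without the grip returns WouldUseAfterFree, and with the grip returns ChannelClosed, the actor being freed only once the send has returned.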
Comment 5 (Reporter)•1 year ago
Looks like I put in the wrong original revision in comment 0. I've updated the rev and have re-enabled bugmon.
Comment 6•1 year ago
Looks like it's more about MessagePort per comment #4; should we change the component?
Comment 7•1 year ago
Verified bug as reproducible on mozilla-central 20230530093928-23a3b1b5a2b7.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: e6db23e10c7bb8069462cdfd7c1c705bc6389a83 (20220531040928)
End: 23a3b1b5a2b78d86456189221e567423206bc00a (20230530093928)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Comment 9 (Reporter)•1 year ago
The bisection is unfortunately not accurate. Bugmon only checks that the testcase triggers a crash and not what crash it triggers. On the starting build it produces the following assertion:
Assertion failure: new_size >= header_->payload_size, at /builds/worker/checkouts/gecko/ipc/chromium/src/base/pickle.cc:477
Comment 10•1 year ago
It looks like that's a release assert, so at least that is safe...
Comment 11•1 year ago
I'm trying to find time this week.
Comment 12•1 year ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> From the stacks, we're hitting an error while serializing a structured clone (I'm guessing due to the very large array), which seems to be causing the PBackgroundChild to shut down, which causes the PMessagePortChild to be destroyed, because it is [ManualDealloc]. However, it is also refcounted, and MessagePort has a strong reference to it, causing the UAF. That seems like a dangerous combination.
> Bug 1807049 changed how channel shutdown works a bit, so I wonder if it caused this to pop up. I'm not sure how exactly, though.
> Maybe making PMessagePort refcounted (e.g. at the IPDL layer) would help?
(In reply to Andrew McCreight [:mccr8] from comment #10)
> It looks like that's a release assert, so at least that is safe...
I am not really following here (I did not look into stack or pernosco), but do we have a UAF situation here now or not? I'd assume that your last comment just refers to the (apparently unrelated) assertion from comment 9 and the original comment 0 is still a thing?
Comment 13•1 year ago
The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:smaug, could you consider increasing the severity of this security bug?
For more information, please visit BugBot documentation.
Comment 14•1 year ago
(In reply to Jens Stutte [:jstutte] from comment #12)
I am not really following here (I did not look into stack or pernosco), but do we have a UAF situation here now or not? I'd assume that your last comment just refers to the (apparently unrelated) assertion from comment 9 and the original comment 0 is still a thing?
I meant that we apparently went from having a release assert to having a use-after-free (the current state).
Comment 15•1 year ago
:asuth, did you have any additional reason for setting S3 here? I'd assume it is more S2 then.
Comment 16•1 year ago
FWIW, in a debug build (which is what I had handy) on ccd237b210e954d96155880519ff534b005130b3 (on May 26, before bug 1807049 landed) and then with bug 1807049 applied on top, I just get a crash from "IPDL protocol error: JSStructuredCloneData over 4Gb in size" with this test case. I'll update my local tree later today and see if that changes with a new build.
Comment 17•1 year ago
Locally I haven't managed to reproduce this yet.
There is always MOZ_CRASH "JSStructuredCloneData over 4Gb in size", but that is safe, both on opt and debug.
Comment 18•1 year ago
You'll probably need an ASan build then.
Comment 19•1 year ago
Maybe this is related to one of the workarounds for IPC fuzzing we have in fuzzing builds.
Comment 20•1 year ago
Can't reproduce using a local asan build either. I get an exception in the web console that structured clone failed.
Jason, any hints on how to reproduce this using a local build (since that is needed to fix this)?
Comment 21•1 year ago
Do you have ac_add_options --enable-fuzzing in your local build? That might be necessary. (There's also the fuzzing.enabled pref but I think that won't matter for this.)
Comment 22•1 year ago
Yes, I have, and --enable-address-sanitizer and --enable-undefined-sanitizer, and fuzzing.enabled is enabled in the FF profile.
Comment 23•1 year ago
It seems like this involves some IPC invariants where it may be worth making ActorLifecycleProxy even more generous in how long it keeps things alive. The pernosco trace shows that we're in the call to IPC::WriteParam inside PMessagePortChild::SendPostMessages when Channel::CloseWithError is called. That error handling destroys the subtree which invokes MessagePortChild::ActorDestroy which results in the MessagePort::Closed() method pulling a strong reference out from under the call to SendPostMessages which then later goes on to call ChannelSend() which ends up as a UAF. The other thing that was avoiding the UAF was the ActorLifecycleProxy but that also got cleared out by PBackgroundChild::ClearSubtree.
That said, if we don't think this is something where IPC should be protecting callers from ActorDestroy being called inside a SendFoo method by deferring the ActorLifecycleProxy clearing to a microtask checkpoint or subsequent task, we can add a kungfudeathgrip (for the actor) just before the call to mActor->SendPostMessages in MessagePort::PostMessage. (edit: Uh, and I guess we also could just have the kung fu death grip anyways. Like, I'm not advocating for not doing that, just don't want to miss having the discussion about making ActorLifecycleProxy provide even more protection.)
Comment 24•1 year ago
It looks like this is actually a fuzzing-only regression from bug 1807049, and the change to handle FatalError by closing the channel. In non-fuzzing builds we'll always crash before calling CloseWithError in IProtocol::HandleFatalError, meaning that this particular codepath is unreachable: https://searchfox.org/mozilla-central/rev/887d4b5da89a11920ed0fd96b7b7f066927a67db/ipc/glue/ProtocolUtils.cpp#170,175.
The issue is caused because callers of FatalError did not previously expect the channel to be synchronously closed, as the error handling in that case was always handled using crashing, which was in turn disabled on Fuzzing builds. I originally made the change to make fuzzing also close the channel, so that fuzzing wouldn't run into errors which would otherwise be unreachable.
Self-assigning to fix up the lifetimes here so that the error is applied asynchronously in this case. I think it might make sense to keep the synchronous approach for KillHard, but I could be convinced otherwise.
Comment 25•1 year ago
Set release status flags based on info from the regressing bug 1807049
Comment 26•1 year ago
I'll change this from sec-high to sec-other because it is fuzzing only. Feel free to unhide it if you want.
Comment 27•1 year ago
This should avoid potential fuzzing-only issues which would be caused by
the actor being torn down synchronously after a FatalError or KillHard.
Instead, the state is set to error synchronously, blocking all further
message sending/receiving, and the notification is made async, similar
to how it is handled for normal channel errors.
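The lifetime hazard walked through in comments 23 and 24, and the deferred-notification fix summarised in comment 27, modelled as an added C++ example (not Gecko code): `Owner`, `Actor`, `RunScenario` and the `gPendingTasks` vector are illustrative stand-ins for MessagePort, MessagePortChild and the event loop, and the "alive" probe flag exists only so the would-be use-after-free can be reported instead of executed.

```cpp
#include <functional>
#include <memory>
#include <vector>

struct Actor;
// Stand-in for the event loop: queued tasks run only after Send() has returned.
static std::vector<std::function<void()>> gPendingTasks;

struct Owner {                       // plays the role of MessagePort
  std::shared_ptr<Actor> actor;      // the strong ref MessagePort holds to its actor
  void Closed() { actor.reset(); }   // MessagePort::Closed() drops that reference
};

struct Actor {                       // plays the role of MessagePortChild
  enum Result { kSent = 0, kChannelClosed = 1, kWouldBeUAF = 2 };
  Owner* owner;
  bool* aliveFlag;                   // caller-owned flag cleared in ~Actor, used as a probe
  bool channelOk = true;
  Actor(Owner* o, bool* f) : owner(o), aliveFlag(f) { *f = true; }
  ~Actor() { *aliveFlag = false; }

  // Serialization failure -> FatalError. deferNotify=false tears the actor down
  // synchronously (the pre-patch fuzzing behaviour); deferNotify=true flips the
  // channel state now and runs the ActorDestroy notification later, as the patch does.
  void FatalError(bool deferNotify) {
    channelOk = false;
    std::function<void()> notify = [this] { owner->Closed(); };
    if (deferNotify) gPendingTasks.push_back(notify); else notify();
  }

  // Mirrors SendPostMessages: serialize (may hit FatalError), then ChannelSend/CanSend.
  Result Send(bool oversized, bool deferNotify) {
    bool* probe = aliveFlag;         // copy before anything can destroy `this`
    if (oversized) FatalError(deferNotify);
    if (!*probe) return kWouldBeUAF; // the real code would read freed memory here
    return channelOk ? kSent : kChannelClosed;   // the CanSend() check
  }
};

// One PostMessage of a payload that may fail to serialize, then drain the "event loop".
int RunScenario(bool oversized, bool deferNotify) {
  bool alive = false;
  Owner owner;
  owner.actor = std::make_shared<Actor>(&owner, &alive);
  int result = owner.actor->Send(oversized, deferNotify);
  for (auto& task : gPendingTasks) task();   // deferred ActorDestroy fires here, after Send
  gPendingTasks.clear();
  return result;
}
```

With synchronous teardown the actor is gone by the time Send reaches its CanSend check; with the deferred notification the channel is already marked closed, so the send is refused safely and the actor is released one task later.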
Comment 28•1 year ago
Switch FatalError to asynchronously report channel errors under fuzzing, r=ipc-reviewers,mccr8
https://hg.mozilla.org/integration/autoland/rev/8d866439b46959713be34afadc51c1625f9a969a
https://hg.mozilla.org/mozilla-central/rev/8d866439b469
Comment 29•1 year ago
The patch landed in nightly and beta is affected.
:nika, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox115 to wontfix.
For more information, please visit BugBot documentation.
Comment 30•1 year ago
Verified bug as fixed on rev mozilla-central 20230610094613-463e881a627c.
Comment 31•1 year ago
As I noted earlier in comment 24, this only impacts fuzzing builds. For that reason, this isn't worth an uplift.