Closed Bug 1837612 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ IsOtherProcessActor] with READ of size 1

Categories

(Core :: Storage: IndexedDB, defect)

x86_64
Linux
defect

RESOLVED INCOMPLETE

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high, testcase, Whiteboard: [bugmon:confirm])

Found while fuzzing mozilla-central rev 3a79e9a1c11d (built with: --enable-address-sanitizer --enable-fuzzing).

I don't currently have a reproducible testcase for this issue.

AddressSanitizer: heap-use-after-free [@ IsOtherProcessActor] with READ of size 1

    =================================================================
    ==481215==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000096b78 at pc 0x7f7f628af8a8 bp 0x7f7f48af9950 sp 0x7f7f48af9948
    READ of size 1 at 0x618000096b78 thread T6 (IPDL Background)
        #0 0x7f7f628af8a7 in IsOtherProcessActor /gecko/ipc/glue/BackgroundImpl.cpp:787:54
        #1 0x7f7f628af8a7 in mozilla::ipc::BackgroundParent::IsOtherProcessActor(mozilla::ipc::PBackgroundParent*) /gecko/ipc/glue/BackgroundImpl.cpp:669:10
        #2 0x7f7f6ab0fe71 in Stringify /gecko/dom/indexedDB/ActorsParent.cpp:9420:11
        #3 0x7f7f6ab0fe71 in operator()<mozilla::NotNull<mozilla::CheckedUnsafePtr<mozilla::dom::indexedDB::(anonymous namespace)::Database> > > /gecko/dom/indexedDB/ActorsParent.cpp:12568:34
        #4 0x7f7f6ab0fe71 in transform<mozilla::ArrayIterator<const mozilla::NotNull<mozilla::CheckedUnsafePtr<mozilla::dom::indexedDB::(anonymous namespace)::Database> > &, nsTArray_Impl<mozilla::NotNull<mozilla::CheckedUnsafePtr<mozilla::dom::indexedDB::(anonymous namespace)::Database> >, nsTArrayInfallibleAllocator> >, mozilla::nsTSetInserter<nsTBaseHashSet<nsCStringHashKey> >, (lambda at /dom/indexedDB/ActorsParent.cpp:12566:22)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/stl_algo.h:4304:14
        #5 0x7f7f6ab0fe71 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::GetShutdownStatus() const /gecko/dom/indexedDB/ActorsParent.cpp:12564:7
        #6 0x7f7f6a566813 in operator() /gecko/dom/quota/ActorsParent.cpp:3414:45
        #7 0x7f7f6a566813 in mozilla::dom::quota::QuotaManager::Shutdown()::$_11::__invoke(nsITimer*, void*) /gecko/dom/quota/ActorsParent.cpp:3403:36
        #8 0x7f7f60d32211 in operator() /gecko/xpcom/threads/nsTimerImpl.cpp:679:36
        #9 0x7f7f60d32211 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #10 0x7f7f60d32211 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #11 0x7f7f60d32211 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #12 0x7f7f60d32211 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:674:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #13 0x7f7f60d32211 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:674:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #14 0x7f7f60d32211 in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:674:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:675:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:679:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:680:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #15 0x7f7f60d32211 in nsTimerImpl::Fire(int) /gecko/xpcom/threads/nsTimerImpl.cpp:673:22
        #16 0x7f7f60d30945 in nsTimerEvent::Run() /gecko/xpcom/threads/TimerThread.cpp:483:11
        #17 0x7f7f60d4c64d in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:16
        #18 0x7f7f60d59cc4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
        #19 0x7f7f6a4ddf22 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /dom/quota/ActorsParent.cpp:3576:5)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #20 0x7f7f6a4ddf22 in mozilla::dom::quota::QuotaManager::Shutdown() /gecko/dom/quota/ActorsParent.cpp:3576:5
        #21 0x7f7f6a4d4945 in mozilla::dom::quota::QuotaManager::ShutdownInstance() /gecko/dom/quota/ActorsParent.cpp:2924:16
        #22 0x7f7f6a4d486a in mozilla::dom::quota::RecvShutdownQuotaManager() /gecko/dom/quota/ActorsParent.cpp:2581:3
        #23 0x7f7f6289f678 in mozilla::ipc::BackgroundParentImpl::RecvShutdownQuotaManager() /gecko/ipc/glue/BackgroundParentImpl.cpp:1040:8
        #24 0x7f7f62a5eed1 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:4692:52
        #25 0x7f7f6295a725 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1811:25
        #26 0x7f7f629560af in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /gecko/ipc/glue/MessageChannel.cpp:1736:9
        #27 0x7f7f629574e9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1536:3
        #28 0x7f7f62958a63 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1634:14
        #29 0x7f7f60d4c64d in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:16
        #30 0x7f7f60d59cc4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
        #31 0x7f7f62965969 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
        #32 0x7f7f6279194a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:368:10
        #33 0x7f7f6279194a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:361:3
        #34 0x7f7f6279194a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:343:3
        #35 0x7f7f60d42d7a in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
        #36 0x7f7f871eab3f in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
        #37 0x7f7f87eca608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
        #38 0x7f7f87a75132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    0x618000096b78 is located 760 bytes inside of 776-byte region [0x618000096880,0x618000096b88)
    freed by thread T0 here:
        #0 0x56515d22d3a6 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7f7f6290a63b in operator()<> /gecko/xpcom/threads/nsThreadUtils.h:1164:18
        #2 0x7f7f6290a63b in __invoke_impl<void, (lambda at /xpcom/threads/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #3 0x7f7f6290a63b in __invoke<(lambda at /xpcom/threads/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #4 0x7f7f6290a63b in __apply_impl<(lambda at /xpcom/threads/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #5 0x7f7f6290a63b in apply<(lambda at /xpcom/threads/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #6 0x7f7f6290a63b in apply<(anonymous namespace)::ParentImpl, void ((anonymous namespace)::ParentImpl::*)()> /gecko/xpcom/threads/nsThreadUtils.h:1162:12
        #7 0x7f7f6290a63b in mozilla::detail::RunnableMethodImpl<(anonymous namespace)::ParentImpl*, void ((anonymous namespace)::ParentImpl::*)(), false, (mozilla::RunnableKind)0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:1213:13
        #8 0x7f7f60d1b27a in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:555:16
        #9 0x7f7f60d0bfae in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:879:26
        #10 0x7f7f60d08ec7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:702:15
        #11 0x7f7f60d097af in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:491:36
        #12 0x7f7f60d20894 in operator() /gecko/xpcom/threads/TaskController.cpp:221:37
        #13 0x7f7f60d20894 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
        #14 0x7f7f60d4c2ec in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1240:16
        #15 0x7f7f60d49da6 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
        #16 0x7f7f60d49da6 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /xpcom/threads/nsThread.cpp:917:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #17 0x7f7f60d49da6 in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:916:3
        #18 0x7f7f62ded7e9 in mozilla::storage::Connection::shutdownAsyncThread() /gecko/storage/mozStorageConnection.cpp:1254:3
        #19 0x7f7f62dfac4f in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #20 0x7f7f62dfac4f in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #21 0x7f7f62dfac4f in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #22 0x7f7f62dfac4f in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #23 0x7f7f62dfac4f in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #24 0x7f7f62dfac4f in apply<mozilla::storage::Connection, void (mozilla::storage::Connection::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #25 0x7f7f62dfac4f in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::storage::Connection>, void (mozilla::storage::Connection::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #26 0x7f7f60d1b27a in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:555:16
        #27 0x7f7f60d0bfae in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:879:26
        #28 0x7f7f60d08ec7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:702:15
        #29 0x7f7f60d097af in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:491:36
        #30 0x7f7f60d20894 in operator() /gecko/xpcom/threads/TaskController.cpp:221:37
        #31 0x7f7f60d20894 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
        #32 0x7f7f60d4c2ec in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1240:16
        #33 0x7f7f60d49da6 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
        #34 0x7f7f60d49da6 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /xpcom/threads/nsThread.cpp:917:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #35 0x7f7f60d49da6 in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:916:3
        #36 0x7f7f62ded7e9 in mozilla::storage::Connection::shutdownAsyncThread() /gecko/storage/mozStorageConnection.cpp:1254:3
        #37 0x7f7f62dfac4f in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #38 0x7f7f62dfac4f in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #39 0x7f7f62dfac4f in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #40 0x7f7f62dfac4f in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #41 0x7f7f62dfac4f in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #42 0x7f7f62dfac4f in apply<mozilla::storage::Connection, void (mozilla::storage::Connection::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #43 0x7f7f62dfac4f in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::storage::Connection>, void (mozilla::storage::Connection::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #44 0x7f7f60d1b27a in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:555:16
        #45 0x7f7f60d0bfae in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:879:26
        #46 0x7f7f60d08ec7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:702:15
        #47 0x7f7f60d097af in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:491:36
        #48 0x7f7f60d20894 in operator() /gecko/xpcom/threads/TaskController.cpp:221:37
        #49 0x7f7f60d20894 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
        #50 0x7f7f60d4c2ec in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1240:16
        #51 0x7f7f60d49da6 in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
        #52 0x7f7f60d49da6 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /xpcom/threads/nsThread.cpp:917:22)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #53 0x7f7f60d49da6 in nsThread::Shutdown() /gecko/xpcom/threads/nsThread.cpp:916:3
        #54 0x7f7f62ded7e9 in mozilla::storage::Connection::shutdownAsyncThread() /gecko/storage/mozStorageConnection.cpp:1254:3
        #55 0x7f7f62dfac4f in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #56 0x7f7f62dfac4f in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #57 0x7f7f62dfac4f in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #58 0x7f7f62dfac4f in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #59 0x7f7f62dfac4f in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #60 0x7f7f62dfac4f in apply<mozilla::storage::Connection, void (mozilla::storage::Connection::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #61 0x7f7f62dfac4f in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::storage::Connection>, void (mozilla::storage::Connection::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #62 0x7f7f60d1b27a in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:555:16
    
    previously allocated by thread T6 (IPDL Background) here:
        #0 0x56515d22d64e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x56515d270965 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f7f628b2a9c in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f7f628b2a9c in mozilla::ipc::BackgroundStarterParent::RecvInitBackground(mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>&&) /gecko/ipc/glue/BackgroundImpl.cpp:1103:23
        #4 0x7f7f62a8d3c1 in mozilla::ipc::PBackgroundStarterParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundStarterParent.cpp:111:91
        #5 0x7f7f6295a725 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1811:25
        #6 0x7f7f629560af in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /gecko/ipc/glue/MessageChannel.cpp:1736:9
        #7 0x7f7f629574e9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1536:3
        #8 0x7f7f62958a63 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1634:14
        #9 0x7f7f60d4c64d in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:16
        #10 0x7f7f60d59cc4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
        #11 0x7f7f62965969 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
        #12 0x7f7f6279194a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:368:10
        #13 0x7f7f6279194a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:361:3
        #14 0x7f7f6279194a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:343:3
        #15 0x7f7f60d42d7a in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
        #16 0x7f7f871eab3f in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
        #17 0x7f7f87eca608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    
    Thread T6 (IPDL Background) created by T0 here:
        #0 0x56515d2157ca in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f7f871d92a4 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f7f871c6e9e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f7f60d46b1c in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:634:18
        #4 0x7f7f60d5756e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:548:12
        #5 0x7f7f60d650bc in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /gecko/xpcom/threads/nsThreadUtils.cpp:175:57
        #6 0x7f7f628b0522 in NS_NewNamedThread<16UL> /gecko/xpcom/threads/nsThreadUtils.h:76:10
        #7 0x7f7f628b0522 in CreateBackgroundThread /gecko/ipc/glue/BackgroundImpl.cpp:889:7
        #8 0x7f7f628b0522 in (anonymous namespace)::ParentImpl::AllocStarter(mozilla::dom::ContentParent*, mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundStarterParent>&&, bool) /gecko/ipc/glue/BackgroundImpl.cpp:821:30
        #9 0x7f7f628b0fa1 in Startup /gecko/ipc/glue/BackgroundImpl.cpp:1166:5
        #10 0x7f7f628b0fa1 in mozilla::ipc::BackgroundChild::Startup() /gecko/ipc/glue/BackgroundImpl.cpp:694:35
        #11 0x7f7f6ae84eec in mozilla::dom::ContentParent::StartUp() /gecko/dom/ipc/ContentParent.cpp:670:3
        #12 0x7f7f6d5afced in nsLayoutStatics::Initialize() /gecko/layout/build/nsLayoutStatics.cpp:150:3
        #13 0x7f7f6d5afac9 in nsLayoutModuleInitialize() /gecko/layout/build/nsLayoutModule.cpp:104:7
        #14 0x7f7f60cdecf3 in nsComponentManagerImpl::Init() /gecko/xpcom/components/nsComponentManager.cpp:371:5
        #15 0x7f7f60dd1c85 in NS_InitXPCOM /gecko/xpcom/build/XPCOMInit.cpp:421:51
        #16 0x7f7f71f4c675 in ScopedXPCOMStartup::Initialize(bool) /gecko/toolkit/xre/nsAppRunner.cpp:1993:8
        #17 0x7f7f71f64052 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5855:22
        #18 0x7f7f71f651c1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5915:21
        #19 0x56515d26b323 in do_main /gecko/browser/app/nsBrowserApp.cpp:227:22
        #20 0x56515d26b323 in main /gecko/browser/app/nsBrowserApp.cpp:445:16
        #21 0x7f7f8797a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /gecko/ipc/glue/BackgroundImpl.cpp:787:54 in IsOtherProcessActor
    Shadow bytes around the buggy address:
      0x618000096880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x618000096900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x618000096980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x618000096a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x618000096a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x618000096b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
      0x618000096b80: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x618000096c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x618000096c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x618000096d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x618000096d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==481215==ABORTING
Group: core-security → dom-core-security

Maybe this is more of a sec-moderate, if we only shut down the quota manager at shut down.

This could also be something fixed by bug 1835647, as it relates to IPC shutdown in a fuzzing build.

OK, then let's wait for further information from Jason before jumping on it.

Flags: needinfo?(jkratzer)

Bugmon was unable to reproduce this issue.
Removing the bugmon keyword as no further action is possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Jason, do you have any elements indicating this is still a problem, or can we close this? Thanks

Flags: needinfo?(jkratzer)

(did not mean to remove the ni?)

Flags: needinfo?(jkratzer)

Unfortunately this has only been reported once by the fuzzers and that testcase was not reproducible. If you think that it may have been fixed we can close this and I'll file a new issue if I see it again.

Flags: needinfo?(jkratzer)

Yeah, let's close this for now. Would INCOMPLETE be the right way to signal that we do not want to unhide this after a while?

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(continuation)
Resolution: --- → INCOMPLETE

I'm not really sure what goes into that decision. INCOMPLETE seems fine to me.

Flags: needinfo?(continuation)
Group: dom-core-security