Closed Bug 1846526 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-use-after-free [@ operator!] with READ of size 4

Categories

(Core :: DOM: Service Workers, defect)

x86
Linux
defect

Tracking

RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr102 117+ fixed
firefox-esr115 117+ fixed
firefox116 --- wontfix
firefox117 + fixed
firefox118 + fixed

People

(Reporter: jkratzer, Assigned: jesup)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high, testcase-wanted, Whiteboard: [bugmon:confirm] [adv-main117+r] [adv-esr115.2+r] [adv-esr102.15+r])

Attachments

(2 files)

Found while fuzzing mozilla-central rev ce5b2b0d4bc0 (built with: --enable-address-sanitizer --enable-fuzzing).

I don't currently have a working testcase for this issue.

AddressSanitizer: heap-use-after-free [@ operator!] with READ of size 4

    =================================================================
    ==121183==ERROR: AddressSanitizer: heap-use-after-free on address 0x63b90f20 at pc 0xe08b0db0 bp 0xff86c998 sp 0xff86c990
    READ of size 4 at 0x63b90f20 thread T0
        #0 0xe08b0daf in operator! /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:350:36
        #1 0xe08b0daf in Ensure /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1362:9
        #2 0xe08b0daf in mozilla::dom::FetchEventOpChild::SendFetchEvent(mozilla::dom::PRemoteWorkerControllerChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>, RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>, RefPtr<mozilla::dom::FetchServicePromises>&&, RefPtr<mozilla::dom::KeepAliveToken>&&) /gecko/dom/serviceworkers/FetchEventOpChild.cpp:202:32
        #3 0xe09ae249 in mozilla::dom::ServiceWorkerPrivate::SendFetchEventInternal(RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>&&, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>&&, RefPtr<mozilla::dom::FetchServicePromises>&&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:986:3
        #4 0xe09bab03 in mozilla::dom::ServiceWorkerPrivate::SendFetchEvent(nsCOMPtr<nsIInterceptedChannel>, nsILoadGroup*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:958:10
        #5 0xe0a0dbea in mozilla::dom::(anonymous namespace)::ContinueDispatchFetchEventRunnable::Run() /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2048:33
        #6 0xd48aaf41 in mozilla::PermissionManager::WhenPermissionsAvailable(nsIPrincipal*, nsIRunnable*) /gecko/extensions/permissions/PermissionManager.cpp:3500:16
        #7 0xe0954ac9 in mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(nsIInterceptedChannel*, mozilla::ErrorResult&) /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2235:14
        #8 0xe0953d4e in mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(nsIInterceptedChannel*) /gecko/dom/serviceworkers/ServiceWorkerInterceptController.cpp:165:8
        #9 0xd350c2a7 in ChannelIntercepted /gecko/netwerk/protocol/http/ParentChannelListener.cpp:218:34
        #10 0xd350c2a7 in non-virtual thunk to mozilla::net::ParentChannelListener::ChannelIntercepted(nsIInterceptedChannel*) /gecko/netwerk/protocol/http/ParentChannelListener.cpp
        #11 0xd34471e5 in mozilla::net::InterceptedHttpChannel::AsyncOpenInternal() /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:189:20
        #12 0xd344f870 in mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:617:3
        #13 0xd344fb47 in non-virtual thunk to mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp
        #14 0xd360c61a in mozilla::net::nsHttpChannel::OpenRedirectChannel(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2986:26
        #15 0xd3608547 in mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2954:10
        #16 0xd3672164 in mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:8684:14
        #17 0xd3672a3a in non-virtual thunk to mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp
        #18 0xd23449b8 in mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run() /gecko/netwerk/base/nsAsyncRedirectVerifyHelper.cpp:41:22
        #19 0xd1e35694 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
        #20 0xd1e173f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
        #21 0xd1e12bde in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
        #22 0xd1e13861 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
        #23 0xd1e3fae0 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
        #24 0xd1e3fae0 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
        #25 0xd1e79569 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
        #26 0xd1e8caca in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
        #27 0xd41a7aed in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #28 0xd3f44b4c in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
        #29 0xd3f44b4c in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
        #30 0xd3f44b4c in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
        #31 0xe0ebf3bf in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
        #32 0xe7e5b669 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
        #33 0xe825488a in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5672:22
        #34 0xe82578e1 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5873:8
        #35 0xe82596a2 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5929:21
        #36 0xe8287641 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/Bootstrap.cpp:45:12
        #37 0x567b91ea in do_main /gecko/browser/app/nsBrowserApp.cpp:227:22
        #38 0x567b91ea in main /gecko/browser/app/nsBrowserApp.cpp:445:16
        #39 0xf7915518  (/lib/i386-linux-gnu/libc.so.6+0x21518) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
        #40 0xf79155f2 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x215f2) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
        #41 0x566d0ce0 in _start (/home/worker/builds/linux32-m-c-20230730210800-fuzzing-asan-opt/firefox-bin+0xe7ce0) (BuildId: 1892929de9b1fbcf552cf2884abc0b34ac0b9fa6)
    
    0x63b90f20 is located 928 bytes inside of 952-byte region [0x63b90b80,0x63b90f38)
    freed by thread T0 here:
        #0 0x56775f66 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0xe08b1846 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
        #2 0xe08b1846 in mozilla::dom::FetchEventOpChild::~FetchEventOpChild() /gecko/dom/serviceworkers/FetchEventOpChild.cpp:205:41
        #3 0xdfefcbb9 in DeallocPFetchEventOpChild /gecko/dom/workers/remoteworkers/RemoteWorkerControllerChild.cpp:45:3
        #4 0xdfefcbb9 in mozilla::dom::PRemoteWorkerControllerChild::DeallocManagee(int, mozilla::ipc::IProtocol*) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteWorkerControllerChild.cpp:312:58
        #5 0xd233e683 in mozilla::ipc::IProtocol::ActorDealloc() /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:318:18
        #6 0xd41cc1fc in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /gecko/ipc/glue/ProtocolUtils.cpp:261:11
        #7 0xdfefca37 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/ProtocolUtils.h:643:3
        #8 0xdfefca37 in mozilla::dom::PRemoteWorkerControllerChild::RemoveManagee(int, mozilla::ipc::IProtocol*) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteWorkerControllerChild.cpp:299:13
        #9 0xdfef9849 in mozilla::dom::PRemoteWorkerControllerChild::SendPFetchEventOpConstructor(mozilla::dom::PFetchEventOpChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteWorkerControllerChild.cpp:164:14
        #10 0xe08b0c3c in mozilla::dom::FetchEventOpChild::SendFetchEvent(mozilla::dom::PRemoteWorkerControllerChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>, RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>, RefPtr<mozilla::dom::FetchServicePromises>&&, RefPtr<mozilla::dom::KeepAliveToken>&&) /gecko/dom/serviceworkers/FetchEventOpChild.cpp:200:23
        #11 0xe09ae249 in mozilla::dom::ServiceWorkerPrivate::SendFetchEventInternal(RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>&&, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>&&, RefPtr<mozilla::dom::FetchServicePromises>&&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:986:3
        #12 0xe09bab03 in mozilla::dom::ServiceWorkerPrivate::SendFetchEvent(nsCOMPtr<nsIInterceptedChannel>, nsILoadGroup*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:958:10
        #13 0xe0a0dbea in mozilla::dom::(anonymous namespace)::ContinueDispatchFetchEventRunnable::Run() /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2048:33
        #14 0xd48aaf41 in mozilla::PermissionManager::WhenPermissionsAvailable(nsIPrincipal*, nsIRunnable*) /gecko/extensions/permissions/PermissionManager.cpp:3500:16
        #15 0xe0954ac9 in mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(nsIInterceptedChannel*, mozilla::ErrorResult&) /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2235:14
        #16 0xe0953d4e in mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(nsIInterceptedChannel*) /gecko/dom/serviceworkers/ServiceWorkerInterceptController.cpp:165:8
        #17 0xd350c2a7 in ChannelIntercepted /gecko/netwerk/protocol/http/ParentChannelListener.cpp:218:34
        #18 0xd350c2a7 in non-virtual thunk to mozilla::net::ParentChannelListener::ChannelIntercepted(nsIInterceptedChannel*) /gecko/netwerk/protocol/http/ParentChannelListener.cpp
        #19 0xd34471e5 in mozilla::net::InterceptedHttpChannel::AsyncOpenInternal() /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:189:20
        #20 0xd344f870 in mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:617:3
        #21 0xd344fb47 in non-virtual thunk to mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp
        #22 0xd360c61a in mozilla::net::nsHttpChannel::OpenRedirectChannel(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2986:26
        #23 0xd3608547 in mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2954:10
        #24 0xd3672164 in mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:8684:14
        #25 0xd3672a3a in non-virtual thunk to mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp
        #26 0xd23449b8 in mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run() /gecko/netwerk/base/nsAsyncRedirectVerifyHelper.cpp:41:22
        #27 0xd1e35694 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
        #28 0xd1e173f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
        #29 0xd1e12bde in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
        #30 0xd1e13861 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
        #31 0xd1e3fae0 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
        #32 0xd1e3fae0 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
        #33 0xd1e79569 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
        #34 0xd1e8caca in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    
    previously allocated by thread T0 here:
        #0 0x567761b0 in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x567c00e6 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
        #2 0xe08b0bdb in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0xe08b0bdb in mozilla::dom::FetchEventOpChild::SendFetchEvent(mozilla::dom::PRemoteWorkerControllerChild*, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>, RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>, RefPtr<mozilla::dom::FetchServicePromises>&&, RefPtr<mozilla::dom::KeepAliveToken>&&) /gecko/dom/serviceworkers/FetchEventOpChild.cpp:194:30
        #4 0xe09ae249 in mozilla::dom::ServiceWorkerPrivate::SendFetchEventInternal(RefPtr<mozilla::dom::ServiceWorkerRegistrationInfo>&&, mozilla::dom::ParentToParentServiceWorkerFetchEventOpArgs&&, nsCOMPtr<nsIInterceptedChannel>&&, RefPtr<mozilla::dom::FetchServicePromises>&&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:986:3
        #5 0xe09bab03 in mozilla::dom::ServiceWorkerPrivate::SendFetchEvent(nsCOMPtr<nsIInterceptedChannel>, nsILoadGroup*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&) /gecko/dom/serviceworkers/ServiceWorkerPrivate.cpp:958:10
        #6 0xe0a0dbea in mozilla::dom::(anonymous namespace)::ContinueDispatchFetchEventRunnable::Run() /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2048:33
        #7 0xd48aaf41 in mozilla::PermissionManager::WhenPermissionsAvailable(nsIPrincipal*, nsIRunnable*) /gecko/extensions/permissions/PermissionManager.cpp:3500:16
        #8 0xe0954ac9 in mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(nsIInterceptedChannel*, mozilla::ErrorResult&) /gecko/dom/serviceworkers/ServiceWorkerManager.cpp:2235:14
        #9 0xe0953d4e in mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(nsIInterceptedChannel*) /gecko/dom/serviceworkers/ServiceWorkerInterceptController.cpp:165:8
        #10 0xd350c2a7 in ChannelIntercepted /gecko/netwerk/protocol/http/ParentChannelListener.cpp:218:34
        #11 0xd350c2a7 in non-virtual thunk to mozilla::net::ParentChannelListener::ChannelIntercepted(nsIInterceptedChannel*) /gecko/netwerk/protocol/http/ParentChannelListener.cpp
        #12 0xd34471e5 in mozilla::net::InterceptedHttpChannel::AsyncOpenInternal() /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:189:20
        #13 0xd344f870 in mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp:617:3
        #14 0xd344fb47 in non-virtual thunk to mozilla::net::InterceptedHttpChannel::AsyncOpen(nsIStreamListener*) /gecko/netwerk/protocol/http/InterceptedHttpChannel.cpp
        #15 0xd360c61a in mozilla::net::nsHttpChannel::OpenRedirectChannel(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2986:26
        #16 0xd3608547 in mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:2954:10
        #17 0xd3672164 in mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp:8684:14
        #18 0xd3672a3a in non-virtual thunk to mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult) /gecko/netwerk/protocol/http/nsHttpChannel.cpp
        #19 0xd23449b8 in mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run() /gecko/netwerk/base/nsAsyncRedirectVerifyHelper.cpp:41:22
        #20 0xd1e35694 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
        #21 0xd1e173f7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
        #22 0xd1e12bde in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
        #23 0xd1e13861 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
        #24 0xd1e3fae0 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
        #25 0xd1e3fae0 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
        #26 0xd1e79569 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
        #27 0xd1e8caca in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
        #28 0xd41a7aed in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #29 0xd3f44b4c in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
        #30 0xd3f44b4c in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
        #31 0xd3f44b4c in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
        #32 0xe0ebf3bf in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
        #33 0xe7e5b669 in nsAppStartup::Run() /gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
        #34 0xe825488a in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5672:22
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:350:36 in operator!
    Shadow bytes around the buggy address:
      0x63b90c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x63b90d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x63b90d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x63b90e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x63b90e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x63b90f00: fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa
      0x63b90f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x63b91000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x63b91080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x63b91100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x63b91180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==121183==ABORTING
Group: core-security, dom-core-security
Group: dom-core-security
Assignee: nobody → rjesup
Status: NEW → ASSIGNED
Group: core-security → dom-core-security

Comment on attachment 9346938 [details]
Bug 1846526: Handle IPC error condition r=nika

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Hard. A comment mentions that it may have been destroyed, but it'd be quite hard to go from there to an exploit.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: trivial
  • How likely is this patch to cause regressions; how much testing does it need?: very unlikely to cause regressions
  • Is Android affected?: Yes
Attachment #9346938 - Flags: sec-approval?
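As an added illustration (not Gecko's code) of the lifetime hazard the ASan trace shows and of one way to handle the IPC error condition the patch title names: a failed constructor send deallocates the just-created child synchronously, so the caller must return before touching it. The Gecko class and method names are real; the bodies, the freed-address set standing in for ASan, and the URL are hypothetical.

```cpp
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Stand-in for ASan's freed-region bookkeeping: actor addresses are recorded
// on destruction and cleared on construction, so the buggy path is observable
// without executing real undefined behaviour.
static std::set<const void*> gFreedActors;

struct FetchEventOpChild {
    std::string mUrl;
    bool mPromiseEnsured = false;  // stands in for the MozPromise Ensure() at :202
    explicit FetchEventOpChild(std::string url) : mUrl(std::move(url)) {
        gFreedActors.erase(this);
    }
    ~FetchEventOpChild() { gFreedActors.insert(this); }
};

// Managing actor. When the constructor message cannot be sent it destroys the
// managee synchronously, as RemoveManagee -> ActorDealloc did in the trace.
struct RemoteWorkerControllerChild {
    bool mChannelClosed = false;   // the remote worker side is already gone
    std::vector<std::unique_ptr<FetchEventOpChild>> mManagees;

    bool SendPFetchEventOpConstructor(std::unique_ptr<FetchEventOpChild> actor) {
        if (mChannelClosed) { actor.reset(); return false; }  // freed right here
        mManagees.push_back(std::move(actor));
        return true;
    }
};

enum class Result { Ok, IpcFailed, UseAfterFree };

// Before the fix: the shape the trace shows for FetchEventOpChild::SendFetchEvent
// (new at :194, send at :200, use at :202), with the send result ignored.
Result SendFetchEventUnchecked(RemoteWorkerControllerChild& mgr, std::string url) {
    auto actor = std::make_unique<FetchEventOpChild>(std::move(url));
    FetchEventOpChild* raw = actor.get();
    mgr.SendPFetchEventOpConstructor(std::move(actor));
    if (gFreedActors.count(raw)) return Result::UseAfterFree;  // ASan's READ of size 4
    raw->mPromiseEnsured = true;
    return Result::Ok;
}

// After "Handle IPC error condition": a failed send means the actor may already
// be destroyed, so bail out before touching it.
Result SendFetchEventChecked(RemoteWorkerControllerChild& mgr, std::string url) {
    auto actor = std::make_unique<FetchEventOpChild>(std::move(url));
    FetchEventOpChild* raw = actor.get();
    if (!mgr.SendPFetchEventOpConstructor(std::move(actor))) return Result::IpcFailed;
    raw->mPromiseEnsured = true;
    return Result::Ok;
}

// Runs one scenario end to end; the URL is constructed, not from the bug.
Result RunScenario(bool channelClosed, bool useFixedPath) {
    RemoteWorkerControllerChild mgr;
    mgr.mChannelClosed = channelClosed;
    std::string url = "https://example.test/intercepted";
    return useFixedPath ? SendFetchEventChecked(mgr, url)
                        : SendFetchEventUnchecked(mgr, url);
}
```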

Comment on attachment 9346938 [details]
Bug 1846526: Handle IPC error condition r=nika

sec-approval+ = dveditz
a=dveditz for beta 117 uplift so we can get max real-world feedback

Attachment #9346938 - Flags: sec-approval?
Attachment #9346938 - Flags: sec-approval+
Attachment #9346938 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
See Also: → 1847298
QA Whiteboard: [post-critsmash-triage] [qa-triaged]

Comment on attachment 9346938 [details]
Bug 1846526: Handle IPC error condition r=nika

Approved for 115.2esr and 102.15esr.

Attachment #9346938 - Flags: approval-mozilla-esr115+
Attachment #9346938 - Flags: approval-mozilla-esr102+
Whiteboard: [bugmon:confirm] → [bugmon:confirm] [adv-main117+r] [adv-esr115.2+r] [adv-esr102.15+r]
Group: core-security-release