Closed Bug 1943912 Opened 1 year ago Closed 1 year ago

Use after free at process shutdown

Categories

(Core :: Gecko Profiler, defect)

Product:
Core
Component:
Gecko Profiler
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
136 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 136+ fixed
firefox134 --- wontfix
firefox135 --- wontfix
firefox136 + fixed

People

(Reporter: julienw, Assigned: canova)

Details

(Keywords: csectype-uaf, sec-moderate, Whiteboard: [adv-main136+r][adv-esr128.8+r])

Attachments

(2 files)

Bug 1943912 - Do not reset the chunk manager while shutdown r?#profiler
48 bytes, text/x-phabricator-request
Details | Review
Bug 1943912 - Do not reset the chunk manager while shutdown
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr128+
Details | Review

I've spotted this crash in a test:

https://treeherder.mozilla.org/logviewer?job_id=491704916&repo=try&lineNumber=2282

It looks like it's an use after free at https://searchfox.org/mozilla-central/rev/a965e3c683ecc035dee1de72bd33a8d91b1203ed/tools/profiler/gecko/ProfilerChild.cpp#149

Nazım, I think you touched the code to grab profiles at shutdown recently, might it be related?

Flags: needinfo?(canaltinova)

It's not related to the code that I was touching but it's close enough as they are both shutdown issues.

Looking at the lifetime and ownership of the mChunkManager, it's a bit tricky, we have a single place that owns it, but we also keep pointers to it in 2 places, which is not great:

mChunkManager normally is stored inside the static core buffer as owned or as a pointer. But owned version is always used for backtrace buffer, never the core profiler buffer.

For the pointer, it's ownership is always in ActivePS, so we store this as a UniquePtr here. so we construct it when it's constructed, and we destroy it when it's destroyed.

Probably we are arriving to ProfilerChild::ResetChunkManager after we are done destructing ActivePS. So by the time we are at ProfilerChild::ResetChunkManager, the chunk manager will be already destroyed.

ProfilerChild::ResetChunkManager is used in 2 places:

  • ProfilerChild::RecvStop
  • ProfilerChild::Destroy

ProfilerChild::RecvStop totally makes sense as we are getting this stop signal from the ProfilerParent and we are SURE that we have ActivePS. But we can't say the same for ProfilerChild::Destroy. We will most likely arrive here after the profiler stopped and we are done profiling. So I think we can safely remove this call from ProfilerChild::Destroy because it doesn't matter if we clear the ChunkManager that will be destroyed (or already has been destroyed).

So I think removing this from here would solve this issue. On the other hand, we should also think about how not to use a raw pointer here. But this might be a bit more tricky to change.

Flags: needinfo?(canaltinova)

We don't need to reset it as it's already during process shutdown and
ChunkManager will be removed anyways.

Assignee: nobody → canaltinova
Status: NEW → ASSIGNED
Group: core-security → dom-core-security
Pushed by canaltinova@gmail.com: https://hg.mozilla.org/integration/autoland/rev/bf0fade667c8 Do not reset the chunk manager while shutdown r=profiler-reviewers,aabh

https://hg.mozilla.org/mozilla-central/rev/bf0fade667c8

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox136: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch

Sorry NI added in error

Flags: needinfo?(canaltinova)

:canova could you add an esr128 uplift request on this?

Flags: needinfo?(canaltinova)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Attachment #9464663 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: potential use after free during shutdown
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: none
  • Risk associated with taking this patch: little risk
  • Explanation of risk level: it's fixing a uaf during shutdown
  • String changes made/needed: none
  • Is Android affected?: yes

esr128 Uplift Approval Request

  • User impact if declined: potential use after free during shutdown
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: none
  • Risk associated with taking this patch: little risk
  • Explanation of risk level: it's fixing a uaf during shutdown, and only when the profiler is active
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9464663 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Flags: needinfo?(canaltinova)
Whiteboard: [adv-main136+r][adv-esr128.8+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: