ASAN: Test netwerk/test/unit/test_permmgr.js triggers error

RESOLVED FIXED in Firefox 17

Status


Core
Networking: Cookies
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: mounir)

Tracking

({regression, sec-critical, testcase})

Trunk
mozilla18
regression, sec-critical, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking-basecamp:+, firefox15 unaffected, firefox16 unaffected, firefox17+ fixed, firefox18+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][asan-test-failure][qa-][adv-track-main17-])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
This xpcshell test at netwerk/test/unit/test_permmgr.js fails with AddressSanitizer on mozilla-central revision c64a9f342156. Reproduced locally and on try server with debug+opt builds. ASan Log:


TEST-PASS | /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64dbg/_tests/xpcshell/netwerk/test/unit/test_permmgr.js | [run_test : 71] 6 == 6
=================================================================
==64555== ERROR: AddressSanitizer heap-use-after-free on address 0x2b8f8ec73898 at pc 0x2b8f80ab938d bp 0x7fffb0c748d0 sp 0x7fffb0c748c8
READ of size 4 at 0x2b8f8ec73898 thread T0
    #0 0x2b8f80ab938d in nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:737
    #1 0x2b8f80abd44c in nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:803
    #2 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #3 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #4 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #5 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #6 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #7 0x2b8f8293d85e in js::mjit::CallCompiler::generateNativeStub() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:777
    #8 0x2b8f8293cf53 in js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:1007
    #9 0x2b8f9500cde2 in
    #10 0x2b8f8279382f in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1016
    #11 0x2b8f82794433 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1074
    #12 0x2b8f82297e2b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:1464
    #13 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #14 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #15 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #16 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #17 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #18 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #19 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x2b8f8ec73898 is located 24 bytes inside of 32-byte region [0x2b8f8ec73880,0x2b8f8ec738a0)
freed by thread T0 here:
    #0 0x441a71 in __interceptor_free ??:0
    #1 0x2b8f80ac0d2e in ~PermissionKey /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../dist/include/mozilla/mozalloc.h:224
    #2 0x2b8f812f21ef in PL_DHashTableRawRemove /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64dbg/xpcom/build/pldhash.cpp:684
    #3 0x2b8f80ab8d2c in nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:729
    #4 0x2b8f80abd44c in nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:803
    #5 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #6 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #7 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #8 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #9 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #10 0x2b8f8293d85e in js::mjit::CallCompiler::generateNativeStub() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:777
    #11 0x2b8f8293cf53 in js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:1007
    #12 0x2b8f9500cde2 in
    #13 0x2b8f8279382f in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1016
    #14 0x2b8f82794433 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1074
    #15 0x2b8f82297e2b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:1464
    #16 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #17 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #18 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #19 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #20 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #21 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #22 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
previously allocated by thread T0 here:
    #0 0x441b31 in __interceptor_malloc ??:0
    #1 0x2b8f7d3ec2cd in moz_xmalloc /srv/repos/browser/mozilla-central-decoder/mozilla-central/memory/mozalloc/mozalloc.cpp:57
    #2 0x2b8f80ab87e8 in operator new(unsigned long) /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../dist/include/mozilla/mozalloc.h:200
    #3 0x2b8f80abc85e in nsPermissionManager::AddFromPrincipal(nsIPrincipal*, char const*, unsigned int, unsigned int, long) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:590
    #4 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #5 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #6 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #7 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #8 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #9 0x2b8f822b6ec5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:337
    #10 0x2b8f822968e2 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:2405
    #11 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #12 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #13 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #14 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #15 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #16 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #17 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258


Marking s-s until triaged.
(Reporter)

Comment 1

5 years ago
It also seems that the following tests fail with the same error:

extensions/cookie/test/unit/test_permmanager_notifications.js
browser/components/privatebrowsing/test/unit/test_privatebrowsingwrapper_removeDataFromDomain.js
browser/components/privatebrowsing/test/unit/test_removeDataFromDomain.js
(Reporter)

Comment 2

5 years ago
Failure seems to be within nsPermissionManager, setting component appropriately.
Component: Networking → Networking: Cookies
(Reporter)

Comment 3

5 years ago
Also responsible for failures in mochitest-other:

chrome://mochitests/content/chrome/extensions/cookie/test/test_app_uninstall.html
chrome://mochitests/content/browser/browser/components/preferences/tests/browser_chunk_permissions.js
(Reporter)

Updated

5 years ago
Whiteboard: [asan][asan-test-failure][orange] → [asan][asan-test-failure]
(Reporter)

Comment 4

5 years ago
Bisected this manually because it causes so many failures:

The first bad revision is:
changeset:   103491:789055abc89d
user:        Mounir Lamouri
date:        Thu Aug 23 11:37:31 2012 -0700
summary:     Bug 777072 - 4/7 - Update nsPermission to use appId/isInBrowserElement. r=sicking


Mounir, can you please check if this bisect is correct and if so, fix the regression? Thanks!
Christian, thanks for your help in tracking this down. I am marking this as assigned to Mounir based on comment 4, in order to make sure it is properly documented for our network security bug quota. Mounir, please let me know if/how I can help.
Assignee: nobody → mounir
Since this seems like it is likely to be sec-critical since it is a heap-use-after-free.
Keywords: sec-critical
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][sg:critical]
(Assignee)

Comment 7

5 years ago
I guess we should block on that, unless we want to ship B2G v1 with a known security bug.
blocking-basecamp: --- → ?
(Assignee)

Comment 8

5 years ago
Created attachment 662230 [details] [diff] [review]
Patch

My patch is using |entry| but that object was implicitly freed a few lines before. I move the implicit free after the last use.
Attachment #662230 - Flags: review?(bsmith)
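The ordering bug comment 8 describes, reduced to a constructed C example (added here; this is not Mozilla's nsPermissionManager or PLDHash code, and the table, the `PermissionKey` layout and every function name are hypothetical). It mirrors the trace above: the key is a separate heap object that the table's raw-remove destroys immediately, and the bad read is a 4-byte field of that freed key. The fixed routine copies what the notification needs out of the entry before removing it, so the implicit free is the last use.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the permission manager's hash entries.
 * The key is its own heap object, as in the trace, where the freed
 * 32-byte region is a PermissionKey and the bad read is a 4-byte field
 * inside it.  Hypothetical names; not Mozilla's code. */
typedef struct {
    char *host;
    unsigned int app_id;
    int in_browser_element;
} PermissionKey;

typedef struct {
    PermissionKey *key;       /* owned by the entry; destroyed on removal */
    unsigned int permission;
    int live;
} PermEntry;

#define TABLE_CAP 8
typedef struct { PermEntry slots[TABLE_CAP]; } PermTable;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

void table_init(PermTable *t) { memset(t, 0, sizeof *t); }

PermEntry *table_lookup(PermTable *t, const char *host, unsigned int app_id) {
    for (size_t i = 0; i < TABLE_CAP; i++) {
        PermEntry *e = &t->slots[i];
        if (e->live && e->key->app_id == app_id && strcmp(e->key->host, host) == 0)
            return e;
    }
    return NULL;
}

PermEntry *table_add(PermTable *t, const char *host, unsigned int app_id,
                     int in_browser, unsigned int permission) {
    PermEntry *e = table_lookup(t, host, app_id);
    if (!e) {
        for (size_t i = 0; i < TABLE_CAP && !e; i++)
            if (!t->slots[i].live) e = &t->slots[i];
        if (!e) return NULL;                       /* table full */
        e->key = malloc(sizeof *e->key);
        if (!e->key) return NULL;
        e->key->host = dup_str(host);
        e->key->app_id = app_id;
        e->key->in_browser_element = in_browser;
        e->live = 1;
    }
    e->permission = permission;
    return e;
}

/* Plays the role of PL_DHashTableRawRemove: the entry's clear hook runs at
 * once and destroys the key (the ~PermissionKey frame in the trace).  Any
 * later read through entry->key is a heap-use-after-free. */
void table_raw_remove(PermEntry *e) {
    free(e->key->host);
    free(e->key);
    e->key = NULL;
    e->live = 0;
}

/* What observers are told about a removal; filled from the entry. */
typedef struct {
    unsigned int app_id;
    int in_browser_element;
    unsigned int old_permission;
    int removed;
} RemoveResult;

/* The ordering the trace reports, shown only as a comment (never executed):
 *
 *     table_raw_remove(entry);            // key freed here
 *     r.app_id = entry->key->app_id;      // 4-byte read of the freed key
 *
 * The fix described in comment 8 is purely an ordering change: copy every
 * field the notification needs out of the entry first, so the removal (the
 * implicit free) is the last operation that touches it. */
RemoveResult remove_permission(PermTable *t, const char *host, unsigned int app_id) {
    RemoveResult r = {0, 0, 0, 0};
    PermEntry *entry = table_lookup(t, host, app_id);
    if (!entry) return r;
    r.app_id = entry->key->app_id;
    r.in_browser_element = entry->key->in_browser_element;
    r.old_permission = entry->permission;
    r.removed = 1;
    table_raw_remove(entry);                       /* last use of entry */
    return r;
}

void table_destroy(PermTable *t) {
    for (size_t i = 0; i < TABLE_CAP; i++)
        if (t->slots[i].live) table_raw_remove(&t->slots[i]);
}

int main(void) {
    PermTable t;
    table_init(&t);
    table_add(&t, "example.com", 1001, 0, 1);      /* constructed sample entry */
    RemoveResult r = remove_permission(&t, "example.com", 1001);
    printf("removed=%d app_id=%u old_permission=%u\n",
           r.removed, r.app_id, r.old_permission);
    table_destroy(&t);
    return 0;
}
```

Built with `-fsanitize=address`, the commented-out ordering is exactly what ASan flags as a heap-use-after-free on the key; the fixed ordering reads nothing after `table_raw_remove`, which is the whole content of the patch.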
(Assignee)

Updated

5 years ago
status-firefox15: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
status-firefox18: --- → affected
tracking-firefox17: --- → ?
tracking-firefox18: --- → ?
OS: Linux → All
Hardware: x86_64 → All
Comment on attachment 662230 [details] [diff] [review]
Patch

Review of attachment 662230 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Thanks.
Attachment #662230 - Flags: review?(bsmith) → review+
(Assignee)

Updated

5 years ago
Blocks: 792378

Updated

5 years ago
Keywords: regression

Updated

5 years ago
blocking-basecamp: ? → +
(Assignee)

Comment 10

5 years ago
Comment on attachment 662230 [details] [diff] [review]
Patch

https://hg.mozilla.org/integration/mozilla-inbound/rev/bf856d547865
Attachment #662230 - Flags: checkin+
(Assignee)

Updated

5 years ago
status-firefox18: affected → fixed
Target Milestone: --- → mozilla18
(Reporter)

Comment 11

5 years ago
https://hg.mozilla.org/mozilla-central/rev/bf856d547865
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
status-firefox-esr10: --- → unaffected
(Assignee)

Updated

5 years ago
Blocks: 777072
(Assignee)

Comment 12

5 years ago
Comment on attachment 662230 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 777072
User impact if declined: security issues
Risk to taking this patch (and alternatives if risky): risk is very low, the patch is trivial (just moving the place we release the object from a few lines
String or UUID changes made by this patch: none
Attachment #662230 - Flags: approval-mozilla-aurora?

Updated

5 years ago
tracking-firefox17: ? → +
tracking-firefox18: ? → +
Comment on attachment 662230 [details] [diff] [review]
Patch

[Triage Comment]
Low risk, sec-critical regression in FF17. Approving for Aurora.
Attachment #662230 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 14

5 years ago
Pushed to aurora:
https://hg.mozilla.org/releases/mozilla-aurora/rev/3312e43c5cf4
status-firefox17: affected → fixed
(Assignee)

Updated

5 years ago
Duplicate of this bug: 792378
Whiteboard: [asan][asan-test-failure][sg:critical] → [asan][asan-test-failure][sg:critical][qa-]
Whiteboard: [asan][asan-test-failure][sg:critical][qa-] → [asan][asan-test-failure][sg:critical][qa-][adv-track-main17-]
Group: core-security
Whiteboard: [asan][asan-test-failure][sg:critical][qa-][adv-track-main17-] → [asan][asan-test-failure][qa-][adv-track-main17-]