Closed Bug 795750 Opened 13 years ago Closed 13 years ago

Heap-use-after-free in HttpBaseChannel::SetNotificationCallbacks

Categories

(Core :: Audio/Video, defect)

x86_64
All
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox17 --- unaffected
firefox18 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: inferno, Unassigned)

References

Details

(Keywords: csectype-uaf, reporter-external, sec-critical, Whiteboard: [asan]fixed by 795892 [adv-main18+])

Attachments

(1 file)

Reproduce on trunk. Run testcases with multiple Firefox instances from an HTTP context.

=================================================================
==13495== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc18c196388 at pc 0x7fc1c5da11ee bp 0x7fff9b818dd0 sp 0x7fff9b818dc8
READ of size 8 at 0x7fc18c196388 thread T0
    #0 0x7fc1c5da11ed in nsCOMPtr_base::assign_with_AddRef(nsISupports*) src/objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:48
    #1 0x7fc1b90aafca in nsCOMPtr<nsIInterfaceRequestor>::operator=(nsIInterfaceRequestor*) src/../../../../dist/include/nsCOMPtr.h:622
    #2 0x7fc1b990fe2b in mozilla::net::HttpBaseChannel::SetNotificationCallbacks(nsIInterfaceRequestor*) src/netwerk/protocol/http/HttpBaseChannel.cpp:285
    #3 0x7fc1b991056e in non-virtual thunk to mozilla::net::HttpBaseChannel::SetNotificationCallbacks(nsIInterfaceRequestor*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #4 0x7fc1bc19617a in nsCORSListenerProxy::Init(nsIChannel*, bool) src/content/base/src/nsCrossSiteListenerProxy.cpp:383
    #5 0x7fc1bfd980f2 in mozilla::ChannelMediaResource::OpenChannel(nsIStreamListener**) src/content/media/MediaResource.cpp:453
    #6 0x7fc1bfd94bec in mozilla::ChannelMediaResource::CacheClientSeek(long, bool) src/content/media/MediaResource.cpp:809
    #7 0x7fc1bfd9c60c in mozilla::ChannelMediaResource::Resume() src/content/media/MediaResource.cpp:684
    #8 0x7fc1bfd9eba5 in mozilla::ChannelMediaResource::CacheClientResume() src/content/media/MediaResource.cpp:824
    #9 0x7fc1bff0376a in nsMediaCache::Update() src/content/media/nsMediaCache.cpp:1315
    #10 0x7fc1bff256b0 in UpdateEvent::Run() src/content/media/nsMediaCache.cpp:1342
    #11 0x7fc1c6156580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #12 0x7fc1c5de8ecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #13 0x7fc1c48323b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #14 0x7fc1c640ee11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #15 0x7fc1c640ec46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #16 0x7fc1c640eb2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #17 0x7fc1c3cd9dda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #18 0x7fc1c290c9b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #19 0x7fc1b8f7fa4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
    #20 0x7fc1b8f858c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
    #21 0x7fc1b8f88774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
    #22 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #23 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
    #24 0x7fc1d6e7dc4c in ?? ??:0
0x7fc18c196388 is located 8 bytes inside of 120-byte region [0x7fc18c196380,0x7fc18c1963f8)
freed by thread T0 here:
    #0 0x4c4af0 in free ??:0
    #1 0x7fc1d3d09586 in moz_free src/memory/mozalloc/mozalloc.cpp:51
    #2 0x7fc1bc193ceb in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7fc1bc193f8b in non-virtual thunk to nsCORSListenerProxy::Release() src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #4 0x7fc1b8f438db in ~nsCOMPtr_base src/../../dist/include/nsCOMPtr.h:408
    #5 0x7fc1b909bbc9 in nsCOMPtr<nsIInterfaceRequestor>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:447
    #6 0x7fc1b909bab6 in nsCOMPtr<nsIInterfaceRequestor>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:447
    #7 0x7fc1c5dbcbbd in nsGetInterface::operator()(nsID const&, void**) const src/objdir-ff-asan-sym/xpcom/build/nsIInterfaceRequestorUtils.cpp:22
    #8 0x7fc1c5da271c in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) src/objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:110
    #9 0x7fc1b97526e5 in nsCOMPtr src/../../../dist/include/nsCOMPtr.h:603
    #10 0x7fc1b975250f in nsCOMPtr src/../../../dist/include/nsCOMPtr.h:605
    #11 0x7fc1b9910270 in mozilla::net::PrivateBrowsingChannel<mozilla::net::HttpBaseChannel>::CanSetCallbacks(nsIInterfaceRequestor*) const src/netwerk/protocol/http/../../base/src/PrivateBrowsingChannel.h:69
    #12 0x7fc1b990fd7a in mozilla::net::HttpBaseChannel::SetNotificationCallbacks(nsIInterfaceRequestor*) src/netwerk/protocol/http/HttpBaseChannel.cpp:281
    #13 0x7fc1b991056e in non-virtual thunk to mozilla::net::HttpBaseChannel::SetNotificationCallbacks(nsIInterfaceRequestor*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #14 0x7fc1bc19617a in nsCORSListenerProxy::Init(nsIChannel*, bool) src/content/base/src/nsCrossSiteListenerProxy.cpp:383
    #15 0x7fc1bfd980f2 in mozilla::ChannelMediaResource::OpenChannel(nsIStreamListener**) src/content/media/MediaResource.cpp:453
    #16 0x7fc1bfd94bec in mozilla::ChannelMediaResource::CacheClientSeek(long, bool) src/content/media/MediaResource.cpp:809
    #17 0x7fc1bfd9c60c in mozilla::ChannelMediaResource::Resume() src/content/media/MediaResource.cpp:684
    #18 0x7fc1bfd9eba5 in mozilla::ChannelMediaResource::CacheClientResume() src/content/media/MediaResource.cpp:824
    #19 0x7fc1bff0376a in nsMediaCache::Update() src/content/media/nsMediaCache.cpp:1315
    #20 0x7fc1bff256b0 in UpdateEvent::Run() src/content/media/nsMediaCache.cpp:1342
    #21 0x7fc1c6156580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #22 0x7fc1c5de8ecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #23 0x7fc1c48323b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #24 0x7fc1c640ee11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #25 0x7fc1c640ec46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #26 0x7fc1c640eb2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #27 0x7fc1c3cd9dda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #28 0x7fc1c290c9b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #29 0x7fc1b8f7fa4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
previously allocated by thread T0 here:
    #0 0x4c4bb0 in __interceptor_malloc ??:0
    #1 0x7fc1d3d096da in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fc1bfd97fc7 in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fc1bfd94bec in mozilla::ChannelMediaResource::CacheClientSeek(long, bool) src/content/media/MediaResource.cpp:809
    #4 0x7fc1bfd9c60c in mozilla::ChannelMediaResource::Resume() src/content/media/MediaResource.cpp:684
    #5 0x7fc1bfd9eba5 in mozilla::ChannelMediaResource::CacheClientResume() src/content/media/MediaResource.cpp:824
    #6 0x7fc1bff0376a in nsMediaCache::Update() src/content/media/nsMediaCache.cpp:1315
    #7 0x7fc1bff256b0 in UpdateEvent::Run() src/content/media/nsMediaCache.cpp:1342
    #8 0x7fc1c6156580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
    #9 0x7fc1c5de8ecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #10 0x7fc1c48323b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #11 0x7fc1c640ee11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #12 0x7fc1c640ec46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #13 0x7fc1c640eb2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #14 0x7fc1c3cd9dda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #15 0x7fc1c290c9b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
    #16 0x7fc1b8f7fa4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
    #17 0x7fc1b8f858c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
    #18 0x7fc1b8f88774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
    #19 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #20 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
    #21 0x7fc1d6e7dc4c in ?? ??:0
Shadow byte and word:
  0x1ff831832c71: fd
  0x1ff831832c70: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff831832c50: fa fa fa fa fa fa fa fa
  0x1ff831832c58: fa fa fa fa fa fa fa fa
  0x1ff831832c60: fa fa fa fa fa fa fa fa
  0x1ff831832c68: fa fa fa fa fa fa fa fa
=>0x1ff831832c70: fd fd fd fd fd fd fd fd
  0x1ff831832c78: fd fd fd fd fd fd fd fd
  0x1ff831832c80: fa fa fa fa fa fa fa fa
  0x1ff831832c88: fa fa fa fa fa fa fa fa
  0x1ff831832c90: 00 00 00 00 00 00 fb fb
Stats: 280M malloced (304M for red zones) by 469173 calls
Stats: 43M realloced by 26239 calls
Stats: 247M freed by 339851 calls
Stats: 111M really freed by 226634 calls
Stats: 496M (127067 full pages) mmaped in 124 calls
  mmaps   by size class: 8:311277; 9:32764; 10:12285; 11:14329; 12:3072; 13:2048; 14:1280; 15:384; 16:1024; 17:1248; 18:176; 19:40; 20:20;
  mallocs by size class: 8:384265; 9:41466; 10:13341; 11:19330; 12:3522; 13:2170; 14:1679; 15:399; 16:1328; 17:1419; 18:189; 19:44; 20:21;
  frees   by size class: 8:273477; 9:31661; 10:9748; 11:16124; 12:2388; 13:1845; 14:1423; 15:339; 16:1243; 17:1389; 18:157; 19:39; 20:18;
  rfrees  by size class: 8:197449; 9:12316; 10:2910; 11:9874; 12:916; 13:664; 14:741; 15:199; 16:941; 17:595; 18:24; 19:4; 20:1;
Stats: malloc large: 1673 small slow: 2655
==13495== ABORTING
Component: General → Video/Audio
Product: Firefox → Core
Either DOM or V/A
Please retest with the patch from bug 795892 applied (or update your tree to the current tip).
Depends on: 795892
Yes, the patch (pretty obvious refptr one) from 795892 fixes it. I caught this regression way faster though :)
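The mechanism in the ASan trace, reduced to a self-contained model (added illustration, not code from this bug or from Mozilla's tree): the freed 120-byte object is the freshly allocated proxy, CanSetCallbacks briefly holds it in a temporary strong pointer whose destructor drops the count to zero, and assign_with_AddRef then touches the dead object. The names RefCounted, StrongPtr, Channel, Callbacks, init_unsafe and init_safe are stand-ins invented here for nsISupports, nsCOMPtr, HttpBaseChannel, nsCORSListenerProxy and the two calling patterns; Release() only flags the object as dead instead of deleting it, so the outcome is observable without undefined behaviour.

```cpp
// Stand-in for XPCOM intrusive refcounting (nsISupports). Release() at zero
// marks the object dead instead of deleting it; a real nsCOMPtr would `delete`.
struct RefCounted {
    int refcnt = 0;
    bool alive = true;
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) alive = false; }
};

// Models nsCOMPtr<T>: owns exactly one strong reference.
template <typename T>
class StrongPtr {
    T* p_ = nullptr;
public:
    StrongPtr() = default;
    explicit StrongPtr(T* p) : p_(p) { if (p_) p_->AddRef(); }
    ~StrongPtr() { if (p_) p_->Release(); }
    // nsCOMPtr_base::assign_with_AddRef: dereferences p even if it is already dead
    StrongPtr& operator=(T* p) { if (p) p->AddRef(); if (p_) p_->Release(); p_ = p; return *this; }
};

struct Callbacks : RefCounted {};            // plays the nsCORSListenerProxy role

// Models HttpBaseChannel. CanSetCallbacks inspects the object through a temporary
// strong pointer (as do_GetInterface did); that temporary's Release() is the
// free in the ASan trace whenever nobody else owns the object.
struct Channel {
    StrongPtr<Callbacks> mCallbacks;
    bool CanSetCallbacks(Callbacks* cb) {
        StrongPtr<Callbacks> tmp(cb);        // AddRef now, Release at scope exit
        return cb != nullptr;
    }
    void SetNotificationCallbacks(Callbacks* cb) {
        if (!CanSetCallbacks(cb)) return;
        mCallbacks = cb;                     // the use-after-free site
    }
};

// Buggy caller: a freshly constructed object handed over as a bare pointer.
bool init_unsafe() {
    Callbacks cb;                            // refcount 0, like a bare `new Proxy()`
    Channel ch;                              // declared after cb, so destroyed first
    ch.SetNotificationCallbacks(&cb);
    return cb.alive;                         // false: released to zero in CanSetCallbacks
}

// Fixed caller: an owning reference spans the whole call (the "refptr" fix).
bool init_safe() {
    Callbacks cb;
    StrongPtr<Callbacks> owner(&cb);         // refcount 1 before the call
    Channel ch;
    ch.SetNotificationCallbacks(&cb);
    return cb.alive;                         // true: the count never reaches zero
}
```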
Keywords: csec-uaf
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed by 795892
Whiteboard: fixed by 795892 → [asan] fixed by 795892
Whiteboard: [asan] fixed by 795892 → [asan]fixed by 795892
Whiteboard: [asan]fixed by 795892 → [asan]fixed by 795892 [adv-main18+]
Alias: CVE-2013-0765
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+