Bug 886174 (Closed)
Opened 11 years ago
Closed 11 years ago
ASAN use-after-free in JS_GetGlobalForScopeChain #3
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 882897

Tracking | Status
---|---
firefox24 | affected

People: Reporter: nils, Assigned: bholley
Details: 4 keywords; Whiteboard: [asan][sg:dupe 882897]
Attachments (1 file): 1.39 KB, text/plain
Crashes nightly in the same function as bug 882897 and bug 883301; however, most of the stack trace and the testcase look quite a bit different, so filing this as a separate bug.
ASAN output:
=================================================================
==4880== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f8521091460 at pc 0x7f854772d6b3 bp 0x7fffc1b0cae0 sp 0x7fffc1b0cad8
READ of size 8 at 0x7f8521091460 thread T0
#0 0x7f854772d6b2 in JS_GetGlobalForScopeChain(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jsapi.cpp:2135:0
#1 0x7f8543af1937 in nsGlobalWindow::DetachFromDocShell() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/dom/base/nsGlobalWindow.cpp:2735:0
#2 0x7f85447eefec in non-virtual thunk to nsDocShell::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/docshell/base/nsDocShell.cpp:5005:0
#3 0x7f8542fac0ad in nsDocument::MaybeInitializeFinalizeFrameLoaders() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/base/src/nsDocument.cpp:6199:0
#4 0x7f8542ff8356 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../../dist/include/nsThreadUtils.h:350:0
#5 0x7f8542fc1c08 in nsDocument::FinalizeFrameLoader(nsFrameLoader*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/base/src/nsDocument.cpp:6155:0
#6 0x7f854302ec92 in nsFrameLoader::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/base/src/nsFrameLoader.cpp:1363:0
#7 0x7f85436a5164 in nsGenericHTMLFrameElement::DestroyContent() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/html/content/src/nsGenericHTMLFrameElement.cpp:274:0
0x7f8521091460 is located 32 bytes inside of 680-byte region [0x7f8521091440,0x7f85210916e8)
freed by thread T0 here:
#0 0x441570 in __interceptor_free ??:?
#1 0x7f8547826483 in js_free(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:169:0
#2 0x7f8547826483 in _ZL9js_deleteI13JSCompartmentEvPT_ /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:491:0
#3 0x7f8547826483 in SweepCompartments(js::FreeOp*, JS::Zone*, bool, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jsgc.cpp:2513:0
previously allocated by thread T0 here:
#0 0x441630 in malloc ??:?
#1 0x7f8547594ddb in js_malloc(unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:152:0
#2 0x7f8547594ddb in js::MallocProvider<js::ThreadSafeContext>::malloc_(unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jscntxt.h:544:0
Shadow byte and word:
0x1ff0a421228c: fd
0x1ff0a4212288: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff0a4212268: 00 00 00 00 00 00 00 00
0x1ff0a4212270: 00 00 00 00 00 fb fb fb
0x1ff0a4212278: fa fa fa fa fa fa fa fa
0x1ff0a4212280: fa fa fa fa fa fa fa fa
=>0x1ff0a4212288: fd fd fd fd fd fd fd fd
0x1ff0a4212290: fd fd fd fd fd fd fd fd
0x1ff0a4212298: fd fd fd fd fd fd fd fd
0x1ff0a42122a0: fd fd fd fd fd fd fd fd
0x1ff0a42122a8: fd fd fd fd fd fd fd fd
==4880== ABORTING
Comment 1•11 years ago
If it's not a duplicate of the others, then it's likely critical.
Keywords: sec-critical
Comment 2•11 years ago
Going to presume this is another instance of bug 887334 for the moment, but leaving open so we retest this specific testcase after it's fixed.
Assignee: nobody → bobbyholley+bmo
Blocks: 868130
status-firefox24: --- → affected
Depends on: CVE-2013-1738
Whiteboard: [asan] → [asan][sg:dupe 882897]
Comment 3 (assignee)•11 years ago
Now that we've landed the suspected fix, let's get some QA to make sure that this doesn't reproduce on trunk anymore.
Keywords: qawanted
Comment 4•11 years ago
Matt, could you confirm that this is fixed? Thanks.
Flags: needinfo?(mwobensmith)
Comment 5•11 years ago
This appears to not crash latest ASan on Mac, 2013-08-22. However, I tried it on an ASan Mac build from 2013-06-06 (something closer to when this bug was reported) and no crash there either. So, I can't be sure.
My Linux ASan builds are busted at the moment, but if Nils would like to confirm that this no longer reproduces, we could say authoritatively that this bug is gone.
Flags: needinfo?(mwobensmith)
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
Group: core-security
Updated•6 years ago
Component: DOM → DOM: Core & HTML