Closed Bug 886174 Opened 11 years ago Closed 11 years ago

ASAN use-after-free in JS_GetGlobalForScopeChain #3

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 882897
Tracking Status
firefox24 --- affected

People

(Reporter: nils, Assigned: bholley)

References

Details

(4 keywords, Whiteboard: [asan][sg:dupe 882897])

Attachments

(1 file)

Crashes nightly in the same function as bug 882897 and bug 883301; however, most of the stack trace and the testcase look quite a bit different, so filing this as a separate bug.

ASAN output:

=================================================================
==4880== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f8521091460 at pc 0x7f854772d6b3 bp 0x7fffc1b0cae0 sp 0x7fffc1b0cad8
READ of size 8 at 0x7f8521091460 thread T0
    #0 0x7f854772d6b2 in JS_GetGlobalForScopeChain(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jsapi.cpp:2135:0
    #1 0x7f8543af1937 in nsGlobalWindow::DetachFromDocShell() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/dom/base/nsGlobalWindow.cpp:2735:0
    #2 0x7f85447eefec in non-virtual thunk to nsDocShell::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/docshell/base/nsDocShell.cpp:5005:0
    #3 0x7f8542fac0ad in nsDocument::MaybeInitializeFinalizeFrameLoaders() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/base/src/nsDocument.cpp:6199:0
    #4 0x7f8542ff8356 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../../dist/include/nsThreadUtils.h:350:0
    #5 0x7f8542fc1c08 in nsDocument::FinalizeFrameLoader(nsFrameLoader*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/base/src/nsDocument.cpp:6155:0
    #6 0x7f854302ec92 in nsFrameLoader::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/base/src/nsFrameLoader.cpp:1363:0
    #7 0x7f85436a5164 in nsGenericHTMLFrameElement::DestroyContent() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/html/content/src/nsGenericHTMLFrameElement.cpp:274:0
0x7f8521091460 is located 32 bytes inside of 680-byte region [0x7f8521091440,0x7f85210916e8)
freed by thread T0 here:
    #0 0x441570 in __interceptor_free ??:?
    #1 0x7f8547826483 in js_free(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:169:0
    #2 0x7f8547826483 in _ZL9js_deleteI13JSCompartmentEvPT_ /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:491:0
    #3 0x7f8547826483 in SweepCompartments(js::FreeOp*, JS::Zone*, bool, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jsgc.cpp:2513:0
previously allocated by thread T0 here:
    #0 0x441630 in malloc ??:?
    #1 0x7f8547594ddb in js_malloc(unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:152:0
    #2 0x7f8547594ddb in js::MallocProvider<js::ThreadSafeContext>::malloc_(unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jscntxt.h:544:0
Shadow byte and word:
  0x1ff0a421228c: fd
  0x1ff0a4212288: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff0a4212268: 00 00 00 00 00 00 00 00
  0x1ff0a4212270: 00 00 00 00 00 fb fb fb
  0x1ff0a4212278: fa fa fa fa fa fa fa fa
  0x1ff0a4212280: fa fa fa fa fa fa fa fa
=>0x1ff0a4212288: fd fd fd fd fd fd fd fd
  0x1ff0a4212290: fd fd fd fd fd fd fd fd
  0x1ff0a4212298: fd fd fd fd fd fd fd fd
  0x1ff0a42122a0: fd fd fd fd fd fd fd fd
  0x1ff0a42122a8: fd fd fd fd fd fd fd fd
Stats: 263M malloced (245M for red zones) by 352579 calls
Stats: 36M realloced by 22833 calls
Stats: 235M freed by 220149 calls
Stats: 201M really freed by 149822 calls
Stats: 241M (61776 full pages) mmaped in 455 calls
  mmaps   by size class: 7:139230; 8:59363; 9:16368; 10:6132; 11:7140; 12:1536; 13:1600; 14:544; 15:192; 16:672; 17:456; 18:26; 19:36; 20:22; 21:1;
  mallocs by size class: 7:207393; 8:81307; 9:28991; 10:9703; 11:14411; 12:2763; 13:2881; 14:1607; 15:369; 16:1543; 17:1507; 18:39; 19:40; 20:23; 21:2;
  frees   by size class: 7:123595; 8:47062; 9:21054; 10:6663; 11:12752; 12:1843; 13:2468; 14:1446; 15:264; 16:1418; 17:1492; 18:33; 19:36; 20:22; 21:1;
  rfrees  by size class: 7:82701; 8:27450; 9:16734; 10:4712; 11:11203; 12:1336; 13:1640; 14:1300; 15:237; 16:1060; 17:1360; 18:30; 19:36; 20:22; 21:1;
Stats: malloc large: 3523 small slow: 5041
==4880== ABORTING
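The question the rest of this bug turns on is whether a report that crashes in the same top frame as bug 882897 but with a different stack is the same bug. Below is an added example (not code from the bug or from Mozilla) that parses an excerpt of the ASan report quoted above into its error class, access, region and the three stacks, and then builds a crash signature at a chosen stack depth so two reports can be compared by crash site alone or by the first few callers. OTHER_REPORT, its addresses and the caller SomeOtherCaller are constructed, hypothetical values used only to show a "same function, different stack" comparison.

```python
"""Triage helper: extract a crash signature from an AddressSanitizer report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^==(\d+)==\s*ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (.+?) of (\d+)-byte region")
# "#N 0x... in <function, may contain spaces> <file:line:col or ??:?>"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+)\s+(\S+)$")

# Excerpt of the report quoted in this bug (stack lines only; shadow bytes
# and allocator stats are not needed for a signature).
REPORT = """\
==4880== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f8521091460 at pc 0x7f854772d6b3 bp 0x7fffc1b0cae0 sp 0x7fffc1b0cad8
READ of size 8 at 0x7f8521091460 thread T0
    #0 0x7f854772d6b2 in JS_GetGlobalForScopeChain(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jsapi.cpp:2135:0
    #1 0x7f8543af1937 in nsGlobalWindow::DetachFromDocShell() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/dom/base/nsGlobalWindow.cpp:2735:0
    #2 0x7f85447eefec in non-virtual thunk to nsDocShell::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/docshell/base/nsDocShell.cpp:5005:0
0x7f8521091460 is located 32 bytes inside of 680-byte region [0x7f8521091440,0x7f85210916e8)
freed by thread T0 here:
    #0 0x441570 in __interceptor_free ??:?
    #1 0x7f8547826483 in js_free(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:169:0
    #2 0x7f8547826483 in SweepCompartments(js::FreeOp*, JS::Zone*, bool, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/js/src/jsgc.cpp:2513:0
previously allocated by thread T0 here:
    #0 0x441630 in malloc ??:?
    #1 0x7f8547594ddb in js_malloc(unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/./../../dist/include/js/Utility.h:152:0
==4880== ABORTING
"""

# Constructed, hypothetical second report: same crashing function, different caller.
OTHER_REPORT = """\
==1234== ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000000010 at pc 0x400abc bp 0x7ffd00000000 sp 0x7ffd00000000
READ of size 8 at 0x60b000000010 thread T0
    #0 0x400abc in JS_GetGlobalForScopeChain(JSContext*) js/src/jsapi.cpp:2135:0
    #1 0x400def in SomeOtherCaller() dom/base/hypothetical.cpp:1:0
"""


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col", or "??:?" when unsymbolized


@dataclass
class AsanReport:
    pid: int
    kind: str                          # e.g. "heap-use-after-free"
    address: str
    access: Optional[str] = None       # "READ" or "WRITE"
    access_size: Optional[int] = None
    thread: Optional[str] = None
    region_offset: Optional[int] = None
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "free": [], "alloc": []})


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; frames go to whichever section is current."""
    report, section = None, "access"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m.group(1)), m.group(2), m.group(3))
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            section = "access"
            continue
        m = REGION_RE.search(line)
        if m:
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(3))
            continue
        if line.startswith("freed by thread"):
            section = "free"
            continue
        if line.startswith("previously allocated by thread"):
            section = "alloc"
            continue
        m = FRAME_RE.match(line)
        if m:
            report.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def normalize(function: str) -> str:
    """Drop thunk prefixes and parameter lists so frames compare by symbol name."""
    return function.replace("non-virtual thunk to ", "").split("(", 1)[0]


def first_user_frame(frames: List[Frame]) -> Optional[Frame]:
    """Skip ASan interceptors and unsymbolized frames (malloc, __interceptor_free)."""
    for f in frames:
        if f.location != "??:?" and not f.function.startswith("__interceptor_"):
            return f
    return None


def signature(report: AsanReport, depth: int = 3) -> tuple:
    """Error class plus the top `depth` normalized frames of the faulting access."""
    return (report.kind,) + tuple(normalize(f.function) for f in report.stacks["access"][:depth])


def same_crash_site(a: AsanReport, b: AsanReport) -> bool:
    """Same error class and same innermost frame, regardless of how it was reached."""
    return signature(a, 1) == signature(b, 1)


if __name__ == "__main__":
    r, o = parse_asan_report(REPORT), parse_asan_report(OTHER_REPORT)
    print(r.access, "of size", r.access_size, "at +%d in %d-byte region" % (r.region_offset, r.region_size))
    print("freed in:", first_user_frame(r.stacks["free"]).function)
    print("signature:", signature(r))
    print("same crash site:", same_crash_site(r, o), "| same 3-frame signature:", signature(r) == signature(o))
```

Depth 1 answers "does it crash in the same function" (the reason the reporter noted bug 882897 and bug 883301); depth 3 or more distinguishes reports that reach that function by different paths, which is what made this one look like a separate bug. The free stack is worth keeping in the signature data too: when the freeing frame is a GC sweep (as here) the fix usually lives in whoever kept the stale pointer, not in the function that dereferenced it.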
If it's not a duplicate of the others, then it's likely critical.
Keywords: sec-critical
Keywords: csec-uaf
Whiteboard: [asan]
Going to presume this is another instance of bug 887334 for the moment, but leaving open so we can retest this specific testcase after it's fixed.
Assignee: nobody → bobbyholley+bmo
Blocks: 868130
Depends on: CVE-2013-1738
Whiteboard: [asan] → [asan][sg:dupe 882897]
Now that we've landed the suspected fix, let's get some QA to make sure that this doesn't reproduce on trunk anymore.
Keywords: qawanted
Matt, could you confirm that this is fixed? Thanks.
Flags: needinfo?(mwobensmith)
This appears to not crash latest ASan on Mac, 2013-08-22. However, I tried it on an ASan Mac build from 2013-06-06 (something closer to when this bug was reported) and no crash there either. So, I can't be sure.

My Linux ASan builds are busted at the moment, but if Nils would like to confirm that this no longer reproduces, we could say authoritatively that this bug is gone.
Flags: needinfo?(mwobensmith)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
Component: DOM → DOM: Core & HTML