Bug 966001 - heap-use-after-free in mozilla::dom::HTMLMediaElement::LookupMediaElementURITable()
Status: RESOLVED INCOMPLETE (opened 10 years ago, closed 10 years ago)
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: tsmith, Unassigned
Keywords: crash, csectype-uaf, sec-high
Attachments (1 file): 8.25 KB, text/plain
Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF. At this time we do not have a test case that will reproduce the issue.

==20409==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160005148a0 at pc 0x7fb81eff39be bp 0x7fff480660d0 sp 0x7fff480660c8
READ of size 8 at 0x6160005148a0 thread T0
    #0 0x7fb81eff39bd (libxul.so!mozilla::dom::HTMLMediaElement::LookupMediaElementURITable(nsIURI*)+0x3cd) Line 803 of "../../../../dist/include/nsCOMPtr.h"
    #1 0x7fb81efeefce (libxul.so!mozilla::dom::HTMLMediaElement::LoadResource()+0x55e) Line 1109 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #2 0x7fb81efed19a (libxul.so!mozilla::dom::HTMLMediaElement::SelectResource()+0x77a) Line 817 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #3 0x7fb81efebf98 (libxul.so!mozilla::dom::HTMLMediaElement::SelectResourceWrapper()+0x8) Line 767 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #4 0x7fb81f00d4ec (libxul.so!nsRunnableMethodImpl<void (mozilla::dom::HTMLMediaElement::*)(), void, true>::Run()+0x6c) Line 383 of "../../../../dist/include/nsThreadUtils.h"
    #5 0x7fb81f011585 (libxul.so!mozilla::dom::nsSyncSection::Run()+0xa5) Line 693 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #6 0x7fb81dfe2d98 (libxul.so!nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int)+0x228) Line 313 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
    #7 0x7fb81dfe35a8 (libxul.so!non-virtual thunk to nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool)+0x48) Line 90 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.h"
    #8 0x7fb81b3d6dec (libxul.so!nsThread::ProcessNextEvent(bool, bool*)+0x106c) Line 651 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp"
    #9 0x7fb81b2aabb1 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1) Line 263 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
    #10 0x7fb81bc08051 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311) Line 95 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
    #11 0x7fb81bb7d023 (libxul.so!MessageLoop::Run()+0x1c3) Line 226 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
    #12 0x7fb81dfe1dac (libxul.so!nsBaseAppShell::Run()+0x5c) Line 157 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
    #13 0x7fb820d497c6 (libxul.so!nsAppStartup::Run()+0xc6) Line 276 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp"
    #14 0x7fb820b61e15 (libxul.so!XREMain::XRE_mainRun()+0x1de5) Line 4023 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #15 0x7fb820b62d4a (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa) Line 4091 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #16 0x7fb820b63c7b (libxul.so!XRE_main+0x3ab) Line 4331 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #17 0x459dcd (firefox!main+0x94d) Line 280 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
    #18 0x7fb82b9eb76c (libc.so.6!__libc_start_main+0xec) Line 226 of "libc-start.c"
    #19 0x45934c (firefox!_start+0x28)

0x6160005148a0 is located 32 bytes inside of 544-byte region [0x616000514880,0x616000514aa0)
freed by thread T0 here:
    #0 0x446255 (firefox!free+0x55) Line 64 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
    #1 0x7fb81b86b3db (libxul.so!mozilla::net::nsHttpTransaction::DeleteSelfOnConsumerThread()+0x32b) Line 1778 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpTransaction.cpp"
    #2 0x7fb81b86b9f2 (libxul.so!mozilla::net::nsHttpTransaction::Release()+0x52) Line 1836 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpTransaction.cpp"
    #3 0x7fb81b538ee5 (libxul.so!nsInputStreamPump::OnStateStop()+0x405) Line 703 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsInputStreamPump.cpp"
    #4 0x7fb81b537643 (libxul.so!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)+0x493) Line 438 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsInputStreamPump.cpp"
    #5 0x7fb81b3a1864 (libxul.so!nsInputStreamReadyEvent::Run()+0x64) Line 85 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/io/nsStreamUtils.cpp"
    #6 0x7fb81b2aabb1 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1) Line 263 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
    #7 0x7fb81bc08051 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311) Line 95 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
    #8 0x7fb81bb7d023 (libxul.so!MessageLoop::Run()+0x1c3) Line 226 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
    #9 0x7fb81dfe1dac (libxul.so!nsBaseAppShell::Run()+0x5c) Line 157 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
    #10 0x7fb820b62d4a (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa) Line 4091 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #11 0x7fb820b63c7b (libxul.so!XRE_main+0x3ab) Line 4331 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #12 0x459dcd (firefox!main+0x94d) Line 280 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
    #13 0x7fb82b9eb76c (libc.so.6!__libc_start_main+0xec) Line 226 of "libc-start.c"

previously allocated by thread T0 here:
    #0 0x446395 (firefox!malloc+0x55) Line 74 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
    #1 0x7fb8270af588 (libmozalloc.so!moz_xmalloc+0x8) Line 52 of "/builds/slave/m-in-l64-asan-0000000000000000/build/memory/mozalloc/mozalloc.cpp"
    #2 0x7fb81b7d6b70 (libxul.so!mozilla::net::nsHttpChannel::ContinueConnect()+0x4e0) Line 376 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpChannel.cpp"
    #3 0x7fb81b7f39de (libxul.so!mozilla::net::nsHttpChannel::OnCacheEntryAvailable(nsICacheEntry*, bool, nsIApplicationCache*, tag_nsresult)+0xbe) Line 2994 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpChannel.cpp"

Shadow bytes around the buggy address:
  0x0c2c8009a8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a8f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2c8009a900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c8009a910: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a950: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8009a960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==20409==ABORTING
Updated•10 years ago
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•10 years ago
Keywords: testcase-wanted
Comment 1•10 years ago
If I read the code and stack trace correctly, we somehow end up having a dead element in the gElementTable table. It is rather scary to keep raw pointers in the hashtable. But I haven't figured out yet what causes the issue.
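The lifetime discipline comment 1 is asking for, as an added C++ illustration that is not Gecko's code: a URI-keyed table of non-owning raw pointers in the spirit of the gElementTable described above, where each element unregisters itself in its destructor, so a LookupMediaElementURITable-style lookup after destruction returns nullptr instead of reading freed memory. The type names, the table shape and the sample URI are assumptions.

```cpp
#include <algorithm>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>
struct MediaElement;
// Global, non-owning table: URI -> elements currently using that URI.
// Illustration only (not Gecko's gElementTable). The raw pointers are what
// comment 1 calls "scary": their validity must be pinned to the element's life.
static std::unordered_map<std::string, std::vector<MediaElement*>> gElementTable;
struct MediaElement {
    std::string uri;
    explicit MediaElement(std::string u) : uri(std::move(u)) {
        // Registration simplified to construction time; the unsafe pattern is
        // registering here without a matching unregistration below.
        gElementTable[uri].push_back(this);
    }
    ~MediaElement() {
        // Unregister before the memory goes away. Omitting this leaves a
        // dangling pointer that the next lookup reads, i.e. the reported UAF.
        auto it = gElementTable.find(uri);
        if (it == gElementTable.end()) return;
        auto& elems = it->second;
        elems.erase(std::remove(elems.begin(), elems.end(), this), elems.end());
        if (elems.empty()) gElementTable.erase(it);
    }
    // A registered address must stay unique: no copies or moves.
    MediaElement(const MediaElement&) = delete;
    MediaElement& operator=(const MediaElement&) = delete;
};
// Find another element sharing |uri|, or nullptr. Every pointer returned
// belongs to a live element because the destructor above removes it first.
MediaElement* LookupMediaElementURITable(const std::string& uri, const MediaElement* self) {
    auto it = gElementTable.find(uri);
    if (it == gElementTable.end()) return nullptr;
    for (MediaElement* e : it->second)
        if (e != self) return e;
    return nullptr;
}
// Scenario: A and B load the same constructed URI, B is destroyed, then A
// looks up again. Correct behaviour is nullptr, never the dead B.
bool LookupAfterDestroyIsSafe() {
    const std::string kUri = "http://media.example/clip.webm";  // constructed sample
    MediaElement a(kUri);
    {
        MediaElement b(kUri);
        if (LookupMediaElementURITable(kUri, &a) != &b) return false;
    }
    return LookupMediaElementURITable(kUri, &a) == nullptr;
}
```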
Comment 2•10 years ago
Btw, I spent some time trying to figure out what could cause this, and the code looks suspicious, but the state transitions are so complicated that I couldn't find the testcase.
Comment 3•10 years ago
In other words someone more familiar with audio/video handling should look at this.
Comment 4•10 years ago
Chris, could you maybe look into this a bit? Thanks.
Flags: needinfo?(cpearce)
Comment 5•10 years ago
Do we have a testcase?
Comment 6•10 years ago
Nope, just the stack of the use, the free, and the allocation. Sometimes that can be enough to figure out what is happening.
Comment 7•10 years ago
If this is hard to reproduce, it is probably less exploitable, so I'm reducing this to sec-high.
Keywords: sec-critical → sec-high
Comment 8•10 years ago
It's not obvious why we're crashing from that stack. If it's not a top crasher, I'm too busy to look at this, sorry.
Flags: needinfo?(cpearce)
Comment 9•10 years ago (Reporter)
Still no test case but I did come across a heap-buffer-overflow with the same call stack. Not sure if this will provide clues but figured I'd post it.
Comment 10•10 years ago
It sounds like there's no path forward here. Please feel free to reopen this bug or file another if you get some more information.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
Comment 11•10 years ago
One path forward would be for someone familiar with the code to look at the suspicious code paths. The code is certainly error prone.
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: testcase-wanted
Updated•8 years ago
Group: core-security-release
Updated•5 years ago
Component: DOM → DOM: Core & HTML