Closed Bug 966001 Opened 10 years ago Closed 10 years ago

heap-use-after-free in mozilla::dom::HTMLMediaElement::LookupMediaElementURITable()

Categories

(Core :: DOM: Core & HTML, defect)

29 Branch
x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED INCOMPLETE
Tracking Status
firefox29 --- affected
firefox30 - affected

People

(Reporter: tsmith, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Attachments

(1 file)

Found by the BlackBerry Security Automated Analysis Team's fuzzing framework ALF.

At this time we do not have a test case that will reproduce the issue.

==20409==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160005148a0 at pc 0x7fb81eff39be bp 0x7fff480660d0 sp 0x7fff480660c8
READ of size 8 at 0x6160005148a0 thread T0
    #0 0x7fb81eff39bd (libxul.so!mozilla::dom::HTMLMediaElement::LookupMediaElementURITable(nsIURI*)+0x3cd)
	Line 803 of "../../../../dist/include/nsCOMPtr.h"
    #1 0x7fb81efeefce (libxul.so!mozilla::dom::HTMLMediaElement::LoadResource()+0x55e)
	Line 1109 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #2 0x7fb81efed19a (libxul.so!mozilla::dom::HTMLMediaElement::SelectResource()+0x77a)
	Line 817 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #3 0x7fb81efebf98 (libxul.so!mozilla::dom::HTMLMediaElement::SelectResourceWrapper()+0x8)
	Line 767 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #4 0x7fb81f00d4ec (libxul.so!nsRunnableMethodImpl<void (mozilla::dom::HTMLMediaElement::*)(), void, true>::Run()+0x6c)
	Line 383 of "../../../../dist/include/nsThreadUtils.h"
    #5 0x7fb81f011585 (libxul.so!mozilla::dom::nsSyncSection::Run()+0xa5)
	Line 693 of "/builds/slave/m-in-l64-asan-0000000000000000/build/content/html/content/src/HTMLMediaElement.cpp"
    #6 0x7fb81dfe2d98 (libxul.so!nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int)+0x228)
	Line 313 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
    #7 0x7fb81dfe35a8 (libxul.so!non-virtual thunk to nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool)+0x48)
	Line 90 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.h"
    #8 0x7fb81b3d6dec (libxul.so!nsThread::ProcessNextEvent(bool, bool*)+0x106c)
	Line 651 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp"
    #9 0x7fb81b2aabb1 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1)
	Line 263 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
    #10 0x7fb81bc08051 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311)
	Line 95 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
    #11 0x7fb81bb7d023 (libxul.so!MessageLoop::Run()+0x1c3)
	Line 226 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
    #12 0x7fb81dfe1dac (libxul.so!nsBaseAppShell::Run()+0x5c)
	Line 157 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
    #13 0x7fb820d497c6 (libxul.so!nsAppStartup::Run()+0xc6)
	Line 276 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp"
    #14 0x7fb820b61e15 (libxul.so!XREMain::XRE_mainRun()+0x1de5)
	Line 4023 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #15 0x7fb820b62d4a (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa)
	Line 4091 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #16 0x7fb820b63c7b (libxul.so!XRE_main+0x3ab)
	Line 4331 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #17 0x459dcd (firefox!main+0x94d)
	Line 280 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
    #18 0x7fb82b9eb76c (libc.so.6!__libc_start_main+0xec)
	Line 226 of "libc-start.c"
    #19 0x45934c (firefox!_start+0x28)
0x6160005148a0 is located 32 bytes inside of 544-byte region [0x616000514880,0x616000514aa0)
freed by thread T0 here:
    #0 0x446255 (firefox!free+0x55)
	Line 64 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
    #1 0x7fb81b86b3db (libxul.so!mozilla::net::nsHttpTransaction::DeleteSelfOnConsumerThread()+0x32b)
	Line 1778 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpTransaction.cpp"
    #2 0x7fb81b86b9f2 (libxul.so!mozilla::net::nsHttpTransaction::Release()+0x52)
	Line 1836 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpTransaction.cpp"
    #3 0x7fb81b538ee5 (libxul.so!nsInputStreamPump::OnStateStop()+0x405)
	Line 703 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsInputStreamPump.cpp"
    #4 0x7fb81b537643 (libxul.so!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)+0x493)
	Line 438 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsInputStreamPump.cpp"
    #5 0x7fb81b3a1864 (libxul.so!nsInputStreamReadyEvent::Run()+0x64)
	Line 85 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/io/nsStreamUtils.cpp"
    #6 0x7fb81b2aabb1 (libxul.so!NS_ProcessNextEvent(nsIThread*, bool)+0xb1)
	Line 263 of "/builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp"
    #7 0x7fb81bc08051 (libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x311)
	Line 95 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp"
    #8 0x7fb81bb7d023 (libxul.so!MessageLoop::Run()+0x1c3)
	Line 226 of "/builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc"
    #9 0x7fb81dfe1dac (libxul.so!nsBaseAppShell::Run()+0x5c)
	Line 157 of "/builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp"
    #10 0x7fb820b62d4a (libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*)+0x4fa)
	Line 4091 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #11 0x7fb820b63c7b (libxul.so!XRE_main+0x3ab)
	Line 4331 of "/builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp"
    #12 0x459dcd (firefox!main+0x94d)
	Line 280 of "/builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp"
    #13 0x7fb82b9eb76c (libc.so.6!__libc_start_main+0xec)
	Line 226 of "libc-start.c"
previously allocated by thread T0 here:
    #0 0x446395 (firefox!malloc+0x55)
	Line 74 of "/builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc"
    #1 0x7fb8270af588 (libmozalloc.so!moz_xmalloc+0x8)
	Line 52 of "/builds/slave/m-in-l64-asan-0000000000000000/build/memory/mozalloc/mozalloc.cpp"
    #2 0x7fb81b7d6b70 (libxul.so!mozilla::net::nsHttpChannel::ContinueConnect()+0x4e0)
	Line 376 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpChannel.cpp"
    #3 0x7fb81b7f39de (libxul.so!mozilla::net::nsHttpChannel::OnCacheEntryAvailable(nsICacheEntry*, bool, nsIApplicationCache*, tag_nsresult)+0xbe)
	Line 2994 of "/builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/protocol/http/nsHttpChannel.cpp"
Shadow bytes around the buggy address:
  0x0c2c8009a8c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a8f0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2c8009a900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c8009a910: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c8009a950: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c8009a960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==20409==ABORTING
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
If I read the code and stack trace correctly, we somehow end up having a dead element in
the gElementTable table. It is rather scary to keep raw pointers in the hashtable.
But I haven't figured out yet what causes the issue.
Btw, I spent some time trying to figure out what could cause this, and the code looks suspicious,
but the state transitions are so complicated that I couldn't find a testcase.
In other words someone more familiar with audio/video handling should look at this.
Chris, could you maybe look into this a bit?  Thanks.
Flags: needinfo?(cpearce)
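The hazard named above, a global table that hands out raw pointers to elements which may already have been destroyed, is the classic shape of a use-after-free reached through a lookup table. The example below is added here and is not Gecko code; the names (RawElement, gRawTable, WeakElement, gWeakTable, LookupLive) and the URIs are constructed for illustration. It contrasts a raw-pointer table whose entries go stale when an element forgets to unregister itself with two defensive shapes: RAII unregistration in the destructor, and a table of weak pointers whose lookup refuses to return dead elements even when nothing unregistered them.

```cpp
// Added example (not Gecko code): how a global lookup table keyed by element
// pointers goes stale, and two ways to keep it from returning dead elements.
// All names here are assumptions for illustration, not Firefox's real API.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

struct RawElement;

// Pattern A: table of raw pointers. Safe only if every element removes itself
// before it dies; the "forgetful" variant models the hazard described above.
static std::unordered_map<std::string, std::vector<RawElement*>> gRawTable;

struct RawElement {
    std::string uri;
    bool unregisterOnDestroy;

    RawElement(const std::string& u, bool unregister)
        : uri(u), unregisterOnDestroy(unregister) {
        gRawTable[uri].push_back(this);
    }
    ~RawElement() {
        if (unregisterOnDestroy) {
            Unregister();  // RAII: the table can never outlive our registration
        }
        // Otherwise the table keeps a dangling pointer to this object.
    }
    void Unregister() {
        auto it = gRawTable.find(uri);
        if (it == gRawTable.end()) return;
        auto& v = it->second;
        v.erase(std::remove(v.begin(), v.end(), this), v.end());
        if (v.empty()) gRawTable.erase(it);
    }
};

// Number of pointers (live or dangling) the raw table still holds for a URI
// after its only element is destroyed. A defender's invariant check: this
// must be 0 once all elements are gone. The stale pointer is counted, never
// dereferenced.
size_t RawEntriesAfterDestroy(bool unregisterOnDestroy) {
    gRawTable.clear();
    const std::string uri = "http://example.invalid/a.webm";  // constructed value
    {
        RawElement e(uri, unregisterOnDestroy);
    }  // e destroyed here
    size_t stale = 0;
    auto it = gRawTable.find(uri);
    if (it != gRawTable.end()) stale = it->second.size();
    gRawTable.clear();  // drop the stale entry without touching what it points at
    return stale;
}

// Pattern B: table of weak_ptr. Lookup cannot hand back a destroyed element,
// even if nobody ever unregistered it.
struct WeakElement {
    std::string uri;
};
static std::unordered_map<std::string, std::vector<std::weak_ptr<WeakElement>>> gWeakTable;

void RegisterWeak(const std::shared_ptr<WeakElement>& el) {
    gWeakTable[el->uri].push_back(el);
}

// Returns the live elements for a URI, pruning expired entries as it goes.
std::vector<std::shared_ptr<WeakElement>> LookupLive(const std::string& uri) {
    std::vector<std::shared_ptr<WeakElement>> live;
    auto it = gWeakTable.find(uri);
    if (it == gWeakTable.end()) return live;
    auto& v = it->second;
    for (auto wp = v.begin(); wp != v.end();) {
        if (auto sp = wp->lock()) {
            live.push_back(sp);
            ++wp;
        } else {
            wp = v.erase(wp);  // element is gone: forget the entry
        }
    }
    if (v.empty()) gWeakTable.erase(it);
    return live;
}

// Register one element, optionally destroy it, and count what lookup returns.
size_t LiveWeakEntries(bool destroyFirst) {
    gWeakTable.clear();
    const std::string uri = "http://example.invalid/b.webm";  // constructed value
    auto el = std::make_shared<WeakElement>(WeakElement{uri});
    RegisterWeak(el);
    if (destroyFirst) el.reset();  // last owner released: the table entry expires
    size_t n = LookupLive(uri).size();
    gWeakTable.clear();
    return n;
}
```

RawEntriesAfterDestroy(false) returns 1, the dangling entry that a later lookup would dereference; RawEntriesAfterDestroy(true) and LiveWeakEntries(true) both return 0. Of the two fixes, the weak-pointer table is the more robust one because it does not depend on every destruction path remembering to unregister, which is exactly the kind of path that complicated state transitions tend to miss.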
Do we have a testcase?
Nope, just the stack of the use, the free, and the allocation.  Sometimes that can be enough to figure out what is happening.
If this is hard to reproduce, it is probably less exploitable, so I'm reducing this to sec-high.
Keywords: sec-critical → sec-high
It's not obvious why we're crashing from that stack. If it's not a top crasher, I'm too busy to look at this, sorry.
Flags: needinfo?(cpearce)
Still no test case but I did come across a heap-buffer-overflow with the same call stack. Not sure if this will provide clues but figured I'd post it.
It sounds like there's no path forward here.  Please feel free to reopen this bug or file another if you get some more information.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INCOMPLETE
One path forward would be for someone familiar with the code to look at the suspicious code paths.
The code is certainly error prone.
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML