Closed Bug 976838 Opened 11 years ago Closed 6 years ago

Deleting ProcessLink before ::Open may access uninitialized mTransport/mIOLoop

Categories

(Core :: IPC, defect, P3)

defect

Tracking

()

RESOLVED FIXED

People

(Reporter: johns, Unassigned)

References

Details

(Keywords: csectype-uninitialized, sec-other)

Attachments

(1 file)

In bug 974933, we're crashing deleting a PluginModuleParent -> PPluginModuleParent -> MessageChannel -> ProcessLink. I believe I've tracked this down to ProcessLink::Open not being called due to an abort [1], which means mTransport and mIOLoop are never initialized, resulting in a bogus |mTransport->set_listener(0)| [2] [1] http://dxr.mozilla.org/mozilla-central/source/dom/plugins/ipc/PluginModuleParent.cpp#101 [2] http://dxr.mozilla.org/mozilla-central/source/ipc/glue/MessageLink.cpp#69
Looks like this was introduced in bug 901789. Unsure if this code gets used in b2g
Attachment #8381782 - Flags: review?(bent.mozilla)
Comment on attachment 8381782 [details] [diff] [review] Initialize mTransport/mIOLoop in constructor Review of attachment 8381782 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!
Attachment #8381782 - Flags: review?(bent.mozilla) → review+
Let's backport this as far as it needs to go.
I'm going to say sec-high. Feel free to adjust.
@bent Do you know if this code is only used by plugin-IPC or should it apply to b2g as well?
Flags: needinfo?(bent.mozilla)
Well, now that I'm looking at this more closely I'm not sure this is such a big deal after all. The issue isn't that PluginModuleParent is created/destroyed and Open never called, it's that ProcessLink could be created and destroyed with Open never being called. I don't see anywhere where that could happen given this: http://mxr.mozilla.org/mozilla-central/source/ipc/glue/MessageChannel.cpp#296 We should still fix this though. Am I missing anything here?
Flags: needinfo?(bent.mozilla)
Comment on attachment 8381782 [details] [diff] [review] Initialize mTransport/mIOLoop in constructor Review of attachment 8381782 [details] [diff] [review]: ----------------------------------------------------------------- ::: ipc/glue/MessageLink.cpp @@ +59,5 @@ > ProcessLink::ProcessLink(MessageChannel *aChan) > : MessageLink(aChan), > + mExistingListener(nullptr), > + mTransport(nullptr), > + mIOLoop(nullptr) Oh, please make sure these are in the correct order.
The crash at https://crash-stats.mozilla.com/report/index/eb39173b-4faa-4dcc-b47e-ca1862140219 clearly indicates that we're operating on poisoned memory. Uninitialized is a possibility although bent's right that this seems unlikely. It's also possible that we're just operating on a dead object and have a dangling pointer. Here are the possibilities I can think of: * double-deleting the PluginModuleParent * the channel is a member of PluginModuleParent so that's not a problem * in MessageChannel::Clear the pointer mLink * in ProcessLink::~ProcessLink the pointer to mTransport * in Channel::set_listener the pointer to channel_impl_ My intuition is that we're somehow deleting the PluginModuleParent nested inside its own destructor somehow.
You're right, I was under the impression ::Open() was called directly from ModuleParent::Open. If that's not happening, that can't be the cause. Argh.
No longer blocks: 974933
Keywords: sec-high
John, what sort of security rating should this get? Is this not actually an issue after all? Or maybe something like sec-moderate? Thanks.
I think per comment 7 this isn't a security issue, though it should probably stay protected until the memory corruption issue it's talking about is resolved (or, the relevant comments all hidden, I guess)
Keywords: sec-other
Group: core-security → dom-core-security
Is this still relevant?
Probably still relevant, but there have been some changes to the IPC core over the past few years. :billm might know.
Flags: needinfo?(jld) → needinfo?(wmccloskey)
The original crash seems to have gone away. There's a patch that initializes some stuff, which is nice. But I don't think this stuff should ever be accessed before Open, when it's currently initialized. The patch still seems nice to guard against unspecified badness, but I don't think we need to spend too much time wondering how the crash might have happened or got fixed. Perhaps we should just take the patch and close the bug. Does that sound okay to you Jed?
Flags: needinfo?(wmccloskey) → needinfo?(jld)
Seems reasonable.
Flags: needinfo?(jld)
Assignee: john → nobody
Status: ASSIGNED → NEW
Priority: -- → P2
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
This was actually fixed by the patch for bug 1044322.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: