Closed Bug 1684331 Opened 4 years ago Closed 3 years ago

heap-use-after-free in [@ mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy]

Categories

(Core :: DOM: Service Workers, defect, P2)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1683490

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high)

==521==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e000030080 at pc 0x42a82c95fc77 bp 0x36ec29d8d590 sp 0x36ec29d8d588
READ of size 8 at 0x61e000030080 thread T14 (Worker Launcher)
    #0 0x42a82c95fc76 in mozilla::ipc::IProtocol::ActorDealloc() src/objdir-ff-ubsan/dist/include/mozilla/ipc/ProtocolUtils.h:335:18
    #1 0x42a82ea92c12 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() src/ipc/glue/ProtocolUtils.cpp:277:11
    #2 0x42a82ea9309e in mozilla::ipc::ActorLifecycleProxy::Release() src/objdir-ff-ubsan/dist/include/mozilla/ipc/ProtocolUtils.h:663:3
    #3 0x42a82eae6e94 in mozilla::RefPtrTraits<mozilla::ipc::ActorLifecycleProxy>::Release(mozilla::ipc::ActorLifecycleProxy*) src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:50:40
    #4 0x42a82eae6e34 in RefPtr<mozilla::ipc::ActorLifecycleProxy>::ConstRemovingRefPtrTraits<mozilla::ipc::ActorLifecycleProxy>::Release(mozilla::ipc::ActorLifecycleProxy*) src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:381:36
    #5 0x42a82ea72919 in RefPtr<mozilla::ipc::ActorLifecycleProxy>::~RefPtr() src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:81:7
    #6 0x42a82f9ab584 in mozilla::dom::PRemoteWorkerChild::OnMessageReceived(IPC::Message const&)::$_8::~$_8() src/objdir-ff-ubsan/ipc/ipdl/PRemoteWorkerChild.cpp:480:52
    #7 0x42a82f9e7324 in std::_Function_base::_Base_manager<mozilla::dom::PRemoteWorkerChild::OnMessageReceived(IPC::Message const&)::$_8>::_M_destroy(std::_Any_data&, std::integral_constant<bool, false>) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:207:4
    #8 0x42a82f9e6979 in std::_Function_base::_Base_manager<mozilla::dom::PRemoteWorkerChild::OnMessageReceived(IPC::Message const&)::$_8>::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:231:8
    #9 0x42a82c05268d in std::_Function_base::~_Function_base() /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:276:2
    #10 0x42a82f9ab627 in std::function<void (mozilla::dom::ServiceWorkerOpResult const&)>::~function() /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:147:11
    #11 0x42a83afc3eb4 in mozilla::dom::ServiceWorkerOp::ServiceWorkerOp(mozilla::dom::ServiceWorkerOpArgs&&, std::function<void (mozilla::dom::ServiceWorkerOpResult const&)>&&)::$_19::~$_19() src/dom/serviceworkers/ServiceWorkerOp.cpp:412:7
    #12 0x42a83b0249c9 in mozilla::Maybe<mozilla::dom::ServiceWorkerOp::ServiceWorkerOp(mozilla::dom::ServiceWorkerOpArgs&&, std::function<void (mozilla::dom::ServiceWorkerOpResult const&)>&&)::$_19>::reset() src/objdir-ff-ubsan/dist/include/mozilla/Maybe.h:665:19
    #13 0x42a83b024749 in mozilla::MozPromise<mozilla::dom::ServiceWorkerOpResult, nsresult, true>::ThenValue<mozilla::dom::ServiceWorkerOp::ServiceWorkerOp(mozilla::dom::ServiceWorkerOpArgs&&, std::function<void (mozilla::dom::ServiceWorkerOpResult const&)>&&)::$_19>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::dom::ServiceWorkerOpResult, nsresult, true>::ResolveOrRejectValue&) src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:911:30
    #14 0x42a83a8d91e1 in mozilla::MozPromise<mozilla::dom::ServiceWorkerOpResult, nsresult, true>::ThenValueBase::DoResolveOrReject(mozilla::MozPromise<mozilla::dom::ServiceWorkerOpResult, nsresult, true>::ResolveOrRejectValue&) src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:597:7
    #15 0x42a83a8d8aba in mozilla::MozPromise<mozilla::dom::ServiceWorkerOpResult, nsresult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() src/objdir-ff-ubsan/dist/include/mozilla/MozPromise.h:476:21
    #16 0x42a82c437deb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #17 0x42a82c430bf1 in NS_ProcessPendingEvents(nsIThread*, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:496:19
    #18 0x42a82c42fa13 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:461:7
    #19 0x472a3475dff9 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x6d607a28d6da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
    #21 0x6d607a5c6a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61e000030080 is located 0 bytes inside of 2616-byte region [0x61e000030080,0x61e000030ab8)
freed by thread T14 (Worker Launcher) here:
    #0 0x5579e292a98d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x42a82e9b953f in operator delete(void*) src/objdir-ff-ubsan/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x42a82e9b953f in (anonymous namespace)::ChildImpl::Release() src/ipc/glue/BackgroundImpl.cpp:494:3
    #3 0x42a82e9b9434 in mozilla::RefPtrTraits<(anonymous namespace)::ChildImpl>::Release((anonymous namespace)::ChildImpl*) src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:50:40
    #4 0x42a82e9b93d4 in RefPtr<(anonymous namespace)::ChildImpl>::ConstRemovingRefPtrTraits<(anonymous namespace)::ChildImpl>::Release((anonymous namespace)::ChildImpl*) src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:381:36
    #5 0x42a82e9b0bb9 in RefPtr<(anonymous namespace)::ChildImpl>::~RefPtr() src/objdir-ff-ubsan/dist/include/mozilla/RefPtr.h:81:7
    #6 0x42a82e9bcdb0 in (anonymous namespace)::ChildImpl::ThreadLocalInfo::~ThreadLocalInfo() src/ipc/glue/BackgroundImpl.cpp:271:10
    #7 0x42a82e9bcc16 in (anonymous namespace)::ChildImpl::ThreadLocalDestructor(void*) src/ipc/glue/BackgroundImpl.cpp:1638:5
    #8 0x472a34747f4b in PR_SetThreadPrivate src/nsprpub/pr/src/threads/prtpd.c:185:9
    #9 0x42a82e9daeec in (anonymous namespace)::ChildImpl::ThreadInfoWrapper::CloseForCurrentThread() src/ipc/glue/BackgroundImpl.cpp:369:11
    #10 0x42a82e95cf23 in (anonymous namespace)::ChildImpl::CloseForCurrentThread() src/ipc/glue/BackgroundImpl.cpp:1593:38
    #11 0x42a82e95ceb4 in mozilla::ipc::BackgroundChild::CloseForCurrentThread() src/ipc/glue/BackgroundImpl.cpp:723:3
    #12 0x42a82c42f94e in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:443:5
    #13 0x472a3475dff9 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x6d607a28d6da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463

previously allocated by thread T14 (Worker Launcher) here:
    #0 0x5579e292ac0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x5579e296d784 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x42a82e9afbc1 in operator new(unsigned long) src/objdir-ff-ubsan/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x42a82e9afbc1 in ParentContentActorCreateFunc((anonymous namespace)::ChildImpl::ThreadLocalInfo*, unsigned int, nsIEventTarget*, (anonymous namespace)::ChildImpl**) src/ipc/glue/BackgroundImpl.cpp:811:35
    #4 0x42a82e9d98e8 in (anonymous namespace)::ChildImpl::ThreadInfoWrapper::GetOrCreateForCurrentThread(nsIEventTarget*) src/ipc/glue/BackgroundImpl.cpp:412:7
    #5 0x42a82e95ccbb in (anonymous namespace)::ChildImpl::GetOrCreateForCurrentThread(nsIEventTarget*) src/ipc/glue/BackgroundImpl.cpp:1569:45
    #6 0x42a82e95cc54 in mozilla::ipc::BackgroundChild::GetOrCreateForCurrentThread(nsIEventTarget*) src/ipc/glue/BackgroundImpl.cpp:704:10
    #7 0x42a83a8a61eb in mozilla::dom::RemoteWorkerService::InitializeOnTargetThread() src/dom/workers/remoteworkers/RemoteWorkerService.cpp:117:34
    #8 0x42a83a8c7adc in mozilla::dom::RemoteWorkerService::InitializeOnMainThread()::$_28::operator()() const src/dom/workers/remoteworkers/RemoteWorkerService.cpp:99:44
    #9 0x42a83a8c79bd in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerService::InitializeOnMainThread()::$_28>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:534:5
    #10 0x42a82c437deb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #11 0x42a82c443709 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #12 0x42a82ea89a24 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:332:5
    #13 0x42a82e7734bf in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
    #14 0x42a82e773414 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:327:3
    #15 0x42a82e773381 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #16 0x42a82c42f949 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:441:10
    #17 0x472a3475dff9 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #18 0x6d607a28d6da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463

Thread T14 (Worker Launcher) created by T0 (Web Content) here:
    #0 0x5579e291567a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x472a34740279 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x472a34723455 in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x42a82c4324d1 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:658:8
    #4 0x42a82c442420 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:641:12
    #5 0x42a82c44f710 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:169:57
    #6 0x42a82cae3f1f in nsresult NS_NewNamedThread<16ul>(char const (&) [16ul], nsIThread**, nsIRunnable*, unsigned int) src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:85:10
    #7 0x42a83a8a589b in mozilla::dom::RemoteWorkerService::InitializeOnMainThread() src/dom/workers/remoteworkers/RemoteWorkerService.cpp:82:17
    #8 0x42a83a8a542b in mozilla::dom::RemoteWorkerService::Initialize() src/dom/workers/remoteworkers/RemoteWorkerService.cpp:49:28
    #9 0x42a83a41ba15 in mozilla::dom::ContentChild::RecvRemoteType(nsTString<char> const&) src/dom/ipc/ContentChild.cpp:2642:5
    #10 0x42a82ef84eb2 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PContentChild.cpp:11096:56
    #11 0x42a83a42ec22 in mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) src/dom/ipc/ContentChild.cpp:3605:25
    #12 0x42a82ea771d2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2153:25
    #13 0x42a82ea712d7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2077:9
    #14 0x42a82ea733c4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1925:3
    #15 0x42a82ea749c9 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1956:13
    #16 0x42a82c3f46d9 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:459:16
    #17 0x42a82c3d8bd2 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:739:26
    #18 0x42a82c3d5a10 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:598:15
    #19 0x42a82c3d5e19 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:382:36
    #20 0x42a82c3dafea in mozilla::TaskController::InitializeInternal()::$_3::operator()() const src/xpcom/threads/TaskController.cpp:123:37
    #21 0x42a82c3daf5d in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() src/objdir-ff-ubsan/dist/include/nsThreadUtils.h:534:5
    #22 0x42a82c437deb in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1200:14
    #23 0x42a82c443709 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
    #24 0x42a82ea86604 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
    #25 0x42a82ea88de4 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:270:30
    #26 0x42a82e7734bf in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
    #27 0x42a82e773414 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:327:3
    #28 0x42a82e773381 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #29 0x42a83b44a08b in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #30 0x42a8446dab03 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #31 0x42a82ea88c0d in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
    #32 0x42a82e7734bf in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
    #33 0x42a82e773414 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:327:3
    #34 0x42a82e773381 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #35 0x42a8446d9b59 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #36 0x42a8446f78d6 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/Bootstrap.cpp:67:12
    #37 0x5579e295d55e in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #38 0x5579e295dde2 in main src/browser/app/nsBrowserApp.cpp:305:18
    #39 0x6d607a4c6b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

A Pernosco session is available here: https://pernos.co/debug/5GgEZBMz1A36Coiilglqkg/index.html

I added a see also to bug 1683490, which seems to cover instances of this crash in the wild. I may have my holidays mixed up, but I am so very thankful for :tsmith and the rest of the fuzzing team for continually providing invaluable re-creations of complicated situations with exact traces via pernosco!

Severity: -- → S3
Priority: -- → P2
Keywords: sec-high

Can you share the test case the Pernosco session is based on?

Flags: needinfo?(twsmith)

(In reply to Simon Giesecke [:sg] [he/him] from comment #3)
> Can you share the test case the Pernosco session is based on?

Unfortunately the test case that triggered this issue is large and unreliable. I also hit another (variation?) bug while trying again to reduce it. It is logged as bug 1687597.

Flags: needinfo?(twsmith)
See Also: → 1687597

I think this was probably fixed by bug 1683490 as of Jan 26th. Is it possible to confirm that the large test case no longer seems to trigger this issue? Thanks!

Flags: needinfo?(twsmith)

I was unable to reproduce the issue. Also the fuzzers are no longer seeing this issue. It was last reported while fuzzing m-c 20210113-77dc70a7ac25.

Flags: needinfo?(twsmith)

Duping to bug 1683490 then, noting that the provided pernosco trace on this bug was invaluable.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security