Closed
Bug 1626728
(CVE-2020-6820)
Opened 5 years ago
Closed 5 years ago
AddressSanitizer: heap-use-after-free /home/fuzzer/firefox/src/dist/include/mozilla/ipc/ProtocolUtils.h:229:31 in Id
Categories
(Core :: Storage: Cache API, defect, P1)
Tracking
()
People
(Reporter: rs, Assigned: asuth)
References
Details
(Keywords: csectype-uaf, reporter-external, sec-critical)
Attachments
(4 files)
|
19.70 KB,
text/x-log
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-release+
RyanVM
:
approval-mozilla-esr68+
dveditz
:
sec-approval+
|
Details | Review |
|
13.25 KB,
patch
|
Details | Diff | Splinter Review | |
|
94.07 KB,
text/plain
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Steps to reproduce:
Reproduced in 75.0b8 firefox
After the last advisory I thought that this had been fixed in Firefox 74, Bug 1610880 CVE-2020-6805 . It's related? or am I missing something.
Actual results:
=================================================================
==7841==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080006452a8 at pc 0x7f1255bf90b0 bp 0x7f11c984d690 sp 0x7f11c984d688 READ of size 4 at 0x6080006452a8 thread T24 (IPDL Background)
#0 0x7f1255bf90af in Id /home/fuzzer/firefox/src/dist/include/mozilla/ipc/ProtocolUtils.h:229:31
#1 0x7f1255bf90af in mozilla::dom::cache::PCacheStreamControlParent::SendCloseAll() /home/fuzzer/firefox/src/ipc/ipdl/PCacheStreamControlParent.cpp:75:61
#2 0x7f1259f86832 in mozilla::dom::cache::Context::CancelAll() /home/fuzzer/firefox/checkout/dom/cache/Context.cpp:820:23
#3 0x7f1259fbd3ed in Abort /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:1930:12
#4 0x7f1259fbd3ed in mozilla::dom::cache::Manager::Factory::Abort(nsTSubstring<char> const&) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:292:20
#5 0x7f125b893b2c in mozilla::dom::quota::QuotaManager::OpenDirectoryInternal(mozilla::dom::Nullable<mozilla::dom::quota::PersistenceType> const&, mozilla::dom::quota::OriginScope const&, mozilla::dom::Nullable<mozilla::dom::quota::Client::Type> const&, bool, mozilla::dom::quota::OpenDirectoryListener*) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:6756:25
#6 0x7f125b8ba0e5 in mozilla::dom::quota::(anonymous namespace)::NormalOriginOperationBase::Open() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8392:30
#7 0x7f125b8b9a77 in mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp
#8 0x7f125b8c35a7 in RunImmediately /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:1262:5
#9 0x7f125b8c35a7 in mozilla::dom::quota::(anonymous namespace)::Quota::RecvPQuotaRequestConstructor(mozilla::dom::quota::PQuotaRequestParent*, mozilla::dom::quota::RequestParams const&) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8841:7
#10 0x7f1255712cd6 in mozilla::dom::quota::PQuotaParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PQuotaParent.cpp:350:28
#11 0x7f1255ab6306 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PBackgroundParent.cpp:3599:32
#12 0x7f1254f62281 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2187:25
#13 0x7f1254f5e9b1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2111:9
#14 0x7f1254f6067a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1959:3
#15 0x7f1254f60ff7 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1990:13
#16 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
#17 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
#18 0x7f1254f6c2d5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/firefox/checkout/ipc/glue/MessagePump.cpp:302:20
#19 0x7f1254e7c322 in RunInternal /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:315:10
#20 0x7f1254e7c322 in RunHandler /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:308:3
#21 0x7f1254e7c322 in MessageLoop::Run() /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:290:3
#22 0x7f1253d10531 in nsThread::ThreadFunc(void*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:464:10
#23 0x7f126ae772e8 in _pt_root /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:201:5
#24 0x7f126e78d668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
#25 0x7f126e34b322 in clone /build/glibc-t7JzpG/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x6080006452a8 is located 8 bytes inside of 96-byte region [0x6080006452a0,0x608000645300)
freed by thread T24 (IPDL Background) here:
#0 0x55fd68bddc7d in free (/home/fuzzer/firefox/src/dist/bin/firefox+0xbbc7d)
#1 0x7f1254ed7c23 in mozilla::ipc::BackgroundParentImpl::DeallocPCacheStreamControlParent(mozilla::dom::cache::PCacheStreamControlParent*) /home/fuzzer/firefox/checkout/ipc/glue/BackgroundParentImpl.cpp:993:3
#2 0x7f1254f82913 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /home/fuzzer/firefox/checkout/ipc/glue/ProtocolUtils.cpp:249:11
#3 0x7f1255ab33dc in mozilla::ipc::PBackgroundParent::RemoveManagee(int, mozilla::ipc::IProtocol*) /home/fuzzer/firefox/src/ipc/ipdl/PBackgroundParent.cpp
#4 0x7f1255bf9634 in mozilla::dom::cache::PCacheStreamControlParent::Send__delete__(mozilla::dom::cache::PCacheStreamControlParent*) /home/fuzzer/firefox/src/ipc/ipdl/PCacheStreamControlParent.cpp:125:10
#5 0x7f1259fc7e43 in NoteClosed /home/fuzzer/firefox/checkout/dom/cache/StreamControl.cpp:29:3
#6 0x7f1259fc7e43 in NoteClosedOnOwningThread /home/fuzzer/firefox/checkout/dom/cache/ReadStream.cpp:399:13
#7 0x7f1259fc7e43 in mozilla::dom::cache::ReadStream::Inner::NoteClosed() /home/fuzzer/firefox/checkout/dom/cache/ReadStream.cpp:363:5
#8 0x7f1259fcab60 in mozilla::dom::cache::StreamControl::CloseAllReadStreams() /home/fuzzer/firefox/checkout/dom/cache/StreamControl.cpp:68:21
#9 0x7f1259f80de1 in NotifyCloseAll /home/fuzzer/firefox/checkout/dom/cache/CacheStreamControlParent.cpp:163:3
#10 0x7f1259f80de1 in mozilla::dom::cache::CacheStreamControlParent::CloseAll() /home/fuzzer/firefox/checkout/dom/cache/CacheStreamControlParent.cpp:143:3
#11 0x7f1259f86832 in mozilla::dom::cache::Context::CancelAll() /home/fuzzer/firefox/checkout/dom/cache/Context.cpp:820:23
#12 0x7f1259fbd3ed in Abort /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:1930:12
#13 0x7f1259fbd3ed in mozilla::dom::cache::Manager::Factory::Abort(nsTSubstring<char> const&) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:292:20
#14 0x7f125b893b2c in mozilla::dom::quota::QuotaManager::OpenDirectoryInternal(mozilla::dom::Nullable<mozilla::dom::quota::PersistenceType> const&, mozilla::dom::quota::OriginScope const&, mozilla::dom::Nullable<mozilla::dom::quota::Client::Type> const&, bool, mozilla::dom::quota::OpenDirectoryListener*) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:6756:25
#15 0x7f125b8ba0e5 in mozilla::dom::quota::(anonymous namespace)::NormalOriginOperationBase::Open() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8392:30
#16 0x7f125b8b9a77 in mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp
#17 0x7f125b8c35a7 in RunImmediately /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:1262:5
#18 0x7f125b8c35a7 in mozilla::dom::quota::(anonymous namespace)::Quota::RecvPQuotaRequestConstructor(mozilla::dom::quota::PQuotaRequestParent*, mozilla::dom::quota::RequestParams const&) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8841:7
#19 0x7f1255712cd6 in mozilla::dom::quota::PQuotaParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PQuotaParent.cpp:350:28
#20 0x7f1255ab6306 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PBackgroundParent.cpp:3599:32
#21 0x7f1254f62281 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2187:25
#22 0x7f1254f5e9b1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2111:9
#23 0x7f1254f6067a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1959:3
#24 0x7f1254f60ff7 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1990:13
#25 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
#26 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
#27 0x7f1254f6c2d5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/firefox/checkout/ipc/glue/MessagePump.cpp:302:20
#28 0x7f1254e7c322 in RunInternal /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:315:10
#29 0x7f1254e7c322 in RunHandler /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:308:3
#30 0x7f1254e7c322 in MessageLoop::Run() /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:290:3
#31 0x7f1253d10531 in nsThread::ThreadFunc(void*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:464:10
#32 0x7f126ae772e8 in _pt_root /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:201:5
#33 0x7f126e78d668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
previously allocated by thread T24 (IPDL Background) here:
#0 0x55fd68bddefd in malloc (/home/fuzzer/firefox/src/dist/bin/firefox+0xbbefd)
#1 0x55fd68c134cd in moz_xmalloc /home/fuzzer/firefox/checkout/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f1259f65f00 in operator new /home/fuzzer/firefox/src/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f1259f65f00 in mozilla::dom::cache::AutoParentOpResult::SerializeReadStream(nsID const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheReadStream*) /home/fuzzer/firefox/checkout/dom/cache/AutoUtils.cpp:497:13
#4 0x7f1259f652eb in mozilla::dom::cache::AutoParentOpResult::SerializeResponseBody(mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheResponse*) /home/fuzzer/firefox/checkout/dom/cache/AutoUtils.cpp:481:3
#5 0x7f1259f75d20 in mozilla::dom::cache::CacheOpParent::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, long, nsTArray<mozilla::dom::cache::SavedResponse> const&, nsTArray<mozilla::dom::cache::SavedRequest> const&, mozilla::dom::cache::StreamList*) /home/fuzzer/firefox/checkout/dom/cache/CacheOpParent.cpp:174:12
#6 0x7f1259fbb7f3 in mozilla::dom::cache::Manager::Listener::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:1497:3
#7 0x7f1259fd988b in mozilla::dom::cache::Manager::CacheMatchAction::Complete(mozilla::dom::cache::Manager::Listener*, mozilla::ErrorResult&&) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:557:18
#8 0x7f1259fd8e12 in mozilla::dom::cache::Manager::BaseAction::CompleteOnInitiatingThread(nsresult) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:436:7
#9 0x7f1259f84c81 in mozilla::dom::cache::Context::ActionRunnable::Run() /home/fuzzer/firefox/checkout/dom/cache/Context.cpp:651:16
#10 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
#11 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
#12 0x7f1254f6c2cb in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/firefox/checkout/ipc/glue/MessagePump.cpp:332:5
#13 0x7f1254e7c322 in RunInternal /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:315:10
#14 0x7f1254e7c322 in RunHandler /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:308:3
#15 0x7f1254e7c322 in MessageLoop::Run() /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:290:3
#16 0x7f1253d10531 in nsThread::ThreadFunc(void*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:464:10
#17 0x7f126ae772e8 in _pt_root /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:201:5
#18 0x7f126e78d668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
Thread T24 (IPDL Background) created by T0 here:
#0 0x55fd68bc868a in pthread_create (/home/fuzzer/firefox/src/dist/bin/firefox+0xa668a)
#1 0x7f126ae656d3 in _PR_CreateThread /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f126ae4f70e in PR_CreateThread /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f1253d12832 in nsThread::Init(nsTSubstring<char> const&) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:670:8
#4 0x7f1253d1db7c in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadManager.cpp:621:12
#5 0x7f1253d21383 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7f1254f11b60 in NS_NewNamedThread<16> /home/fuzzer/firefox/src/dist/include/nsThreadUtils.h:65:10
#7 0x7f1254f11b60 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /home/fuzzer/firefox/checkout/ipc/glue/BackgroundImpl.cpp:1325:7
#8 0x7f1254f16080 in RunOnMainThread /home/fuzzer/firefox/checkout/ipc/glue/BackgroundImpl.cpp:1620:30
#9 0x7f1254f16080 in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /home/fuzzer/firefox/checkout/ipc/glue/BackgroundImpl.cpp:1639:17
#10 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
#11 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
#12 0x7f1253d1e25c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadManager.cpp:694:36)> /home/fuzzer/firefox/src/dist/include/nsThreadUtils.h:342:25
#13 0x7f1253d1e25c in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadManager.cpp:694:8
#14 0x7f1253d4b361 in NS_InvokeByIndex /home/fuzzer/firefox/checkout/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#15 0x7f1255df1c28 in Invoke /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNative.cpp:1634:10
#16 0x7f1255df1c28 in Call /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNative.cpp:1175:19
#17 0x7f1255df1c28 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNative.cpp:1141:23
#18 0x7f1255df7d81 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
#19 0x7f1260a4740c in CallJSNative /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:477:13
#20 0x7f1260a4740c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:569:12
#21 0x7f1260a30e07 in CallFromStack /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:636:10
#22 0x7f1260a30e07 in Interpret(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:3046:16
#23 0x7f1260a15278 in js::RunScript(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:449:10
#24 0x7f1260a47c8e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:604:13
#25 0x7f1260a49809 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:649:8
#26 0x7f1260fcf438 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /home/fuzzer/firefox/checkout/js/src/vm/JSFunction.cpp:1214:10
#27 0x7f1260a4740c in CallJSNative /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:477:13
#28 0x7f1260a4740c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:569:12
#29 0x7f1260a30e07 in CallFromStack /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:636:10
#30 0x7f1260a30e07 in Interpret(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:3046:16
#31 0x7f1260a15278 in js::RunScript(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:449:10
#32 0x7f1260a47c8e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:604:13
#33 0x7f1260a49809 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:649:8
#34 0x7f1260c03e30 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/fuzzer/firefox/checkout/js/src/jsapi.cpp:2735:10
#35 0x7f1255de2499 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedJSClass.cpp:959:17
#36 0x7f1253d4c9f1 in PrepareAndDispatch /home/fuzzer/firefox/checkout/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
#37 0x7f1253d4b8fa in SharedStub (/home/fuzzer/firefox/src/dist/bin/libxul.so+0x2cca8fa)
#38 0x7f12607cbd27 in nsXREDirProvider::DoStartup() /home/fuzzer/firefox/checkout/toolkit/xre/nsXREDirProvider.cpp:957:11
#39 0x7f12607ad0e7 in XREMain::XRE_mainRun() /home/fuzzer/firefox/checkout/toolkit/xre/nsAppRunner.cpp:4348:16
#40 0x7f12607afa0b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/fuzzer/firefox/checkout/toolkit/xre/nsAppRunner.cpp:4690:8
#41 0x7f12607b0920 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/fuzzer/firefox/checkout/toolkit/xre/nsAppRunner.cpp:4741:21
#42 0x55fd68c109ab in do_main /home/fuzzer/firefox/checkout/browser/app/nsBrowserApp.cpp:217:22
#43 0x55fd68c109ab in main /home/fuzzer/firefox/checkout/browser/app/nsBrowserApp.cpp:331:16
#44 0x7f126e2501e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzzer/firefox/src/dist/include/mozilla/ipc/ProtocolUtils.h:229:31 in Id
Shadow bytes around the buggy address:
0x0c10800c0a00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c10800c0a10: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c10800c0a20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c10800c0a30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c10800c0a40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c10800c0a50: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c10800c0a60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c10800c0a70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c10800c0a80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c10800c0a90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c10800c0aa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==7841==ABORTING
Firefox 73b (old crash)
==============================================================
==7356==ERROR: AddressSanitizer: heap-use-after-free on address 0x60800081a3a8 at pc 0x7fa5dcb48b30 bp 0x7fa5d1d2a950 sp 0x7fa5d1d2a948
READ of size 4 at 0x60800081a3a8 thread T23 (IPDL Background)
#0 0x7fa5dcb48b2f in Id /home/fuzzer/dev/firefox/dist/include/mozilla/ipc/ProtocolUtils.h:230:31
#1 0x7fa5dcb48b2f in mozilla::dom::cache::PCacheStreamControlParent::SendCloseAll() /home/fuzzer/dev/firefox/ipc/ipdl/PCacheStreamControlParent.cpp:75:61
#2 0x7fa5e0be61f2 in mozilla::dom::cache::Context::CancelAll() /home/fuzzer/dev/src/dom/cache/Context.cpp:819:23
#3 0x7fa5e0c1c78d in Abort /home/fuzzer/dev/src/dom/cache/Manager.cpp:1930:12
#4 0x7fa5e0c1c78d in mozilla::dom::cache::Manager::Factory::Abort(nsTSubstring<char> const&) /home/fuzzer/dev/src/dom/cache/Manager.cpp:292:20
#5 0x7fa5e236f38c in mozilla::dom::quota::QuotaManager::OpenDirectoryInternal(mozilla::dom::Nullable<mozilla::dom::quota::PersistenceType> const&, mozilla::dom::quota::OriginScope const&, mozilla::dom::Nullable<mozilla::dom::quota::Client::Type> const&, bool, mozilla::dom::quota::OpenDirectoryListener*) /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp:6705:25
#6 0x7fa5e2393047 in mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run() /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp
#7 0x7fa5e239c251 in RunImmediately /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp:1260:5
#8 0x7fa5e239c251 in mozilla::dom::quota::(anonymous namespace)::Quota::RecvPQuotaRequestConstructor(mozilla::dom::quota::PQuotaRequestParent*, mozilla::dom::quota::RequestParams const&) /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp:8765:7
#9 0x7fa5dc788d12 in mozilla::dom::quota::PQuotaParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/dev/firefox/ipc/ipdl/PQuotaParent.cpp:350:28
#10 0x7fa5dca4bb21 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/dev/firefox/ipc/ipdl/PBackgroundParent.cpp:3522:32
#11 0x7fa5dc198c26 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:2215:25
#12 0x7fa5dc195413 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:2137:9
#13 0x7fa5dc196cd9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:1976:3
#14 0x7fa5dc197297 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:2007:13
#15 0x7fa5db08d320 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:1220:14
#16 0x7fa5db095fb1 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/dev/src/xpcom/threads/nsThreadUtils.cpp:486:10
#17 0x7fa5dc1a102a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/dev/src/ipc/glue/MessagePump.cpp:302:20
#18 0x7fa5dc0d42a2 in RunInternal /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:315:10
#19 0x7fa5dc0d42a2 in RunHandler /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:308:3
#20 0x7fa5dc0d42a2 in MessageLoop::Run() /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:290:3
#21 0x7fa5db087b51 in nsThread::ThreadFunc(void*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:464:10
#22 0x7fa5f05ef2e8 in _pt_root /home/fuzzer/dev/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#23 0x7fa5f3f05668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
#24 0x7fa5f3ac3322 in clone /build/glibc-4WA41p/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x60800081a3a8 is located 8 bytes inside of 96-byte region [0x60800081a3a0,0x60800081a400)
freed by thread T23 (IPDL Background) here:
#0 0x561c133c195d in free (/home/fuzzer/dev/firefox/dist/bin/firefox+0xb895d)
#1 0x7fa5dc12ce3b in mozilla::ipc::BackgroundParentImpl::DeallocPCacheStreamControlParent(mozilla::dom::cache::PCacheStreamControlParent*) /home/fuzzer/dev/src/ipc/glue/BackgroundParentImpl.cpp:956:3
#2 0x7fa5dc1a536f in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /home/fuzzer/dev/src/ipc/glue/ProtocolUtils.cpp:253:11
#3 0x7fa5dca48f7a in mozilla::ipc::PBackgroundParent::RemoveManagee(int, mozilla::ipc::IProtocol*) /home/fuzzer/dev/firefox/ipc/ipdl/PBackgroundParent.cpp
#4 0x7fa5dcb48f18 in mozilla::dom::cache::PCacheStreamControlParent::Send__delete__(mozilla::dom::cache::PCacheStreamControlParent*) /home/fuzzer/dev/firefox/ipc/ipdl/PCacheStreamControlParent.cpp:125:10
#5 0x7fa5e0c271f3 in NoteClosed /home/fuzzer/dev/src/dom/cache/StreamControl.cpp:29:3
#6 0x7fa5e0c271f3 in NoteClosedOnOwningThread /home/fuzzer/dev/src/dom/cache/ReadStream.cpp:399:13
#7 0x7fa5e0c271f3 in mozilla::dom::cache::ReadStream::Inner::NoteClosed() /home/fuzzer/dev/src/dom/cache/ReadStream.cpp:363:5
#8 0x7fa5e0c29f10 in mozilla::dom::cache::StreamControl::CloseAllReadStreams() /home/fuzzer/dev/src/dom/cache/StreamControl.cpp:63:21
#9 0x7fa5e0be07b1 in NotifyCloseAll /home/fuzzer/dev/src/dom/cache/CacheStreamControlParent.cpp:163:3
#10 0x7fa5e0be07b1 in mozilla::dom::cache::CacheStreamControlParent::CloseAll() /home/fuzzer/dev/src/dom/cache/CacheStreamControlParent.cpp:143:3
#11 0x7fa5e0be61f2 in mozilla::dom::cache::Context::CancelAll() /home/fuzzer/dev/src/dom/cache/Context.cpp:819:23
#12 0x7fa5e0c1c78d in Abort /home/fuzzer/dev/src/dom/cache/Manager.cpp:1930:12
#13 0x7fa5e0c1c78d in mozilla::dom::cache::Manager::Factory::Abort(nsTSubstring<char> const&) /home/fuzzer/dev/src/dom/cache/Manager.cpp:292:20
#14 0x7fa5e236f38c in mozilla::dom::quota::QuotaManager::OpenDirectoryInternal(mozilla::dom::Nullable<mozilla::dom::quota::PersistenceType> const&, mozilla::dom::quota::OriginScope const&, mozilla::dom::Nullable<mozilla::dom::quota::Client::Type> const&, bool, mozilla::dom::quota::OpenDirectoryListener*) /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp:6705:25
#15 0x7fa5e2393047 in mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run() /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp
#16 0x7fa5e239c251 in RunImmediately /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp:1260:5
#17 0x7fa5e239c251 in mozilla::dom::quota::(anonymous namespace)::Quota::RecvPQuotaRequestConstructor(mozilla::dom::quota::PQuotaRequestParent*, mozilla::dom::quota::RequestParams const&) /home/fuzzer/dev/src/dom/quota/ActorsParent.cpp:8765:7
#18 0x7fa5dc788d12 in mozilla::dom::quota::PQuotaParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/dev/firefox/ipc/ipdl/PQuotaParent.cpp:350:28
#19 0x7fa5dca4bb21 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/dev/firefox/ipc/ipdl/PBackgroundParent.cpp:3522:32
#20 0x7fa5dc198c26 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:2215:25
#21 0x7fa5dc195413 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:2137:9
#22 0x7fa5dc196cd9 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:1976:3
#23 0x7fa5dc197297 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/fuzzer/dev/src/ipc/glue/MessageChannel.cpp:2007:13
#24 0x7fa5db08d320 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:1220:14
#25 0x7fa5db095fb1 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/dev/src/xpcom/threads/nsThreadUtils.cpp:486:10
#26 0x7fa5dc1a102a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/dev/src/ipc/glue/MessagePump.cpp:302:20
#27 0x7fa5dc0d42a2 in RunInternal /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:315:10
#28 0x7fa5dc0d42a2 in RunHandler /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:308:3
#29 0x7fa5dc0d42a2 in MessageLoop::Run() /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:290:3
#30 0x7fa5db087b51 in nsThread::ThreadFunc(void*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:464:10
#31 0x7fa5f05ef2e8 in _pt_root /home/fuzzer/dev/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#32 0x7fa5f3f05668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
previously allocated by thread T23 (IPDL Background) here:
#0 0x561c133c1bdd in malloc (/home/fuzzer/dev/firefox/dist/bin/firefox+0xb8bdd)
#1 0x561c133f6e8d in moz_xmalloc /home/fuzzer/dev/src/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7fa5e0bc5c90 in operator new /home/fuzzer/dev/firefox/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7fa5e0bc5c90 in mozilla::dom::cache::AutoParentOpResult::SerializeReadStream(nsID const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheReadStream*) /home/fuzzer/dev/src/dom/cache/AutoUtils.cpp:497:13
#4 0x7fa5e0bc507b in mozilla::dom::cache::AutoParentOpResult::SerializeResponseBody(mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheResponse*) /home/fuzzer/dev/src/dom/cache/AutoUtils.cpp:481:3
#5 0x7fa5e0bd56f0 in mozilla::dom::cache::CacheOpParent::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, long, nsTArray<mozilla::dom::cache::SavedResponse> const&, nsTArray<mozilla::dom::cache::SavedRequest> const&, mozilla::dom::cache::StreamList*) /home/fuzzer/dev/src/dom/cache/CacheOpParent.cpp:174:12
#6 0x7fa5e0c1ab93 in mozilla::dom::cache::Manager::Listener::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*) /home/fuzzer/dev/src/dom/cache/Manager.cpp:1497:3
#7 0x7fa5e0c3903b in mozilla::dom::cache::Manager::CacheMatchAction::Complete(mozilla::dom::cache::Manager::Listener*, mozilla::ErrorResult&&) /home/fuzzer/dev/src/dom/cache/Manager.cpp:557:18
#8 0x7fa5e0c385c2 in mozilla::dom::cache::Manager::BaseAction::CompleteOnInitiatingThread(nsresult) /home/fuzzer/dev/src/dom/cache/Manager.cpp:436:7
#9 0x7fa5e0be45f1 in mozilla::dom::cache::Context::ActionRunnable::Run() /home/fuzzer/dev/src/dom/cache/Context.cpp:650:16
#10 0x7fa5db08d320 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:1220:14
#11 0x7fa5db095fb1 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/dev/src/xpcom/threads/nsThreadUtils.cpp:486:10
#12 0x7fa5dc1a1173 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/dev/src/ipc/glue/MessagePump.cpp:332:5
#13 0x7fa5dc0d42a2 in RunInternal /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:315:10
#14 0x7fa5dc0d42a2 in RunHandler /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:308:3
#15 0x7fa5dc0d42a2 in MessageLoop::Run() /home/fuzzer/dev/src/ipc/chromium/src/base/message_loop.cc:290:3
#16 0x7fa5db087b51 in nsThread::ThreadFunc(void*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:464:10
#17 0x7fa5f05ef2e8 in _pt_root /home/fuzzer/dev/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#18 0x7fa5f3f05668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
Thread T23 (IPDL Background) created by T0 here:
#0 0x561c133ac36a in pthread_create (/home/fuzzer/dev/firefox/dist/bin/firefox+0xa336a)
#1 0x7fa5f05dd6d3 in _PR_CreateThread /home/fuzzer/dev/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7fa5f05c770e in PR_CreateThread /home/fuzzer/dev/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7fa5db089e52 in nsThread::Init(nsTSubstring<char> const&) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:670:8
#4 0x7fa5db0951b1 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /home/fuzzer/dev/src/xpcom/threads/nsThreadManager.cpp:621:12
#5 0x7fa5db098943 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /home/fuzzer/dev/src/xpcom/threads/nsThreadUtils.cpp:139:57
#6 0x7fa5dc16038c in NS_NewNamedThread<16> /home/fuzzer/dev/firefox/dist/include/nsThreadUtils.h:69:10
#7 0x7fa5dc16038c in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /home/fuzzer/dev/src/ipc/glue/BackgroundImpl.cpp:943:7
#8 0x7fa5dc16484c in RunOnMainThread /home/fuzzer/dev/src/ipc/glue/BackgroundImpl.cpp:1243:30
#9 0x7fa5dc16484c in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /home/fuzzer/dev/src/ipc/glue/BackgroundImpl.cpp:1262:17
#10 0x7fa5db08d320 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/dev/src/xpcom/threads/nsThread.cpp:1220:14
#11 0x7fa5db095fb1 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/dev/src/xpcom/threads/nsThreadUtils.cpp:486:10
#12 0x7fa5db09588c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /home/fuzzer/dev/src/xpcom/threads/nsThreadManager.cpp:694:36)> /home/fuzzer/dev/firefox/dist/include/nsThreadUtils.h:346:25
#13 0x7fa5db09588c in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) /home/fuzzer/dev/src/xpcom/threads/nsThreadManager.cpp:694:8
#14 0x7fa5db0c2921 in NS_InvokeByIndex /home/fuzzer/dev/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#15 0x7fa5dcd2a144 in Invoke /home/fuzzer/dev/src/js/xpconnect/src/XPCWrappedNative.cpp:1643:10
#16 0x7fa5dcd2a144 in Call /home/fuzzer/dev/src/js/xpconnect/src/XPCWrappedNative.cpp:1184:19
#17 0x7fa5dcd2a144 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/fuzzer/dev/src/js/xpconnect/src/XPCWrappedNative.cpp:1150:23
#18 0x7fa5dcd30241 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/fuzzer/dev/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
#19 0x7fa5e72b68d8 in CallJSNative /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:470:13
#20 0x7fa5e72b68d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:562:12
#21 0x7fa5e72a0131 in CallFromStack /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:629:10
#22 0x7fa5e72a0131 in Interpret(JSContext*, js::RunState&) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:3042:16
#23 0x7fa5e728437b in js::RunScript(JSContext*, js::RunState&) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:442:10
#24 0x7fa5e72b7151 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:597:13
#25 0x7fa5e72b8cb9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:642:8
#26 0x7fa5e7807338 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /home/fuzzer/dev/src/js/src/vm/JSFunction.cpp:1224:10
#27 0x7fa5e72b68d8 in CallJSNative /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:470:13
#28 0x7fa5e72b68d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:562:12
#29 0x7fa5e72a0131 in CallFromStack /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:629:10
#30 0x7fa5e72a0131 in Interpret(JSContext*, js::RunState&) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:3042:16
#31 0x7fa5e728437b in js::RunScript(JSContext*, js::RunState&) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:442:10
#32 0x7fa5e72b7151 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:597:13
#33 0x7fa5e72b8cb9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/fuzzer/dev/src/js/src/vm/Interpreter.cpp:642:8
#34 0x7fa5e7438c60 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/fuzzer/dev/src/js/src/jsapi.cpp:2734:10
#35 0x7fa5dcd1a899 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /home/fuzzer/dev/src/js/xpconnect/src/XPCWrappedJSClass.cpp:959:17
#36 0x7fa5db0c3fb1 in PrepareAndDispatch /home/fuzzer/dev/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
#37 0x7fa5db0c2eba in SharedStub (/home/fuzzer/dev/firefox/dist/bin/libxul.so+0x2090eba)
#38 0x7fa5e70671f7 in nsXREDirProvider::DoStartup() /home/fuzzer/dev/src/toolkit/xre/nsXREDirProvider.cpp:957:11
#39 0x7fa5e7048487 in XREMain::XRE_mainRun() /home/fuzzer/dev/src/toolkit/xre/nsAppRunner.cpp:4359:16
#40 0x7fa5e704adae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/fuzzer/dev/src/toolkit/xre/nsAppRunner.cpp:4701:8
#41 0x7fa5e704bcc0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/fuzzer/dev/src/toolkit/xre/nsAppRunner.cpp:4752:21
#42 0x561c133f448c in do_main /home/fuzzer/dev/src/browser/app/nsBrowserApp.cpp:217:22
#43 0x561c133f448c in main /home/fuzzer/dev/src/browser/app/nsBrowserApp.cpp:331:16
#44 0x7fa5f39c81e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzzer/dev/firefox/dist/include/mozilla/ipc/ProtocolUtils.h:230:31 in Id
Shadow bytes around the buggy address:
0x0c10800fb420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fb430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fb440: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c10800fb450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fb460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c10800fb470: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c10800fb480: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c10800fb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fb4a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c10800fb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c10800fb4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==7356==ABORTING
Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=27.9675) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error
|
||
Updated•5 years ago
|
Group: firefox-core-security → dom-core-security
Component: Untriaged → Storage: Quota Manager
Keywords: csectype-uaf,
sec-high
Product: Firefox → Core
|
||
Comment 1•5 years ago
|
||
Looks like it's a different issue from Bug 1610880.
It's an issue on DOM Cache itself and it seems that it's double free.
Component: Storage: Quota Manager → Storage: Cache API
|
|
||
Comment 2•5 years ago
|
||
Francisco, do you have STR so that we can easily create a test to verify once we fix this?
Flags: needinfo?(rs)
|
||
Updated•5 years ago
|
Priority: -- → P1
|
Reporter | |
Comment 3•5 years ago
|
||
Right now I don’t have reproducer. If it’s a double free then it looks pretty bad.
|
|
Reporter | |
Updated•5 years ago
|
Flags: needinfo?(rs)
|
|
||
Updated•5 years ago
|
Assignee: nobody → ttung
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
||
Comment 4•5 years ago
|
||
Francisco, is this something you're seeing in the wild?
Flags: needinfo?(rs)
|
|
Reporter | |
Comment 5•5 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #4)
Francisco, is this something you're seeing in the wild?
Yes, but I assumed wrongly it was fixed a previous release (and reviewing logs I saw that it had happened again). Please take the necessary considerations as the other bug that I have open.
Do you know since which version is affected? Is it recent like the previous one?
Flags: needinfo?(rs)
|
||
Updated•5 years ago
|
Keywords: sec-high → sec-critical
|
||
Updated•5 years ago
|
status-firefox74:
--- → affected
status-firefox75:
--- → affected
status-firefox76:
--- → affected
status-firefox-esr68:
--- → ?
tracking-firefox74:
--- → +
tracking-firefox75:
--- → +
tracking-firefox76:
--- → +
|
|
||
Updated•5 years ago
|
tracking-firefox-esr68:
--- → 75+
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
Assignee: ttung → bugmail
|
Assignee | |
Comment 6•5 years ago
|
||
|
||
Comment 7•5 years ago
|
||
Comment on attachment 9137897 [details]
Bug 1626728 - Normalize shutdown. r=perry
Not sure what we're waiting for here, but you have sec-approval to land it when it's ready. Don't land the test you're working on until after we ship, please.
Attachment #9137897 -
Flags: sec-approval+
|
|
Assignee | |
Comment 8•5 years ago
|
||
Comment on attachment 9137897 [details]
Bug 1626728 - Normalize shutdown. r=perry
Beta/Release Uplift Approval Request
- User impact if declined: Crashes.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Reasonably straightforward move of shutdown code. Tests will catch it real quick.
- String changes made/needed: none
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: (sec-bug)
- User impact if declined: Crashes.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Reasonably straightforward move of shutdown code. Tests will catch it real quick.
- String or UUID changes made by this patch: none
Attachment #9137897 -
Flags: approval-mozilla-release?
Attachment #9137897 -
Flags: approval-mozilla-esr68?
Attachment #9137897 -
Flags: approval-mozilla-beta?
|
|
||
Comment 9•5 years ago
|
||
Comment on attachment 9137897 [details]
Bug 1626728 - Normalize shutdown. r=perry
Approved for all the things.
Attachment #9137897 -
Flags: approval-mozilla-release?
Attachment #9137897 -
Flags: approval-mozilla-release+
Attachment #9137897 -
Flags: approval-mozilla-esr68?
Attachment #9137897 -
Flags: approval-mozilla-esr68+
Attachment #9137897 -
Flags: approval-mozilla-beta?
Attachment #9137897 -
Flags: approval-mozilla-beta+
|
|
||
Comment 10•5 years ago
|
||
| uplift | ||
https://hg.mozilla.org/mozilla-central/rev/b7170a7eaacb354090144be20ab92672e91a8a79
https://hg.mozilla.org/releases/mozilla-beta/rev/1036ae72b56eb85f57ab8f862dad10708f6d894e
https://hg.mozilla.org/releases/mozilla-release/rev/70743aa8b7b63b07c0f9fe38db77e2f997eb49eb (default - 75rc)
https://hg.mozilla.org/releases/mozilla-release/rev/a3ad5b3c6671398bcc9d08cecda0df64d8b3a488 (FIREFOX_74_0_X_RELBRANCH - 74.0.1)
https://hg.mozilla.org/releases/mozilla-esr68/rev/a3dd5ee8c5f25e3d2b068b1d9accee3a22f7d971 (default - 68.7rc)
https://hg.mozilla.org/releases/mozilla-esr68/rev/48349d4b20773c8a197810cf339f296dac496547 (FIREFOX_ESR_68_6_X_RELBRANCH - 68.6.1esr)
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
|
||
Comment 11•5 years ago
|
||
Backed out for assertion failures. Failure log:
https://treeherder.mozilla.org/logviewer.html#?job_id=296050163&repo=mozilla-central
https://hg.mozilla.org/mozilla-central/rev/ecaceb8b82959de97b832ac4548f8dcd49796ef7
https://hg.mozilla.org/releases/mozilla-beta/rev/eb1f8bc1622dd41183ef8995cd1d9f2e300d9db7
https://hg.mozilla.org/releases/mozilla-release/rev/58224a758c40251a138ca485446bd028933e0c9e (default)
https://hg.mozilla.org/releases/mozilla-release/rev/f192f2df04f6781b349f3465fdc6936dbf8b0f32 (FIREFOX_74_0_X_RELBRANCH)
https://hg.mozilla.org/releases/mozilla-esr68/rev/0ced814f5aebd874996fb31fd95423f132c3eb33 (default)
https://hg.mozilla.org/releases/mozilla-esr68/rev/8447d31cf5a55f81a8697baa9a73d05e37f28143 (FIREFOX_ESR_68_6_X_RELBRANCH)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Updated•5 years ago
|
Status: REOPENED → ASSIGNED
Target Milestone: mozilla76 → ---
|
|
Assignee | |
Comment 12•5 years ago
|
||
This was the best progress of my attempts to reproduce the crasher observed in the report. A pernosco trace of a run with this is at:
https://pernos.co/debug/v9umy5cl-WNOgZvyl36Fsg/index.html
The test was a little spammy to try and make sure that we had streams alive during the transition when clear-site-data was running, so it's not really great.
A less spammy pernosco trace for a version of the test that didn't work at all, but has less stuff going on is:
https://pernos.co/debug/J6kE03rCtZbBYPyPfq3CrQ/index.html
- In this trace, the original test is mainly running intact with Cache API stuff added, but accidentally disabled. The cache API activity observed is specific to the service worker being loaded by the scriptloader from the SW's (chrome-namespace) cache storage.
|
|
Assignee | |
Comment 13•5 years ago
|
||
The interesting lines are:
2:41.82 pid:9574 !!!!! initiating clear-site-data invocation
2:45.42 pid:9574 !!!!! clear-site-data completed
|
|
||
Comment 14•5 years ago
|
||
| uplift | ||
https://hg.mozilla.org/mozilla-central/rev/6639deb894172375b05d6791f5f8c7d53ca79723
https://hg.mozilla.org/releases/mozilla-beta/rev/73e370ab953934f942a489b21b41d36297e6cdf8
https://hg.mozilla.org/releases/mozilla-release/rev/31422fcc61f28c91f62023ebba8ef279776b4e27 (default)
https://hg.mozilla.org/releases/mozilla-release/rev/63afe468c6a580c6c01623fd60c8393fc2c2a4e0 (FIREFOX_74_0_X_RELBRANCH)
https://hg.mozilla.org/releases/mozilla-esr68/rev/3353f680e068e3a5c21263a909382557c6bb4397 (default)
https://hg.mozilla.org/releases/mozilla-esr68/rev/34be991778717f46f759eed8f85233bfa8032a8b (FIREFOX_ESR_68_6_X_RELBRANCH)
Status: ASSIGNED → RESOLVED
Closed: 5 years ago → 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
|
||
Updated•5 years ago
|
Flags: sec-bounty?
|
|
||
Comment 15•5 years ago
|
||
I didn't proceed with this much further today.
CacheStreamControlParent::CloseAll
- NotifyCloseAll [1]
- StreamControl::CloseAllReadStreams() [1a]
- ReadStream::Inner::CloseStream() [1b]
- ReadStream::Inner::NoteClosed
if owning thread : StreamControl::NoteClosed
- Unused << SendCloseAll() [2]
Here is what I found out:
- We can use QMS:Clear*Request to replace clear-site-data if we just want to write a test for reproducing
- Using
cache.matchand a clear request in QMS, I can ensure the test run [1] [1a] [2] (and the deletion always happen in [2]). The problem for me is that in [1a], themReadStreamListis always empty. Which means I couldn't make it run into [1b]
Checking when do we increase and decrease the member of mReadStreamList, I found:
They look like it's a sync call and thus I stuck on finding a way to insert an Abort between increasing and decreasing. If I can do that, then I believe I can write a test to reproduce the issue.
|
|
||
Updated•5 years ago
|
Alias: CVE-2020-6820
|
|
Reporter | |
Comment 17•5 years ago
|
||
I don't have access to bug 1600570 marked as duplicated. Is it possible to have access?
|
|
||
Comment 18•5 years ago
|
||
Francisco: We had a backlog entry to rewrite StreamList::Close. This bug supersedes that backlog item.
|
|
Reporter | |
Comment 19•5 years ago
|
||
(In reply to Frederik Braun [:freddy] from comment #18)
Francisco: We had a backlog entry to rewrite
StreamList::Close. This bug supersedes that backlog item.
Roger that, thank you very much for clarifying!
|
|
||
Updated•4 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•4 years ago
|
Group: core-security-release
|
|
||
Comment 20•4 years ago
|
||
Google Project Zero root cause analysis: https://googleprojectzero.blogspot.com/p/rca-cve-2020-6820.html
|
||
Updated•5 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•