Closed Bug 1123021 Opened 10 years ago Closed 10 years ago

Use After Free in WebSocketChannelChild::OnStart()

Categories

(Core :: DOM: Workers, defect)

Version: 37 Branch
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
mozilla38
Tracking Status
firefox35 --- unaffected
firefox36 --- unaffected
firefox37 + fixed
firefox38 --- fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: loobenyang, Assigned: baku)

Details

(Keywords: csectype-uaf, sec-critical)

Attachments

(2 files)

Attached file wsserver_uaf240.js (deleted) —
Steps to reproduce:

On the client side, initiate web sockets with protocol "wsm1-protocol" in web workers. On the server side, it accepts web sockets with protocol "wsm1-protocol". Client-side and server-side code have been combined in a single Node.js source file wsserver_uaf240.js, which needs to run with the websocket module.

Firefox Version: 38.0a1 (2015-01-16)
Operating System: Ubuntu 14.04 LTS 64bit

Actual results:

ASan reported Use After Free in WebSocketChannelChild::OnStart():

=================================================================
==5570==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002eb980 at pc 0x7f2631a6bc2f bp 0x7f26126f7940 sp 0x7f26126f7938
READ of size 8 at 0x6110002eb980 thread T21 (DOM Worker)
    #0 0x7f2631a6bc2e in mozilla::net::WebSocketChannelChild::OnStart(nsCString const&, nsCString const&, nsString const&, bool const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:202
    #1 0x7f2631a72383 in mozilla::net::WrappedChannelEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:105
    #2 0x7f2633436a88 in mozilla::dom::(anonymous namespace)::WorkerRunnableDispatcher::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:2565
    #3 0x7f2635df54ea in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:326
    #4 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #5 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #6 0x7f2635dd622d in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4408
    #7 0x7f2635d9c3ef in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2664
    #8 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #9 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #10 0x7f2631cd41f8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #11 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #12 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #13 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #14 0x7f26314437c5 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:356
    #15 0x7f263d270135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #16 0x7f263dac0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #17 0x7f262f15330c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6110002eb980 is located 0 bytes inside of 240-byte region [0x6110002eb980,0x6110002eba70)
freed by thread T0 (Web Content) here:
    #0 0x4721e1 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f2631a6931d in mozilla::net::WebSocketChannelChild::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:39
    #2 0x7f2631a8e589 in mozilla::net::NeckoChild::DeallocPWebSocketChild(mozilla::net::PWebSocketChild*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/ipc/NeckoChild.cpp:166
    #3 0x7f263243c578 in mozilla::net::PWebSocketChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PWebSocketChild.cpp:488
    #4 0x7f2631f4fd85 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:4792
    #5 0x7f2631ccbe31 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1218
    #6 0x7f2631ccbe31 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1145
    #7 0x7f2631cc1875 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1129
    #8 0x7f2631c7faa4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361
    #9 0x7f2631c7faa4 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:369
    #10 0x7f2631c80b57 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:447
    #11 0x7f2631cd3ab2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:233
    #12 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #13 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #14 0x7f2631cd3219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #15 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #16 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #17 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #18 0x7f263621d657 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #19 0x7f2637d87a52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #20 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #21 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #22 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #23 0x7f2637d87034 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #24 0x48a9f1 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #25 0x7f262f079ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 (Web Content) here:
    #0 0x4723e1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f263d8aacbd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:52
    #2 0x7f2631c291df in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/netwerk/build/../../dist/include/mozilla/mozalloc.h:209
    #3 0x7f2631c291df in WebSocketChannelConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/build/nsNetModule.cpp:295
    #4 0x7f2631c291df in mozilla::net::WebSocketChannelConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/build/nsNetModule.cpp:326
    #5 0x7f2631423f81 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/components/nsComponentManager.cpp:1199
    #6 0x7f2631496216 in CallCreateInstance /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:149
    #7 0x7f2631496216 in nsCreateInstanceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:197
    #8 0x7f263149295d in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:125
    #9 0x7f26333ceae1 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:621
    #10 0x7f26333ceae1 in mozilla::dom::WebSocketImpl::InitializeConnection() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1540
    #11 0x7f26333cb88f in mozilla::dom::WebSocketImpl::Init(JSContext*, nsIPrincipal*, nsAString_internal const&, nsTArray<nsString>&, nsACString_internal const&, unsigned int, mozilla::ErrorResult&, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1475
    #12 0x7f263343751a in InitWithWindow /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:1012
    #13 0x7f263343751a in mozilla::dom::(anonymous namespace)::InitRunnable::MainThreadRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/WebSocket.cpp:983
    #14 0x7f2635df6747 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:527
    #15 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #16 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #17 0x7f2631cd3219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #18 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #19 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #20 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #21 0x7f263621d657 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #22 0x7f2637d87a52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #23 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #24 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #25 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #26 0x7f2637d87034 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #27 0x48a9f1 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #28 0x7f262f079ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

Thread T21 (DOM Worker) created by T0 (Web Content) here:
    #0 0x45ec55 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f263d26cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f263d26c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f2631444cdb in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:467
    #4 0x7f2635dfb98a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f2635d7ba46 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1586
    #6 0x7f2635d79558 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1449
    #7 0x7f2635dd1d75 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::workers::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::LoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4024
    #8 0x7f2635dd1716 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:3960
    #9 0x7f2635dd1716 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:3901
    #10 0x7f2634c642cb in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:707
    #11 0x7f2639c8d999 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #12 0x7f2639c8d999 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:259
    #13 0x7f2639c8d999 in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:595
    #14 0x7f2639c7f2bd in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #15 0x7f2639c6323c in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #16 0x7f2639c8ed5f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:657
    #17 0x7f2639c8f314 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:693
    #18 0x7f26398ad122 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4431
    #19 0x7f26398ad8be in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4458
    #20 0x7f26398ad8be in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4513
    #21 0x7f26335d6240 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #22 0x7f26335d726b in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #23 0x7f26336682b4 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1144
    #24 0x7f26336659ce in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:974
    #25 0x7f263365faa7 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:782
    #26 0x7f263365b4fe in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:140
    #27 0x7f2632b253c4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:220
    #28 0x7f2632b253c4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:663
    #29 0x7f2632b23612 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488
    #30 0x7f2632b2a5cb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #31 0x7f2631446d34 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #32 0x7f26314a69fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7f2631cd3219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7f263621d657 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #38 0x7f2637d87a52 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #39 0x7f2631c7e62c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #40 0x7f2631c7e62c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #41 0x7f2631c7e62c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #42 0x7f2637d87034 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #43 0x48a9f1 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #44 0x7f262f079ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/protocol/websocket/WebSocketChannelChild.cpp:202 mozilla::net::WebSocketChannelChild::OnStart(nsCString const&, nsCString const&, nsString const&, bool const&)
Shadow bytes around the buggy address:
  0x0c22800556e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c22800556f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055700: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280055710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055720: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c2280055730:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c2280055750: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280055760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280055770: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c2280055780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzon
==5570==ABORTING
###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
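Added illustration of the interleaving the ASan report above records. This is example code written for this page; it is not Gecko code, not the reporter's wsserver_uaf240.js, and not the crash.patch fix, whose contents are not shown here. The free stack shows the main thread (T0) releasing the WebSocketChannelChild from DeallocPWebSocketChild when the parent's __delete__ arrives, while the read stack shows a WrappedChannelEvent already queued to the DOM worker thread (T21) calling OnStart() on the same object. The model below replays that order on two plain event queues with a stand-in ChannelChild type (assumed name, not the real class) and contrasts three ways the queued event can refer to the actor: a raw pointer, which dangles once the IPC layer frees the object; a strong reference, which keeps the object alive until the event has run; and a weak reference, which lets the event notice the teardown and drop itself. The live-actor registry exists only so the raw-pointer case can be observed without actually touching freed memory.

```cpp
// Added illustration for bug 1123021; not Gecko code and not the crash.patch fix.
// Models the ASan-observed order: main thread (T0) frees the IPC actor while an
// event already queued to the DOM worker thread (T21) still refers to it.
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>

// Stand-in for WebSocketChannelChild (assumed name). In the report its memory is
// released by the IPC layer: DeallocPWebSocketChild -> Release -> free.
struct ChannelChild {
    std::string protocol;
    int startsSeen = 0;
    explicit ChannelChild(std::string p) : protocol(std::move(p)) {}
    void OnStart(const std::string& negotiated) {  // OnStart() in the report
        protocol = negotiated;
        ++startsSeen;
    }
};

// Two event queues stand in for the two threads. Draining mainThread before
// workerThread reproduces the order ASan saw, deterministically, without threads.
using Queue = std::deque<std::function<void()>>;
static void Drain(Queue& q) {
    while (!q.empty()) {
        auto task = std::move(q.front());
        q.pop_front();
        task();
    }
}

// Addresses of actors currently alive. Consulted instead of dereferencing freed
// memory, which would be undefined behaviour in a demonstration.
static std::set<const ChannelChild*> gLiveActors;

struct Outcome {
    bool useAfterFree;  // the queued event reached an already-freed actor
    bool dropped;       // the queued event saw the actor was gone and bailed out
    int startsSeen;     // OnStart() calls that landed on a live actor
};

// Variant 1: the event carries only a raw pointer. After the main thread handles
// __delete__ and frees the actor, the pending worker-side event is dangling.
Outcome RunRawPointerVariant() {
    Queue mainThread, workerThread;
    Outcome out{false, false, 0};
    auto* child = new ChannelChild("wsm1-protocol");
    gLiveActors.insert(child);
    // OnStart arrives over IPC on the main thread and is re-dispatched to the
    // worker (WrappedChannelEvent in the report), holding a raw pointer.
    workerThread.push_back([child, &out] {
        if (gLiveActors.count(child) == 0) {
            out.useAfterFree = true;  // this is the read ASan flagged
            return;
        }
        child->OnStart("wsm1-protocol");
        out.startsSeen = child->startsSeen;
    });
    // Before the worker runs, __delete__ from the parent frees the actor.
    mainThread.push_back([child] { gLiveActors.erase(child); delete child; });
    Drain(mainThread);
    Drain(workerThread);
    return out;
}

// Variant 2: the event owns a strong reference. The IPC layer dropping its own
// reference on __delete__ cannot destroy the actor while the event is pending.
Outcome RunStrongRefVariant() {
    Queue mainThread, workerThread;
    Outcome out{false, false, 0};
    auto ipcRef = std::make_shared<ChannelChild>("wsm1-protocol");
    workerThread.push_back([eventRef = ipcRef, &out] {
        eventRef->OnStart("wsm1-protocol");
        out.startsSeen = eventRef->startsSeen;
    });
    mainThread.push_back([&ipcRef] { ipcRef.reset(); });  // only the IPC reference goes
    Drain(mainThread);
    Drain(workerThread);  // actor is destroyed here, after the last event that needs it
    return out;
}

// Variant 3: the event holds a weak reference and skips itself if the actor is
// already gone. Also memory-safe, but the OnStart notification is lost.
Outcome RunWeakRefVariant() {
    Queue mainThread, workerThread;
    Outcome out{false, false, 0};
    auto ipcRef = std::make_shared<ChannelChild>("wsm1-protocol");
    workerThread.push_back([weakRef = std::weak_ptr<ChannelChild>(ipcRef), &out] {
        auto strong = weakRef.lock();
        if (!strong) { out.dropped = true; return; }
        strong->OnStart("wsm1-protocol");
        out.startsSeen = strong->startsSeen;
    });
    mainThread.push_back([&ipcRef] { ipcRef.reset(); });
    Drain(mainThread);
    Drain(workerThread);
    return out;
}

int main() {
    Outcome raw = RunRawPointerVariant(), strong = RunStrongRefVariant(), weak = RunWeakRefVariant();
    std::printf("raw pointer: use-after-free=%d\n", raw.useAfterFree);
    std::printf("strong ref : use-after-free=%d starts=%d\n", strong.useAfterFree, strong.startsSeen);
    std::printf("weak ref   : dropped=%d starts=%d\n", weak.dropped, weak.startsSeen);
    return 0;
}
```

The point of the model is the ordering, not the patch: the page does not say which route crash.patch took, only that it adds a MaybeReleaseIPCObject helper next to the IPDL reference bookkeeping, so the strong- and weak-reference variants are shown as the two standard shapes a cross-thread event can take to survive an IPC-driven teardown.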
Assignee: nobody → amarchesini
Looks like the issue has been there since bug 537787.
Attached patch crash.patch (deleted) — Splinter Review
Attachment #8551361 - Flags: review?(bugs)
Comment on attachment 8551361 [details] [diff] [review]
crash.patch

Perhaps MaybeReleaseIPCObject could be declared close to the AddIPDLReference and ReleaseIPDLReference methods.
Attachment #8551361 - Flags: review?(bugs) → review+
Comment on attachment 8551361 [details] [diff] [review]
crash.patch

Forgot the sec-approval. But this patch is needed just for aurora... but sorry.

Approval Request Comment
[Feature/regressing bug #]: bug 537787
[User impact if declined]: a crash
[Describe test coverage new/current, TBPL]: none
[Risks and why]: I don't see big risks, this patch is very simple.
[String/UUID change made/needed]: none
Attachment #8551361 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Although bug 537787 landed in Firefox 7, this issue was only introduced in 37+ because of the introduction of web sockets in web workers. As this has already landed on 38, I think we should uplift after a couple of days on m-c.
[Tracking Requested - why for this release]: sec-critical
Flags: sec-bounty?
Attachment #8551361 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: sec-bounty? → sec-bounty+
Group: core-security