Closed Bug 1381312 Opened 7 years ago Closed 7 years ago

ASAN: heap-use-after-free (READ of size 49) in DuplicateString()

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED INCOMPLETE
Tracking Status
firefox56 --- affected

People

(Reporter: geeknik, Assigned: kmag)


While fuzzing ASan Nightly (20170713233213) with https://github.com/mwobensmith/tp_fuzz on Debian 8 x64, this UAF was triggered.

==11744==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000189a48 at pc 0x000000427f9f bp 0x7efd0d3b7610 sp 0x7efd0d3b6db8
READ of size 49 at 0x606000189a48 thread T11 (JS Helper)
    #0 0x427f9e in __interceptor_strlen /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:227 (discriminator 35)
    #1 0x7efd25f2d546 in DuplicateString /home/worker/workspace/build/src/js/src/jsstr.cpp:3845 (discriminator 1)
    #2 0x7efd25f272a8 in XDRScript<js::XDRMode::XDR_DECODE> /home/worker/workspace/build/src/js/src/jsscript.cpp:538 (discriminator 3)
    #3 0x7efd265af3e1 in codeScript /home/worker/workspace/build/src/js/src/vm/Xdr.cpp:177 (discriminator 4)
    #4 0x7efd26271e60 in parse /home/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:504 (discriminator 1)
    #5 0x7efd2627e788 in handleParseWorkload /home/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:1900
    #6 0x7efd2627bac7 in threadLoop /home/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:2163
    #7 0x7efd26285b75 in callMain<0> /home/worker/workspace/build/src/js/src/threading/Thread.h:234 (discriminator 1)
    #8 0x7efd367bc063 in start_thread /build/glibc-6V9RKT/glibc-2.19/nptl/pthread_create.c:309 (discriminator 2)
    #9 0x7efd358c362c in clone /build/glibc-6V9RKT/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x606000189a48 is located 8 bytes inside of 64-byte region [0x606000189a40,0x606000189a80)
freed by thread T0 here:
    #0 0x4bb69b in __interceptor_free _asan_rtl_ (discriminator 12)
    #1 0x7efd1bec5eeb in ~nsACString /home/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:347
    #2 0x7efd1a58d6bb in ~PLDHashTable /home/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:317
    #3 0x7efd1beaed78 in Clear /home/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:272
    #4 0x7efd1beb08b9 in Observe /home/worker/workspace/build/src/js/xpconnect/loader/ScriptPreloader.cpp:336
    #5 0x7efd1a5afcac in NotifyObservers /home/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:112 (discriminator 1)
    #6 0x7efd1a5b399e in NotifyObservers /home/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:295
    #7 0x7efd1a6f23bc in ShutdownXPCOM /home/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:879 (discriminator 2)
    #8 0x7efd24ecff47 in ~ScopedXPCOMStartup /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1466
    #9 0x7efd24ee30c1 in operator() /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:528 (discriminator 1)
    #10 0x7efd24ee440b in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4873 (discriminator 1)
    #11 0x4eb613 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236 (discriminator 1)
    #12 0x7efd357fcb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287

previously allocated by thread T0 here:
    #0 0x4bb9ec in __interceptor_malloc _asan_rtl_ (discriminator 12)
    #1 0x7efd1a4f234a in Alloc /home/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:242
    #2 0x7efd1a4e0687 in SetCapacity /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:699
    #3 0x7efd1a4dfab1 in SetCapacity /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:678
    #4 0x7efd1bec6877 in codeString /home/worker/workspace/build/src/js/xpconnect/loader/ScriptPreloader-inl.h:193
    #5 0x7efd1bec616c in Code<mozilla::loader::InputBuffer> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ScriptPreloader.h:218
    #6 0x7efd1beb24e5 in CachedScript /home/worker/workspace/build/src/js/xpconnect/loader/ScriptPreloader.cpp:972
    #7 0x7efd1bead708 in InitCache /home/worker/workspace/build/src/js/xpconnect/loader/ScriptPreloader.cpp:402
    #8 0x7efd1bead4a3 in GetSingleton /home/worker/workspace/build/src/js/xpconnect/loader/ScriptPreloader.cpp:92 (discriminator 5)
    #9 0x7efd1a6f1381 in NS_InitXPCOM2 /home/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:713
    #10 0x7efd24ee2fc9 in Initialize /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1526 (discriminator 1)
    #11 0x7efd24ee440b in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4873 (discriminator 1)
    #12 0x4eb613 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236 (discriminator 1)
    #13 0x7efd357fcb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287

Thread T11 (JS Helper) created by T0 here:
    #0 0x4a3dc6 in __interceptor_pthread_create _asan_rtl_ (discriminator 2)
    #1 0x7efd2601795d in create /home/worker/workspace/build/src/js/src/threading/posix/Thread.cpp:104 (discriminator 1)
    #2 0x7efd26275703 in init<void (&)(void *), js::HelperThread *> /home/worker/workspace/build/src/js/src/threading/Thread.h:117
    #3 0x7efd2626d346 in ensureInitialized /home/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:840 (discriminator 2)
    #4 0x7efd26325948 in init /home/worker/workspace/build/src/js/src/vm/Runtime.cpp:202 (discriminator 1)
    #5 0x7efd25d7f822 in NewContext /home/worker/workspace/build/src/js/src/jscntxt.cpp:161
    #6 0x7efd1a517189 in _ZN7mozilla23CycleCollectedJSContext10InitializeEP9JSRuntimejj /home/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:144
    #7 0x7efd1bf1d766 in Initialize /home/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:811
    #8 0x7efd1bf2d79f in NewXPCJSContext /home/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:949 (discriminator 1)
    #9 0x7efd1bfcab21 in nsXPConnect /home/worker/workspace/build/src/js/xpconnect/src/nsXPConnect.cpp:74 (discriminator 1)
    #10 0x7efd1bf5ef08 in _Z13xpcModuleCtorv /home/worker/workspace/build/src/js/xpconnect/src/XPCModule.cpp:13
    #11 0x7efd21d6de28 in Initialize /home/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:324
    #12 0x7efd1a65d988 in Load /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:779 (discriminator 1)
    #13 0x7efd1a65ee0d in CreateInstanceByContractID /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1099 (discriminator 2)
    #14 0x7efd1a65604b in GetServiceByContractID /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1458
    #15 0x7efd1a664dc1 in CallGetService /home/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67
    #16 0x7efd1a52ae83 in assign_from_gs_contractid /home/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:95
    #17 0x7efd1a6f137c in nsCOMPtr /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:890 (discriminator 1)
    #18 0x7efd24ee2fc9 in Initialize /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1526 (discriminator 1)
    #19 0x7efd24ee440b in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4873 (discriminator 1)
    #20 0x4eb613 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236 (discriminator 1)
    #21 0x7efd357fcb44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free (/home/geeknik/firefox/firefox+0x427f9e)
Shadow bytes around the buggy address:
  0x0c0c800292f0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80029300: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c80029310: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80029320: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80029330: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c80029340: fd fd fd fd fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x0c0c80029350: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80029360: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c80029370: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80029380: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c80029390: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11744==ABORTING
Group: core-security → javascript-core-security
Setting needinfo? from Shu-yu as a start.
Flags: needinfo?(shu)
Brian, you didn't by any chance capture the shavar response that caused this, did you?
Flags: needinfo?(geeknik)
No, and that's my fault, had a typo in a script and all that was captured was the ASan output.
Flags: needinfo?(geeknik)
It sounds like Shu may not have time to look at this soon. Maybe Kris has some ideas.

(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #2)
> Brian, you didn't by any chance capture the shavar response that caused
> this, did you?

This is related to how we cache and load chrome JS scripts, so I'd expect the fuzzer triggers this issue just from how it is opening and closing the browser, rather than some particular input it was feeding it.
Flags: needinfo?(kmaglione+bmo)
It looks like we're shutting down before startup is finished, and freeing script buffers before their decode tasks are done. Should be fairly simple to fix.
Assignee: nobody → kmaglione+bmo
Flags: needinfo?(kmaglione+bmo)
Flags: needinfo?(shu)
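The two stacks in the report and Kris's comment above describe the shape of the bug: the main thread (T0) clears the ScriptPreloader cache from its shutdown observer, freeing the nsCString buffers, while a JS helper thread (T11) is still inside an XDR decode whose DuplicateString() call runs strlen() over one of those buffers. The example below is added here and is neither Mozilla's code nor the fix that landed in bug 1382329 (which this page does not describe). It models the lifetime rule that removes the race: a buffer handed to an off-thread decode task is reference-counted, so shutdown can drop the cache's references without freeing anything a pending task still reads. All names (ScriptBuf, Preloader, preloader_shutdown, duplicate_string, live_bufs) are hypothetical stand-ins; the helper thread is modelled as an explicit task queue so the ordering is deterministic.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not Firefox's ScriptPreloader. The cache and every
 * pending decode task each own one reference to a script buffer. */
typedef struct {
    int refs;    /* one for the cache plus one per pending decode task */
    char *data;  /* NUL-terminated script text, owned by this buffer */
} ScriptBuf;

static int live_bufs = 0;  /* instrumentation: buffers currently allocated */

/* Stand-in for js DuplicateString(): strlen() over the source, then a copy.
 * In the report this strlen() is the read that landed in freed memory. */
static char *duplicate_string(const char *s) {
    size_t n = strlen(s);
    char *out = malloc(n + 1);
    memcpy(out, s, n + 1);
    return out;
}

static ScriptBuf *buf_new(const char *src) {
    ScriptBuf *b = malloc(sizeof *b);
    b->refs = 1;
    b->data = duplicate_string(src);
    live_bufs++;
    return b;
}

static void buf_ref(ScriptBuf *b) { b->refs++; }

static void buf_unref(ScriptBuf *b) {
    if (--b->refs == 0) {
        free(b->data);
        free(b);
        live_bufs--;
    }
}

typedef struct DecodeTask {
    ScriptBuf *buf;           /* the task owns one reference */
    struct DecodeTask *next;
} DecodeTask;

#define MAX_SCRIPTS 8

typedef struct {
    ScriptBuf *cache[MAX_SCRIPTS];
    int ncached;
    DecodeTask *pending;      /* FIFO of decodes the helper has not run yet */
} Preloader;

void preloader_init(Preloader *p) { memset(p, 0, sizeof *p); }

/* Add a script to the cache; returns its index or -1 when full. */
int preloader_cache(Preloader *p, const char *src) {
    if (p->ncached == MAX_SCRIPTS) return -1;
    p->cache[p->ncached] = buf_new(src);
    return p->ncached++;
}

/* Queue an off-thread decode. The task takes its own reference, which is
 * what keeps the buffer alive if shutdown runs before the task does. */
void preloader_enqueue_decode(Preloader *p, int idx) {
    DecodeTask *t = malloc(sizeof *t);
    t->buf = p->cache[idx];
    buf_ref(t->buf);
    t->next = NULL;
    DecodeTask **tail = &p->pending;
    while (*tail) tail = &(*tail)->next;
    *tail = t;
}

/* Helper-thread step: run the oldest pending decode. Returns a malloc'd copy
 * of the script (caller frees) or NULL if nothing is pending. Safe to call
 * after preloader_shutdown() because the task still holds its reference. */
char *preloader_run_one_task(Preloader *p) {
    DecodeTask *t = p->pending;
    if (!t) return NULL;
    p->pending = t->next;
    char *out = duplicate_string(t->buf->data);
    buf_unref(t->buf);
    free(t);
    return out;
}

/* Shutdown drops only the cache's references. A buffer with a pending task
 * survives until that task finishes instead of being freed out from under
 * the helper thread (the "freed by thread T0 ... ~nsACString" stack). */
void preloader_shutdown(Preloader *p) {
    for (int i = 0; i < p->ncached; i++) buf_unref(p->cache[i]);
    p->ncached = 0;
}

int preloader_live_buffers(void) { return live_bufs; }

int main(void) {
    Preloader p;
    preloader_init(&p);
    int a = preloader_cache(&p, "function a() {}");
    preloader_cache(&p, "function b() { return 1; }");
    preloader_enqueue_decode(&p, a);   /* decode still in flight... */
    preloader_shutdown(&p);            /* ...when shutdown arrives */
    char *out = preloader_run_one_task(&p);
    assert(out && strcmp(out, "function a() {}") == 0);
    free(out);
    assert(preloader_live_buffers() == 0);
    return 0;
}
```

The alternative design is to make shutdown wait for, or cancel, every outstanding decode task before the cache is cleared; either way the invariant is that no buffer is freed while a helper thread can still reach it. The check to keep in mind for this class of bug is exactly what the reporter's run shows: open and close the browser under an ASan build quickly enough that startup work is still queued, and look for a use stack on a helper thread paired with a free stack under ShutdownXPCOM on T0.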
Thanks, Kris. Something involving chrome JS caching when we shut down very soon after startup doesn't sound very exploitable, so I'll mark this sec-moderate.
Keywords: sec-moderate
Depends on: 1382329
Flags: sec-bounty?
Kris: do you think bug 1382329 is the fix for this, or is there more left to do?
Flags: needinfo?(kmaglione+bmo)
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: testcase-wanted
Resolution: --- → INCOMPLETE
Flags: sec-bounty? → sec-bounty-
Group: javascript-core-security