Closed Bug 848237 (CVE-2013-1679) Opened 12 years ago Closed 12 years ago

Heap-use-after-free in mozilla::plugins::child::_geturlnotify

Categories

(Core Graveyard :: Plug-ins, defect, P2)

defect

Tracking

(firefox20 wontfix, firefox21+ fixed, firefox22+ fixed, firefox23+ fixed, firefox-esr1721+ fixed, b2g1821+ fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 affected)

RESOLVED FIXED
mozilla23
Tracking Status
firefox20 --- wontfix
firefox21 + fixed
firefox22 + fixed
firefox23 + fixed
firefox-esr17 21+ fixed
b2g18 21+ fixed
b2g18-v1.0.0 --- wontfix
b2g18-v1.0.1 --- affected

People

(Reporter: inferno, Assigned: gfritzsche)

References

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [qa-][adv-main21+][adv-esr1706+])

Attachments

(6 files, 1 obsolete file)

================================================================= ==24578== ERROR: AddressSanitizer: heap-use-after-free on address 0x600e0000f6a8 at pc 0x7fb7fe7fe517 bp 0x7fffb031f0f0 sp 0x7fffb031f0e8 WRITE of size 8 at 0x600e0000f6a8 thread T0 #0 0x7fb7fe7fe516 in mozilla::plugins::child::_geturlnotify(_NPP*, char const*, char const*, void*) src/../../../dist/include/mozilla/plugins/StreamNotifyChild.h:32 #1 0x7fb7ee257bea in #2 0x7fb7ee11e561 in #3 0x7fb7ee1564c2 in #4 0x7fb7ee0ba021 in #5 0x7fb7ee0ef4ea in #6 0x7fb7ee0efbd9 in #7 0x7fb7ee2ab585 in #8 0x7fb7ee254f54 in #9 0x7fb7f87a491a in #10 0x7fb7f87a3d52 in #11 0x7fb7f87a409f in #12 0x7fb7f87a4163 in #13 0x7fb7ff21004a in base::MessagePumpForUI::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpForUI::Dispatcher*) src/ipc/chromium/src/base/message_pump_glib.cc:195 #14 0x7fb7ff1d0b09 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:216 #15 0x7fb7fb8c9e89 in XRE_InitChildProcess src/toolkit/xre/nsEmbedFunctions.cpp:494 #16 0x42435d in main src/ipc/app/MozillaRuntimeMain.cpp:48 #17 0x7fb7f9f2976c in #18 0x424264 in 0x600e0000f6a8 is located 56 bytes inside of 72-byte region [0x600e0000f670,0x600e0000f6b8) freed by thread T0 here: #0 0x4180d2 in __interceptor_free #1 0x7fb7fe7e5ecc in mozilla::plugins::PluginInstanceChild::DeallocPStreamNotify(mozilla::plugins::PStreamNotifyChild*) src/dom/plugins/ipc/PluginInstanceChild.cpp:2406 #2 0x7fb7fe9bf9fb in mozilla::plugins::PPluginInstanceChild::CallPStreamNotifyConstructor(mozilla::plugins::PStreamNotifyChild*, nsCString const&, nsCString const&, bool const&, nsCString const&, bool const&, short*) src/objdir-ff-asan/ipc/ipdl/PPluginInstanceChild.cpp:821 #3 0x7fb7fe7fe37b in mozilla::plugins::child::_geturlnotify(_NPP*, char const*, char const*, void*) src/dom/plugins/ipc/PluginModuleChild.cpp:1055 #4 0x7fb7ee257bea in previously allocated by thread T0 here: #0 0x4181b2 in __interceptor_malloc #1 0x7fb80383e418 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54 #2 0x7fb7ee257bea in Shadow bytes around the buggy address: 0x0c023fff9e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c023fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c023fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c023fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c023fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd =>0x0c023fff9ed0: fd fd fd fd fd[fd]fd fa fa fa fa fa 00 00 00 00 0x0c023fff9ee0: 00 00 00 00 00 fa fa fa fa fa fd fd fd fd fd fd 0x0c023fff9ef0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c023fff9f00: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa 0x0c023fff9f10: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa 0x0c023fff9f20: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==24578== ABORTING
This bug doesn't have enough information to be usable. What plugin and URL were you testing with? Why is the stack from the invalid write completely missing frames 1-13?
Component: General → Plug-ins
Flags: needinfo?(inferno)
Product: Firefox → Core
Attached file Testcase Archive Part 1 (deleted) —
Flags: needinfo?(inferno)
Attached file Testcase Archive Part 2 (deleted) —
Missing frames are flash symbols that ASAN can't parse. Run the testcase using test.html in the archive. Attachment always get discarded at first because of the 4 mb limit, so i split :) #1 0x7ff00223cbea (/usr/lib/flashplugin-installer/libflashplayer.so+0x5ccbea) #2 0x7ff002103561 (/usr/lib/flashplugin-installer/libflashplayer.so+0x493561) #3 0x7ff00213b4c2 (/usr/lib/flashplugin-installer/libflashplayer.so+0x4cb4c2) #4 0x7ff00209f021 (/usr/lib/flashplugin-installer/libflashplayer.so+0x42f021) #5 0x7ff0020d44ea (/usr/lib/flashplugin-installer/libflashplayer.so+0x4644ea) #6 0x7ff0020d4bd9 (/usr/lib/flashplugin-installer/libflashplayer.so+0x464bd9) #7 0x7ff002290585 (/usr/lib/flashplugin-installer/libflashplayer.so+0x620585) #8 0x7ff002239f54 (/usr/lib/flashplugin-installer/libflashplayer.so+0x5c9f54) #9 0x7ff00c78991a (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x4891a) #10 0x7ff00c788d52 (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x47d52) #11 0x7ff00c78909f (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x4809f) #12 0x7ff00c789163 (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x48163)
You really don't need to include the bunny movie in a testcase. I can't get these two files to concatenate together to produce a valid zip file. Can you just provide the html and swf? These bugs as filed are really annoying. Can't you configure ASAN to provide deeper stacks? In particular, having just a few extra frames in the "previously freed by" and "previously allocated by" frames would be very helpful.
Attached file Testcase without bunny movie (deleted) —
I will be busy with pwn2own and pwnium this week, i will try it on valgrind over the weekend to see if i can get better unwinded stacks.
Jeromie, can you provide us with some assistance here? Perhaps help with FP symbols, eg how to obtain. Or, if someone can help us debug this on your end.
Matt, we really don't need Adobe symbols here (but we have them as breakpad .sym files in any case). We really just need stacks about 5 frames deeper (full stacks would be nice).
Hoping Abhishek can come through for us here with deeper stacks. Possibly requiring non-optimized asan builds?
Flags: needinfo?(inferno)
>I cannot get deeper stack in free and malloc stacks due to lack of adobe flash symbols and flash library not compiled with asan [change allocator to asan]. See last frame in free and malloc stacks, both are in libflashplayer.so. One interesting thing here is first there is a null crash, followed by the real flash oob write crash. the null crash is a frame poisoning crash, which i think we don't care. The problem with valgrind is it just kills itself on the first poisoning crash, so don't get info on the flash crash. > >ASAN:SIGSEGV >================================================================= >==9539==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000034 (pc 0x7fda59a2dfed sp 0x7fff47efbba0 bp 0x7fff47efc250 T0) >AddressSanitizer can not provide additional info. > #0 0x7fda59a2dfec (objdir-ff-asan-o1/toolkit/library/libxul.so+0x181ffec) > #1 0x7fda59a2f218 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1821218) > #2 0x7fda59c58ace (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1a4aace) > #3 0x7fda59c5ed37 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1a50d37) > #4 0x7fda59af81c0 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x18ea1c0) > #5 0x7fda59a81407 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1873407) > #6 0x7fda599e6cdb (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d8cdb) > #7 0x7fda599e5c62 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d7c62) > #8 0x7fda599e3a0b (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d5a0b) > #9 0x7fda599e0252 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d2252) > #10 0x7fda599db3ff (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17cd3ff) > #11 0x7fda599d8714 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17ca714) > #12 0x7fda599f2a64 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17e4a64) > #13 0x7fda599e2276 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d4276) > #14 0x7fda599e0225 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d2225) > #15 0x7fda599db3ff (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17cd3ff) > #16 0x7fda599d8714 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17ca714) > #17 0x7fda599f2a64 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17e4a64) > #18 0x7fda599e2276 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d4276) > #19 0x7fda599e0225 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17d2225) > #20 0x7fda599db3ff (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17cd3ff) > #21 0x7fda599d8714 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17ca714) > #22 0x7fda59a05b35 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17f7b35) > #23 0x7fda59a5cd8d (objdir-ff-asan-o1/toolkit/library/libxul.so+0x184ed8d) > #24 0x7fda59a05b35 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17f7b35) > #25 0x7fda59a416a3 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x18336a3) > #26 0x7fda59a42166 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1834166) > #27 0x7fda59a432d4 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x18352d4) > #28 0x7fda59a05b35 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x17f7b35) > #29 0x7fda59aedeb5 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x18dfeb5) > #30 0x7fda59964d8e (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1756d8e) > #31 0x7fda5996e617 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1760617) > #32 0x7fda5996dfc7 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x175ffc7) > #33 0x7fda5996d86b (objdir-ff-asan-o1/toolkit/library/libxul.so+0x175f86b) > #34 0x7fda59dba298 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1bac298) > #35 0x7fda59df65e0 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1be85e0) > #36 0x7fda59df658a (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1be858a) > #37 0x7fda59df69b6 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1be89b6) > #38 0x7fda59df73b7 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1be93b7) > #39 0x7fda59e09229 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1bfb229) > #40 0x7fda5b421cfb (objdir-ff-asan-o1/toolkit/library/libxul.so+0x3213cfb) > #41 0x7fda5b41f1d1 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x32111d1) > #42 0x7fda5c83f6da (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46316da) > #43 0x7fda5c765036 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4557036) > #44 0x7fda5c840084 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4632084) > #45 0x7fda5c840b6a (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4632b6a) > #46 0x7fda5c8af22e (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46a122e) > #47 0x7fda5ab13d38 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2905d38) > #48 0x7fda5c8c0e29 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46b2e29) > #49 0x7fda5c8c4255 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46b6255) > #50 0x7fda5c73d2ea (objdir-ff-asan-o1/toolkit/library/libxul.so+0x452f2ea) > #51 0x7fda5c844623 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4636623) > #52 0x7fda5c82f70a (objdir-ff-asan-o1/toolkit/library/libxul.so+0x462170a) > #53 0x7fda5c829827 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x461b827) > #54 0x7fda5c83f766 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4631766) > #55 0x7fda5c765036 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4557036) > #56 0x7fda5c840084 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4632084) > #57 0x7fda5c748c2d (objdir-ff-asan-o1/toolkit/library/libxul.so+0x453ac2d) > #58 0x7fda5a2172f1 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x20092f1) > #59 0x7fda5a22f6a0 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x20216a0) > #60 0x7fda5996de5d (objdir-ff-asan-o1/toolkit/library/libxul.so+0x175fe5d) > #61 0x7fda5996d86b (objdir-ff-asan-o1/toolkit/library/libxul.so+0x175f86b) > #62 0x7fda59dba298 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1bac298) > #63 0x7fda59df65e0 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1be85e0) > #64 0x7fda59df761c (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1be961c) > #65 0x7fda5b42608b (objdir-ff-asan-o1/toolkit/library/libxul.so+0x321808b) > #66 0x7fda5b4250c1 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x32170c1) > #67 0x7fda5c83f6da (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46316da) > #68 0x7fda5c8384bb (objdir-ff-asan-o1/toolkit/library/libxul.so+0x462a4bb) > #69 0x7fda5c829827 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x461b827) > #70 0x7fda5c83f766 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4631766) > #71 0x7fda5c765036 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4557036) > #72 0x7fda5c840084 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4632084) > #73 0x7fda5c8b0cf4 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46a2cf4) > #74 0x7fda5c99f43d (objdir-ff-asan-o1/toolkit/library/libxul.so+0x479143d) > #75 0x7fda5c8c226b (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46b426b) > #76 0x7fda5c8c5b2e (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46b7b2e) > #77 0x7fda5c83f8c2 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x46318c2) > #78 0x7fda5c765036 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4557036) > #79 0x7fda5c840084 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x4632084) > #80 0x7fda5c748c2d (objdir-ff-asan-o1/toolkit/library/libxul.so+0x453ac2d) > #81 0x7fda5b42d536 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x321f536) > #82 0x7fda5a3e10ba (objdir-ff-asan-o1/toolkit/library/libxul.so+0x21d30ba) > #83 0x7fda5a3e0647 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x21d2647) > #84 0x7fda5a223080 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2015080) > #85 0x7fda5a21d135 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x200f135) > #86 0x7fda59f460fe (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d380fe) > #87 0x7fda59f46633 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d38633) > #88 0x7fda59f82437 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d74437) > #89 0x7fda59f81b57 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d73b57) > #90 0x7fda59f83318 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d75318) > #91 0x7fda59f5e415 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d50415) > #92 0x7fda59f5eb8f (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d50b8f) > #93 0x7fda59f4ddb2 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d3fdb2) > #94 0x7fda59f4c7d8 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1d3e7d8) > #95 0x7fda5997c566 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x176e566) > #96 0x7fda5997b363 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x176d363) > #97 0x7fda5997a4c9 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x176c4c9) > #98 0x7fda5a265f2d (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2057f2d) > #99 0x7fda5996c3cf (objdir-ff-asan-o1/toolkit/library/libxul.so+0x175e3cf) > #100 0x7fda5997461c (objdir-ff-asan-o1/toolkit/library/libxul.so+0x176661c) > #101 0x7fda5998a07a (objdir-ff-asan-o1/toolkit/library/libxul.so+0x177c07a) > #102 0x7fda5998cdc6 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x177edc6) > #103 0x7fda5b78c835 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x357e835) > #104 0x7fda5b78cce0 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x357ece0) > #105 0x7fda5b7847b3 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x35767b3) > #106 0x7fda5b6ffdb9 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x34f1db9) > #107 0x7fda5b195436 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2f87436) > #108 0x7fda5b7f3278 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x35e5278) > #109 0x7fda5af983ec (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2d8a3ec) > #110 0x7fda5ac60512 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2a52512) > #111 0x7fda59291635 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1083635) > #112 0x7fda592924d8 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x10844d8) > #113 0x7fda59292cb9 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1084cb9) > #114 0x427e53 (objdir-ff-asan-o1/dist/bin/firefox-bin+0x427e53) > #115 0x4273b1 (objdir-ff-asan-o1/dist/bin/firefox-bin+0x4273b1) > #116 0x7fda622cb76c (/lib/x86_64-linux-gnu/libc-2.15.so+0x2176c) > #117 0x42714c (objdir-ff-asan-o1/dist/bin/firefox-bin+0x42714c) >==9539==ABORTING >WARNING: pipe error (3): Connection reset by peer: file ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 431 > >###!!! [Child][RPCChannel] Error: Channel error: cannot send/recv > >================================================================= >==9562==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000b8c8b8 at pc 0x7fc496c3333f bp 0x7ffffab597a0 sp 0x7ffffab59798 >WRITE of size 8 at 0x615000b8c8b8 thread T0 > #0 0x7fc496c3333e (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2f6433e) > #1 0x7fc496c2ecc4 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2f5fcc4) > #2 0x7fc485064c4a (/usr/lib/flashplugin-installer/libflashplayer.so+0x5ccc4a) > #3 0x7fc484f2b5a1 (/usr/lib/flashplugin-installer/libflashplayer.so+0x4935a1) > #4 0x7fc484f63522 (/usr/lib/flashplugin-installer/libflashplayer.so+0x4cb522) > #5 0x7fc484ec7061 (/usr/lib/flashplugin-installer/libflashplayer.so+0x42f061) > #6 0x7fc484efc52a (/usr/lib/flashplugin-installer/libflashplayer.so+0x46452a) > #7 0x7fc484efcc19 (/usr/lib/flashplugin-installer/libflashplayer.so+0x464c19) > #8 0x7fc4850b85f5 (/usr/lib/flashplugin-installer/libflashplayer.so+0x6205f5) > #9 0x7fc485061fb4 (/usr/lib/flashplugin-installer/libflashplayer.so+0x5c9fb4) > #10 0x7fc4918c791a (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x4891a) > #11 0x7fc4918c6d52 (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x47d52) > #12 0x7fc4918c709f (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x4809f) > #13 0x7fc4918c7163 (/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3+0x48163) > #14 0x7fc4972fc9ba (objdir-ff-asan-o1/toolkit/library/libxul.so+0x362d9ba) > #15 0x7fc4972b4278 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x35e5278) > #16 0x7fc494d62296 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x1093296) > #17 0x426c4d (objdir-ff-asan-o1/dist/bin/plugin-container+0x426c4d) > #18 0x7fc492f1b76c (/lib/x86_64-linux-gnu/libc-2.15.so+0x2176c) > #19 0x426b4c (objdir-ff-asan-o1/dist/bin/plugin-container+0x426b4c) >0x615000b8c8b8 is located 56 bytes inside of 72-byte region [0x615000b8c880,0x615000b8c8c8) >freed by thread T0 here: > #0 0x419262 (objdir-ff-asan-o1/dist/bin/plugin-container+0x419262) > #1 0x7fc496c1bf0c (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2f4cf0c) > #2 0x7fc496d7a771 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x30ab771) > #3 0x7fc496c2ec79 (objdir-ff-asan-o1/toolkit/library/libxul.so+0x2f5fc79) > #4 0x7fc485064c4a (/usr/lib/flashplugin-installer/libflashplayer.so+0x5ccc4a) >previously allocated by thread T0 here: > #0 0x419342 (objdir-ff-asan-o1/dist/bin/plugin-container+0x419342) > #1 0x7fc49b688547 (objdir-ff-asan-o1/memory/mozalloc/libmozalloc.so+0x1547) > #2 0x7fc485064c4a (/usr/lib/flashplugin-installer/libflashplayer.so+0x5ccc4a) >Shadow bytes around the buggy address: > 0x0c2a801698c0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa >=>0x0c2a80169910: fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa > 0x0c2a80169920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169960: 00 00 00 00 00 06 fa fa fa fa fa fa fa fa fa fa >Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap righ redzone: fb > Freed Heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > ASan internal: fe >==9562==ABORTING > >----------symbolized version---------- ><subprocess.Popen object at 0x7f4471dbdb10> >ASAN:SIGSEGV >================================================================= >==9886==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000034 (pc 0x7fe4977bafed sp 0x7fffc595d7a0 bp 0x7fffc595de50 T0) >AddressSanitizer can not provide additional info. > #0 0x7fe4977bafec in nsFrame::BoxReflow(nsBoxLayoutState&, nsPresContext*, nsHTMLReflowMetrics&, nsRenderingContext*, int, int, int, int, bool) src/layout/generic/nsFrame.cpp:8006 > #1 0x7fe4977bc218 in nsFrame::DoLayout(nsBoxLayoutState&) src/layout/generic/nsFrame.cpp:7771 > #2 0x7fe4979e5ace in nsIFrame::Layout(nsBoxLayoutState&) src/layout/xul/base/src/nsBox.cpp:510 > #3 0x7fe4979ebd37 in nsBoxFrame::LayoutChildAt(nsBoxLayoutState&, nsIFrame*, nsRect const&) src/layout/xul/base/src/nsBoxFrame.cpp:1913 > #4 0x7fe4978851c0 in nsVideoFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsVideoFrame.cpp:314 > #5 0x7fe49780e407 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) src/layout/generic/nsLineLayout.cpp:828 > #6 0x7fe497773cdb in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:3735 > #7 0x7fe497772c62 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3532 > #8 0x7fe497770a0b in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3386 > #9 0x7fe49776d252 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2525 > #10 0x7fe4977683ff in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2044 > #11 0x7fe497765714 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1067 > #12 0x7fe49777fa64 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:266 > #13 0x7fe49776f276 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3111 > #14 0x7fe49776d225 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2522 > #15 0x7fe4977683ff in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2044 > #16 0x7fe497765714 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1067 > #17 0x7fe49777fa64 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:266 > #18 0x7fe49776f276 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3111 > #19 0x7fe49776d225 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2522 > #20 0x7fe4977683ff in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:2044 > #21 0x7fe497765714 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1067 > #22 0x7fe497792b35 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:964 > #23 0x7fe4977e9d8d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsCanvasFrame.cpp:487 > #24 0x7fe497792b35 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:964 > #25 0x7fe4977ce6a3 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) src/layout/generic/nsGfxScrollFrame.cpp:430 > #26 0x7fe4977cf166 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) src/layout/generic/nsGfxScrollFrame.cpp:530 > #27 0x7fe4977d02d4 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsGfxScrollFrame.cpp:771 > #28 0x7fe497792b35 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:964 > #29 0x7fe49787aeb5 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsViewportFrame.cpp:200 > #30 0x7fe4976f1d8e in PresShell::DoReflow(nsIFrame*, bool) src/layout/base/nsPresShell.cpp:7827 > #31 0x7fe4976fb617 in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7968 > #32 0x7fe4976fafc7 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/nsPresShell.cpp:3932 > #33 0x7fe4976fa86b in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3778 > #34 0x7fe497b47298 in nsDocument::FlushPendingNotifications(mozFlushType) src/content/base/src/nsDocument.cpp:7003 > #35 0x7fe497b835e0 in mozilla::dom::Element::GetPrimaryFrame(mozFlushType) src/content/base/src/Element.cpp:1578 > #36 0x7fe497b8358a in mozilla::dom::Element::GetStyledFrame() src/content/base/src/Element.cpp:485 > #37 0x7fe497b839b6 in mozilla::dom::Element::GetScrollFrame(nsIFrame**) src/content/base/src/Element.cpp:526 > #38 0x7fe497b843b7 in mozilla::dom::Element::GetClientAreaRect() src/content/base/src/Element.cpp:636 > #39 0x7fe497b96229 in mozilla::dom::Element::ClientWidth() src/../../dist/include/mozilla/dom/Element.h:699 > #40 0x7fe4991aecfb in mozilla::dom::ElementBinding::get_clientWidth(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-o1/dom/bindings/ElementBinding.cpp:1597 > #41 0x7fe4991ac1d1 in mozilla::dom::ElementBinding::genericGetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-o1/dom/bindings/ElementBinding.cpp:2065 > #42 0x7fe49a5cc6da in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jscntxtinlines.h:338 > #43 0x7fe49a4f2036 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:135 > #44 0x7fe49a5cd084 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:431:10 > #45 0x7fe49a5cdb6a in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:504:23 > #46 0x7fe49a63c22e in js::BaseProxyHandler::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) src/js/src/jsproxy.cpp:163:51 > #47 0x7fe4988a0d38 in xpc::XrayWrapper<js::SecurityWrapper<js::CrossCompartmentWrapper>, xpc::DOMXrayTraits>::get(JSContext*, JSObject*, JSObject*, long, JS::Value*) src/js/xpconnect/wrappers/XrayWrapper.h:1750 > #48 0x7fe49a64de29 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsproxy.cpp:2476 > #49 0x7fe49a651255 in proxy_GetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsproxy.cpp:2807 > #50 0x7fe49a4ca2ea in JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:163 > #51 0x7fe49a5d1623 in js::GetPropertyOperation(JSContext*, JSScript*, unsigned char*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:292:14 > #52 0x7fe49a5bc70a in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2246 > #53 0x7fe49a5b6827 in js::RunScript(JSContext*, js::StackFrame*) src/js/src/jsinterp.cpp:341 > #54 0x7fe49a5cc766 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:398 > #55 0x7fe49a4f2036 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:135 > #56 0x7fe49a5cd084 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:431:10 > #57 0x7fe49a4d5c2d in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5764 > #58 0x7fe497fa42f1 in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*) src/content/xbl/src/nsXBLProtoImplMethod.cpp:335:49 > #59 0x7fe497fbc6a0 in nsBindingManager::ProcessAttachedQueue(unsigned int) src/content/xbl/src/nsBindingManager.cpp:969 > #60 0x7fe4976fae5d in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/nsPresShell.cpp:3907 > #61 0x7fe4976fa86b in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3778 > #62 0x7fe497b47298 in nsDocument::FlushPendingNotifications(mozFlushType) src/content/base/src/nsDocument.cpp:7003 > #63 0x7fe497b835e0 in mozilla::dom::Element::GetPrimaryFrame(mozFlushType) src/content/base/src/Element.cpp:1578 > #64 0x7fe497b8461c in mozilla::dom::Element::GetBoundingClientRect() src/content/base/src/Element.cpp:659 > #65 0x7fe4991b308b in mozilla::dom::ElementBinding::getBoundingClientRect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, unsigned int, JS::Value*) src/objdir-ff-asan-o1/dom/bindings/ElementBinding.cpp:1370 > #66 0x7fe4991b20c1 in mozilla::dom::ElementBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-o1/dom/bindings/ElementBinding.cpp:2033 > #67 0x7fe49a5cc6da in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jscntxtinlines.h:338 > #68 0x7fe49a5c54bb in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2396 > #69 0x7fe49a5b6827 in js::RunScript(JSContext*, js::StackFrame*) src/js/src/jsinterp.cpp:341 > #70 0x7fe49a5cc766 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:398 > #71 0x7fe49a4f2036 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:135 > #72 0x7fe49a5cd084 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:431:10 > #73 0x7fe49a63dcf4 in js::BaseProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:337 > #74 0x7fe49a72c43d in js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:480 > #75 0x7fe49a64f26b in js::Proxy::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:2602 > #76 0x7fe49a652b2e in proxy_Call(JSContext*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:3175 > #77 0x7fe49a5cc8c2 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jscntxtinlines.h:338 > #78 0x7fe49a4f2036 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:135 > #79 0x7fe49a5cd084 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:431:10 > #80 0x7fe49a4d5c2d in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5764 > #81 0x7fe4991ba536 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JSObject*, nsDOMEvent&, mozilla::ErrorResult&) src/objdir-ff-asan-o1/dom/bindings/EventHandlerBinding.cpp:51 > #82 0x7fe49816e0ba in JS::Value mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) src/../../../dist/include/mozilla/dom/EventHandlerBinding.h:59 > #83 0x7fe49816d647 in nsJSEventListener::HandleEvent(nsIDOMEvent*) src/dom/src/events/nsJSEventListener.cpp:249 > #84 0x7fe497fb0080 in nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventTarget*, nsIDOMEvent*) src/content/xbl/src/nsXBLPrototypeHandler.cpp:347 > #85 0x7fe497faa135 in nsXBLEventHandler::HandleEvent(nsIDOMEvent*) src/content/xbl/src/nsXBLEventHandler.cpp:47 > #86 0x7fe497cd30fe in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:927 > #87 0x7fe497cd3633 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:997 > #88 0x7fe497d0f437 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:200 > #89 0x7fe497d0eb57 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:349 > #90 0x7fe497d10318 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:631 > #91 0x7fe497ceb415 in nsEventStateManager::DispatchMouseEvent(nsGUIEvent*, unsigned int, nsIContent*, nsIContent*) src/content/events/src/nsEventStateManager.cpp:3953 > #92 0x7fe497cebb8f in nsEventStateManager::NotifyMouseOver(nsGUIEvent*, nsIContent*) src/content/events/src/nsEventStateManager.cpp:4129 > #93 0x7fe497cdadb2 in nsEventStateManager::GenerateMouseEnterExit(nsGUIEvent*) src/content/events/src/nsEventStateManager.cpp:4245 > #94 0x7fe497cd97d8 in nsEventStateManager::PreHandleEvent(nsPresContext*, nsEvent*, nsIFrame*, nsEventStatus*) src/content/events/src/nsEventStateManager.cpp:1042 > #95 0x7fe497709566 in PresShell::HandleEventInternal(nsEvent*, nsEventStatus*) src/layout/base/nsPresShell.cpp:6821 > #96 0x7fe497708363 in PresShell::HandlePositionedEvent(nsIFrame*, nsGUIEvent*, nsEventStatus*) src/layout/base/nsPresShell.cpp:6583 > #97 0x7fe4977074c9 in PresShell::HandleEvent(nsIFrame*, nsGUIEvent*, bool, nsEventStatus*) src/layout/base/nsPresShell.cpp:6382 > #98 0x7fe497ff2f2d in nsViewManager::DispatchEvent(nsGUIEvent*, nsView*, nsEventStatus*) src/view/src/nsViewManager.cpp:713 > #99 0x7fe4976f93cf in PresShell::DispatchSynthMouseMove(nsGUIEvent*, bool) src/layout/base/nsPresShell.cpp:3470 > #100 0x7fe49770161c in PresShell::ProcessSynthMouseMoveEvent(bool) src/layout/base/nsPresShell.cpp:5285 > #101 0x7fe49771707a in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:866 > #102 0x7fe497719dc6 in mozilla::RefreshDriverTimer::Tick() src/layout/base/nsRefreshDriver.cpp:156 > #103 0x7fe499519835 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:543 > #104 0x7fe499519ce0 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:630 > #105 0x7fe4995117b3 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627 > #106 0x7fe49948cdb9 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-o1/xpcom/build/nsThreadUtils.cpp:238 > #107 0x7fe498f22436 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82 > #108 0x7fe499580278 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:183 > #109 0x7fe498d253ec in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163 > #110 0x7fe4989ed512 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288 > #111 0x7fe49701e635 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3880 > #112 0x7fe49701f4d8 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3947 > #113 0x7fe49701fcb9 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4150 > #114 0x427e53 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:228 > #115 0x4273b1 in main src/browser/app/nsBrowserApp.cpp:529 > #116 0x7fe4a005876c in > #117 0x42714c in >==9886==ABORTING >WARNING: pipe error (3): Connection reset by peer: file src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 431 > >###!!! [Child][RPCChannel] Error: Channel error: cannot send/recv > >================================================================= >==9922==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000b8c638 at pc 0x7f1c4c72a33f bp 0x7fffab4e7400 sp 0x7fffab4e73f8 >WRITE of size 8 at 0x615000b8c638 thread T0 > #0 0x7f1c4c72a33e in mozilla::plugins::StreamNotifyChild::SetValid(void*) src/../../../dist/include/mozilla/plugins/StreamNotifyChild.h:32 > #1 0x7f1c4c725cc4 in mozilla::plugins::child::_geturlnotify(_NPP*, char const*, char const*, void*) src/dom/plugins/ipc/PluginModuleChild.cpp:1064 > #2 0x7f1c3ab5bc4a in > #3 0x7f1c3aa225a1 in > #4 0x7f1c3aa5a522 in > #5 0x7f1c3a9be061 in > #6 0x7f1c3a9f352a in > #7 0x7f1c3a9f3c19 in > #8 0x7f1c3abaf5f5 in > #9 0x7f1c3ab58fb4 in > #10 0x7f1c473be91a in > #11 0x7f1c473bdd52 in > #12 0x7f1c473be09f in > #13 0x7f1c473be163 in > #14 0x7f1c4cdf39ba in base::MessagePumpForUI::RunWithDispatcher(base::MessagePump::Delegate*, base::MessagePumpForUI::Dispatcher*) src/ipc/chromium/src/base/message_pump_glib.cc:195 > #15 0x7f1c4cdab278 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:183 > #16 0x7f1c4a859296 in XRE_InitChildProcess src/toolkit/xre/nsEmbedFunctions.cpp:494 > #17 0x426c4d in main src/ipc/app/MozillaRuntimeMain.cpp:60 > #18 0x7f1c48a1276c in > #19 0x426b4c in >0x615000b8c638 is located 56 bytes inside of 72-byte region [0x615000b8c600,0x615000b8c648) >freed by thread T0 here: > #0 0x419262 in __interceptor_free > #1 0x7f1c4c712f0c in mozilla::plugins::PluginInstanceChild::DeallocPStreamNotify(mozilla::plugins::PStreamNotifyChild*) src/dom/plugins/ipc/PluginInstanceChild.cpp:2411 > #2 0x7f1c4c871771 in mozilla::plugins::PPluginInstanceChild::CallPStreamNotifyConstructor(mozilla::plugins::PStreamNotifyChild*, nsCString const&, nsCString const&, bool const&, nsCString const&, bool const&, short*) src/objdir-ff-asan-o1/ipc/ipdl/PPluginInstanceChild.cpp:821 > #3 0x7f1c4c725c79 in mozilla::plugins::child::_geturlnotify(_NPP*, char const*, char const*, void*) src/dom/plugins/ipc/PluginModuleChild.cpp:1059:18 > #4 0x7f1c3ab5bc4a in >previously allocated by thread T0 here: > #0 0x419342 in __interceptor_malloc > #1 0x7f1c5117f547 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54 > #2 0x7f1c3ab5bc4a in >Shadow bytes around the buggy address: > 0x0c2a80169870: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa >=>0x0c2a801698c0: fd fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa > 0x0c2a801698d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a801698f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa > 0x0c2a80169910: 00 00 00 00 00 06 fa fa fa fa fa fa fa fa fa fa >Shadow byte legend (one shadow byte represents 8 application bytes): > Addressable: 00 > Partially addressable: 01 02 03 04 05 06 07 > Heap left redzone: fa > Heap righ redzone: fb > Freed Heap region: fd > Stack left redzone: f1 > Stack mid redzone: f2 > Stack right redzone: f3 > Stack partial redzone: f4 > Stack after return: f5 > Stack use after scope: f8 > Global redzone: f9 > Global init order: f6 > Poisoned by user: f7 > ASan internal: fe >==9922==ABORTING > >
Flags: needinfo?(inferno)
Does this ring any bells :) ? //looks like malloc point - 1055 StreamNotifyChild* sn = new StreamNotifyChild(url); 1056 1057 NPError err; // looks like free point (of sn) [also in stacktrace] - 1058 InstCast(aNPP)->CallPStreamNotifyConstructor( 1059 sn, url, NullableString(aTarget), false, nsCString(), false, &err); 1060 1061 if (NPERR_NO_ERROR == err) { 1062 // If NPN_PostURLNotify fails, the parent will immediately send us 1063 // a PStreamNotifyDestructor, which should not call NPP_URLNotify. // looks like invalid use point of sn [also in stacktrace] - 1064 sn->SetValid(aNotifyData);
Assignee: nobody → georg.fritzsche
Priority: -- → P2
George any traction here?
(In reply to David Bolter [:davidb] from comment #12) > George any traction here? I'm off sick this week, i can look into this on monday.
I can't reproduce this on Flash 11.2.202.275, x64 trunk, opt-build, Ubuntu 12.04.2. Does this need a specific build configuration, Flash version, ...?
This doesn't reproduce for me either, in a debug asan build: http://people.mozilla.com/~jschoenick/asan/
(In reply to Georg Fritzsche [:gfritzsche] from comment #14) > I can't reproduce this on Flash 11.2.202.275, x64 trunk, opt-build, Ubuntu > 12.04.2. > Does this need a specific build configuration, Flash version, ...? I can't reproduce anymore on trunk now, don't know what fixed it. BTW, my configuration is same - Flash 11.2.202.275, Ubuntu 12.04, clang r176408 for asan.
(In reply to Abhishek Arya from comment #16) > I can't reproduce anymore on trunk now, don't know what fixed it. Ah, thanks, will find out.
Matt, can you narrow down at all when this quit reproducing in ASAN?
Flags: needinfo?(mwobensmith)
So far i can say that with clang r176408 i hit a start-up buffer overflow below nsIPermissionManagerConstructor instead between r126001 (Mar 05 10:19:00 2013 +0800) and r126227 (Mar 14 21:25:04 2013 -0400) that is not reproducing on trunk: #0 0x415a78 in memcmp ??:0 #1 0x7ff351eac00d in fillInUnixFile /home/georg/moz/mc-asan/db/sqlite3/src/sqlite3.c:27640 #2 0x7ff34cae79b6 in (anonymous namespace)::xOpen(sqlite3_vfs*, char const*, sqlite3_file*, int, int*) /home/georg/moz/mc-asan/storage/src/TelemetryVFS.cpp:332 #3 0x7ff351ed8506 in sqlite3OsOpen /home/georg/moz/mc-asan/db/sqlite3/src/sqlite3.c:15082 #4 0x7ff351ecd4c1 in openDatabase /home/georg/moz/mc-asan/db/sqlite3/src/sqlite3.c:114993 #5 0x7ff34cac3551 in mozilla::storage::Connection::initialize(nsIFile*) /home/georg/moz/mc-asan/storage/src/mozStorageConnection.cpp:500 #6 0x7ff34cabee77 in mozilla::storage::Service::OpenDatabase(nsIFile*, mozIStorageConnection**) /home/georg/moz/mc-asan/storage/src/mozStorageService.cpp:710 #7 0x7ff34cbe1619 in nsPermissionManager::InitDB(bool) /home/georg/moz/mc-asan/extensions/cookie/nsPermissionManager.cpp:437 #8 0x7ff34cbe411a in nsPermissionManager::Init() /home/georg/moz/mc-asan/extensions/cookie/nsPermissionManager.cpp:404 #9 0x7ff34cbe3a9d in nsPermissionManager::GetXPCOMSingleton() /home/georg/moz/mc-asan/extensions/cookie/nsPermissionManager.cpp:360 #10 0x7ff34cbdfbcc in nsIPermissionManagerConstructor(nsISupports*, nsID const&, void**) /home/georg/moz/mc-asan/extensions/cookie/nsCookieModule.cpp:17 [...]
Georg, please skip the startup crash using env variable ASAN_OPTIONS=strict_memcmp=0
Using ASAN_OPTIONS=strict_memcmp=0:alloc_dealloc_mismatch=0 i now have the following data-points: (1) r125373 (Feb 25 19:28:07 2013 +0800): hit the nsFrame::BoxReflow() SIGSEGV (2) r126001 (Mar 05 10:19:00 2013 +0800): no repro (3) r124746 (Mar 10 18:38:57 2013 -0400): hit the nsFrame::BoxReflow() SIGSEGV, occassionally hitting the _geturlnotify() Noticed occasionally hitting the _geturlnotify with (3), it possibly also occurs with (1) but would have to recheck that. So apparently the parent being stopped may trigger this in the child based on timing or something. Is the nsFrame::BoxReflow() SIGSEGV already filed separately?
I'm not able to reproduce the _geturlnotify crash in any build I try. I just keep getting the other nsFrame::BoxReflow crash, which I've filed as bug 857841.
Flags: needinfo?(mwobensmith)
OS: All → Linux
Looks like the BoxReflow crash was just bug 851396 (which I've marked bug 857841 as a dupe of).
Attached patch Don't access deallocated StreamNotifyChild (obsolete) (deleted) — Splinter Review
This issues repro is a little elusive as soon as timing-changes etc. via debuggers come into play, but with the ASan information it's clear enough what happens here: * _geturlnotify() calls, without respecting it's return value, into * PPluginInstanceChild::CallPStreamNotifyConstructor() which has two paths that can * tear down the StreamNotifyChild via (actor)->DeallocSubtree() -> PluginInstanceChild::DeallocPStreamNotify() I can't reproduce anymore with this on the mentioned revision.
Attachment #734678 - Flags: review?(benjamin)
Is 21 unaffected?
CallPStreamNotifyConstructor is really never supposed to fail: if any of the IPC machinery on the child fails, it's supposed to abort immediately. I don't think I'd accept this patch; the only reasonable options here are: 1) add a MOZ_CRASH if the method fails 2) figure out what sub-call of this isn't aborting and add the MOZ_CRASH there.
Attachment #734678 - Flags: review?(benjamin) → review-
(In reply to Benjamin Smedberg [:bsmedberg] from comment #26) > 2) figure out what sub-call of this isn't aborting and add the MOZ_CRASH > there. It's the Read() in PPluginInstanceChild::CallPStreamNotifyConstructor that is failing (not indexed in dxr or mxr): > if ((!(Read(result, (&(__reply)), (&(__iter)))))) { If CallPStreamNotifyConstructor is supposed to be infallible we probably should fatally assert there, but then again, why have failure handling, deallocation on error in there and different return values in there in the first place? As is CallPStreamNotifyConstructor is fallible, hence the failure handling patch here.
There's a fair of shared code between parents and children. Plugin processes (children) are supposed to abort on state errors. Firefox processes are supposed to handle state errors by killing the connection.
(In reply to Al Billings [:abillings] from comment #25) > Is 21 unaffected?
(In reply to Alex Keybl [:akeybl] from comment #29) > (In reply to Al Billings [:abillings] from comment #25) > > Is 21 unaffected? Sorry, i completely missed that comment before. Following the history on the relevant parts of both PluginModuleChild.cpp and lower.py, this seems a potential issue since bug 640901: http://hg.mozilla.org/mozilla-central/rev/6f5809f44532 Refs: http://hg.mozilla.org/mozilla-central/annotate/a3dad9390a30/dom/plugins/ipc/PluginModuleChild.cpp#l1059 http://hg.mozilla.org/mozilla-central/annotate/a3dad9390a30/ipc/ipdl/ipdl/lower.py#l4617 http://hg.mozilla.org/mozilla-central/annotate/a3dad9390a30/ipc/ipdl/ipdl/lower.py#l4652
Blocks: 640901
This aborts if the constructors fail for methods that are vulnerable to this. Those 3 are the only places i found that try to use the managee afterwards. I'd propose this for uplift as it's a rather small change to just vulnerable code.
Attachment #734678 - Attachment is obsolete: true
Attachment #737714 - Flags: review?(benjamin)
Let IPDL generate runtime aborts for constructor failures in child processes. If we want to abort on IPDL ctor IPC read failures, this does it consistently. However, it's rather invasive. Affected files listed in next attachments. As an alternative to this we could land the previous patch on trunk as well. Also, is this maybe better suited for bent to review?
Attachment #737717 - Flags: review?(benjamin)
The listing of code affected by the IPDL runtime abort insert.
(In reply to Georg Fritzsche [:gfritzsche] from comment #32) > Created attachment 737717 [details] [diff] [review] > IPDL runtime aborts for ctor failures Forgot to mention, this passed try and the Linux ASan test-case fine, but is obviously still risky.
Attachment #737717 - Flags: review?(benjamin) → review+
Attachment #737714 - Flags: review?(benjamin) → review-
Comment on attachment 737714 [details] [diff] [review] Abort childs if constructor fails in vulnerable methods Oh sorry, I missed that this was for uplift.
Attachment #737714 - Flags: review- → review+
Comment on attachment 737717 [details] [diff] [review] IPDL runtime aborts for ctor failures [Security approval request comment] How easily could an exploit be constructed based on the patch? Hard, as it would require finding a way to abort the parent (or another way to make IPC fail) in a timing-sensitive way. This patch doesn't make it obvious which exact places are vulnerable in the first place. Note that the proposed uplift patch is more obvious as it's modifying the affected code parts. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? 20, 21, 22. If not all supported branches, which bug introduced the flaw? No regression window determined due to high timing sensitivity of the bug. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Backport is present, not hard to do and low-risk. It just inserts child side aborts on IPC failure for the vulnerable code-parts instead of doing centrally for every constructor call. How likely is this patch to cause regressions; how much testing does it need? Unlikely to cause relevant regressions - this is only visited in the child process in case of parent abort or other IPC failures - a scenario in which we should abort anyway.
Attachment #737717 - Flags: sec-approval?
Comment on attachment 737714 [details] [diff] [review] Abort childs if constructor fails in vulnerable methods Review of attachment 737714 [details] [diff] [review]: ----------------------------------------------------------------- See previous comment, this is the patch i want to uplift.
Attachment #737714 - Flags: sec-approval?
Attachment #737717 - Flags: sec-approval? → sec-approval+
Comment on attachment 737714 [details] [diff] [review] Abort childs if constructor fails in vulnerable methods Please nominate the patch for the affected branches for release management team approval.
Attachment #737714 - Flags: sec-approval? → sec-approval+
Comment on attachment 737714 [details] [diff] [review] Abort childs if constructor fails in vulnerable methods [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 640901. User impact if declined: It is a possible attack vector, although probably hard to use in a controlled manner. Testing completed (on m-c, etc.): Did local testing, none on m-c as it will get a more invasive patch. Given that this is in an unrecoverable code-path and just aborting, it doesn't seem too problematic. Risk to taking this patch (and alternatives if risky): Low-risk. This is only visited in the child process in case of parent abort or other IPC failures - a scenario in which we should abort anyway. String or IDL/UUID changes made by this patch: None.
Attachment #737714 - Flags: approval-mozilla-beta?
Attachment #737714 - Flags: approval-mozilla-aurora?
Would this be taken for ESR17?
(In reply to Georg Fritzsche [:gfritzsche] from comment #40) > Would this be taken for ESR17? Yes, but please land on m-c before we consider this for m-a/m-b/m-e17
Keywords: checkin-needed
On inbound today which was closed too long yesterday: https://hg.mozilla.org/integration/mozilla-inbound/rev/5de9e9db23c5
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Comment on attachment 737714 [details] [diff] [review] Abort childs if constructor fails in vulnerable methods Request to land asap on mozilla-beta for this to get into Fx21 beta 4
Attachment #737714 - Flags: approval-mozilla-beta?
Attachment #737714 - Flags: approval-mozilla-beta+
Attachment #737714 - Flags: approval-mozilla-aurora?
Attachment #737714 - Flags: approval-mozilla-aurora+
Comment on attachment 737714 [details] [diff] [review] Abort childs if constructor fails in vulnerable methods [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: n/a Fix Landed on Version: This fix on 21 & 22, a more invasive version on 20. User impact if declined: Risk to taking this patch (and alternatives if risky): String or UUID changes made by this patch: ... see comment 39. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #737714 - Flags: approval-mozilla-esr17?
(In reply to Georg Fritzsche [:gfritzsche] from comment #46) > a more invasive version on 20. 23 you mean?
(In reply to Ryan VanderMeulen [:RyanVM] from comment #47) > (In reply to Georg Fritzsche [:gfritzsche] from comment #46) > > a more invasive version on 20. > > 23 you mean? Right, of course.
Comment on attachment 737717 [details] [diff] [review] IPDL runtime aborts for ctor failures I think we want this on b2g18 too. We use a ton of IPDL stuff there and we expect failed constructors to abort the process.
Attachment #737717 - Flags: approval-mozilla-b2g18?
Matt, can you please verify this is fixed in the latest builds?
Keywords: verifyme
QA Contact: mwobensmith
I could never reproduce in the first place (comment 22)... perhaps Georg (comment 21) or Abhishek might be able to confirm? Otherwise we might have to mark qa-.
Attachment #737714 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Attachment #737717 - Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
(In reply to Matt Wobensmith from comment #51) > I could never reproduce in the first place (comment 22)... perhaps Georg > (comment 21) or Abhishek might be able to confirm? Otherwise we might have > to mark qa-. Okay, thank you Matt, marking [qa-]. Abhishek or Georg, can either of you verify this is fixed?
Keywords: verifyme
Whiteboard: [qa-]
(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #53) > Abhishek or Georg, can either of you verify this is fixed? Reproducing the issue depends on a) ASan builds and b) a browser process abort with just the right timing to trigger this in the plugin process (which we only had in apparently a narrow window on Linux), so i don't see how we could sensibly verify it.
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [qa-] → [qa-][adv-main21+][adv-esr1706+]
Alias: CVE-2013-1679
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Attachment #775969 - Attachment description: Bounty Awarded $3000 → Bounty Awarded $3000 [paid] 7/1/7/2013
Group: core-security
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: