Closed Bug 1177367 Opened 9 years ago Closed 9 years ago

AddressSanitizer (invalid READ of size 4) GetMostRecentDestWindow widget/gtk/nsDragService.h:105

Categories

(Core Graveyard :: Plug-ins, defect)

41 Branch
defect
Not set
normal

Tracking

(firefox39 wontfix, firefox40 wontfix, firefox41 fixed, firefox42 verified, firefox-esr38 wontfix, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected, b2g-v2.2r unaffected, b2g-master unaffected)

RESOLVED FIXED
mozilla42

People

(Reporter: rs, Assigned: jimm)

References

(Blocks 1 open bug, )

Details

(Keywords: sec-moderate, Whiteboard: [adv-main41-])

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36

Steps to reproduce:

firefox-41.0a1 ASAN debug build

Related to GetMostRecentDestWindow; no testcase, so if anyone wants to take a look, thanks.


Actual results:

=================================================================
==1667==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000231158 at pc 0x7f4974d6ab25 bp 0x7ffff908ce90 sp 0x7ffff908ce88
READ of size 4 at 0x60d000231158 thread T0 (Web Content)
    #0 0x7f4974d6ab24 in GetMostRecentDestWindow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105
    #1 0x7f4974d6ab24 in nsWindow::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsWindow.cpp:630
    #2 0x7f49744f60dc in nsPluginInstanceOwner::CreateWidget() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginInstanceOwner.cpp:2917
    #3 0x7f49744ac401 in CreateWidget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:3374
    #4 0x7f49744ac401 in nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:845
    #5 0x7f4971801967 in nsObjectLoadingContent::InstantiatePluginInstance(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:788
    #6 0x7f497180abea in nsObjectLoadingContent::LoadObject(bool, bool, nsIRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:2385
    #7 0x7f4971807c6a in nsObjectLoadingContent::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:1127
    #8 0x7f496fcbd174 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:492
    #9 0x7f496fcc6c69 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:482
    #10 0x7f496fcc5e0a in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:407
    #11 0x7f4970200630 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PHttpChannelChild.cpp:529
    #12 0x7f49707793b8 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:5337
    #13 0x7f4970084c42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #14 0x7f4970082656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #15 0x7f49700762b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #16 0x7f497001af94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #17 0x7f497001af94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #18 0x7f497001c047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #19 0x7f497008bee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #20 0x7f496f7bbb17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #21 0x7f496f83603a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #22 0x7f497008b649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #23 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #24 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #25 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #26 0x7f4974d12347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #27 0x7f4976b06582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #28 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7f4976b05c7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #32 0x48cf52 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #33 0x7f496d266a3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #34 0x48c2ac in _start (/home/revskills/Browsers/firefox/plugin-container+0x48c2ac)

0x60d000231158 is located 8 bytes to the right of 144-byte region [0x60d0002310c0,0x60d000231150)
allocated by thread T0 (Web Content) here:
    #0 0x4748c1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48d56d in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f4974d34dfa in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/widget/../dist/include/mozilla/mozalloc.h:186
    #3 0x7f4974d34dfa in nsDragServiceProxyConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsContentProcessWidgetFactory.cpp:24
    #4 0x7f496f794911 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1223
    #5 0x7f496f78bf1a in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1584
    #6 0x7f496f825771 in CallGetService /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #7 0x7f496f825771 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #8 0x7f496f81aa06 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsCOMPtr.cpp:103
    #9 0x7f49716e54fb in nsCOMPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:514
    #10 0x7f49716e54fb in nsContentUtils::GetDragSession() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsContentUtils.cpp:5349
    #11 0x7f49755d9e2c in PresShell::ProcessSynthMouseMoveEvent(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:5456
    #12 0x7f4975607678 in PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.h:643
    #13 0x7f4975329a9d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1649
    #14 0x7f49753346ee in TickDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:195
    #15 0x7f49753346ee in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:186
    #16 0x7f4975333f5d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:437
    #17 0x7f4975333f5d in TickRefreshDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:371
    #18 0x7f4975333f5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:342
    #19 0x7f4975bddaf0 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #20 0x7f497057ec12 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:220
    #21 0x7f497010c15c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1288
    #22 0x7f4970084c42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #23 0x7f4970082656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #24 0x7f49700762b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #25 0x7f497001af94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #26 0x7f497001af94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #27 0x7f497001c047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #28 0x7f497008bee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #29 0x7f496f7bbb17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #30 0x7f496f83603a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #31 0x7f497008b649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #32 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #33 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #34 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #35 0x7f4974d12347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #36 0x7f4976b06582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #37 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7f4976b05c7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105 GetMostRecentDestWindow
Shadow bytes around the buggy address:
  0x0c1a8003e1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a8003e1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a8003e1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a8003e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a8003e210: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a8003e220: 00 00 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa
  0x0c1a8003e230: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a8003e240: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1a8003e250: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1a8003e260: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a8003e270: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1667==ABORTING
The problem occurs when you click on a page that usually has enough content to load, or is slow (which is easy to do, and I shared a real example). When you click e.g. on a pager (page 2) and, while the following content is loading, you go back and click on the previous page using the pager (page 1, before it proceeds to load page 2). I've also tried here:

http://www.dafont.com/fr/theme.php?cat=402&page=12

Doing exactly the same. So it's also valid for reproducing the error. Click on page 11 and then click again on page 12. Obviously prevent cached pages for testing (so you can just try loading different page numbers for testing).
Drag and drop and plugin related? e10s related?
Component: Untriaged → Plug-ins
Flags: needinfo?(bugs)
Product: Firefox → Core
Flags: needinfo?(aklotz)
I don't quite understand this. Does plugin code create GTK Widget on child process, not PuppetWidget?
Flags: needinfo?(bugs)
Oh, we do something silly in nsDragService::GetInstance(). Hardcoding to use
drag service based on NS_DRAGSERVICE_CID and then static_cast that to the gtk's implementation.
But I still don't understand why we have gtk widget in child process. Is that something plugins code need?
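The hazard described in the comment above (a service fetched by contract ID and then static_cast to one concrete implementation) is illustrated by the following added example. It is not Mozilla code; the class names IDragService, DragServiceProxy and GtkDragService are constructed stand-ins for the shared interface, the small proxy object that the content process actually allocates, and the GTK implementation whose extra field the cast reads. The layout is chosen so that the GTK object is larger than the proxy, which is exactly the shape of the ASan report above (a read a few bytes past the end of the region allocated by nsDragServiceProxyConstructor).

```cpp
// Added illustration (not Mozilla code): why static_cast of a service obtained
// through a shared interface reads out of bounds when a different, smaller
// implementation of that interface was registered in this process.
#include <cstddef>
#include <iostream>
#include <memory>

struct NativeWindow { int id; };

// Abstract service interface, in the role of nsIDragService: every process
// registers *some* implementation under the same contract ID.
class IDragService {
public:
    virtual ~IDragService() = default;
    virtual bool IsDragInProgress() const = 0;
    // Type-checked downcast hook: only the GTK implementation returns itself.
    virtual class GtkDragService* AsGtkDragService() { return nullptr; }
};

// Small implementation registered in the content (child) process. It carries
// no native window state, in the role of nsDragServiceProxy.
class DragServiceProxy final : public IDragService {
    bool mInProgress = false;
public:
    bool IsDragInProgress() const override { return mInProgress; }
};

// GTK implementation registered in the parent process. Its extra field lies
// beyond the end of what the proxy allocates.
class GtkDragService final : public IDragService {
    bool mInProgress = false;
    NativeWindow* mMostRecentDestWindow = nullptr;  // the field the accessor reads
public:
    bool IsDragInProgress() const override { return mInProgress; }
    GtkDragService* AsGtkDragService() override { return this; }
    void SetDestWindow(NativeWindow* w) { mMostRecentDestWindow = w; }
    NativeWindow* GetMostRecentDestWindow() const { return mMostRecentDestWindow; }
};

// UNSAFE pattern: assumes the registered service is the GTK one. This compiles
// without complaint, but when the proxy was registered the read of
// mMostRecentDestWindow lands past the proxy's allocation (ASan reports a
// heap-buffer-overflow READ). Kept here as the anti-pattern; never called.
NativeWindow* UnsafeMostRecentDestWindow(IDragService* svc) {
    return static_cast<GtkDragService*>(svc)->GetMostRecentDestWindow();
}

// SAFE pattern: ask the object for its concrete type and handle the miss.
NativeWindow* SafeMostRecentDestWindow(IDragService* svc) {
    if (GtkDragService* gtk = svc->AsGtkDragService()) {
        return gtk->GetMostRecentDestWindow();
    }
    return nullptr;
}

// The size difference is what turns the unsafe cast into an out-of-bounds read.
size_t ProxySize() { return sizeof(DragServiceProxy); }
size_t GtkSize()   { return sizeof(GtkDragService); }

// Exercise the safe accessor against both implementations.
bool SafeAccessorHandlesBothImplementations() {
    NativeWindow win{7};
    std::unique_ptr<IDragService> proxy = std::make_unique<DragServiceProxy>();
    auto gtkOwned = std::make_unique<GtkDragService>();
    gtkOwned->SetDestWindow(&win);
    IDragService* gtk = gtkOwned.get();
    return SafeMostRecentDestWindow(proxy.get()) == nullptr &&
           SafeMostRecentDestWindow(gtk) == &win;
}

int main() {
    std::cout << "proxy size " << ProxySize() << ", gtk size " << GtkSize() << "\n";
    std::cout << (SafeAccessorHandlesBothImplementations() ? "safe accessor ok" : "FAIL") << "\n";
    return 0;
}
```

The point for review is that the compiler cannot catch the unsafe cast: the interface is the same, so the static_cast is well-formed, and only the process-specific registration decides whether the object behind the pointer has the field being read. A downcast hook on the interface (or, in XPCOM, a QueryInterface-style check) moves that decision to run time where it can fail safely.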
Attached patch possible fix (obsolete) — — Splinter Review
This should fix the crash, but I really don't understand why we have non-PuppetWidget here.

Do we support dnd on plugins, also in e10s?
Flags: needinfo?(aklotz) → needinfo?(jmathies)
#1 0x7f4974d6ab24 in nsWindow::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsWindow.cpp:630

#2 0x7f49744f60dc in nsPluginInstanceOwner::CreateWidget() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginInstanceOwner.cpp:2917

Looks like:

1) we try to create an e10s plugin widget here - 
https://dxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsPluginInstanceOwner.cpp#2818

2) either content, window, topWindow, or tc is unexpectedly null.

3) we fall through to code we shouldn't fall through to, here - 

https://dxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsPluginInstanceOwner.cpp#2862
Flags: needinfo?(jmathies)
This is with e10s correct? If not my synopsis makes no sense.
Flags: needinfo?(rs)
Assignee: nobody → jmathies
Right, I'm using a firefox-41.0a1 ASAN debug build with the default preferences, hence e10s is enabled by default.
Flags: needinfo?(rs)
crashing again:

=================================================================
==19779==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000ccda8 at pc 0x7f227d9e0b25 bp 0x7fffd087bc90 sp 0x7fffd087bc88
READ of size 4 at 0x60d0000ccda8 thread T0 (Web Content)
    #0 0x7f227d9e0b24 in GetMostRecentDestWindow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105
    #1 0x7f227d9e0b24 in nsWindow::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsWindow.cpp:630
    #2 0x7f227d16c0dc in nsPluginInstanceOwner::CreateWidget() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginInstanceOwner.cpp:2917
    #3 0x7f227d122401 in CreateWidget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:3374
    #4 0x7f227d122401 in nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:845
    #5 0x7f227a477967 in nsObjectLoadingContent::InstantiatePluginInstance(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:788
    #6 0x7f227a480bea in nsObjectLoadingContent::LoadObject(bool, bool, nsIRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:2385
    #7 0x7f227a47dc6a in nsObjectLoadingContent::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:1127
    #8 0x7f2278933174 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:492
    #9 0x7f227893cc69 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:482
    #10 0x7f227893be0a in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:407
    #11 0x7f2278e76630 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PHttpChannelChild.cpp:529
    #12 0x7f22793ef3b8 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:5337
    #13 0x7f2278cfac42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #14 0x7f2278cf8656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #15 0x7f2278cec2b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #16 0x7f2278c90f94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #17 0x7f2278c90f94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #18 0x7f2278c92047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #19 0x7f2278d01ee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #20 0x7f2278431b17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #21 0x7f22784ac03a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #22 0x7f2278d01649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #23 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #24 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #25 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #26 0x7f227d988347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #27 0x7f227f77c582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #28 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7f227f77bc7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #32 0x48cf52 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #33 0x7f2275edca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #34 0x48c2ac in _start (/home/revskills/Browsers/firefox/plugin-container+0x48c2ac)

0x60d0000ccda8 is located 8 bytes to the right of 144-byte region [0x60d0000ccd10,0x60d0000ccda0)
allocated by thread T0 (Web Content) here:
    #0 0x4748c1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48d56d in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f227d9aadfa in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/widget/../dist/include/mozilla/mozalloc.h:186
    #3 0x7f227d9aadfa in nsDragServiceProxyConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsContentProcessWidgetFactory.cpp:24
    #4 0x7f227840a911 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1223
    #5 0x7f2278401f1a in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1584
    #6 0x7f227849b771 in CallGetService /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #7 0x7f227849b771 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #8 0x7f2278490a06 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsCOMPtr.cpp:103
    #9 0x7f227a35b4fb in nsCOMPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:514
    #10 0x7f227a35b4fb in nsContentUtils::GetDragSession() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsContentUtils.cpp:5349
    #11 0x7f227e24fe2c in PresShell::ProcessSynthMouseMoveEvent(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:5456
    #12 0x7f227e27d678 in PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.h:643
    #13 0x7f227df9fa9d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1649
    #14 0x7f227dfaa6ee in TickDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:195
    #15 0x7f227dfaa6ee in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:186
    #16 0x7f227dfa9f5d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:437
    #17 0x7f227dfa9f5d in TickRefreshDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:371
    #18 0x7f227dfa9f5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:342
    #19 0x7f227e853af0 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #20 0x7f22791f4c12 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:220
    #21 0x7f2278d8215c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1288
    #22 0x7f2278cfac42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #23 0x7f2278cf8656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #24 0x7f2278cec2b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #25 0x7f2278c90f94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #26 0x7f2278c90f94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #27 0x7f2278c92047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #28 0x7f2278d01ee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #29 0x7f2278431b17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #30 0x7f22784ac03a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #31 0x7f2278d01649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #32 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #33 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #34 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #35 0x7f227d988347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #36 0x7f227f77c582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #37 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7f227f77bc7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105 GetMostRecentDestWindow
Shadow bytes around the buggy address:
  0x0c1a80011960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800119a0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a800119b0: 00 00 00 00 fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c1a800119c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800119d0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a800119e0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1a800119f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==19779==ABORTING
[Parent 19586] WARNING: pipe error (61): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459

###!!! [Parent][MessageChannel] Error: (msgtype=0x20007A,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv


###!!! [Child][MessageChannel] Error: (msgtype=0x980018,name=PPluginScriptableObject::Msg_Unprotect) Channel error: cannot send/recv
Flags: needinfo?(jmathies)
OK, I'll take this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jmathies)
Attached patch patch — — Splinter Review
Attachment #8627833 - Attachment is obsolete: true
Attachment #8630069 - Flags: review?(aklotz)
Attachment #8630069 - Flags: sec-approval?
Attachment #8630069 - Flags: review?(aklotz) → review+
Is there a CVE number assigned?
(In reply to Francisco A. from comment #13)
> Is there a CVE number assigned?

When there is a CVE number assigned, it will be included in the summary. You can see an example of this in bug 851781. CVE numbers are usually assigned by abillings closer to the end of the release cycle where we release the fix.
Thanks Andrew, just asking to know if it was assigned via the internal CVE pool.
Comment on attachment 8630069 [details] [diff] [review]
patch

This doesn't need sec-approval+ as a sec-moderate.
Attachment #8630069 - Flags: sec-approval?
(In reply to Francisco A. from comment #15)
> Thanks Andrew, just asking to know if it was assigned via the internal CVE pool.

We have a list of CVE numbers. I assign them the week or so before we ship the release with the fix.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Looks like this could use Beta/esr38 approval requests.
Flags: needinfo?(jmathies)
Target Milestone: --- → mozilla42
Comment on attachment 8630069 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]:
e10s plugin work that landed last fall
[User impact if declined]:
rare tab crashes. 
[Describe test coverage new/current, TreeHerder]:
on mc for two months, in aurora.
[Risks and why]: 
none
[String/UUID change made/needed]:
none

The ESR approval form said it had to be sec-critical, so I didn't request it.
Flags: needinfo?(jmathies)
Attachment #8630069 - Flags: approval-mozilla-beta?
Comment on attachment 8630069 [details] [diff] [review]
patch

Since this is circumventing a crash by returning an error flag, it is safe to uplift to Beta41. In general, for the remainder of the cycle, I would be very cautious approving uplifts to Beta41 that are e10s related given that it is not enabled by default in 41. Thanks!
Attachment #8630069 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: core-security → core-security-release
Flags: qe-verify+
Unable to reproduce this issue on a 41.0a1 ASan debug build, under Ubuntu 13.10 64-bit and 14.04 64-bit, with the STR from comment 1 and different heavy-content websites; same result with a 41.0a1 debug build on Mac OS X 10.9.5.
Francisco, could you please check out if this issue is fixed?
Flags: needinfo?(rs)
I tried the patches and they looked good; it must be fixed.
Flags: needinfo?(rs)
Whiteboard: [adv-main41+]
Alias: CVE-2015-4513
Whiteboard: [adv-main41+] → [adv-main41-]
Group: core-security-release
Product: Core → Core Graveyard