Closed
Bug 1100686
Opened 10 years ago
Closed 9 years ago
[e10s] heap-use-after-free in UDPSocketChildBase::ReleaseIPDLReference
Categories
(Core :: WebRTC: Networking, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1099414
| blocking-b2g | 2.1+ |
| Tracking | Status | |
|---|---|---|
| e10s | + | --- |
| firefox33 | --- | unaffected |
| firefox34 | --- | unaffected |
| firefox36 | + | affected |
People
(Reporter: drno, Assigned: bwc)
References
Details
(Keywords: csectype-uaf, regression, sec-high)
The fix in bug 1080096 results in heap-use-after-free if the socket creation fails. The memory gets allocated and freed on the child process (because of a failure during the socket creation). But then main tries to set the reference to NULL because of the patch added in bug 1080096. ==31281==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000a04b0 at pc 0x7f35c3bd1ea6 bp 0x7fff56dfa070 sp 0x7fff56dfa068 READ of size 8 at 0x6130000a04b0 thread T0 (Web Content) --DOCSHELL 0x6190004a6f80 == 4 [pid = 31216] [id = 3] #0 0x7f35c3bd1ea5 in NS_LogCOMPtrRelease /home/nohlmeier/src/mozilla-central-asan/xpcom/base/nsTraceRefcnt.cpp:1327 #1 0x7f35c73dda35 in nsCOMPtr<nsIUDPSocketInternal>::assign_assuming_AddRef(nsIUDPSocketInternal*) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dom/network/../../dist/include/nsCOMPtr.h:504 #2 0x7f35c73dc0ed in nsCOMPtr<nsIUDPSocketInternal>::operator=(nsIUDPSocketInternal*) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dom/network/../../dist/include/nsCOMPtr.h:677 #3 0x7f35c73d596e in mozilla::dom::UDPSocketChildBase::ReleaseIPDLReference() /home/nohlmeier/src/mozilla-central-asan/dom/network/UDPSocketChild.cpp:31 #4 0x7f35c41e234c in mozilla::net::NeckoChild::DeallocPUDPSocketChild(mozilla::net::PUDPSocketChild*) /home/nohlmeier/src/mozilla-central-asan/netwerk/ipc/NeckoChild.cpp:251 #5 0x7f35c491e07a in mozilla::net::PNeckoChild::DeallocSubtree() /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/ipc/ipdl/./PNeckoChild.cpp:1902 #6 0x7f35c46cc3b6 in mozilla::dom::PContentChild::DeallocSubtree() /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/ipc/ipdl/./PContentChild.cpp:6714 #7 0x7f35c46ca2da in mozilla::dom::PContentChild::OnChannelClose() /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/ipc/ipdl/./PContentChild.cpp:6227 #8 0x7f35c44a85de in mozilla::ipc::MessageChannel::NotifyChannelClosed() /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessageChannel.cpp:1684 #9 0x7f35c44a8791 in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessageChannel.cpp:1566 #10 0x7f35c4426fe1 in MessageLoop::RunTask(Task*) /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:361 #11 0x7f35c44278ef in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:369 #12 0x7f35c4427c46 in MessageLoop::DoWork() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:447 #13 0x7f35c44abae7 in mozilla::ipc::DoWorkRunnable::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:233 #14 0x7f35c3c7b879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830 #15 0x7f35c3cd58be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265 #16 0x7f35c44ab219 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:140 #17 0x7f35c44abf10 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:302 #18 0x7f35c4426d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233 #19 0x7f35c4426a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200 #20 0x7f35c793d9c6 in nsBaseAppShell::Run() /home/nohlmeier/src/mozilla-central-asan/widget/nsBaseAppShell.cpp:164 #21 0x7f35c8d44e26 in XRE_RunAppShell /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:713 #22 0x7f35c44abdb3 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:272 #23 0x7f35c4426d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233 #24 0x7f35c4426a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200 #25 0x7f35c8d4462b in XRE_InitChildProcess /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:550 #26 0x4b842f in content_process_main(int, char**) /home/nohlmeier/src/mozilla-central-asan/ipc/app/../contentproc/plugin-container.cpp:158 #27 0x7f35c0275ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 #28 0x4b832a in _start (/home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dist/bin/plugin-container+0x4b832a) 0x6130000a04b0 is located 176 bytes inside of 352-byte region [0x6130000a0400,0x6130000a0560) freed by thread T17 (Socket Thread) here: #0 0x4999a1 in free /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:69 #1 0x7f35c50a241c in nr_socket_local_create /home/nohlmeier/src/mozilla-central-asan/media/mtransport/nr_socket_prsock.cpp:1139 #2 0x7f35c874ba6c in nr_ice_component_initialize_udp /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_component.c:198 #3 0x7f35c874b3ad in nr_ice_component_initialize /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_component.c:404 #4 0x7f35c875693a in nr_ice_media_stream_initialize /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_media_stream.c:133 #5 0x7f35c8755694 in nr_ice_initialize /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:560 #6 0x7f35c50abb91 in mozilla::NrIceCtx::StartGathering() /home/nohlmeier/src/mozilla-central-asan/media/mtransport/nricectx.cpp:629 #7 0x7f35c4dec234 in mozilla::runnable_args_m_0<mozilla::RefPtr<mozilla::NrIceCtx>, tag_nsresult (mozilla::NrIceCtx::*)()>::Run() /home/nohlmeier/src/mozilla-central-asan/media/webrtc/signaling/../../../media/mtransport/runnable_utils_generated.h:48 #8 0x7f35c3c7b879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830 #9 0x7f35c3cd58be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265 #10 0x7f35c3e3ba30 in nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:740 #11 0x7f35c3e3cddc in non-virtual thunk to nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:777 #12 0x7f35c3c7b879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830 #13 0x7f35c3cd58be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265 #14 0x7f35c44ac2b8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:339 #15 0x7f35c4426d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233 #16 0x7f35c4426a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200 #17 0x7f35c3c792de in nsThread::ThreadFunc(void*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:350 #18 0x7f35cf51b863 in _pt_root /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:212 #19 0x7f35cfb6d181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 previously allocated by thread T17 (Socket Thread) here: #0 0x499c79 in malloc /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79 #1 0x7f35cff7ed6d in moz_xmalloc /home/nohlmeier/src/mozilla-central-asan/memory/mozalloc/mozalloc.cpp:52 #2 0x7f35c50a2311 in operator new(unsigned long) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/media/mtransport/build/../../../dist/include/mozilla/mozalloc.h:208 #3 0x7f35c50a2311 in nr_socket_local_create /home/nohlmeier/src/mozilla-central-asan/media/mtransport/nr_socket_prsock.cpp:1118 #4 0x7f35c874ba6c in nr_ice_component_initialize_udp /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_component.c:198 #5 0x7f35c874b3ad in nr_ice_component_initialize /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_component.c:404 #6 0x7f35c875693a in nr_ice_media_stream_initialize /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_media_stream.c:133 #7 0x7f35c8755694 in nr_ice_initialize /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:560 #8 0x7f35c50abb91 in mozilla::NrIceCtx::StartGathering() /home/nohlmeier/src/mozilla-central-asan/media/mtransport/nricectx.cpp:629 #9 0x7f35c4dec234 in mozilla::runnable_args_m_0<mozilla::RefPtr<mozilla::NrIceCtx>, tag_nsresult (mozilla::NrIceCtx::*)()>::Run() /home/nohlmeier/src/mozilla-central-asan/media/webrtc/signaling/../../../media/mtransport/runnable_utils_generated.h:48 #10 0x7f35c3c7b879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830 #11 0x7f35c3cd58be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265 #12 0x7f35c3e3ba30 in nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:740 #13 0x7f35c3e3cddc in non-virtual thunk to nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:777 #14 0x7f35c3c7b879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830 #15 0x7f35c3cd58be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265 #16 0x7f35c44ac2b8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:339 #17 0x7f35c4426d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233 #18 0x7f35c4426a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200 #19 0x7f35c3c792de in nsThread::ThreadFunc(void*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:350 #20 0x7f35cf51b863 in _pt_root /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:212 #21 0x7f35cfb6d181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312 Thread T17 (Socket Thread) created by T0 (Web Content) here: #0 0x43941e in __interceptor_pthread_create /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_interceptors.cc:180 #1 0x7f35cf517be9 in _PR_CreateThread /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:453 #2 0x7f35cf5176fa in PR_CreateThread /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:544 #3 0x7f35c3c79fdf in nsThread::Init() /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:455 #4 0x7f35c3c7db94 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThreadManager.cpp:269 #5 0x7f35c3cd50ef in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:68 #6 0x7f35c3e39d5d in nsSocketTransportService::Init() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:468 #7 0x7f35c436d0a1 in nsSocketTransportServiceConstructor(nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/netwerk/build/nsNetModule.cpp:72 #8 0x7f35c3c59689 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1199 #9 0x7f35c3c54050 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1560 #10 0x7f35c3cc314e in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsComponentManagerUtils.cpp:292 #11 0x7f35c3e036a6 in nsCOMPtr<nsPISocketTransportService>::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/netwerk/base/src/../../../dist/include/nsCOMPtr.h:1228 #12 0x7f35c3dfbc14 in nsCOMPtr<nsPISocketTransportService>::operator=(nsGetServiceByContractIDWithError const&) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/netwerk/base/src/../../../dist/include/nsCOMPtr.h:744 #13 0x7f35c3de126d in nsIOService::InitializeSocketTransportService() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:243 #14 0x7f35c3de2054 in nsIOService::SetOffline(bool) /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:817 #15 0x7f35c3de0f2c in nsIOService::InitializeNetworkLinkService() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:290 #16 0x7f35c3de03e7 in nsIOService::Init() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:226 #17 0x7f35c3de2666 in nsIOService::GetInstance() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:303 #18 0x7f35c436cf03 in nsIOServiceConstructor(nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/netwerk/build/nsNetModule.cpp:57 #19 0x7f35c3c59689 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1199 #20 0x7f35c3c54050 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1560 #21 0x7f35c515d7cd in nsScriptSecurityManager::Init() /home/nohlmeier/src/mozilla-central-asan/caps/nsScriptSecurityManager.cpp:1257:19 #22 0x7f35c515dec2 in nsScriptSecurityManager::InitStatics() /home/nohlmeier/src/mozilla-central-asan/caps/nsScriptSecurityManager.cpp:1328 #23 0x7f35c4c80de9 in nsXPConnect::InitStatics() /home/nohlmeier/src/mozilla-central-asan/js/xpconnect/src/nsXPConnect.cpp:132 #24 0x7f35c4c1eb68 in xpcModuleCtor() /home/nohlmeier/src/mozilla-central-asan/js/xpconnect/src/XPCModule.cpp:13 #25 0x7f35c831f584 in Initialize() /home/nohlmeier/src/mozilla-central-asan/layout/build/nsLayoutModule.cpp:395 #26 0x7f35c3c57c4b in nsComponentManagerImpl::KnownModule::Load() /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:858 #27 0x7f35c3c5887e in nsFactoryEntry::GetFactory() /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1915 #28 0x7f35c3c59613 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1196 #29 0x7f35c3c54050 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1560 #30 0x7f35c3cc2fb4 in nsGetServiceByContractID::operator()(nsID const&, void**) const /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsComponentManagerUtils.cpp:280 #31 0x7f35c3cc2ed9 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsCOMPtr.cpp:103 #32 0x7f35c3ce6e3f in NS_InitXPCOM2 /home/nohlmeier/src/mozilla-central-asan/xpcom/build/XPCOMInit.cpp:706 #33 0x7f35c8d43a63 in XRE_InitEmbedding2 /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:164 #34 0x7f35c44ad786 in mozilla::ipc::ScopedXREEmbed::Start() /home/nohlmeier/src/mozilla-central-asan/ipc/glue/ScopedXREEmbed.cpp:104 #35 0x7f35c759ae99 in mozilla::dom::ContentProcess::Init() /home/nohlmeier/src/mozilla-central-asan/dom/ipc/ContentProcess.cpp:28 #36 0x7f35c8d4461d in XRE_InitChildProcess /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:537 #37 0x4b842f in content_process_main(int, char**) /home/nohlmeier/src/mozilla-central-asan/ipc/app/../contentproc/plugin-container.cpp:158 #38 0x7f35c0275ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287 SUMMARY: AddressSanitizer: heap-use-after-free /home/nohlmeier/src/mozilla-central-asan/xpcom/base/nsTraceRefcnt.cpp:1327 NS_LogCOMPtrRelease Shadow bytes around the buggy address: 0x0c268000c040: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c268000c050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c268000c060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c268000c070: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa 0x0c268000c080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c268000c090: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd 0x0c268000c0a0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa 0x0c268000c0b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x0c268000c0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c268000c0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c268000c0e0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc ASan internal: fe ==31281==ABORTING
|
||
Comment 1•10 years ago
|
||
I assume an attacker can force the socket creation to fail since they can have their client scripts connect to a server of their choosing.
Blocks: 1080096
Keywords: regression,
testcase-wanted
|
||
Comment 2•10 years ago
|
||
[Blocking Requested - why for this release]: regression uplifted into b2g34
blocking-b2g: --- → 2.1?
|
||
Updated•10 years ago
|
status-firefox35:
--- → unaffected
status-firefox36:
--- → affected
tracking-firefox36:
--- → +
Keywords: sec-high
|
||
Comment 3•10 years ago
|
||
Is this a dupe of bug 1099414? The stacks look very similar.
Flags: needinfo?(drno)
|
|
||
Comment 4•10 years ago
|
||
Also, I don't understand how this is a regression from bug 1080096. The type of UDPSocketChildBase::mSocket is nsCOMPtr<nsIUDPSocketInternal>, so we'll end up calling Release() on mSocket in the dtor for UDPSocketChild even without bug 1080096. Is that prevented somehow?
|
||
Comment 5•10 years ago
|
||
I think the main issue is we use "delete" to a reference counted object [1] in the nr_socket_local_create. Mixing the usage of raw pointer and smart pointer will lead to either memory leakage or use-after-free. [1] http://dxr.mozilla.org/mozilla-central/source/media/mtransport/nr_socket_prsock.cpp#1139
|
Reporter | |
Comment 6•10 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #3) > Is this a dupe of bug 1099414? The stacks look very similar. We saw so many problems in 1099414 that I decided to split the problems into separate bugs. This one here for freeing the socket properly, and lets stick to the assertions problem in 1099414.
Flags: needinfo?(drno)
|
|
Reporter | |
Comment 7•10 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #4) > Also, I don't understand how this is a regression from bug 1080096. The > type of UDPSocketChildBase::mSocket is nsCOMPtr<nsIUDPSocketInternal>, so > we'll end up calling Release() on mSocket in the dtor for UDPSocketChild > even without bug 1080096. Is that prevented somehow? I pointed to that bug, because ASAN is blaming exactly this one line which got added by bug 1080096. Quite possible that without that one line the heap-use-after-free would still exist, but at a different code point.
|
||
Updated•10 years ago
|
tracking-e10s:
--- → +
|
|
||
Comment 8•10 years ago
|
||
(In reply to Nils Ohlmeier [:drno] from comment #7) > I pointed to that bug, because ASAN is blaming exactly this one line which > got added by bug 1080096. Quite possible that without that one line the > heap-use-after-free would still exist, but at a different code point. Ok, that makes sense. I'm pretty sure this would have been a UAF even without that patch, so the bug must stretch back further. |delete sock;| in nr_socket_local_create stretches back to bug 790517, and it looks like NrSocket was ref counted even then, so it is possible this could have caused problems even then. But maybe it was not a problem until bug 869869 added more complex lifetimes for these socket things.
No longer blocks: 1080096
|
|
||
Updated•10 years ago
|
status-firefox35:
unaffected → ---
|
|
||
Comment 9•10 years ago
|
||
nils: can you try verifying on Beta/34? Or Release/33?
Flags: needinfo?(drno)
|
||
Updated•10 years ago
|
blocking-b2g: 2.1? → 2.1+
|
|
Reporter | |
Comment 10•10 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #9) > nils: can you try verifying on Beta/34? Or Release/33? Unfortunately the test is not deterministic (as it uses random in it). Additionally Anything else then Nightly does not allow e10s mode (which this only applies to). So I had to modify the code in beta and release to force it into e10s mode. Unfortunately I'm not aware of any easy way to verify in the browser that it runs in e10s mode. With the modified code I ran the test against 34 and 33. In both cases I eventually hit the famous assertion from bug 1099414. I guess that tells us that I was successfully running in e10s mode, as this should only apply to e10s. After removing the assertion I ran the test for a very long time without ASAN ever complaining about any heap problems. So I think 33 and 34 are not affected by this problem.
|
|
||
Comment 11•10 years ago
|
||
Byron has a patch in bug 1099414 that looks like it will fix this, so I'm just going to assign to him. Please just clear it if you aren't working on it.
Assignee: nobody → docfaraday
Keywords: csectype-uaf
|
|
Reporter | |
Comment 12•10 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #1) > I assume an attacker can force the socket creation to fail since they can > have their client scripts connect to a server of their choosing. This is not about the socket failing to connect somewhere. This is really the creation of an unconnected socket failing. We are actually not sure why. One possible explanation might be that we reached the maximum number of sockets we can create (our code seems to play conservative on that). As we are talking about not-connected sockets here, you can probably create this with the right JS code, which keeps opening and closing PeerConnections in your browser very quickly. Or opens lots of PeerConnections until we are out of ports...
|
|
||
Comment 13•10 years ago
|
||
bryon: if the patch in bug 1099414 should fix this, let's dup it to that.
|
|
||
Updated•9 years ago
|
Flags: needinfo?(docfaraday)
|
Assignee | |
Comment 14•9 years ago
|
||
Yes, it should.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(docfaraday)
Resolution: --- → DUPLICATE
|
|
||
Updated•9 years ago
|
Group: core-security
|
||
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•