The vulnerability affects Firefox version 76.0a1 x64 and is contained in the SharedWorker component.

image

Specialists from the Cisco Talos team reported a critical vulnerability (CVE-2020-12405) in the Mozilla Firefox browser, the operation of which allows an attacker to remotely execute code. Vulnerability was discovered by researcher Marcin Noga.

The problem was rated 8.8 on the CVSS scale and can only be exploited when a user goes to a malicious page. The vulnerability affects Firefox version 76.0a1 x64 and is contained in the SharedWorker component and internal objects associated with it.

As the experts explained, for the SharedWorkerService object, allocation is performed inside the stream, and release occurs as a result of processing the next event inside another stream. However, the execution of the thread continues, which leads to the use of the SharedWorkerService object upon release.

The vulnerability is due to the absence of a Mutex object in the GetOrCreateWorkerManager method. Thus, the same SharedWorkerService object is passed as an argument to the GetOrCreateWorkerManagerRunnable method and is deleted using the ~ SharedWorkerManagerHolder () destructor.

“Correct heap cleanup can give an attacker complete control over a use-after-free vulnerability and, as a result, can turn it into arbitrary code execution,” the experts explained.

In order to exploit the vulnerability, an attacker needs to create an HTML web page and configure it in such a way that it causes a race condition and leads to a vulnerability such as use after release, and then to remote code execution.

Talos Vulnerability Report

TALOS-2020-1053

Mozilla Firefox SharedWorkerService Code Execution Vulnerability

JUNE 10, 2020
CVE NUMBER

CVE-2020-12405

Summary

An exploitable code execution vulnerability exists in the SharedWorkerService functionality of Mozilla Firefox 76.0a1 (2020-04-01) x64. A specially crafted HTML web page can cause a use after free condition, resulting in a remote code execution. The victim needs to visit malicious web site to trigger the vulnerability.

Tested Versions

Mozilla Firefox 76.0a1 (2020-04-01) x64

Product URLs

Mozilla Firefox

CVSSv3 Score

8.8 – CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 – Use After Free

Details

Mozilla Firefox is one of the most popular web browsers on the world available for a variety of the different platforms : Windows, Linux, OSX, Android and more. Its active development ensure support for the newest web technologies like HTML5 or CSS3.

The vulnerability is related with the SharedWorker component and objects internaly related with it. A malicious web page can lead to a race condition situation which can cause a use-after-free vulnerability and remote code execution.

Tracking an SharedWorkerService object life cycle we can notice that there is an allocation made :

previously allocated by thread T46 (IPDL Background) here:
    #0 0x55b699485b0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55b6994bb4fd in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fa306effc46 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fa306effc46 in mozilla::dom::SharedWorkerService::GetOrCreate() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.cpp:126:42
    #4 0x7fa306effa77 in mozilla::dom::SharedWorkerParent::Initialize(mozilla::dom::RemoteWorkerData const&, unsigned long, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerParent.cpp:50:41
    #5 0x7fa3014c45aa in mozilla::ipc::BackgroundParentImpl::RecvPSharedWorkerConstructor(mozilla::dom::PSharedWorkerParent*, mozilla::dom::RemoteWorkerData const&, unsigned long const&, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/ipc/glue/BackgroundParentImpl.cpp:552:10
    #6 0x7fa301c6538f in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:5068:28
    #7 0x7fa30153813c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
    #8 0x7fa301535255 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
    #9 0x7fa3015366cf in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
    #10 0x7fa301536ede in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
    #11 0x7fa3004c58ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
    #12 0x7fa3004d035c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #13 0x7fa301540ec9 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:332:5
    #14 0x7fa30146cfe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7fa30146cfe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #16 0x7fa30146cfe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #17 0x7fa3004bf245 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:464:10
    #18 0x7fa3169a51fe in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7fa31a2c2668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)

Further, in a consequence of handling the next event inside another thread, the SharedWorkerService object gets deallocated:

0x606000315770 is located 48 bytes inside of 64-byte region [0x606000315740,0x606000315780)
freed by thread T0 here:
    #0 0x55b69948588d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7fa306eff34c in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7fa306eff34c in Release /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.h:31:3
    #3 0x7fa306eff34c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #4 0x7fa306eff34c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #5 0x7fa306eff34c in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #6 0x7fa306eff34c in mozilla::dom::SharedWorkerManagerHolder::~SharedWorkerManagerHolder() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerManager.cpp:285:1
    #7 0x7fa306f04611 in mozilla::dom::SharedWorkerManagerHolder::Release() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerManager.h:32:3
    #8 0x7fa306f0853a in detail::ProxyReleaseEvent<mozilla::dom::SharedWorkerManagerHolder>::Run() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:36:5
    #9 0x7fa3004c58ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
    #10 0x7fa3004d035c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #11 0x7fa30153fe6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #12 0x7fa30146cfe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #13 0x7fa30146cfe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #14 0x7fa30146cfe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #15 0x7fa307562ff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #16 0x7fa30aafa5bb in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:271:30
    #17 0x7fa30ad00546 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4614:22
    #18 0x7fa30ad023b1 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4749:8
    #19 0x7fa30ad030f3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4800:21
    #20 0x55b6994b8726 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:217:22
    #21 0x55b6994b8726 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:331:16
    #22 0x7fa319d851e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16

“Simultaneously” execution of thread T46 continues which in the final result leads to a use-after-free of the SharedWorkerService object:

==12981==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000315770 at pc 0x7fa306f0022f bp 0x7fa2e155f5f0 sp 0x7fa2e155f5e8 WRITE of size 8 at 0x606000315770 thread T46 (IPDL Background)

#0 0x7fa306f0022e in fetch_add /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:514:16
#1 0x7fa306f0022e in operator++ /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:331:19
#2 0x7fa306f0022e in AddRef /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.h:31:3
#3 0x7fa306f0022e in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:39
#4 0x7fa306f0022e in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:380:35
#5 0x7fa306f0022e in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:109:7
#6 0x7fa306f0022e in GetOrCreateWorkerManagerRunnable /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.cpp:37:9
#7 0x7fa306f0022e in mozilla::dom::SharedWorkerService::GetOrCreateWorkerManager(mozilla::dom::SharedWorkerParent*, mozilla::dom::RemoteWorkerData const&, unsigned long, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.cpp:159:11
#8 0x7fa306effaa7 in mozilla::dom::SharedWorkerParent::Initialize(mozilla::dom::RemoteWorkerData const&, unsigned long, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerParent.cpp:52:12
#9 0x7fa3014c45aa in mozilla::ipc::BackgroundParentImpl::RecvPSharedWorkerConstructor(mozilla::dom::PSharedWorkerParent*, mozilla::dom::RemoteWorkerData const&, unsigned long const&, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/ipc/glue/BackgroundParentImpl.cpp:552:10
#10 0x7fa301c6538f in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:5068:28
#11 0x7fa30153813c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
#12 0x7fa301535255 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
#13 0x7fa3015366cf in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
#14 0x7fa301536ede in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
#15 0x7fa3004c58ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
#16 0x7fa3004d035c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#17 0x7fa301540ed4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
#18 0x7fa30146cfe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#19 0x7fa30146cfe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#20 0x7fa30146cfe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#21 0x7fa3004bf245 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:464:10
#22 0x7fa3169a51fe in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#23 0x7fa31a2c2668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
#24 0x7fa319e80322 in clone /build/glibc-t7JzpG/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Further analysis revealed that the root cause of that vulnerability seems to be a lack of Mutex object in the GetOrCreateWorkerManager method: https://github.com/mozilla/gecko-dev/blob/5a52cec97c41ae1eda9412dfe6f4099a9af4c7dd/dom/workers/sharedworkers/SharedWorkerService.cpp#L152

Line 152    void SharedWorkerService::GetOrCreateWorkerManager(
Line 153        SharedWorkerParent* aActor, const RemoteWorkerData& aData,
Line 154        uint64_t aWindowID, const MessagePortIdentifier& aPortIdentifier) {
Line 155      AssertIsOnBackgroundThread();
Line 156
Line 157      // The real check happens on main-thread.
Line 158      RefPtr<GetOrCreateWorkerManagerRunnable> r =
Line 159          new GetOrCreateWorkerManagerRunnable(this, aActor, aData, aWindowID,
Line 160                                               aPortIdentifier);

In line 159 the SharedWorkerService object, represented by this, is passed as an argument to the GetOrCreateWorkerManagerRunnable method. Meanwhile it is destroyed via the ~SharedWorkerManagerHolder() destructor.

0x606000315770 is located 48 bytes inside of 64-byte region [0x606000315740,0x606000315780)
freed by thread T0 here:
    #0 0x55b69948588d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7fa306eff34c in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7fa306eff34c in Release /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.h:31:3
    #3 0x7fa306eff34c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #4 0x7fa306eff34c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #5 0x7fa306eff34c in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #6 0x7fa306eff34c in mozilla::dom::SharedWorkerManagerHolder::~SharedWorkerManagerHolder() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerManager.cpp:285:1

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and as a result could allow it to be turned into arbitrary code execution.

Crash Information

=================================================================

==12981==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000315770 at pc 0x7fa306f0022f bp 0x7fa2e155f5f0 sp 0x7fa2e155f5e8
WRITE of size 8 at 0x606000315770 thread T46 (IPDL Background)
    #0 0x7fa306f0022e in fetch_add /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:514:16
    #1 0x7fa306f0022e in operator++ /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:331:19
    #2 0x7fa306f0022e in AddRef /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.h:31:3
    #3 0x7fa306f0022e in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:39
    #4 0x7fa306f0022e in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:380:35
    #5 0x7fa306f0022e in RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:109:7
    #6 0x7fa306f0022e in GetOrCreateWorkerManagerRunnable /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.cpp:37:9
    #7 0x7fa306f0022e in mozilla::dom::SharedWorkerService::GetOrCreateWorkerManager(mozilla::dom::SharedWorkerParent*, mozilla::dom::RemoteWorkerData const&, unsigned long, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.cpp:159:11
    #8 0x7fa306effaa7 in mozilla::dom::SharedWorkerParent::Initialize(mozilla::dom::RemoteWorkerData const&, unsigned long, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerParent.cpp:52:12
    #9 0x7fa3014c45aa in mozilla::ipc::BackgroundParentImpl::RecvPSharedWorkerConstructor(mozilla::dom::PSharedWorkerParent*, mozilla::dom::RemoteWorkerData const&, unsigned long const&, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/ipc/glue/BackgroundParentImpl.cpp:552:10
    #10 0x7fa301c6538f in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:5068:28
    #11 0x7fa30153813c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
    #12 0x7fa301535255 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
    #13 0x7fa3015366cf in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
    #14 0x7fa301536ede in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
    #15 0x7fa3004c58ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
    #16 0x7fa3004d035c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #17 0x7fa301540ed4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
    #18 0x7fa30146cfe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7fa30146cfe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #20 0x7fa30146cfe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #21 0x7fa3004bf245 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:464:10
    #22 0x7fa3169a51fe in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #23 0x7fa31a2c2668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
    #24 0x7fa319e80322 in clone /build/glibc-t7JzpG/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x606000315770 is located 48 bytes inside of 64-byte region [0x606000315740,0x606000315780)
freed by thread T0 here:
    #0 0x55b69948588d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7fa306eff34c in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7fa306eff34c in Release /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.h:31:3
    #3 0x7fa306eff34c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
    #4 0x7fa306eff34c in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #5 0x7fa306eff34c in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #6 0x7fa306eff34c in mozilla::dom::SharedWorkerManagerHolder::~SharedWorkerManagerHolder() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerManager.cpp:285:1
    #7 0x7fa306f04611 in mozilla::dom::SharedWorkerManagerHolder::Release() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerManager.h:32:3
    #8 0x7fa306f0853a in detail::ProxyReleaseEvent<mozilla::dom::SharedWorkerManagerHolder>::Run() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:36:5
    #9 0x7fa3004c58ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
    #10 0x7fa3004d035c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #11 0x7fa30153fe6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #12 0x7fa30146cfe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #13 0x7fa30146cfe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #14 0x7fa30146cfe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #15 0x7fa307562ff8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #16 0x7fa30aafa5bb in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:271:30
    #17 0x7fa30ad00546 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4614:22
    #18 0x7fa30ad023b1 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4749:8
    #19 0x7fa30ad030f3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4800:21
    #20 0x55b6994b8726 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:217:22
    #21 0x55b6994b8726 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:331:16
    #22 0x7fa319d851e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16

previously allocated by thread T46 (IPDL Background) here:
    #0 0x55b699485b0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55b6994bb4fd in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fa306effc46 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fa306effc46 in mozilla::dom::SharedWorkerService::GetOrCreate() /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerService.cpp:126:42
    #4 0x7fa306effa77 in mozilla::dom::SharedWorkerParent::Initialize(mozilla::dom::RemoteWorkerData const&, unsigned long, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/dom/workers/sharedworkers/SharedWorkerParent.cpp:50:41
    #5 0x7fa3014c45aa in mozilla::ipc::BackgroundParentImpl::RecvPSharedWorkerConstructor(mozilla::dom::PSharedWorkerParent*, mozilla::dom::RemoteWorkerData const&, unsigned long const&, mozilla::dom::MessagePortIdentifier const&) /builds/worker/checkouts/gecko/ipc/glue/BackgroundParentImpl.cpp:552:10
    #6 0x7fa301c6538f in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:5068:28
    #7 0x7fa30153813c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
    #8 0x7fa301535255 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
    #9 0x7fa3015366cf in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
    #10 0x7fa301536ede in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
    #11 0x7fa3004c58ce in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
    #12 0x7fa3004d035c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #13 0x7fa301540ec9 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:332:5
    #14 0x7fa30146cfe7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7fa30146cfe7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #16 0x7fa30146cfe7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #17 0x7fa3004bf245 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:464:10
    #18 0x7fa3169a51fe in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x7fa31a2c2668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)

Thread T46 (IPDL Background) created by T0 here:
    #0 0x55b69947029a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fa316995655 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fa31698651e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fa3004c1c0c in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:670:8
    #4 0x7fa3004cf251 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:621:12
    #5 0x7fa3004d3183 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7fa3014f4e7e in NS_NewNamedThread<16> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:65:10
    #7 0x7fa3014f4e7e in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:1325:7
    #8 0x7fa3014f66c4 in CreateActorForSameProcess /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:1235:32
    #9 0x7fa3014f66c4 in ParentContentActorCreateFunc((anonymous namespace)::ChildImpl::ThreadLocalInfo*, unsigned int, nsIEventTarget*, (anonymous namespace)::ChildImpl**) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:864:9
    #10 0x7fa3014fefdb in (anonymous namespace)::ChildImpl::ThreadInfoWrapper::GetOrCreateForCurrentThread(nsIEventTarget*) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:420:7
    #11 0x7fa30573ce17 in mozilla::dom::ClientManager::ClientManager() /builds/worker/checkouts/gecko/dom/clients/manager/ClientManager.cpp:50:7
    #12 0x7fa30573f310 in mozilla::dom::ClientManager::GetOrCreateForCurrentThread() /builds/worker/checkouts/gecko/dom/clients/manager/ClientManager.cpp:212:14
    #13 0x7fa30573fd12 in mozilla::dom::ClientManager::CreateSource(mozilla::dom::ClientType, nsISerialEventTarget*, nsIPrincipal*) /builds/worker/checkouts/gecko/dom/clients/manager/ClientManager.cpp:268:31
    #14 0x7fa30a2cc552 in nsDocShell::MaybeCreateInitialClientSource(nsIPrincipal*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:2527:26
    #15 0x7fa30a2fa1b5 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, nsIURI*, bool, bool, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6554:5
    #16 0x7fa30a2fba9c in CreateAboutBlankContentViewer /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6612:10
    #17 0x7fa30a2fba9c in non-virtual thunk to nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #18 0x7fa30a3bdc13 in mozilla::AppWindow::Initialize(nsIAppWindow*, nsIAppWindow*, nsIURI*, int, int, bool, nsIRemoteTab*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/checkouts/gecko/xpfe/appshell/AppWindow.cpp:298:21
    #19 0x7fa30a3dfccb in nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, nsIRemoteTab*, mozIDOMWindowProxy*, mozilla::AppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:679:25
    #20 0x7fa30a3e13c7 in nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIRemoteTab*, mozIDOMWindowProxy*, nsIAppWindow**) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:172:8
    #21 0x7fa30aafc911 in nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIRemoteTab*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:634:15
    #22 0x7fa30ac75086 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsIRemoteTab*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:424:33
    #23 0x7fa30ac72ee6 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:910:12
    #24 0x7fa30ac6ddec in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:292:3
    #25 0x7fa3005085c1 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #26 0x7fa301ed7cfb in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1634:10
    #27 0x7fa301ed7cfb in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1175:19
    #28 0x7fa301ed7cfb in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1141:23
    #29 0x7fa301edcd02 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
    #30 0x7fa30af3c9e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:476:13
    #31 0x7fa30af3c9e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:568:12
    #32 0x7fa30af3e69a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:631:10
    #33 0x7fa30af2504a in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:635:10
    #34 0x7fa30af2504a in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3026:16
    #35 0x7fa30af0aff3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:448:10
    #36 0x7fa30af40998 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:824:13
    #37 0x7fa30b0108ec in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:499:10
    #38 0x7fa30b01130c in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::StackGCVector<JSObject*, js::TempAllocPolicy> >) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:606:10
    #39 0x7fa30b010f62 in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/checkouts/gecko/js/src/builtin/Eval.cpp:561:10
    #40 0x7fa301dcb5db in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSComponentLoader.cpp:929:19
    #41 0x7fa301dd3f8a in mozJSComponentLoader::Import(JSContext*, nsTSubstring<char> const&, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSObject*>, bool) /builds/worker/checkouts/gecko/js/xpconnect/loader/mozJSComponentLoader.cpp:1343:12
    #42 0x7fa300447f93 in mozilla::xpcom::ConstructJSMComponent(nsTSubstring<char> const&, char const*, nsISupports**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:1586:3
    #43 0x7fa300438740 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11097:7
    #44 0x7fa3004754c5 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:219:46
    #45 0x7fa3004754c5 in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1372:17
    #46 0x7fa30046bc3e in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1559:10
    #47 0x7fa30047cfa2 in CallGetService /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #48 0x7fa30047cfa2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253:21
    #49 0x7fa3002f4756 in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91:7
    #50 0x7fa30ad0e17d in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:1054:5
    #51 0x7fa30ad0e17d in nsAppStartupNotifier::NotifyObservers(char const*) /builds/worker/checkouts/gecko/toolkit/xre/nsAppStartupNotifier.cpp:42:23
    #52 0x7fa30acff9ea in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4396:3
    #53 0x7fa30ad023b1 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4749:8
    #54 0x7fa30ad030f3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4800:21
    #55 0x55b6994b8726 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:217:22
    #56 0x55b6994b8726 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:331:16
    #57 0x7fa319d851e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/atomic_base.h:514:16 in fetch_add
Shadow bytes around the buggy address:
  0x0c0c8005aa90: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c8005aaa0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c8005aab0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8005aac0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c8005aad0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
=>0x0c0c8005aae0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c0c8005aaf0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c8005ab00: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c8005ab10: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8005ab20: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c8005ab30: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12981==ABORTING
Exiting due to channel error.
Exiting due to channel error.

Timeline

2020-04-20 – Vendor Disclosure
2020-06-02 – Vendor Patched
2020-06-10 – Public Release

CREDIT

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.

LEAVE A REPLY

Please enter your comment!
Please enter your name here