[tbb-bugs] #19400 [Applications/Tor Browser]: [Asan] Crash in js::AsmJSModule::deserialize / DeserializeSig
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jun 14 12:47:06 UTC 2016
#19400: [Asan] Crash in js::AsmJSModule::deserialize / DeserializeSig
---------------------------------------------+-----------------------------
Reporter: cypherpunks                        | Owner: tbb-team
Type: defect                                 | Status: needs_information
Priority: Very High                          | Milestone:
Component: Applications/Tor Browser          | Version:
Severity: Critical                           | Resolution:
Keywords: tbb-crash, TorBrowserTeam201606    | Actual Points:
Parent ID:                                   | Points:
Reviewer:                                    | Sponsor:
---------------------------------------------+-----------------------------
Comment (by gk):
Okay, I think I found out some important things:

0) I assume the crashes on mega.nz some of our users observe are caused by the same underlying flaw. I attach a stacktrace from a mega.nz-related crash that should be similar enough to justify treating it as the same bug.

1) The first crucial bit that was missing so far was that updating must be involved to reproduce the problem. I.e. I am pretty sure that using a clean, new 6.0.1 or 6.5a1 is working fine (can you confirm this, cypherpunk?). That would explain our problems reproducing the crash, I guess.

2) The second crucial bit is that one must have visited e.g. mega.nz once before the update (I guess this applies to Facebook as well, but I don't have an account to verify this). "Ideally", you have mega.nz open, apply your update and visit mega.nz again, and it crashes.

3) The problem is confined to the Tor Browser profile. More specifically, for some reason there is a `https+++mega.nz` folder in `profile.default/storage/temporary` that contains binary asmjs/moduleN files which are different between a clean new profile used to visit mega.nz once and a profile that contains them after the update. Not sure whether that difference is enough to explain the crashes (probably not), but removing `https+++mega.nz` solves the problem for me.

4) This is not an issue with a vanilla Firefox. I tried applying my STR to Firefox 45.1.1esr/45.2.0esr and did not hit this problem.

Things I still don't understand are:

a) What role exactly does the updater play here?

b) How can it be that these asmjs modules are saved to disk given that we are in PBM?

c) Which of our patches is actually causing this problem given 4)?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19400#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
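To follow up the diagnosis in item 3 of the comment above, here is an added helper script (not part of the ticket or of Tor Browser) that inventories and hashes the per-origin asm.js module cache under a profile's `storage/temporary`, reports which origins changed between a clean and an updated profile, and wraps the folder-removal workaround; the profile paths and the sample cache contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket: inventory and compare the per-origin asm.js
# module cache (storage/temporary/<origin>/asmjs/moduleN) between two Tor Browser
# profiles, e.g. a clean one and one that went through an update (item 3 above).
# Profile paths are assumptions; point the functions at your own profile.default.

# SHA-256 of one file; falls back to shasum where sha256sum is absent.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Print "<origin> <module> <sha256>" for every cached asm.js module in a profile.
asmjs_inventory() {
    base="$1/storage/temporary"
    [ -d "$base" ] || return 0
    for origin in "$base"/*; do
        [ -d "$origin/asmjs" ] || continue
        for mod in "$origin/asmjs"/module*; do
            [ -f "$mod" ] || continue
            printf '%s %s %s\n' "$(basename "$origin")" "$(basename "$mod")" "$(file_digest "$mod")"
        done
    done
}

# Origins whose module set or module bytes differ between two profiles.
asmjs_changed_origins() {
    a=$(mktemp); b=$(mktemp)
    asmjs_inventory "$1" | sort > "$a"
    asmjs_inventory "$2" | sort > "$b"
    # comm -3 keeps only lines unique to one side (file-2 lines carry a leading tab).
    comm -3 "$a" "$b" | tr -d '\t' | cut -d' ' -f1 | sort -u
    rm -f "$a" "$b"
}

# The workaround from item 3: drop one origin's temporary storage. Rejects anything
# that is not a plain directory name so the rm cannot escape the profile.
asmjs_purge_origin() {
    case "$2" in ''|.|..|*/*) echo "bad origin name: '$2'" >&2; return 1;; esac
    rm -rf "$1/storage/temporary/$2"
}

# Constructed demo data (not real cache contents): two minimal profiles that differ
# only in the bytes of mega.nz's module0.
demo_root=$(mktemp -d); trap 'rm -rf "$demo_root"' EXIT
for p in clean updated; do mkdir -p "$demo_root/$p/storage/temporary/https+++mega.nz/asmjs"; done
printf 'module bytes before update' > "$demo_root/clean/storage/temporary/https+++mega.nz/asmjs/module0"
printf 'module bytes after update' > "$demo_root/updated/storage/temporary/https+++mega.nz/asmjs/module0"

echo "changed origins:"; asmjs_changed_origins "$demo_root/clean" "$demo_root/updated"
```

Run `asmjs_inventory` against a profile before and after applying an update to keep the hashes for comparison; `asmjs_purge_origin <profile> https+++mega.nz` reproduces the manual folder removal from item 3.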