ASan detects heap buffer overflow in Tor Browser 6.5a1 Hardened
Tor Browser 6.5a1 Hardened reliably triggers ASan when visiting https://www.facebook.com/messages/ with the message:
==5786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fff8d268000 at pc 0x7ffff6ef8d65 bp 0x7fff8a7563f0 sp 0x7fff8a755b98
READ of size 9437184 at 0x7fff8d268000 thread T70 (DOM Worker)
I have also (once) seen a stack buffer underflow, again on the DOM Worker thread, using the same repro case:
==5689==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fff919db9a0 at pc 0x7ffff6ef8d65 bp 0x7fff9838d3f0 sp 0x7fff9838cb98
READ of size 9437184 at 0x7fff919db9a0 thread T69 (DOM Worker)
I have attached a symbolized backtrace for the heap overflow case and a partial (sorry!) backtrace of the underflow case.
This may be related to #19515, but the crash looks different enough (DOM Worker thread vs Compositor thread) to warrant a new report.
Steps to reproduce:
- Have Tor Browser 6.5a1 Hardened installed, low security level
- Navigate to https://www.facebook.com/messages/ (you will need a Facebook login for this)
- Wait a few seconds