[tbb-bugs] #19400 [Applications/Tor Browser]: [Asan] Crash in js::AsmJSModule::deserialize / DeserializeSig

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 14 12:47:06 UTC 2016


#19400: [Asan] Crash in js::AsmJSModule::deserialize / DeserializeSig
---------------------------------------------+-----------------------------
 Reporter:  cypherpunks                      |          Owner:  tbb-team
     Type:  defect                           |         Status:  needs_information
 Priority:  Very High                        |      Milestone:
Component:  Applications/Tor Browser         |        Version:
 Severity:  Critical                         |     Resolution:
 Keywords:  tbb-crash, TorBrowserTeam201606  |  Actual Points:
Parent ID:                                   |         Points:
 Reviewer:                                   |        Sponsor:
---------------------------------------------+-----------------------------

Comment (by gk):

 Okay, I think I found out some important things:

 0) I assume the crashes on mega.nz that some of our users observe are
 caused by the same underlying flaw. I attach a stacktrace from a mega.nz
 related crash that should be similar enough to justify treating it as the
 same bug.

 1) The first crucial bit that was missing so far was that updating must be
 involved to reproduce the problem. I.e., I am pretty sure that using a
 clean, new 6.0.1 or 6.5a1 is working fine (can you confirm this,
 cypherpunk?). That would explain our problems reproducing the crash, I
 guess.

 2) The second crucial bit is that one must have visited e.g. mega.nz once
 before the update (I guess this applies to Facebook as well but I don't
 have an account to verify this). "Ideally", you have mega.nz open, apply
 your update and visit mega.nz again and it crashes.

 3) The problem is confined to the Tor Browser profile. More specifically,
 for some reason there is a `https+++mega.nz` folder in
 `profile.default/storage/temporary` that contains binary asmjs/moduleN
 files which are different between a clean new profile used to visit
 mega.nz once and a profile that contains them after the update. Not sure
 whether that difference is enough to explain the crashes (probably not)
 but removing `https+++mega.nz` solves the problem for me.

 4) This is not an issue with vanilla Firefox. I tried applying my STR to
 Firefox 45.1.1esr/45.2.0esr and did not hit this problem.

 Things I still don't understand are:

 a) What role exactly does the updater play here?
 b) How can it be that these asmjs modules are saved to disk given that we
 are in PBM?
 c) Which of our patches is actually causing this problem given 4)?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19400#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
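Added example, not part of gk's comment and not Tor Browser's own tooling: a small POSIX shell script that does the profile comparison point 3 describes by hand. It lists every cached asm.js module under a profile's `storage/temporary` with its SHA-256, counts the modules that differ between two profiles (say, a clean profile that visited mega.nz once and one that was updated afterwards), and applies the workaround of removing one origin's cache directory. The only assumption is the layout the comment gives, `<profile>/storage/temporary/<origin>/asmjs/module<N>`, with an origin directory named like `https+++mega.nz`; the function names are the example's own, and the two profiles it runs on are constructed in a temporary directory, so no real profile is touched.

```shell
#!/bin/sh
# Added example (not part of the ticket or of Tor Browser): inspect the
# asm.js module cache under a profile's storage/temporary directory.
# Assumed layout, taken from point 3 of the comment:
#   <profile>/storage/temporary/<origin>/asmjs/module<N>
# e.g. <profile>/storage/temporary/https+++mega.nz/asmjs/module0
# Everything below runs on sample profiles built in a temporary directory;
# no real profile is read or modified unless you pass one in yourself.

# SHA-256 of one file; falls back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print one line per cached module: "<origin> <relative file> <sha256>".
list_asmjs_modules() {
    base="$1/storage/temporary"
    [ -d "$base" ] || return 0
    for f in "$base"/*/asmjs/module*; do
        [ -f "$f" ] || continue           # an unmatched glob stays literal
        rel="${f#"$base"/}"               # https+++mega.nz/asmjs/module0
        printf '%s %s %s\n' "${rel%%/*}" "${rel#*/}" "$(hash_file "$f")"
    done
}

# Number of modules that differ in content, or exist on one side only,
# between two profiles (e.g. a clean profile vs. one that was updated).
# Lines present in both listings cancel out under uniq -u; what remains is
# collapsed to distinct "<origin> <file>" keys and counted.
count_cache_differences() {
    {
        list_asmjs_modules "$1"
        list_asmjs_modules "$2"
    } | sort | uniq -u | cut -d' ' -f1,2 | sort -u | wc -l | tr -d ' '
}

# The workaround from point 3: drop one origin's cache directory.
remove_origin_cache() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    rm -rf "$1/storage/temporary/$2"
}

# Build a constructed sample profile holding a single cached module.
make_sample_profile() {
    dir="$1/storage/temporary/https+++mega.nz/asmjs"
    mkdir -p "$dir"
    printf '%s' "$2" > "$dir/module0"
}

# Demonstration on two constructed profiles.
demo() {
    tmp=$(mktemp -d)
    make_sample_profile "$tmp/clean"   "constructed module bytes, before update"
    make_sample_profile "$tmp/updated" "constructed module bytes, after update"
    echo "clean profile:";   list_asmjs_modules "$tmp/clean"
    echo "updated profile:"; list_asmjs_modules "$tmp/updated"
    echo "differing modules: $(count_cache_differences "$tmp/clean" "$tmp/updated")"
    remove_origin_cache "$tmp/updated" "https+++mega.nz"
    echo "after removal the updated profile has $(list_asmjs_modules "$tmp/updated" | wc -l | tr -d ' ') cached modules"
    rm -rf "$tmp"
}

demo
```

To use it against real data, call `list_asmjs_modules` on a copy of the profile directory rather than the live one, and keep the listing from before the update so the later comparison has something to diff against; the hashes are what tell you whether the cached module bytes actually changed, which is the open question in point 3.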