Bug 1070759 (Closed): Use-after-poison in nsStyleText::WhiteSpaceOrNewlineIsSignificant
Opened 10 years ago; closed 10 years ago
Categories: Core :: CSS Parsing and Computation, defect
Status: VERIFIED FIXED; target milestone mozilla35
Tracking
Version | Tracking | Status
---|---|---
firefox32 | --- | unaffected
firefox33 | --- | unaffected
firefox34 | --- | unaffected
firefox35 | --- | verified
firefox-esr31 | --- | unaffected
People: Reporter: inferno, Assigned: heycam
Details: 5 keywords, Whiteboard: [fixed by backout of bug 1045895]
Attachments: 2 files
```text
==31766==ERROR: AddressSanitizer: use-after-poison on address 0x6250005137a4 at pc 0x7f349bb48e1b bp 0x7fffe9b56630 sp 0x7fffe9b56628
READ of size 1 at 0x6250005137a4 thread T0
    #0 0x7f349bb48e1a in nsStyleText::WhiteSpaceOrNewlineIsSignificant() const src/layout/base/../style/nsStyleStruct.h:1618:5
    #1 0x7f349baaa1be in nsStyleText::CalcDifference(nsStyleText const&) const src/layout/style/nsStyleStruct.cpp:3256:7
    #2 0x7f349ba94c4e in nsStyleContext::CalcStyleDifference(nsStyleContext*, nsChangeHint, unsigned int*) src/layout/style/nsStyleContext.cpp:677:3
    #3 0x7f349bf4733d in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*) src/layout/base/RestyleManager.cpp:2347:5
    #4 0x7f349bf4ed26 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsIFrame**) src/layout/base/RestyleManager.cpp:2928:7
    #5 0x7f349bf48e6d in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2459:7
    #6 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
    #7 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
    #8 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
    #9 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
    #10 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
    #11 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
    #12 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
    #13 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
    #14 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
    #15 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
    #16 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
    #17 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
    #18 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
    #19 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
    #20 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
    #21 0x7f349bf5e566 in mozilla::RestyleManager::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint) src/layout/base/RestyleManager.cpp:3516:7
    #22 0x7f349bf2e870 in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint) src/layout/base/RestyleManager.cpp:3457:3
    #23 0x7f349bf2d403 in mozilla::RestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint) src/layout/base/RestyleManager.cpp:909:5
    #24 0x7f349bf629c5 in mozilla::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint) src/layout/base/RestyleTracker.cpp:123:5
    #25 0x7f349bf60662 in mozilla::RestyleTracker::DoProcessRestyles() src/layout/base/RestyleTracker.cpp:205:7
    #26 0x7f349bf3c31f in mozilla::RestyleTracker::ProcessRestyles() src/layout/base/RestyleTracker.h:276:7
    #27 0x7f349bf3b0c1 in mozilla::RestyleManager::ProcessPendingRestyles() src/layout/base/RestyleManager.cpp:1527:3
    #28 0x7f349bd49f2e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/nsPresShell.cpp:4230:9
    #29 0x7f349be45fac in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1243:11
    #30 0x7f349be7092e in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:173:5
    #31 0x7f349be7016c in mozilla::RefreshDriverTimer::Tick() src/layout/base/nsRefreshDriver.cpp:164:7
    #32 0x7f349be6f7f2 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) src/layout/base/nsRefreshDriver.cpp:190:5
    #33 0x7f3487afe4b6 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:618:7
    #34 0x7f3487b00d61 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:711:3
    #35 0x7f3487ad0c9d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:823:7
    #36 0x7f3487c77021 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/glue/nsThreadUtils.cpp:265:10
    #37 0x7f348a204e51 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:99:21
    #38 0x7f348a029120 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:234:3
    #39 0x7f348a028e88 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:227:3
    #40 0x7f348a028d0d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:201:3
    #41 0x7f3497909428 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #42 0x7f34a0d439bc in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:280:19
    #43 0x7f34a10ee1f0 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4159:10
    #44 0x7f34a10f2a92 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:4230:8
    #45 0x7f34a10f573d in XRE_main src/toolkit/xre/nsAppRunner.cpp:4444:16
    #46 0x4c3e66 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:282:12
    #47 0x4c0c09 in main src/browser/app/nsBrowserApp.cpp:643:16
    #48 0x7f34b688576c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #49 0x4c039c in _start

0x6250005137a4 is located 7844 bytes inside of 8192-byte region [0x625000511900,0x625000513900)
allocated by thread T0 here:
    #0 0x4a00e9 in malloc _asan_rtl_
    #1 0x7f34b39e9905 in PR_Malloc src/nsprpub/pr/src/malloc/prmem.c:435:55
    #2 0x7f34b37440ee in PL_ArenaAllocate src/nsprpub/lib/ds/plarena.c:203:27
    #3 0x7f349bcb16bc in nsPresArena::Allocate(unsigned int, unsigned long) src/layout/base/nsPresArena.cpp:94:3
    #4 0x7f349bc140ce in nsPresArena::AllocateByObjectID(nsPresArena::ObjectID, unsigned long) src/layout/mathml/../base/nsPresArena.h:90:12
    #5 0x7f349b982b7b in nsIPresShell::AllocateByObjectID(nsPresArena::ObjectID, unsigned long) src/layout/mathml/../base/nsIPresShell.h:251:20
    #6 0x7f349ca42c87 in nsLineBox::operator new(unsigned long, nsIPresShell*) src/layout/generic/nsLineBox.cpp:152:10
    #7 0x7f349ca42941 in NS_NewLineBox(nsIPresShell*, nsIFrame*, bool) src/layout/generic/nsLineBox.cpp:73:3
    #8 0x7f349c5e610a in nsBlockFrame::NewLineBox(nsIFrame*, bool) src/layout/generic/nsBlockFrame.h:383:12
    #9 0x7f349c600f6a in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:4986:25
    #10 0x7f349c62d6ce in nsBlockFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) src/layout/generic/nsBlockFrame.cpp:6513:5
    #11 0x7f349c0d3b78 in MoveChildrenTo(nsPresContext*, nsIFrame*, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:1467:5
    #12 0x7f349c0d5213 in nsCSSFrameConstructor::CreateIBSiblings(nsFrameConstructorState&, nsContainerFrame*, bool, nsFrameItems&, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10951:5
    #13 0x7f349c0ba9ba in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10901:3
    #14 0x7f349c0ab44e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3738:7
    #15 0x7f349c0cb107 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5801:3
    #16 0x7f349c07bf0c in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9563:5
    #17 0x7f349c0ba10f in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10873:3
    #18 0x7f349c0ab44e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3738:7
    #19 0x7f349c0cb107 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5801:3
    #20 0x7f349c07bf0c in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9563:5
    #21 0x7f349c0ba10f in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10873:3
    #22 0x7f349c0ab44e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3738:7
    #23 0x7f349c0cb107 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5801:3
    #24 0x7f349c07bf0c in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9563:5
    #25 0x7f349c0ecc86 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) src/layout/base/nsCSSFrameConstructor.cpp:6974:3
    #26 0x7f349c0e151b in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6616:5
    #27 0x7f349c0e170b in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6623:7
    #28 0x7f349c0edbb4 in nsCSSFrameConstructor::CreateNeededFrames() src/layout/base/nsCSSFrameConstructor.cpp:6638:5
    #29 0x7f349bf3ae4c in mozilla::RestyleManager::ProcessPendingRestyles() src/layout/base/RestyleManager.cpp:1494:3

SUMMARY: AddressSanitizer: use-after-poison ??:0 ??
```
Comment 1 (Reporter) • 10 years ago
This memory might always be poisoned, even in a regular release build. Feel free to remove the security tags if there are no security implications.
Comment 2 • 10 years ago
In a DEBUG build I also got a couple of assertions before reaching the ASAN error:
Assertion failure: !mozilla::IsNaN(mValue.mFloat), at layout/style/nsCSSValue.h:524
Assertion failure: !mozilla::IsNaN(mValue.mFloat), at layout/style/nsCSSValue.cpp:402
Comment 3 • 10 years ago
We're using a nsStyleText* that has been destroyed. These things are allocated from the pres shell arena, so poisoning should make this non-exploitable. I'm leaving the bug hidden for now though until we find the root cause of the crash.
Keywords: csectype-framepoisoning, sec-other
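The arena-with-poisoning idea comment 3 relies on, as an added example that is not Mozilla's nsPresArena and not code from this bug: a toy single-size-class arena that fills released objects with a constructed pattern, marks them poisoned under ASan so a read through a stale pointer is reported as use-after-poison, and verifies the pattern on reuse to catch writes to freed memory. All names, ARENA_SIZE and POISON_BYTE are assumptions of this example.

```c
/* Added example: minimal arena whose free list is poisoned on release, in the spirit of the
 * frame-poisoning approach comment 3 relies on (constructed here; not Mozilla's nsPresArena). */
#ifndef __has_feature
#  define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#  include <sanitizer/asan_interface.h>  /* under ASan a stale read becomes use-after-poison */
#else
#  define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#  define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ARENA_SIZE  8192  /* same region size as in the report above; one size class only */
#define POISON_BYTE 0xAB  /* constructed fill pattern: stale reads see this, not live data */
typedef struct FreeNode { struct FreeNode *next; } FreeNode;
typedef struct { uint8_t *base; size_t used, obj_size; FreeNode *free_list; } Arena;
/* obj_size must be >= sizeof(FreeNode) and a multiple of 8 (ASan poisons 8-byte granules). */
static void arena_init(Arena *a, size_t obj_size) {
    a->base = malloc(ARENA_SIZE); a->used = 0; a->obj_size = obj_size; a->free_list = NULL;
}
/* Release: fill with the poison pattern, push onto the free list, then poison for ASan. */
static void arena_free(Arena *a, void *p) {
    memset(p, POISON_BYTE, a->obj_size);
    ((FreeNode *)p)->next = a->free_list;
    a->free_list = p;
    ASAN_POISON_MEMORY_REGION(p, a->obj_size);
}
/* Allocate: reuse a free-listed object if any. Before handing it out, verify the poison
 * beyond the link pointer is intact; a mismatch means something wrote to the freed object. */
static void *arena_alloc(Arena *a, bool *poison_damaged) {
    *poison_damaged = false;
    uint8_t *p;
    if (a->free_list) {
        p = (uint8_t *)a->free_list;
        ASAN_UNPOISON_MEMORY_REGION(p, a->obj_size);
        a->free_list = a->free_list->next;
        for (size_t i = sizeof(FreeNode); i < a->obj_size; i++)
            if (p[i] != POISON_BYTE) { *poison_damaged = true; break; }
    } else {
        if (a->used + a->obj_size > ARENA_SIZE) return NULL;
        p = a->base + a->used;
        a->used += a->obj_size;
    }
    memset(p, 0, a->obj_size);  /* hand out a zeroed object either way */
    return p;
}
```

Built without ASan the macros are no-ops and only the pattern check remains; built with -fsanitize=address, any read of a released object before it is reallocated is reported as use-after-poison, just as in the report above.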
Comment 4 • 10 years ago
I can't reproduce this on Aurora. I get the IsNaN assertions, but not the ASAN crash. (Aurora tip (rev 26ee4bed7952), ASAN debug build on Linux64)
Keywords: regression, regressionwindow-wanted
Comment 5 • 10 years ago
Regression is from:
88d6381ad5d1 2014-09-10 14:42 +1000 Cameron McCormack - Bug 1045895 - Pass out provider frame from RestyleSelf to avoid calling GetParentStyleContextFrame again. r=dbaron
Blocks: 1045895
Keywords: regressionwindow-wanted
Comment 6 • 10 years ago
FYI, I had to work around bug 1045895 in my display:contents patches (bug 907396). I changed the nsIFrame** outparam to an nsStyleContext**: https://bugzilla.mozilla.org/attachment.cgi?id=8492598&action=diff#a/layout/base/RestyleManager.cpp_sec5 It would be great if the fix here could take into account that style contexts won't necessarily have an associated "provider frame" in the near future.
Comment 7 (Assignee) • 10 years ago
I couldn't reproduce the ASAN assertion, but I do get the nsCSSValue assertions. How about for the moment we just back out bug 1045895, since that patch wasn't intending to change any functionality.
Comment 8 (Assignee) • 10 years ago
Backed out on inbound. Mats or Abishek, can you test that the ASAN assertions have gone?
Comment 9 • 10 years ago
Yep, the ASAN crash is gone in latest m-c (6a63bcb6e0d3). There is bug 873260 on the nsCSSValue assertion, I'll copy the test there for now.
Assignee: nobody → cam
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox32: --- → unaffected
status-firefox33: --- → unaffected
status-firefox34: --- → unaffected
status-firefox35: --- → fixed
Resolution: --- → FIXED
Whiteboard: [fixed by backout of bug 1045895]
Target Milestone: --- → mozilla35
Updated • 10 years ago
status-firefox-esr31: --- → unaffected
Comment 10 • 9 years ago
Confirmed crash on Fx35, 2014-09-15. Verified fixed on Fx35 release candidate, 2015-01-06.
Status: RESOLVED → VERIFIED
Updated • 9 years ago
Group: core-security