Closed Bug 1070759 Opened 10 years ago Closed 10 years ago

Use-after-poison in nsStyleText::WhiteSpaceOrNewlineIsSignificant

Categories

(Core :: CSS Parsing and Computation, defect)

Platform: x86_64
OS: All
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla35
Tracking Status
firefox32 --- unaffected
firefox33 --- unaffected
firefox34 --- unaffected
firefox35 --- verified
firefox-esr31 --- unaffected

People

(Reporter: inferno, Assigned: heycam)

Details

(5 keywords, Whiteboard: [fixed by backout of bug 1045895])

Attachments

(2 files)

Attached file test.html
>==31766==ERROR: AddressSanitizer: use-after-poison on address 0x6250005137a4 at pc 0x7f349bb48e1b bp 0x7fffe9b56630 sp 0x7fffe9b56628
>READ of size 1 at 0x6250005137a4 thread T0
>    #0 0x7f349bb48e1a in nsStyleText::WhiteSpaceOrNewlineIsSignificant() const src/layout/base/../style/nsStyleStruct.h:1618:5
>    #1 0x7f349baaa1be in nsStyleText::CalcDifference(nsStyleText const&) const src/layout/style/nsStyleStruct.cpp:3256:7
>    #2 0x7f349ba94c4e in nsStyleContext::CalcStyleDifference(nsStyleContext*, nsChangeHint, unsigned int*) src/layout/style/nsStyleContext.cpp:677:3
>    #3 0x7f349bf4733d in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*) src/layout/base/RestyleManager.cpp:2347:5
>    #4 0x7f349bf4ed26 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsIFrame**) src/layout/base/RestyleManager.cpp:2928:7
>    #5 0x7f349bf48e6d in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2459:7
>    #6 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
>    #7 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
>    #8 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
>    #9 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
>    #10 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
>    #11 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
>    #12 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
>    #13 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
>    #14 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
>    #15 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
>    #16 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
>    #17 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
>    #18 0x7f349bf5b084 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) src/layout/base/RestyleManager.cpp:3383:13
>    #19 0x7f349bf54884 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) src/layout/base/RestyleManager.cpp:3103:7
>    #20 0x7f349bf49bc9 in mozilla::ElementRestyler::Restyle(nsRestyleHint) src/layout/base/RestyleManager.cpp:2533:3
>    #21 0x7f349bf5e566 in mozilla::RestyleManager::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint) src/layout/base/RestyleManager.cpp:3516:7
>    #22 0x7f349bf2e870 in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint) src/layout/base/RestyleManager.cpp:3457:3
>    #23 0x7f349bf2d403 in mozilla::RestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint) src/layout/base/RestyleManager.cpp:909:5
>    #24 0x7f349bf629c5 in mozilla::RestyleTracker::ProcessOneRestyle(mozilla::dom::Element*, nsRestyleHint, nsChangeHint) src/layout/base/RestyleTracker.cpp:123:5
>    #25 0x7f349bf60662 in mozilla::RestyleTracker::DoProcessRestyles() src/layout/base/RestyleTracker.cpp:205:7
>    #26 0x7f349bf3c31f in mozilla::RestyleTracker::ProcessRestyles() src/layout/base/RestyleTracker.h:276:7
>    #27 0x7f349bf3b0c1 in mozilla::RestyleManager::ProcessPendingRestyles() src/layout/base/RestyleManager.cpp:1527:3
>    #28 0x7f349bd49f2e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/nsPresShell.cpp:4230:9
>    #29 0x7f349be45fac in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1243:11
>    #30 0x7f349be7092e in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:173:5
>    #31 0x7f349be7016c in mozilla::RefreshDriverTimer::Tick() src/layout/base/nsRefreshDriver.cpp:164:7
>    #32 0x7f349be6f7f2 in mozilla::RefreshDriverTimer::TimerTick(nsITimer*, void*) src/layout/base/nsRefreshDriver.cpp:190:5
>    #33 0x7f3487afe4b6 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:618:7
>    #34 0x7f3487b00d61 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:711:3
>    #35 0x7f3487ad0c9d in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:823:7
>    #36 0x7f3487c77021 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/glue/nsThreadUtils.cpp:265:10
>    #37 0x7f348a204e51 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:99:21
>    #38 0x7f348a029120 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:234:3
>    #39 0x7f348a028e88 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:227:3
>    #40 0x7f348a028d0d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:201:3
>    #41 0x7f3497909428 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:164:3
>    #42 0x7f34a0d439bc in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:280:19
>    #43 0x7f34a10ee1f0 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4159:10
>    #44 0x7f34a10f2a92 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:4230:8
>    #45 0x7f34a10f573d in XRE_main src/toolkit/xre/nsAppRunner.cpp:4444:16
>    #46 0x4c3e66 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:282:12
>    #47 0x4c0c09 in main src/browser/app/nsBrowserApp.cpp:643:16
>    #48 0x7f34b688576c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
>    #49 0x4c039c in _start
>
>0x6250005137a4 is located 7844 bytes inside of 8192-byte region [0x625000511900,0x625000513900)
>allocated by thread T0 here:
>    #0 0x4a00e9 in malloc _asan_rtl_
>    #1 0x7f34b39e9905 in PR_Malloc src/nsprpub/pr/src/malloc/prmem.c:435:55
>    #2 0x7f34b37440ee in PL_ArenaAllocate src/nsprpub/lib/ds/plarena.c:203:27
>    #3 0x7f349bcb16bc in nsPresArena::Allocate(unsigned int, unsigned long) src/layout/base/nsPresArena.cpp:94:3
>    #4 0x7f349bc140ce in nsPresArena::AllocateByObjectID(nsPresArena::ObjectID, unsigned long) src/layout/mathml/../base/nsPresArena.h:90:12
>    #5 0x7f349b982b7b in nsIPresShell::AllocateByObjectID(nsPresArena::ObjectID, unsigned long) src/layout/mathml/../base/nsIPresShell.h:251:20
>    #6 0x7f349ca42c87 in nsLineBox::operator new(unsigned long, nsIPresShell*) src/layout/generic/nsLineBox.cpp:152:10
>    #7 0x7f349ca42941 in NS_NewLineBox(nsIPresShell*, nsIFrame*, bool) src/layout/generic/nsLineBox.cpp:73:3
>    #8 0x7f349c5e610a in nsBlockFrame::NewLineBox(nsIFrame*, bool) src/layout/generic/nsBlockFrame.h:383:12
>    #9 0x7f349c600f6a in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:4986:25
>    #10 0x7f349c62d6ce in nsBlockFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) src/layout/generic/nsBlockFrame.cpp:6513:5
>    #11 0x7f349c0d3b78 in MoveChildrenTo(nsPresContext*, nsIFrame*, nsContainerFrame*, nsFrameList&) src/layout/base/nsCSSFrameConstructor.cpp:1467:5
>    #12 0x7f349c0d5213 in nsCSSFrameConstructor::CreateIBSiblings(nsFrameConstructorState&, nsContainerFrame*, bool, nsFrameItems&, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10951:5
>    #13 0x7f349c0ba9ba in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10901:3
>    #14 0x7f349c0ab44e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3738:7
>    #15 0x7f349c0cb107 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5801:3
>    #16 0x7f349c07bf0c in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9563:5
>    #17 0x7f349c0ba10f in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10873:3
>    #18 0x7f349c0ab44e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3738:7
>    #19 0x7f349c0cb107 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5801:3
>    #20 0x7f349c07bf0c in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9563:5
>    #21 0x7f349c0ba10f in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10873:3
>    #22 0x7f349c0ab44e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3738:7
>    #23 0x7f349c0cb107 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5801:3
>    #24 0x7f349c07bf0c in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9563:5
>    #25 0x7f349c0ecc86 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) src/layout/base/nsCSSFrameConstructor.cpp:6974:3
>    #26 0x7f349c0e151b in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6616:5
>    #27 0x7f349c0e170b in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6623:7
>    #28 0x7f349c0edbb4 in nsCSSFrameConstructor::CreateNeededFrames() src/layout/base/nsCSSFrameConstructor.cpp:6638:5
>    #29 0x7f349bf3ae4c in mozilla::RestyleManager::ProcessPendingRestyles() src/layout/base/RestyleManager.cpp:1494:3
>
>SUMMARY: AddressSanitizer: use-after-poison ??:0 ??
>Shadow bytes around the buggy address:
>  0x0c4a8009a6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c4a8009a6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c4a8009a6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c4a8009a6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  0x0c4a8009a6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>=>0x0c4a8009a6f0: 00 00 00 00[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00
>  0x0c4a8009a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
>  0x0c4a8009a710: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
>  0x0c4a8009a720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c4a8009a730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x0c4a8009a740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Heap right redzone:      fb
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack partial redzone:   f4
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Container overflow:      fc
>  Array cookie:            ac
>  ASan internal:           fe
>==31766==ABORTING
This memory might always be poisoned, even in a regular release build. Feel free to remove the security tags if there are no security implications.
Severity: normal → critical
Keywords: crash, testcase
Attached file assertions
In a DEBUG build I also got a couple of assertions before reaching the ASAN error:
Assertion failure: !mozilla::IsNaN(mValue.mFloat), at layout/style/nsCSSValue.h:524
Assertion failure: !mozilla::IsNaN(mValue.mFloat), at layout/style/nsCSSValue.cpp:402
We're using an nsStyleText* that has been destroyed.  These things are allocated from the pres shell arena, so poisoning should make this non-exploitable.  I'm leaving the bug hidden for now though until we find the root cause of the crash.
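The comment above explains why the report reads "use-after-poison" rather than "use-after-free": arena memory is never handed back to malloc, so ASan only notices a stale pointer if the arena itself poisons freed objects. The following is an added illustration, not Gecko code and not anything from nsPresArena or from anyone on this bug: a minimal fixed-size arena that poisons freed slots through ASan's manual poisoning API (ASAN_POISON_MEMORY_REGION / ASAN_UNPOISON_MEMORY_REGION from <sanitizer/asan_interface.h>, which are real and compile to no-ops when the build is not sanitized), with a software shadow alongside so the same check runs without the sanitizer. All names here (arena_t, style_text_t, the demo_* functions, the ARENA_DEREF_STALE switch) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Use ASan's manual poisoning API when built with -fsanitize=address;
 * otherwise the macros compile to nothing and the example still runs. */
#ifdef __has_feature
#  if __has_feature(address_sanitizer)
#    define ARENA_HAVE_ASAN 1
#  endif
#endif
#ifdef __SANITIZE_ADDRESS__
#  define ARENA_HAVE_ASAN 1
#endif
#ifdef ARENA_HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define ARENA_POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define ARENA_UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define ARENA_POISON(p, n)   ((void)(p), (void)(n))
#  define ARENA_UNPOISON(p, n) ((void)(p), (void)(n))
#endif

enum { CHUNK_BYTES = 8192, OBJ_BYTES = 64, NSLOTS = CHUNK_BYTES / OBJ_BYTES };

typedef struct {
    unsigned char chunk[CHUNK_BYTES]; /* never returned to malloc while the arena lives */
    size_t bump;                      /* bytes carved off the chunk so far */
    void *free_list;                  /* LIFO list of recycled slots; link lives in the slot */
    unsigned char shadow[NSLOTS];     /* software shadow: 1 = poisoned, like ASan's f7 byte */
} arena_t;

static size_t slot_of(const arena_t *a, const void *p) {
    return (size_t)((const unsigned char *)p - a->chunk) / OBJ_BYTES;
}

arena_t *arena_new(void) {
    arena_t *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    memset(a->shadow, 1, NSLOTS);          /* nothing handed out yet: all poisoned */
    ARENA_POISON(a->chunk, CHUNK_BYTES);
    return a;
}

void arena_destroy(arena_t *a) {
    ARENA_UNPOISON(a->chunk, CHUNK_BYTES); /* leave the shadow clean before free() */
    free(a);
}

void *arena_alloc(arena_t *a) {
    unsigned char *p;
    if (a->free_list) {
        p = a->free_list;
        ARENA_UNPOISON(p, OBJ_BYTES);      /* unpoison before reading the link */
        memcpy(&a->free_list, p, sizeof a->free_list);
    } else {
        if (a->bump + OBJ_BYTES > CHUNK_BYTES) return NULL;
        p = a->chunk + a->bump;
        a->bump += OBJ_BYTES;
        ARENA_UNPOISON(p, OBJ_BYTES);
    }
    a->shadow[slot_of(a, p)] = 0;
    memset(p, 0, OBJ_BYTES);
    return p;
}

void arena_free(arena_t *a, void *p) {
    memcpy(p, &a->free_list, sizeof a->free_list); /* write the link, then poison */
    a->free_list = p;
    a->shadow[slot_of(a, p)] = 1;
    ARENA_POISON(p, OBJ_BYTES);
}

/* Portable stand-in for the check ASan makes on every load:
 * 0 = addressable, -1 = use-after-poison, -2 = not an arena address. */
int arena_check_read(const arena_t *a, const void *p) {
    const unsigned char *q = p;
    if (q < a->chunk || q >= a->chunk + CHUNK_BYTES) return -2;
    return a->shadow[slot_of(a, p)] ? -1 : 0;
}

/* Hypothetical stand-in for a style struct that a frame keeps a pointer to. */
typedef struct { uint8_t white_space; uint8_t pad[OBJ_BYTES - 1]; } style_text_t;

/* The report's situation: the object is destroyed while a pointer to it is
 * still held, and that pointer is read later. Returns -1: the slot is
 * poisoned, which is exactly where ASan would report use-after-poison. */
int demo_read_after_free(void) {
    arena_t *a = arena_new();
    style_text_t *cached = arena_alloc(a);
    cached->white_space = 1;
    arena_free(a, cached);                 /* 'cached' now dangles into poisoned memory */
#ifdef ARENA_DEREF_STALE
    volatile uint8_t sink = cached->white_space; /* the real ASan report fires on this load */
    (void)sink;
#endif
    int r = arena_check_read(a, cached);
    arena_destroy(a);
    return r;
}

/* What poisoning does not cover: once the slot is recycled it is unpoisoned
 * for the new object, so the same stale pointer reads the new object's bytes
 * with no report at all. Returns 1 when the stale pointer aliases the fresh
 * allocation and the check passes. */
int demo_read_after_reuse(void) {
    arena_t *a = arena_new();
    style_text_t *cached = arena_alloc(a);
    arena_free(a, cached);
    style_text_t *fresh = arena_alloc(a);  /* LIFO free list hands back the same slot */
    fresh->white_space = 7;
    int r = (fresh == cached && arena_check_read(a, cached) == 0 &&
             cached->white_space == 7);
    arena_destroy(a);
    return r;
}
```

Build with -fsanitize=address -DARENA_DEREF_STALE to get the real report, including the f7 "Poisoned by user" shadow bytes, on the stale load in demo_read_after_free; without the sanitizer the software shadow returns -1 at the same point. demo_read_after_reuse is the case the poison does not protect against: the detection window closes as soon as the slot is reused, which is why a release-build poison pattern only turns the bug into a deterministic crash and the real fix is removing the stale pointer.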
I can't reproduce this on Aurora.  I get the IsNaN assertions, but not the ASAN crash.
(Aurora tip (rev 26ee4bed7952), ASAN debug build on Linux64)
Regression is from:
88d6381ad5d1
2014-09-10 14:42 +1000	Cameron McCormack - Bug 1045895 - Pass out provider frame from RestyleSelf to avoid calling GetParentStyleContextFrame again. r=dbaron
FYI, I had to work around bug 1045895 in my display:contents patches (bug 907396).
I changed the nsIFrame** outparam to a nsStyleContext**:
https://bugzilla.mozilla.org/attachment.cgi?id=8492598&action=diff#a/layout/base/RestyleManager.cpp_sec5
It would be great if the fix here could take into account that style contexts won't necessarily have an associated "provider frame" in the near future.
I couldn't reproduce the ASAN assertion, but I do get the nsCSSValue assertions.  How about for the moment we just back out bug 1045895, since that patch wasn't intending to change any functionality.
Backed out on inbound.  Mats or Abishek, can you test that the ASAN assertions have gone?
Yep, the ASAN crash is gone in latest m-c (6a63bcb6e0d3).

There is bug 873260 on the nsCSSValue assertion, I'll copy the test there for now.
Assignee: nobody → cam
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by backout of bug 1045895]
Target Milestone: --- → mozilla35
Confirmed crash on Fx35, 2014-09-15.
Verified fixed on Fx35 release candidate, 2015-01-06.
Status: RESOLVED → VERIFIED
Group: core-security