Bug 1079815 - Heap-use-after-free in nsRefPtr<nsCSSFontFaceRule>::get()
Opened 10 years ago; Closed 10 years ago
Categories: Core :: DOM: CSS Object Model, defect
Status: VERIFIED FIXED
Target Milestone: mozilla35

Tracking | Status
---|---
firefox34 | unaffected
firefox35 | fixed
firefox-esr31 | unaffected
People: Reporter: attekett, Assigned: jtd
Details: 5 keywords, Whiteboard: [fixed by bug 1079422]
Attachments (1 file): 514 bytes, text/html
Description•10 years ago
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/
To reproduce, open the repro file with an ASAN build of Firefox. For more reliable reproduction I added a location.reload at the end of the repro file. You might need to adjust the timing of that location.reload to reproduce the issue.
ASAN-trace:
==27716==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0001b2438 at pc 0x7f55910c2020 bp 0x7fffe8f033f0 sp 0x7fffe8f033e8
READ of size 8 at 0x60d0001b2438 thread T0
#0 0x7f55910c201f in get /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/nsRefPtr.h:222:0
#1 0x7f55910c201f in operator nsCSSFontFaceRule * /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/nsRefPtr.h:235:0
#2 0x7f55910c201f in HasRule /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/mozilla/dom/FontFace.h:125:0
#3 0x7f55910c201f in GetDesc /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFace.cpp:746:0
#4 0x7f55910c201f in mozilla::dom::FontFace::GetFamilyName(nsString&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFace.cpp:811:0
#5 0x7f5591058eb3 in mozilla::dom::FontFaceSet::InsertRuleFontFace(mozilla::dom::FontFace*, unsigned char, nsTArray<mozilla::dom::FontFaceSet::FontFaceRecord>&, bool&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFaceSet.cpp:676:0
#6 0x7f55910581a5 in mozilla::dom::FontFaceSet::UpdateRules(nsTArray<nsFontFaceRuleContainer> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFaceSet.cpp:552:0
.
.
.
0x60d0001b2438 is located 72 bytes inside of 136-byte region [0x60d0001b23f0,0x60d0001b2478)
freed by thread T0 here:
#0 0x471b71 in __interceptor_free _asan_rtl_:0
#1 0x7f558c2e9daa in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/base/nsCycleCollector.cpp:2624:0
#2 0x7f558c2e99b9 in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/base/nsCycleCollector.cpp:2797:0
#3 0x7f558d470629 in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCJSRuntime.cpp:228:0
#4 0x7f558c3ddf71 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830:0
#5 0x7f558c43b43a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265:0
.
.
.
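The lifetime pattern behind the trace above, as an added illustration that is not Gecko code and not the fix from bug 1079422 (whose patch is not on this page). Frame #0 reads the nsRefPtr member of a FontFace (HasRule, FontFace.h:125) at an address inside a 136-byte region that SnowWhiteKiller had already freed, so the FontFace* handed to FontFaceSet::InsertRuleFontFace pointed at memory the cycle collector had reclaimed on a later event-loop turn (AsyncFreeSnowWhite::Run). The model below uses std::shared_ptr for the owning reference and a queue that frees objects later, standing in for deferred FreeSnowWhite; the types FontFace, RawRuleRecord, WeakRuleRecord, DeferredFreeer and the UpdateRules* functions are invented for the example. It shows why a raw back-pointer cannot tell a live object from a freed one, why the crash depended on timing (the object is still readable while the free is only pending), and how a checked weak reference avoids the dereference.

```cpp
// Added model of the lifetime bug class in the ASAN trace above. Not Gecko code
// and not the fix from bug 1079422: FontFace, RuleRecord, DeferredFreeer and
// UpdateRules* below are invented stand-ins for the example.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for mozilla::dom::FontFace: a cycle-collected object whose
// descriptors UpdateRules() reads via GetFamilyName().
struct FontFace {
    std::string familyName;
    explicit FontFace(std::string name) : familyName(std::move(name)) {}
    void GetFamilyName(std::string& out) const { out = familyName; }
};

// Stand-in for the cycle collector's deferred freeing (FreeSnowWhite in the
// trace): releasing an object only queues it, and the memory is actually
// reclaimed later, when FreeSnowWhite() runs. The gap between the two is the
// timing window the reporter had to tune location.reload around.
struct DeferredFreeer {
    std::vector<std::shared_ptr<FontFace>> pending;
    void ReleaseLater(std::shared_ptr<FontFace> f) { pending.push_back(std::move(f)); }
    void FreeSnowWhite() { pending.clear(); }   // last strong ref dropped here
};

// Vulnerable record shape: an unowned raw pointer. Nothing distinguishes a live
// FontFace from one the collector has already freed.
struct RawRuleRecord { FontFace* face; };

// Hardened record shape: a weak reference that can be promoted and checked.
struct WeakRuleRecord { std::weak_ptr<FontFace> face; };

// Vulnerable UpdateRules: every record looks usable, so a real implementation
// would call face->GetFamilyName() on each and read freed memory (the READ of
// size 8 in the trace). We only count non-null pointers and never dereference.
std::size_t RawRecordsThatLookAlive(const std::vector<RawRuleRecord>& recs) {
    std::size_t n = 0;
    for (const auto& r : recs) {
        if (r.face != nullptr) ++n;
    }
    return n;
}

// Hardened UpdateRules: promote each weak reference first and skip the ones the
// deferred free already reclaimed. Returns the family names it could read.
std::vector<std::string> UpdateRulesChecked(const std::vector<WeakRuleRecord>& recs) {
    std::vector<std::string> names;
    for (const auto& r : recs) {
        if (auto face = r.face.lock()) {      // strong ref for the duration of use
            std::string name;
            face->GetFamilyName(name);
            names.push_back(name);
        }
    }
    return names;
}

struct ScenarioResult {
    std::size_t rawLookAlive;                  // raw records still non-null after free
    std::size_t checkedBeforeFree;             // names readable while free is pending
    std::vector<std::string> checkedAfterFree; // names readable after the free
};

// Two FontFaces are recorded; the sheet owning the second one goes away (as a
// location.reload would cause), the collector frees it, and then UpdateRules
// runs with the stale records.
ScenarioResult RunScenario() {
    DeferredFreeer cc;
    auto a = std::make_shared<FontFace>("Alpha Sans");
    auto b = std::make_shared<FontFace>("Beta Serif");
    std::vector<RawRuleRecord> raw{{a.get()}, {b.get()}};
    std::vector<WeakRuleRecord> weak{{a}, {b}};

    cc.ReleaseLater(std::move(b));             // owner drops its reference
    ScenarioResult r{};
    r.checkedBeforeFree = UpdateRulesChecked(weak).size();  // both still alive: 2
    cc.FreeSnowWhite();                        // AsyncFreeSnowWhite::Run equivalent
    r.rawLookAlive = RawRecordsThatLookAlive(raw);          // 2: dangling != null
    r.checkedAfterFree = UpdateRulesChecked(weak);          // only "Alpha Sans"
    return r;
}

int main() {
    ScenarioResult r = RunScenario();
    std::cout << "raw records that look alive after free: " << r.rawLookAlive << "\n"
              << "checked names before free: " << r.checkedBeforeFree << "\n"
              << "checked names after free: " << r.checkedAfterFree.size() << "\n";
    return 0;
}
```

The point of the two record shapes is the check in UpdateRulesChecked: promoting the weak reference before touching the object is what a raw pointer can never do, and the strong reference it yields also keeps the object alive for the rest of the loop body, so a collector run in the middle of UpdateRules cannot free it underneath the caller either.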
Updated•10 years ago
Component: General → DOM: CSS Object Model
Comment 1•10 years ago
[Tracking Requested - why for this release]:
regression
Most probably a regression from bug 1028497
status-firefox35: --- → affected
tracking-firefox35: --- → ?
Comment 2•10 years ago
I can reproduce the crash in a local Linux64 ASAN debug build - within a few seconds.
Backing out bug 1077746 (using the first patch in bug 1079422) makes the crash go away - I ran it for about 10 minutes without any problems.
Comment 3•10 years ago
The stack in comment 0 leading up to the crash:
...
#3 GetDesc
#4 mozilla::dom::FontFace::GetFamilyName
#5 mozilla::dom::FontFaceSet::InsertRuleFontFace
#6 mozilla::dom::FontFaceSet::UpdateRules(nsTArray<nsFontFaceRuleContainer>
is the same as in bp-1a9abd4a-7c0a-4469-910e-a1c442141007
so I think this bug is likely a dupe of bug 1079422. It's just that an ASAN build crashes a bit earlier so the top stack frames differ slightly.
Updated•10 years ago
Keywords: csectype-uaf, sec-critical
Comment 4•10 years ago
Mats, can you confirm that this is fixed now that bug 1079422 has landed? Thanks.
Flags: needinfo?(mats)
Comment 5•10 years ago
Yes, I can't reproduce it anymore. Resolving as fixed by bug 1079422.
Status: NEW → RESOLVED
Closed: 10 years ago
tracking-firefox35: ? → ---
Flags: needinfo?(mats)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1079422]
Target Milestone: --- → mozilla35
Comment 6•10 years ago
Thanks for checking.
Assignee: nobody → jdaggett
status-firefox34: --- → unaffected
status-firefox-esr31: --- → unaffected
Keywords: regression
Comment 7•10 years ago
Confirmed crash on Fx35, 2014-10-06.
Verified fixed on Fx35, release candidate, 2015-01-06.
Status: RESOLVED → VERIFIED
Updated•9 years ago
Group: core-security