Closed Bug 1153478 (CVE-2015-2713) Opened 4 years ago Closed 4 years ago

heap-use-after-free in SetBreaks

Categories

(Core :: Layout: Text and Fonts, defect, critical)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla40
Tracking Status
firefox37 --- wontfix
firefox38 + fixed
firefox39 + fixed
firefox40 + fixed
firefox-esr31 38+ fixed
firefox-esr38 --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: scott.bell, Assigned: mats)

References

Details

(4 keywords, Whiteboard: [asan][adv-main38+][adv-esr31.7+])

Attachments

(6 files)

Attached file crash.html
==3799==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000038200 at pc 0x7f555a8ac8a1 bp 0x7fff68025060 sp 0x7fff68025058
READ of size 8 at 0x62b000038200 thread T0 (Web Content)
    #0 0x7f555a8ac8a0 in SetBreaks /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:974
    #1 0x7f5556d97c92 in FlushCurrentWord /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsLineBreaker.cpp:121
    #2 0x7f5556d9c9f1 in Reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsLineBreaker.cpp:489
    #3 0x7f555a8518e4 in FlushLineBreaks /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1523
    #4 0x7f555a84a423 in FlushFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1513
    #5 0x7f555a859862 in BuildTextRuns /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1437
    #6 0x7f555a88f4ac in ReflowText /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:8229
    #7 0x7f555a614245 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:957
    #8 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #9 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #10 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #11 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #12 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #13 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #14 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #15 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #16 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #17 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #18 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #19 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #20 0x7f555a679a71 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3959
    #21 0x7f555a6781e3 in DoReflowInlineFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3761
    #22 0x7f555a66f682 in ReflowInlineFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3627
    #23 0x7f555a66119b in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:2713
    #24 0x7f555a659d24 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:1160
    #25 0x7f555a675894 in ReflowBlock /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockReflowContext.cpp:291
    #26 0x7f555a66cd1c in ReflowBlockFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3354
    #27 0x7f555a6611bb in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:2710
    #28 0x7f555a659d24 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:1160
    #29 0x7f555a6c1c25 in ReflowChild /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsContainerFrame.cpp:963
    #30 0x7f555a6a7a39 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsCanvasFrame.cpp:672
    #31 0x7f555a7501d1 in ReflowChild /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsContainerFrame.cpp:963
    #32 0x7f555a751729 in ReflowContents /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:621
    #33 0x7f555a753ac5 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:856
    #34 0x7f555a6c1fbe in ReflowChild /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsContainerFrame.cpp:1005
    #35 0x7f555a8a66ff in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsViewportFrame.cpp:217
    #36 0x7f555a5bc49a in DoReflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:9159
    #37 0x7f555a5d0e48 in ProcessReflowCommands /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:9319
    #38 0x7f555a5d02ca in FlushPendingNotifications /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:4320
    #39 0x7f555a34cae3 in Tick /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1663
    #40 0x7f555a3556a0 in TickDriver /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:198
    #41 0x7f555a354f0d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:440
    #42 0x7f555abb7140 in RecvNotify /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #43 0x7f55557ed52c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:224
    #44 0x7f555539a53c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1082
    #45 0x7f5555329dc2 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1237
    #46 0x7f5555327856 in DispatchMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1164
    #47 0x7f555531bc94 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1148
    #48 0x7f55552bf914 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361
    #49 0x7f55552c09c7 in DoWork /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:456
    #50 0x7f5555331062 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:233
    #51 0x7f5554a76d04 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #52 0x7f5554ad90ea in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #53 0x7f55553307a8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:140
    #54 0x7f55552be49c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #55 0x7f5559d3ad17 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #56 0x7f555b8c9d72 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #57 0x7f55552be49c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #58 0x7f555b8c93e2 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #59 0x48ce81 in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:222
    #60 0x7f55525d8ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #61 0x48c24c in _start ??:?

0x62b000038200 is located 0 bytes inside of 26492-byte region [0x62b000038200,0x62b00003e97c)
freed by thread T0 (Web Content) here:
    #0 0x474661 in __interceptor_free _asan_rtl_
    #1 0x7f555a857387 in AssignTextRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:2584
    #2 0x7f555a8504be in BuildTextRunForFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:2255
    #3 0x7f555a84a7a0 in FlushFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1508
    #4 0x7f555a859862 in BuildTextRuns /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1437
    #5 0x7f555a88f4ac in ReflowText /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:8229
    #6 0x7f555a614245 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:957
    #7 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #8 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #9 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #10 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #11 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #12 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #13 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #14 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #15 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #16 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #17 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #18 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #19 0x7f555a679a71 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3959
    #20 0x7f555a6781e3 in DoReflowInlineFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3761
    #21 0x7f555a66f682 in ReflowInlineFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3627
    #22 0x7f555a66119b in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:2713
    #23 0x7f555a659d24 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:1160
    #24 0x7f555a675894 in ReflowBlock /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockReflowContext.cpp:291
    #25 0x7f555a66cd1c in ReflowBlockFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3354
    #26 0x7f555a6611bb in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:2710
    #27 0x7f555a659d24 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:1160
    #28 0x7f555a6c1c25 in ReflowChild /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsContainerFrame.cpp:963
    #29 0x7f555a6a7a39 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsCanvasFrame.cpp:672

previously allocated by thread T0 (Web Content) here:
    #0 0x474861 in __interceptor_malloc _asan_rtl_
    #1 0x7f55567778fe in AllocateStorageForTextRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxTextRun.cpp:109
    #2 0x7f555a8502aa in MakeTextRun<unsigned char> /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:581
    #3 0x7f555a84a7a0 in FlushFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1508
    #4 0x7f555a859862 in BuildTextRuns /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:1437
    #5 0x7f555a88f4ac in ReflowText /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsTextFrame.cpp:8229
    #6 0x7f555a614245 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:957
    #7 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #8 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #9 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #10 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #11 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #12 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #13 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #14 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #15 0x7f555a7e4173 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:774
    #16 0x7f555a7e3084 in ReflowFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:658
    #17 0x7f555a7e1e9d in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsInlineFrame.cpp:434
    #18 0x7f555a6141c0 in ReflowFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsLineLayout.cpp:955
    #19 0x7f555a679a71 in ReflowInlineFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3959
    #20 0x7f555a6781e3 in DoReflowInlineFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3761
    #21 0x7f555a66f682 in ReflowInlineFrames /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3627
    #22 0x7f555a66119b in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:2713
    #23 0x7f555a659d24 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:1160
    #24 0x7f555a675894 in ReflowBlock /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockReflowContext.cpp:291
    #25 0x7f555a66cd1c in ReflowBlockFrame /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:3354
    #26 0x7f555a6611bb in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:2710
    #27 0x7f555a659d24 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:1160
    #28 0x7f555a6c1c25 in ReflowChild /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsContainerFrame.cpp:963
    #29 0x7f555a6a7a39 in Reflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsCanvasFrame.cpp:672

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c567fffeff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567ffff000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567ffff010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567ffff020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567ffff030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c567ffff040:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567ffff050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567ffff060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567ffff070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567ffff080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c567ffff090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:
==3799==ABORTING
Severity: normal → critical
Component: General → Layout: Text
Keywords: crash, testcase
Product: Firefox → Core
Whiteboard: [asan]
Testcase contains "writing-mode:vertical-lr;direction:rtl;".

I couldn't reproduce it in a local DEBUG asan build on Linux64.
I'll try an Opt build tomorrow.
I see the following assertions in a debug build.

###!!! ASSERTION: Shouldn't be incomplete if availableBSize is UNCONSTRAINED.: 'aReflowState.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/layout/generic/nsBlockFrame.cpp, line 1571

###!!! ASSERTION: not in child list: 'found', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/layout/base/nsLayoutUtils.cpp, line 1227
Assertion failure: list && list->ContainsFrame(aChild) (aChild isn't our child or on a frame list not supported by StealFrame), at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/layout/generic/nsContainerFrame.cpp:1342
> ASSERTION: not in child list

This is likely the root cause.  Can you run it in gdb and attach a stack trace?

What's the BuildID of the debug build you're using?  (you can find it in the
application.ini file in the same directory as the firefox binary)
Flags: needinfo?(scott.bell)
Fwiw, I haven't been able to reproduce it in any local build, 
nor with Mozilla asan builds, so far.
Are there any steps that make it more reproducible for you?
(like resizing the window, reloading the page etc)
Are you using a default profile?
Attached file frame dump
I finally did manage to reproduce it, luckily in a debug build as well.

So what happens here is that we have a child frame inside an inline
frame that we push to some next-in-flows, so it sits in an OverflowList
with a stale parent pointer.  Then we decide to remove this child,
which basically does aChild->GetParent()->StealFrame(aChild) which
fails since it's the wrong parent due to the "lazy reparenting"
optimization in nsInlineFrame.

http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsContainerFrame.cpp?rev=c0d778faf638#147
Attached file prefs.js
Cool. So I'm using the following build with the attached prefs.js in my profile.
Version=40.0a1
BuildID=20150410122440
Flags: needinfo?(scott.bell)
Thanks.
Assignee: nobody → mats
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached patch fix (Splinter Review)
See comment 5 for a description of the root cause:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsContainerFrame.cpp#150

So that results in a destroyed nsInlineFrame in the tree.
How this leads to the crash in SetBreaks is still unknown.
What I do know is that somehow we end up with a text frame
in two flows and then we call AssignTextRun with the stack:

#1  gfxTextRun::~gfxTextRun (this=0x7fffac302000) at gfx/thebes/gfxTextRun.cpp:187
#2  gfxTextRun::~gfxTextRun (this=0x7fffac302000) at gfx/thebes/gfxTextRun.cpp:186
#3  BuildTextRunsScanner::AssignTextRun (this=0x7fffffff8d10, aTextRun=0x7fffac302000, aInflation=1) at layout/generic/nsTextFrame.cpp:2647
#4  BuildTextRunsScanner::BuildTextRunForFrames (this=0x7fffffff8d10, ...) at layout/generic/nsTextFrame.cpp:2312
#5  BuildTextRunsScanner::FlushFrames (this=0x7fffffff8d10, aFlushLineBreaks=true, aSuppressTrailingBreak=false) at layout/generic/nsTextFrame.cpp:1554
#6  BuildTextRuns (...) at layout/generic/nsTextFrame.cpp:1473
#7  nsTextFrame::EnsureTextRun (this=0x7fffb0776968, aWhichTextRun=nsTextFrame::eInflated, ... , aFlowEndInTextRun=0x7fffaafb36c4) at layout/generic/nsTextFrame.cpp:2693
#8  nsTextFrame::ReflowText (this=0x7fffb0776968, ...) at layout/generic/nsTextFrame.cpp:8292
#9  nsLineLayout::ReflowFrame (this=0x7fffffffa5f0, aFrame=0x7fffb0776968, ...) at layout/generic/nsLineLayout.cpp:957

This ClearTextRuns() call in AssignTextRun() was inlined:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsTextFrame.cpp#2584

The first time we process the frame F here is OK, we clear the old textrun
and then assign the new one on line 2596, all is well.  The second time
we see F in this loop, we call ClearTextRuns() and promptly delete the *new*
textrun - you can see it's the same address in the DTOR as 'aTextRun' above.
It quickly starts to go badly wrong after that of course.

The destroyed nsInlineFrame isn't involved here though and I don't know how
that caused the same text frame to be on multiple flows.  I tried to use
'rr' but it failed to run on my platform (Ubuntu 14.something, x86-64).
Attachment #8592199 - Flags: review?(roc)
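As an added illustration of the double ClearTextRuns() sequence described in the comment above (a simplified model written for this page, not Gecko's code; the names AssignTextRunBuggy, AssignTextRunChecked, SetBreaksIsSafe and the `alive` flag are assumptions of the model):

```cpp
#include <cstdio>
#include <vector>

// Hypothetical, simplified model of the sequence described in comment 8; this
// is not Gecko code.  A TextRun is "freed" by flipping `alive` instead of being
// deleted, so the stale access stays observable instead of undefined behaviour.
struct TextRun {
    int id;
    int users;    // frames currently pointing at this run
    bool alive;   // false once ClearTextRuns() has "freed" it
};

struct Frame {
    int id;
    TextRun* run;
};

// Stands in for nsTextFrame::ClearTextRuns(): detach the frame from its run and
// free the run once no frame references it.
static void ClearTextRuns(Frame& f) {
    if (!f.run) return;
    TextRun* r = f.run;
    f.run = nullptr;
    if (--r->users == 0) r->alive = false;  // the model's `delete r`
}

// The loop as the comment describes AssignTextRun(): clear each frame in the
// flow, then point it at the new run.  If the same frame is listed twice (a
// text frame that ended up in two flows), the second visit frees the run that
// was assigned on the first visit and leaves the frame with a dangling pointer.
static void AssignTextRunBuggy(const std::vector<Frame*>& flow, TextRun* newRun) {
    for (Frame* f : flow) {
        ClearTextRuns(*f);
        f->run = newRun;
        ++newRun->users;  // on the second visit this already touches freed memory
    }
}

// Defensive variant (an added guard for illustration, not the patch in this
// bug, which repaired the frame tree so a frame cannot be in two flows): a
// frame that already holds `newRun` was visited earlier in this pass, so skip
// it and report the duplicate instead of clearing it.
static bool AssignTextRunChecked(const std::vector<Frame*>& flow, TextRun* newRun) {
    bool noDuplicates = true;
    for (Frame* f : flow) {
        if (f->run == newRun) { noDuplicates = false; continue; }
        ClearTextRuns(*f);
        f->run = newRun;
        ++newRun->users;
    }
    return noDuplicates;
}

// Stands in for the read in SetBreaks(): true iff the frame's run is still live.
static bool SetBreaksIsSafe(const Frame& f) {
    return f.run != nullptr && f.run->alive;
}

// Constructed scenario from the comment: frame F is reached twice in one flush.
// Returns whether the later SetBreaks()-style read would be on a live run.
static bool ScenarioReadIsSafe(bool hardened) {
    TextRun oldRun{1, 1, true};   // F's previous run, referenced only by F
    TextRun newRun{2, 0, true};
    Frame F{7, &oldRun};
    std::vector<Frame*> flow{&F, &F};
    if (hardened) AssignTextRunChecked(flow, &newRun);
    else          AssignTextRunBuggy(flow, &newRun);
    return SetBreaksIsSafe(F);
}

// True iff the checked variant flags the duplicated frame.
static bool ScenarioDuplicateFlagged() {
    TextRun oldRun{1, 1, true}, newRun{2, 0, true};
    Frame F{7, &oldRun};
    std::vector<Frame*> flow{&F, &F};
    return !AssignTextRunChecked(flow, &newRun);
}

int main() {
    std::printf("buggy read safe: %d\n", ScenarioReadIsSafe(false));
    std::printf("hardened read safe: %d, duplicate flagged: %d\n",
                ScenarioReadIsSafe(true), ScenarioDuplicateFlagged());
    return 0;
}
```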
With the fix above, I'm still seeing these assertions for the test.
I think they are just bogus.  It happens when you have frames like so:
A1
  x1
A2
  x2
  overflow: y

Reflowing A1 pulls x2, so now A2 is empty with an overflow list,
which is what the assertion says can't happen.  I'm not sure
why we're not seeing it more often, actually.
Attachment #8592213 - Flags: review?(roc)
I think all branches are affected, although it's probably hard to reproduce
unless you have vertical-text enabled.  The vertical-text code seems to
cause a lot of overflow lists in the tree somehow, and sometimes it's not
actually completing the reflow (as we saw in bug 1145768 comment 6).
I think the crash is exploitable, but it's probably hard to make it crash
without vertical-text enabled.  I think it's only enabled by default in
Nightly and Aurora, as far as I know.
Keywords: sec-critical
OS: Linux → All
Hardware: x86_64 → All
Keywords: csectype-uaf
(In reply to Mats Palmgren (:mats) from comment #8)
> The destroyed nsInlineFrame isn't involved here though and I don't know how
> that caused the same text frame to be on multiple flows.  I tried to use
> 'rr' but it failed to run on my platform (Ubuntu 14.something, x86-64).

Please file an rr issue on that!
Comment on attachment 8592199 [details] [diff] [review]
fix

Review of attachment 8592199 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/generic/nsInlineFrame.cpp
@@ +234,5 @@
> +      }
> +    }
> +
> +    // Due to our "lazy reparenting" optimization 'aChild' might not actually
> +    // be on any of our child lists, but instead in one of our next-in-flows.
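
Review bot: the new comment at +234 says 'aChild' may sit in one of the next-in-flows, but nothing in these lines explains why a prev-in-flow of the original parent is excluded, nor what the caller observes when the child is found in none of the next-in-flows; suggest extending the comment with both points (the later discussion in this bug gives the reason for the prev-in-flow case: frames pulled into a prev-in-flow are reparented at pull time), so the bound of the search is documented next to the code.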

Can't it be in a prev-in-flow as well?
Attachment #8592199 - Flags: review?(roc)
I don't think so.  We pick these children up from the prev-in-flow's overflow
list and put them on mFrames (without reparenting them!) when we start reflow:
https://dxr.mozilla.org/mozilla-central/source/layout/generic/nsInlineFrame.cpp#351
Then we reparent them as we go.  Or we push them to that frame's overflow
list which will eventually move them forward.  I don't see how they can move
before the original parent though.
Actually if we reflow a prev-in-flow of the original parent it may in fact
pull up an arbitrary number of children from its next-in-flows.  Hmmm.
I'll add a last ditch effort to search the prev-in-flows too.
It doesn't really cost anything since normal web pages should
never hit this code.
Actually, nsInlineFrame::PullOneFrame already has code to reparent the
pulled up frame so that shouldn't be a problem:
https://dxr.mozilla.org/mozilla-central/source/layout/generic/nsInlineFrame.cpp#857
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #13)
> Please file an rr issue on that!

https://github.com/mozilla/rr/issues/1459
Attachment #8592199 - Flags: review?(roc)
Comment on attachment 8592199 [details] [diff] [review]
fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Very hard.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

All.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

I expect backporting to be easy.

How likely is this patch to cause regressions; how much testing does it need?

Low risk, this code is well covered by tests so if there's any problem
with the patch it should show up in the first test run.
Attachment #8592199 - Flags: sec-approval?
Comment on attachment 8592199 [details] [diff] [review]
fix

sec-approval = dveditz
Attachment #8592199 - Flags: sec-approval? → sec-approval+
[Tracking Requested - why for this release]: sec-critical security bug
Mats, can we have an uplift request to aurora & beta? Thanks
Flags: needinfo?(mats)
Comment on attachment 8592199 [details] [diff] [review]
fix

Approval Request Comment
[Feature/regressing bug #]: bug 5588
[User impact if declined]: possibly exploitable crash
[Describe test coverage new/current, TreeHerder]: we have no specific test for this edge case but the normal path in this code is well covered by existing tests
[Risks and why]: low-risk
[String/UUID change made/needed]: none
Flags: needinfo?(mats)
Attachment #8592199 - Flags: approval-mozilla-esr31?
Attachment #8592199 - Flags: approval-mozilla-beta?
Attachment #8592199 - Flags: approval-mozilla-aurora?
Blocks: 5588
https://hg.mozilla.org/mozilla-central/rev/0ca91806d2c4
https://hg.mozilla.org/mozilla-central/rev/34a7eeb94839
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Attachment #8592199 - Flags: approval-mozilla-beta?
Attachment #8592199 - Flags: approval-mozilla-beta+
Attachment #8592199 - Flags: approval-mozilla-aurora?
Attachment #8592199 - Flags: approval-mozilla-aurora+
Attachment #8592199 - Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
Flags: sec-bounty? → sec-bounty+
Ryan, if you see ESR tracking set to '?' and you check it into ESR, please set the tracking to the current version.
Flags: sec-bounty+ → sec-bounty?
Flags: sec-bounty? → sec-bounty+
Whiteboard: [asan] → [asan][adv-main38+][adv-main31.7+]
Whiteboard: [asan][adv-main38+][adv-main31.7+] → [asan][adv-main38+][adv-esr31.7+]
Alias: CVE-2015-2713
I was unable to reproduce this issue using an old Asan build from 2015-04-09 (also debug builds) on Ubuntu 14.04 64bit and 13.10 64bit so I can't verify if this is fixed.

Scott, can you please verify if 38.0 ESR and 31.7.0 ESR are fixed?
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/38.0esr-candidates/build1/
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/31.7.0esr-candidates/build2/
Flags: needinfo?(scott.bell)
Group: core-security → core-security-release
Group: core-security-release
Flags: needinfo?(scott.bell)
Flags: in-testsuite?
Flags: in-testsuite+