Mozilla Firefox Use-After-Free (ASAN included)

RESOLVED DUPLICATE of bug 1164766


People

(Reporter: zosiasamosia, Unassigned)

Tracking

Version: 40 Branch
Keywords: csectype-uaf, sec-critical

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [asan])

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8650061 [details]
repro.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36

Steps to reproduce:

Opened the repro. 

ASAN logs are from a nightly build from a couple of weeks ago (Mozilla Firefox 41.0a1). I tested this on the newest Firefox on Windows 7 and it still crashed.

$ ./firefox --version
Mozilla Firefox 41.0a1

=================================================================
==6101==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700008b998 at pc 0x7faed79d527f bp 0x7ffc21ea31d0 sp 0x7ffc21ea31c8
READ of size 8 at 0x61700008b998 thread T0 (Web Content)
    #0 0x7faed79d527e in StyleSet /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/canvas/../../dist/include/nsIPresShell.h:319
    #1 0x7faed79d527e in mozilla::dom::GetFontStyleContext(mozilla::dom::Element*, nsAString_internal const&, nsIPresShell*, nsAString_internal&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2207
    #2 0x7faed79e73ae in mozilla::dom::CanvasRenderingContext2D::SetFont(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:3039
    #3 0x7faed79ecc66 in mozilla::dom::CanvasRenderingContext2D::GetCurrentFontStyle() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:3866
    #4 0x7faed6d74d88 in GetFont /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/../../dist/include/mozilla/dom/CanvasRenderingContext2D.h:684
    #5 0x7faed6d74d88 in GetFont /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/../../dist/include/mozilla/dom/CanvasRenderingContext2D.h:278
    #6 0x7faed6d74d88 in operator nsString & /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/../../dist/include/mozilla/dom/CanvasRenderingContext2D.h:382
    #7 0x7faed6d74d88 in mozilla::dom::CanvasRenderingContext2DBinding::get_mozTextStyle(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitGetterCallArgs) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/./CanvasRenderingContext2DBinding.cpp:5083
    #8 0x7faed79325cc in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2490
    #9 0x7faedc598d24 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #10 0x7faedc598d24 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:697
    #11 0x7faedc546b93 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:766
    #12 0x7faedc5e9fb6 in js::InvokeGetter(JSContext*, JSObject*, JS::Value, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:842
    #13 0x7faedc6a7191 in CallGetter /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1653
    #14 0x7faedc6a7191 in GetExistingProperty<1> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1701
    #15 0x7faedc6a7191 in NativeGetPropertyInline<1> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1919
    #16 0x7faedc6a7191 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1953
    #17 0x7faedc5ef98e in GetProperty /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.h:1417
    #18 0x7faedc5ef98e in GetProperty /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsobj.h:847
    #19 0x7faedc5ef98e in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:4095
    #20 0x7faedc5d9102 in GetPropertyOperation /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:259
    #21 0x7faedc5d9102 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2683
    #22 0x7faedc5b7e54 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:653
    #23 0x7faedc5ea9d8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:893
    #24 0x7faedc5eb038 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:926
    #25 0x7faedd057c5e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4415
    #26 0x7faedd05848b in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4442
    #27 0x7faed5fc3754 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:223
    #28 0x7faed5fc2cca in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:151
    #29 0x7faed5fc3fa2 in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:271
    #30 0x7faed5bed10a in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12101
    #31 0x7faed5bca990 in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12342
    #32 0x7faed5bebfb1 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12589
    #33 0x7faed3bd12b1 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:613
    #34 0x7faed3bd1c7b in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:700
    #35 0x7faed3bc7ab7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #36 0x7faed3c41f6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #37 0x7faed449a2a8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:127
    #38 0x7faed4427dec in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #39 0x7faed4427dec in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #40 0x7faed4427dec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #41 0x7faed908b737 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #42 0x7faedae8c702 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #43 0x7faed4427dec in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #44 0x7faed4427dec in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #45 0x7faed4427dec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #46 0x7faedae8bdfb in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #47 0x48d632 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #48 0x7faed1669ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #49 0x48c98c in _start (/home/lab/Downloads/firefox/plugin-container+0x48c98c)

0x61700008b998 is located 24 bytes inside of 704-byte region [0x61700008b980,0x61700008bc40)
freed by thread T0 (Web Content) here:
    #0 0x474da1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7faed9924337 in PresShell::Release() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:812
    #2 0x7faed94e1f14 in ~nsCOMPtr_base /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/layout/style/../../dist/include/nsCOMPtr.h:296
    #3 0x7faed94e1f14 in nsComputedDOMStyle::GetStyleContextForElement(mozilla::dom::Element*, nsIAtom*, nsIPresShell*, nsComputedDOMStyle::StyleType) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsComputedDOMStyle.cpp:411
    #4 0x7faed79d4839 in GetFontParentStyleContext /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2132
    #5 0x7faed79d4839 in mozilla::dom::GetFontStyleContext(mozilla::dom::Element*, nsAString_internal const&, nsIPresShell*, nsAString_internal&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2195
    #6 0x7faed79e73ae in mozilla::dom::CanvasRenderingContext2D::SetFont(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:3039
    #7 0x7faed79ecc66 in mozilla::dom::CanvasRenderingContext2D::GetCurrentFontStyle() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:3866
    #8 0x7faed6d74d88 in GetFont /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/../../dist/include/mozilla/dom/CanvasRenderingContext2D.h:684
    #9 0x7faed6d74d88 in GetFont /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/../../dist/include/mozilla/dom/CanvasRenderingContext2D.h:278
    #10 0x7faed6d74d88 in operator nsString & /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/../../dist/include/mozilla/dom/CanvasRenderingContext2D.h:382
    #11 0x7faed6d74d88 in mozilla::dom::CanvasRenderingContext2DBinding::get_mozTextStyle(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitGetterCallArgs) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/./CanvasRenderingContext2DBinding.cpp:5083
    #12 0x7faed79325cc in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2490
    #13 0x7faedc598d24 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #14 0x7faedc598d24 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:697
    #15 0x7faedc546b93 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:766
    #16 0x7faedc5e9fb6 in js::InvokeGetter(JSContext*, JSObject*, JS::Value, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:842
    #17 0x7faedc6a7191 in CallGetter /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1653
    #18 0x7faedc6a7191 in GetExistingProperty<1> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1701
    #19 0x7faedc6a7191 in NativeGetPropertyInline<1> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1919
    #20 0x7faedc6a7191 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:1953
    #21 0x7faedc5ef98e in GetProperty /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.h:1417
    #22 0x7faedc5ef98e in GetProperty /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsobj.h:847
    #23 0x7faedc5ef98e in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:4095
    #24 0x7faedc5d9102 in GetPropertyOperation /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:259
    #25 0x7faedc5d9102 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2683
    #26 0x7faedc5b7e54 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:653
    #27 0x7faedc5ea9d8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:893
    #28 0x7faedc5eb038 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:926
    #29 0x7faedd057c5e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4415
    #30 0x7faedd05848b in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4442
    #31 0x7faed5fc3754 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:223
    #32 0x7faed5fc2cca in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:151
    #33 0x7faed5fc3fa2 in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:271
    #34 0x7faed5bed10a in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12101
    #35 0x7faed5bca990 in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12342
    #36 0x7faed5bebfb1 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsGlobalWindow.cpp:12589
    #37 0x7faed3bd12b1 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:613
    #38 0x7faed3bd1c7b in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:700
    #39 0x7faed3bc7ab7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #40 0x7faed3c41f6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #41 0x7faed449a2a8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:127

previously allocated by thread T0 (Web Content) here:
    #0 0x474fa1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48dc4d in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7faed5e8e3cb in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/base/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7faed5e8e3cb in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.h:70
    #4 0x7faed5e8e3cb in nsDocument::doCreateShell(nsPresContext*, nsViewManager*, nsStyleSet*, nsCompatibility) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsDocument.cpp:3803
    #5 0x7faed7fb803f in nsHTMLDocument::CreateShell(nsPresContext*, nsViewManager*, nsStyleSet*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/html/nsHTMLDocument.cpp:272
    #6 0x7faed988fc53 in nsDocumentViewer::InitPresentationStuff(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:639
    #7 0x7faed988f098 in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:895
    #8 0x7faed988e577 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:621
    #9 0x7faeda4e971c in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:9299
    #10 0x7faeda4e8017 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:7206
    #11 0x7faeda483408 in nsDocShell::CreateContentViewer(nsACString_internal const&, nsIRequest*, nsIStreamListener**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:9107
    #12 0x7faeda4808a3 in nsDSURIContentListener::DoContent(nsACString_internal const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDSURIContentListener.cpp:129
    #13 0x7faed528566e in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsURILoader.cpp:722
    #14 0x7faed528278b in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsURILoader.cpp:399
    #15 0x7faed5281a1c in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsURILoader.cpp:260
    #16 0x7faed3d2a6eb in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsBaseChannel.cpp:747
    #17 0x7faed3d69eb5 in nsInputStreamPump::OnStateStart() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsInputStreamPump.cpp:527
    #18 0x7faed3d69501 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsInputStreamPump.cpp:429
    #19 0x7faed3b8b7e9 in nsInputStreamReadyEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/io/nsStreamUtils.cpp:91
    #20 0x7faed3bc7ab7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #21 0x7faed3c41f6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #22 0x7faed449a2c9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #23 0x7faed4427dec in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #24 0x7faed4427dec in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #25 0x7faed4427dec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #26 0x7faed908b737 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #27 0x7faedae8c702 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #28 0x7faed4427dec in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7faed4427dec in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7faed4427dec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7faedae8bdfb in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #32 0x48d632 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #33 0x7faed1669ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/canvas/../../dist/include/nsIPresShell.h:319 StyleSet
Shadow bytes around the buggy address:
  0x0c2e800096e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e800096f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80009700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2e80009710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c2e80009720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e80009730: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80009740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80009750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80009760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80009770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80009780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==6101==ABORTING
[Parent 6036] WARNING: pipe error (57): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459

###!!! [Parent][MessageChannel] Error: (msgtype=0x20007B,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv


Actual results:

Firefox crashed.


Expected results:

Render the page.

(Reporter)

Comment 1

3 years ago
Created attachment 8650067 [details]
ASAN.log

(Reporter)

Comment 2

3 years ago
Sorry for a messy submission. It's my first time.
Component: Untriaged → Graphics
Keywords: csectype-uaf
Product: Firefox → Core
Whiteboard: [asan]
The stack reminds me of bug 1175278 (which is a dupe of bug 1164766 that I don't have access to). Daniel, does it look like the same bug?
Flags: needinfo?(dholbert)
Yes, likely a dupe of bug 1164766 (which has a patch which is about to land I think).
Flags: needinfo?(dholbert)
(or rather, its patch actually just landed on inbound earlier today)

I'll double-check to see if I crash with & without the landed patch, to be sure, before marking as a duplicate.
Flags: needinfo?(dholbert)
Yup, confirmed duplicate. In particular:
 (1) A build from https://hg.mozilla.org/integration/mozilla-inbound/rev/adffd0ca6322 (just before the patch) crashes when loading the attached testcase.
 (2) Current mozilla-inbound doesn't crash when loading the testcase.
 (3) The backtrace of the crash shows we're blowing up in this call to GetFontStyleContext:
https://hg.mozilla.org/integration/mozilla-inbound/rev/942cacbdaef2#l1.158
    ...which is after a previously-weak nsIPresShell pointer, which is now a refcounted pointer. (And things have exploded because our lack of addrefing allowed that nsIPresShell and its document to die.)

So: as-suspected, dupe of bug 1164766.

In any case, thank you for reporting, zosiasamosia! This is a sneaky bug, and it's great to have folks reporting these sorts of things.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(dholbert)
Resolution: --- → DUPLICATE
Duplicate of bug: 1164766
(The build I was testing with isn't an ASAN build, but I'm confident that it's sufficient to exercise this, since the issue here is that the entire document is blown away, so the ASAN-reported uaf is just a symptom of working with a destroyed document [which makes us crash, with or without ASAN].)
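As an added illustration of the lifetime bug described in the comment above, not code from Firefox or from the patch for bug 1164766: a minimal model in which a document owns a refcounted shell, a raw (weak) pointer to the shell is held across a call that can tear the shell down, and the same access is then made through a strong reference. All names here (PresShell, Document, StrongRef, FlushPendingStyles, the style-set value 42) are hypothetical stand-ins; a live-object registry replaces the real dereference so that the stale case is reported as -1 instead of reading freed memory.

```cpp
// Added example, not Firefox code. Models the weak-pointer lifetime bug
// behind this report: the caller holds a shell pointer without AddRef,
// a nested call drops the document's last reference, and the shell is gone.
#include <cstdio>
#include <set>

// Registry of live shells. Stands in for ASan: lets the stale case be
// detected by pointer value instead of dereferencing freed memory.
static std::set<const void*> gLiveShells;

static bool IsLiveShell(const void* p) { return gLiveShells.count(p) != 0; }

// Hypothetical refcounted shell (stand-in for nsIPresShell / PresShell).
struct PresShell {
  int refCnt = 0;
  int styleSetId = 42;  // stands in for the StyleSet read in the access stack
  PresShell() { gLiveShells.insert(this); }
  ~PresShell() { gLiveShells.erase(this); }
  void AddRef() { ++refCnt; }
  void Release() {
    if (--refCnt == 0) delete this;  // last reference gone: object is freed
  }
};

// Minimal strong-reference holder with nsCOMPtr/RefPtr-style semantics.
template <class T>
class StrongRef {
 public:
  explicit StrongRef(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  ~StrongRef() { if (mPtr) mPtr->Release(); }
  StrongRef(const StrongRef&) = delete;
  StrongRef& operator=(const StrongRef&) = delete;
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

// Hypothetical document that owns its shell. Flushing styles may destroy the
// presentation as a side effect, which is what drops the shell's last ref.
struct Document {
  PresShell* shell = nullptr;
  Document() { shell = new PresShell(); shell->AddRef(); }
  ~Document() { DestroyShell(); }
  void DestroyShell() {
    if (shell) { shell->Release(); shell = nullptr; }
  }
  void FlushPendingStyles() { DestroyShell(); }  // assumed side effect
};

// Buggy shape: keep the shell as a raw (weak) pointer across the flush.
// Returns -1 where real code would read freed memory (the ASan report).
int ReadStyleSetViaRawPointer() {
  Document doc;
  PresShell* shell = doc.shell;  // weak: no AddRef
  doc.FlushPendingStyles();      // document drops its only ref; shell freed
  if (!IsLiveShell(shell)) return -1;  // detector only; real code has no check
  return shell->styleSetId;
}

// Fixed shape: a strong reference keeps the shell alive across the flush,
// matching the change from a weak nsIPresShell* to a refcounted pointer.
int ReadStyleSetViaStrongRef() {
  Document doc;
  StrongRef<PresShell> shell(doc.shell);  // AddRef: refcount is now 2
  doc.FlushPendingStyles();               // document releases; ours remains
  if (!IsLiveShell(shell.get())) return -1;
  return shell->styleSetId;  // 42; shell is released when 'shell' goes out of scope
}

int main() {
  std::printf("raw pointer: %d\n", ReadStyleSetViaRawPointer());  // -1
  std::printf("strong ref:  %d\n", ReadStyleSetViaStrongRef());   // 42
  std::printf("live shells after both: %zu\n", gLiveShells.size());  // 0
  return 0;
}
```

The raw-pointer path returns -1 (the access ASan flags in the attached log, where the read lands in a region freed by PresShell::Release), while the strong-reference path returns the value and still releases the shell cleanly on scope exit. The fix in the real bug has the same shape: the pointer the caller holds across GetFontStyleContext becomes a refcounted one, so the shell and its document cannot die under the caller.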

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-critical