Bug 1277392 (Closed) - Opened 8 years ago, Closed 8 years ago

use-after-poison in ComputePositionValue

Categories: Core :: DOM: Animation, defect, 49 Branch, severity normal
Tracking: RESOLVED DUPLICATE of bug 1276688; firefox49 --- affected
People: Reporter: nils, Assigned: birtles
Details: Keywords: csectype-uaf

The following testcase crashes the latest ASAN build of Firefox (buildId 20160531170040).

Testcase:

<script>
function start() {
        try{while(window.top.document.removeChild(window.top.document.firstChild));}catch(e){};undefined;
        try{o1=document.createElementNS('http://www.w3.org/1999/xhtml','input')}catch(e){};undefined;
        try{o1.animate([{
                all: 'initial !important',
                borderBottomLeftRadius: '4cm',
                objectPosition: '1rem 3vh',
                },
                {
                all: 'inherit',
                borderBottomLeftRadius: '491520vw 1933312rem',
                objectPosition: '1px 4vh',
                }],124)}catch(e){};undefined;
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==2992==ERROR: AddressSanitizer: use-after-poison on address 0x6250002b8478 at pc 0x7f0981a2d7d9 bp 0x7ffe93cf1420 sp 0x7ffe93cf1418
READ of size 4 at 0x6250002b8478 thread T0 (Web Content)
    #0 0x7f0981a2d7d8 in Reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSValue.h:718
    #1 0x7f0981a2d7d8 in ~nsCSSValue /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSValue.h:468
    #2 0x7f0981a2d7d8 in ~Array /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSValue.h:938
    #3 0x7f0981a2d7d8 in Release /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSValue.h:897
    #4 0x7f0981a2d7d8 in Release /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:39
    #5 0x7f0981a2d7d8 in Release /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:377
    #6 0x7f0981a2d7d8 in ~RefPtr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #7 0x7f0981a2d7d8 in ComputePositionValue(nsStyleContext*, nsCSSValue const&, nsStyleImageLayers::Position&, mozilla::RuleNodeCacheConditions&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:6688
    #8 0x7f09819e727e in nsRuleNode::ComputePositionData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:8525
    #9 0x7f09819beed2 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:2441
    #10 0x7f09819bf76d in nsStyleContext::StyleData(nsStyleStructID) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:450
    #11 0x7f097d73f7d2 in mozilla::CreateStyleContextForAnimationValue(nsCSSProperty, mozilla::StyleAnimationValue, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeUtils.cpp:937
    #12 0x7f097d72ad57 in BuildSegmentsFromValueEntries /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeUtils.cpp:1044
    #13 0x7f097d72ad57 in mozilla::KeyframeUtils::GetAnimationPropertiesFromKeyframes(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType, nsTArray<mozilla::Keyframe> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeUtils.cpp:554
    #14 0x7f097d71826c in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:516
    #15 0x7f097d724fbe in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:456
    #16 0x7f097d733aca in already_AddRefed<mozilla::dom::KeyframeEffect> mozilla::dom::KeyframeEffectReadOnly::ConstructKeyframeEffect<mozilla::dom::KeyframeEffect, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions>(mozilla::dom::GlobalObject const&, mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:757
    #17 0x7f097d73347d in mozilla::dom::KeyframeEffect::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1403
    #18 0x7f097d96195d in mozilla::dom::Element::Animate(mozilla::dom::Nullable<mozilla::dom::ElementOrCSSPseudoElement> const&, JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Element.cpp:3332
    #19 0x7f097d96128e in mozilla::dom::Element::Animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Element.cpp:3289
    #20 0x7f097f485255 in mozilla::dom::ElementBinding::animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3414
    #21 0x7f097f957125 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2782
    #22 0x7f098541eaae in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #23 0x7f098541eaae in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:452
    #24 0x7f098540d71c in CallFromStack /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:503
    #25 0x7f098540d71c in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2840
    #26 0x7f09853eeb1e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:398
    #27 0x7f098541f1fb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:470
    #28 0x7f09853d1981 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:516
    #29 0x7f0984fdf497 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:2928
    #30 0x7f097f3fe353 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259
    #31 0x7f097fd56f99 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361
    #32 0x7f097fd56f99 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #33 0x7f097fd21274 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1116
    #34 0x7f097fd231d3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1288
    #35 0x7f097fd00981 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:379
    #36 0x7f097fd04d9c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:710
    #37 0x7f0981ce56c0 in nsDocumentViewer::LoadComplete(nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:995
    #38 0x7f0982a2d96f in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7542
    #39 0x7f0982a29d64 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7343
    #40 0x7f0982a30d1f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/docshell/base/Unified_cpp_docshell_base0.cpp:7350
    #41 0x7f097ccf030b in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:1250
    #42 0x7f097ccef5f3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:834
    #43 0x7f097ccec2d3 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:724
    #44 0x7f097ccee5af in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:608
    #45 0x7f097cceefbc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/uriloader/base/Unified_cpp_uriloader_base0.cpp:612
    #46 0x7f097b1184c4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/base/nsLoadGroup.cpp:633
    #47 0x7f097db7ac2c in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:9238
    #48 0x7f097dc2610f in nsUnblockOnloadEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:9191
    #49 0x7f097af4b274 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1029
    #50 0x7f097afc5cda in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #51 0x7f097bcdcd9e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:100
    #52 0x7f097bc4d4cc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #53 0x7f097bc4d4cc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #54 0x7f097bc4d4cc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #55 0x7f098144a057 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #56 0x7f098346d862 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:827
    #57 0x7f097bc4d4cc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #58 0x7f097bc4d4cc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #59 0x7f097bc4d4cc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #60 0x7f098346cf40 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:657
    #61 0x48dbf7 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:231
    #62 0x7f09787ac82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #63 0x48cb3c in _start (/home/nils/MonkeyFarm/uap_project/firefox/plugin-container+0x48cb3c)

0x6250002b8478 is located 4984 bytes inside of 8192-byte region [0x6250002b7100,0x6250002b9100)
allocated by thread T0 (Web Content) here:
    #0 0x475151 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f098889e75a in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/lib/ds/plarena.c:210
    #2 0x7f0981abdd29 in nsPresArena::Allocate(unsigned int, unsigned long) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresArena.cpp:165
    #3 0x7f09819ee3b9 in AllocateByObjectID /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresArena.h:65
    #4 0x7f09819ee3b9 in PresShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsIPresShell.h:251
    #5 0x7f09819ee3b9 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleStruct.h:2460
    #6 0x7f09819ee3b9 in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:5289
    #7 0x7f09819beed2 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:2441
    #8 0x7f0981a41e28 in nsStyleContext::SetStyleBits() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:687
    #9 0x7f0981a41bb5 in FinishConstruction /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:163
    #10 0x7f0981a41bb5 in nsStyleContext::nsStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:121
    #11 0x7f0981a61f97 in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:1314
    #12 0x7f0981a6cf1e in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:918
    #13 0x7f0981a72070 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1366
    #14 0x7f0981bdb161 in ResolveStyleFor /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:93
    #15 0x7f0981bdb161 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4959
    #16 0x7f0981bd7973 in ResolveStyleContext /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4928
    #17 0x7f0981bd7973 in ResolveStyleContext /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4944
    #18 0x7f0981bd7973 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5574
    #19 0x7f0981bbdd51 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10685
    #20 0x7f0981bd5446 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3998
    #21 0x7f0981bdfc60 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6085
    #22 0x7f0981bcd885 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10502
    #23 0x7f0981bcd885 in nsCSSFrameConstructor::CreateAnonymousFrames(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, PendingBinding*, nsFrameItems&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4132
    #24 0x7f0981bca110 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsIAtom*, bool, nsContainerFrame*&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4546
    #25 0x7f0981bc6784 in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2875
    #26 0x7f0981bc2fc0 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2411
    #27 0x7f0981be6cd2 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:7635
    #28 0x7f0981d8006d in PresShell::Initialize(int, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:1694
    #29 0x7f097dab19fa in nsContentSink::StartLayout(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsContentSink.cpp:1210
    #30 0x7f097cecc7b6 in nsHtml5TreeOpExecutor::StartLayout() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:612
    #31 0x7f097ced948b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOperation.cpp:822
    #32 0x7f097cec9dc6 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:448
    #33 0x7f097ced02bb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128
    #34 0x7f097af4b274 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1029
    #35 0x7f097afc5cda in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #36 0x7f097bcdcd92 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:132
    #37 0x7f097bc4d4cc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #38 0x7f097bc4d4cc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #39 0x7f097bc4d4cc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208

SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsCSSValue.h:718 Reset
Shadow bytes around the buggy address:
  0x0c4a8004f030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8004f040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8004f050: 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8004f060: f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
  0x0c4a8004f070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a8004f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7[f7]
  0x0c4a8004f090: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8004f0a0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8004f0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8004f0c0: 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7
  0x0c4a8004f0d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==2992==ABORTING
Even though the ASAN build detects this as a use-after-poison, the crash on a Windows non-asan build (49.0a1 (2016-06-01)) is fairly obviously exploitable:

(1f28.1d50): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!nsCSSValue::Array::AddRef [inlined in xul!RefPtr<nsCSSValue::Array>::RefPtr<nsCSSValue::Array>+0xc]:
5716e0b2 8b02            mov     eax,dword ptr [edx]  ds:002b:1e18b5e1=????????
0:000:x86> u
xul!nsCSSValue::Array::AddRef [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 110] [inlined in xul!RefPtr<nsCSSValue::Array>::RefPtr<nsCSSValue::Array>+0xc [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 110]]:
5716e0b2 8b02            mov     eax,dword ptr [edx]
5716e0b4 83f8ff          cmp     eax,0FFFFFFFFh
5716e0b7 7403            je      xul!RefPtr<nsCSSValue::Array>::RefPtr<nsCSSValue::Array>+0x16 (5716e0bc)
5716e0b9 40              inc     eax
5716e0ba 8902            mov     dword ptr [edx],eax
Brian: what kind of object do we think this invalid memory was supposed to be? If it's just an integer value that's a position or some CSS value it might just mess up display, but if it's an offset or an object with a pointer it might be exploitable.
Flags: needinfo?(bbirtles)
Keywords: csectype-uaf
I'm not really sure, but I'm currently debugging a cluster of bugs in this area so I'll hopefully have a bit of an idea soon.
Assignee: nobody → bbirtles
Status: NEW → ASSIGNED
It's going to be next week before I get to look into this.
Group: core-security → dom-core-security
Possibly a dupe of bug 1276688. Or at least it trips up on a similar assertion.

The test case could possibly be reduced to the following (but I don't have an ASAN build yet to verify with, only that it still triggers the same assertion):

  <script>
  function start() {
    div.animate([{ all: 'initial !important' },
                 { all: 'inherit' }], 1);
  }
  </script>
  <body onload="start()">
  <div id=div></div>
  </body>
Confirmed that this is fixed by the patch for bug 1276688 (which will still take a few days before it lands because I'm having a hard time writing tests for it).

(In reply to Daniel Veditz [:dveditz] from comment #2)
> Brian: what kind of object do we think this invalid memory was supposed to
> be? if it's just an integer value that's a position or some CSS value it
> might just mess up display, but if it's an offset or an object with a
> pointer it might be exploitable.

I'm not really confident I know how to interpret this, but the stack in comment 0 has us calling nsCSSValue::Reset which reads mUnit, an enum value. However, based on the result of that we may call DoReset and end up calling Release() on something we shouldn't.
Flags: needinfo?(bbirtles)
The fix for bug 1276688 has landed on trunk and appears to have stuck. However, it hasn't yet landed on aurora/beta so I'm not going to open this up just yet.
(In reply to Nils from comment #1)
> Even though the ASAN build detects this as a use-after-poison the crash on a
> Windows non-asan build (49.0a1 (2016-06-01)) is fairly obviously exploitable:

ASAN's "use-after-poison" is not the same as "frame poisoning". The latter we think is not exploitable because we only allocate same-type objects from the frame-tree arenas, the frame objects are only used to calculate layout (should you get a reference to a re-allocated one), and the poison value points to unmapped memory (if it's not re-allocated). ASAN's poisoning is just a way to detect normal use-after-frees that happen inside one of our arenas, and might be exploitable like any other use-after-free.
Flags: sec-bounty?
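The arena poisoning the comment above describes, as an added example that is not Mozilla's code: a small C arena that recycles same-size slots and hands freed ones to ASan's manual poisoning API, which is the mechanism behind the f7 "Poisoned by user" shadow bytes in comment 0. `Arena`, the `arena_*` functions and the slot sizes are invented for this example; the two `__asan_*` functions are the ASan runtime's real exports, and the pattern fill is only the fallback for builds without ASan.

```c
/* Added example, not Mozilla code: a fixed-slot arena in the spirit of the nsPresArena
 * in the allocation stack above. Freed slots are handed to ASan's manual poisoning API,
 * so a stale pointer into one is reported as use-after-poison (shadow f7, "Poisoned by
 * user") instead of silently reading recycled memory. Arena/arena_* are invented names. */
#include <stddef.h>
#include <string.h>
#if defined(__SANITIZE_ADDRESS__)            /* gcc */
#  define ARENA_ASAN 1
#elif defined(__has_feature)                 /* clang */
#  if __has_feature(address_sanitizer)
#    define ARENA_ASAN 1
#  endif
#endif
#ifdef ARENA_ASAN                            /* runtime exports; no header needed */
void __asan_poison_memory_region(void const volatile *addr, size_t size);
void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
#  define ARENA_POISON(p, n)   __asan_poison_memory_region((p), (n))
#  define ARENA_UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#  define ARENA_POISON(p, n)   ((void)(p), (void)(n))
#  define ARENA_UNPOISON(p, n) ((void)(p), (void)(n))
#endif
#define ARENA_SLOT_SIZE 64u
#define ARENA_NSLOTS    8u
enum { ARENA_FOREIGN = -1, ARENA_FREED = 0, ARENA_LIVE = 1 };
typedef struct {
    unsigned char mem[ARENA_NSLOTS * ARENA_SLOT_SIZE]; /* the arena chunk */
    unsigned char live[ARENA_NSLOTS];                  /* 1 = currently handed out */
    size_t free_stack[ARENA_NSLOTS], nfree;            /* recycled slots, LIFO */
    size_t next_unused;                                /* bump index for fresh slots */
} Arena;
void arena_init(Arena *a) {
    ARENA_UNPOISON(a->mem, sizeof a->mem);  /* so re-init after a prior run is legal */
    memset(a, 0, sizeof *a);
    ARENA_POISON(a->mem, sizeof a->mem);    /* nothing is addressable until allocated */
}
/* Slot index of p, or ARENA_NSLOTS if p is not the start of a slot in this arena. */
static size_t arena_slot_of(const Arena *a, const void *p) {
    const unsigned char *q = (const unsigned char *)p;
    if (q < a->mem || q >= a->mem + sizeof a->mem) return ARENA_NSLOTS;
    size_t off = (size_t)(q - a->mem);
    return off % ARENA_SLOT_SIZE ? ARENA_NSLOTS : off / ARENA_SLOT_SIZE;
}
int arena_state(const Arena *a, const void *p) {
    size_t s = arena_slot_of(a, p);
    return s == ARENA_NSLOTS ? ARENA_FOREIGN : a->live[s] ? ARENA_LIVE : ARENA_FREED;
}
void *arena_alloc(Arena *a) {
    size_t s;
    if (a->nfree > 0)                       s = a->free_stack[--a->nfree];
    else if (a->next_unused < ARENA_NSLOTS) s = a->next_unused++;
    else                                    return NULL;
    unsigned char *p = a->mem + s * ARENA_SLOT_SIZE;
    ARENA_UNPOISON(p, ARENA_SLOT_SIZE);     /* must precede the memset under ASan */
    memset(p, 0, ARENA_SLOT_SIZE);
    a->live[s] = 1;
    return p;
}
/* Returns 1 when the slot was recycled and poisoned, 0 on a foreign or double free. */
int arena_free(Arena *a, void *p) {
    size_t s = arena_slot_of(a, p);
    if (s == ARENA_NSLOTS || !a->live[s]) return 0;
    memset(p, 0xf7, ARENA_SLOT_SIZE);       /* obvious pattern for non-ASan builds */
    ARENA_POISON(p, ARENA_SLOT_SIZE);       /* any later access is use-after-poison */
    a->live[s] = 0;
    a->free_stack[a->nfree++] = s;
    return 1;
}
/* Allocate, free, recycle: returns 1 only if every transition is as expected. */
int arena_demo(void) {
    static Arena a;                         /* static: never hand stack memory to ASan poisoning */
    int off_arena;
    arena_init(&a);
    void *x = arena_alloc(&a), *y = arena_alloc(&a);
    if (!x || !y || arena_state(&a, x) != ARENA_LIVE) return 0;
    if (!arena_free(&a, x) || arena_free(&a, x)) return 0;    /* double free rejected */
    if (arena_state(&a, x) != ARENA_FREED) return 0;          /* x is now a stale pointer */
    void *z = arena_alloc(&a);                                /* LIFO: x's slot comes back */
    return z == x && arena_state(&a, y) == ARENA_LIVE && arena_state(&a, &off_arena) == ARENA_FOREIGN;
}
```

Built with -fsanitize=address, dereferencing x between the free and the re-allocation is what ASan reports as use-after-poison; without ASan the same read returns the 0xf7 fill instead of a plausible stale object.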
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Group: dom-core-security