Bug 1317409 - (CVE-2016-9899) UAF involving mutation events, contenteditable iframes and adding and immediately removing audio elements
Status: RESOLVED FIXED
Whiteboard: [adv-main50.1+][adv-esr45.6+]
Keywords: csectype-uaf, sec-critical
Product: Core
Classification: Components
Component: DOM
Version: 49 Branch
Platform: Unspecified Unspecified
Importance: P1 normal
Target Milestone: mozilla53
Assigned To: Olli Pettay [:smaug] (pto-ish for couple of days)
: Andrew Overholt [:overholt]
Reported: 2016-11-14 11:01 PST by echo
Modified: 2017-02-09 08:02 PST (History)
Attachments
09043C65.5F5B4F30.log-ff-uaf-49.0.2.html (2.30 KB, text/html)
2016-11-14 11:01 PST, echo
adopt_recursion.diff (944 bytes, patch)
2016-11-15 13:45 PST, Olli Pettay [:smaug] (pto-ish for couple of days)
peterv: review+
gchang: approval-mozilla-aurora+
gchang: approval-mozilla-beta+
rkothari: approval-mozilla-release+
gchang: approval-mozilla-esr45+
abillings: sec-approval+
Reduced testcase seems to be more controllable (1.83 KB, text/html)
2016-12-03 20:33 PST, echo

Description echo 2016-11-14 11:01:07 PST
Created attachment 8810488 [details]
09043C65.5F5B4F30.log-ff-uaf-49.0.2.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923

Steps to reproduce:

1. Run Firefox
2. Attach debugger to plugin-container.exe
3. Open repro (remotely, e.g. http://localhost/09043C65.5F5B4F30.log-ff-uaf-49.0.2.html)

Actual results:

Firefox Crash (ESI = 0xe5e5e5e5)

Expected results:

Nothing
Comment 2 :Gijs 2016-11-14 14:18:45 PST
Olli or Nathan, this seems like it's in your corner of things?
Comment 3 Andrew McCreight [:mccr8] 2016-11-14 14:42:22 PST
This looks like a DOM issue.
Comment 4 Andrew McCreight [:mccr8] 2016-11-14 14:49:56 PST
Kamil, could you reproduce this in an ASan build and attach the ASan report please? Thanks.
Comment 5 Andrew McCreight [:mccr8] 2016-11-14 14:51:14 PST
Crash report in comment 0 is from Firefox 49, so I'm going to assume everything later is also affected. ESR45 might also be affected.
Comment 6 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-14 16:40:06 PST
Some issue with media element handling, based on the testcase and stack.
Trying to reproduce...
Comment 7 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-14 16:57:20 PST
I see.
Comment 8 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-14 17:04:22 PST
er, not yet sure. But I'll take a new look tomorrow.
Comment 9 Kamil Jozwiak [:kjozwiak] 2016-11-14 19:26:07 PST
I reproduced the crash using the STR and PoC from comment #0 using the following ASan build:
* fx53.0a1, buildId: 20161114201329, changeset: 71fd23fa0803

==96689==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000171680 at pc 0x7f6f9ebe6267 bp 0x7ffed4b7e3f0 sp 0x7ffed4b7e3e8
READ of size 8 at 0x61a000171680 thread T0 (Web Content)
    #0 0x7f6f9ebe6266 in operator() /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsCOMPtr.cpp:14:23
    #1 0x7f6f9ebe6266 in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsCOMPtr.cpp:51
    #2 0x7f6fa1d7c75f in nsCOMPtr /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/nsCOMPtr.h:519:5
    #3 0x7f6fa1d7c75f in NotifyActivityChanged(nsISupports*, void*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:4366
    #4 0x7f6fa1dadaa2 in EnumerateActivityObservers /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:9680:5
    #5 0x7f6fa1dadaa2 in nsDocument::UpdateVisibilityState() /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:11847
    #6 0x7f6fa1dae491 in nsDocument::OnPageHide(bool, mozilla::dom::EventTarget*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:8808:3
    #7 0x7f6fa5f2dc50 in nsDocumentViewer::PageHide(bool) /home/kjozwiak/mozcode/m-c-asan/layout/base/nsDocumentViewer.cpp:1316:14
    #8 0x7f6fa6d6b80d in nsDocShell::FirePageHideNotification(bool) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:1684:20
    #9 0x7f6fa6d6c143 in non-virtual thunk to nsDocShell::FirePageHideNotification(bool) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:1672:13
    #10 0x7f6fa6d6bba9 in nsDocShell::FirePageHideNotification(bool) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:1700:18
    #11 0x7f6fa6d425ba in nsDocShell::CreateContentViewer(nsACString_internal const&, nsIRequest*, nsIStreamListener**) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:9073:3
    #12 0x7f6fa6d40358 in nsDSURIContentListener::DoContent(nsACString_internal const&, bool, nsIRequest*, nsIStreamListener**, bool*) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDSURIContentListener.cpp:128:21
    #13 0x7f6fa0d8f8b6 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /home/kjozwiak/mozcode/m-c-asan/uriloader/base/nsURILoader.cpp:736:28
    #14 0x7f6fa0d8ca62 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /home/kjozwiak/mozcode/m-c-asan/uriloader/base/nsURILoader.cpp:414:30
    #15 0x7f6fa0d8b3d2 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /home/kjozwiak/mozcode/m-c-asan/uriloader/base/nsURILoader.cpp:277:8
    #16 0x7f6f9f6b8ea7 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:543:28
    #17 0x7f6f9f6c34b7 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsCString const&) /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:474:3
    #18 0x7f6f9f706f5b in mozilla::net::StartRequestEvent::Run() /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:339:13
    #19 0x7f6f9f5f4ea5 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/mozilla/net/ChannelEventQueue.h:133:10
    #20 0x7f6f9f6c293f in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsCString const&) /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:389:12
    #21 0x7f6f9fe099f6 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/ipc/ipdl/PHttpChannelChild.cpp:640:20
    #22 0x7f6fa0555883 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/ipc/ipdl/PContentChild.cpp:5852:28
    #23 0x7f6f9fb8f009 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1743:25
    #24 0x7f6f9fb8bb2e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1681:17
    #25 0x7f6f9fb8dde1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1572:5
    #26 0x7f6f9fb8e414 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1597:15
    #27 0x7f6f9eb7ca65 in nsThread::ProcessNextEvent(bool, bool*) /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/nsThread.cpp:1216:14
    #28 0x7f6f9ec0862a in NS_ProcessNextEvent(nsIThread*, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsThreadUtils.cpp:361:10
    #29 0x7f6f9fb95ccd in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessagePump.cpp:124:5
    #30 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #31 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #32 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #33 0x7f6fa562623f in nsBaseAppShell::Run() /home/kjozwiak/mozcode/m-c-asan/widget/nsBaseAppShell.cpp:156:27
    #34 0x7f6fa795e089 in XRE_RunAppShell /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:869:22
    #35 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #36 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #37 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #38 0x7f6fa795d5fc in XRE_InitChildProcess /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #39 0x50d78e in content_process_main /home/kjozwiak/mozcode/m-c-asan/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #40 0x50d78e in main /home/kjozwiak/mozcode/m-c-asan/browser/app/nsBrowserApp.cpp:392
    #41 0x7f6fb9f1e82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
    #42 0x41d9d8 in _start (/home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/bin/firefox+0x41d9d8)

0x61a000171680 is located 0 bytes inside of 1328-byte region [0x61a000171680,0x61a000171bb0)
freed by thread T0 (Web Content) here:
    #0 0x4d32e0 in __interceptor_cfree.localalias.0 /home/kjozwiak/mozcode/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:54
    #1 0x7f6f9ea59925 in SnowWhiteKiller::~SnowWhiteKiller() /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:2665:25
    #2 0x7f6f9ea48b3d in nsCycleCollector::FreeSnowWhite(bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:2840:3
    #3 0x7f6f9ea4e39b in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:3826:3
    #4 0x7f6f9ea4dc22 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:3651:9
    #5 0x7f6f9ea50ee0 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:4160:21
    #6 0x7f6fa1e9b3d0 in nsJSContext::RunCycleCollectorSlice() /home/kjozwiak/mozcode/m-c-asan/dom/base/nsJSEnvironment.cpp:1476:3
    #7 0x7f6fa1e9d835 in CCTimerFired(nsITimer*, void*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsJSEnvironment.cpp:1807:7
    #8 0x7f6f9eb9eeba in nsTimerImpl::Fire() /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/nsTimerImpl.cpp:477:7
    #9 0x7f6f9eb6e972 in nsTimerEvent::Run() /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/TimerThread.cpp:289:11
    #10 0x7f6f9eb7ca65 in nsThread::ProcessNextEvent(bool, bool*) /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/nsThread.cpp:1216:14
    #11 0x7f6f9ec0862a in NS_ProcessNextEvent(nsIThread*, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsThreadUtils.cpp:361:10
    #12 0x7f6f9fb95cd8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessagePump.cpp:96:21
    #13 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #14 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #15 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #16 0x7f6fa562623f in nsBaseAppShell::Run() /home/kjozwiak/mozcode/m-c-asan/widget/nsBaseAppShell.cpp:156:27
    #17 0x7f6fa795e089 in XRE_RunAppShell /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:869:22
    #18 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #19 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #20 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #21 0x7f6fa795d5fc in XRE_InitChildProcess /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #22 0x50d78e in content_process_main /home/kjozwiak/mozcode/m-c-asan/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #23 0x50d78e in main /home/kjozwiak/mozcode/m-c-asan/browser/app/nsBrowserApp.cpp:392
    #24 0x7f6fb9f1e82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (Web Content) here:
    #0 0x4d3498 in __interceptor_malloc /home/kjozwiak/mozcode/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x50e99d in moz_xmalloc /home/kjozwiak/mozcode/m-c-asan/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f6fa3efc8f6 in operator new /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f6fa3efc8f6 in NS_NewHTMLAudioElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/kjozwiak/mozcode/m-c-asan/dom/html/HTMLAudioElement.cpp:23
    #4 0x7f6fa4118389 in CreateHTMLElement /home/kjozwiak/mozcode/m-c-asan/dom/html/nsHTMLContentSink.cpp:289:41
    #5 0x7f6fa4118389 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/kjozwiak/mozcode/m-c-asan/dom/html/nsHTMLContentSink.cpp:270
    #6 0x7f6fa1ecc1c1 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsNameSpaceManager.cpp:177:12
    #7 0x7f6fa1da7eac in nsDocument::CreateElem(nsAString_internal const&, nsIAtom*, int, nsAString_internal const*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:8143:17
    #8 0x7f6fa1d8b31a in nsDocument::CreateElement(nsAString_internal const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:5409:26
    #9 0x7f6fa3342fc6 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dom/bindings/DocumentBinding.cpp:1010:59
    #10 0x7f6fa3911502 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/kjozwiak/mozcode/m-c-asan/dom/bindings/BindingUtils.cpp:2879:13
    #11 0x7f6f92945d59  (<unknown module>)
    #12 0x621000d93797  (<unknown module>)
    #13 0x7f6f9278e887  (<unknown module>)
    #14 0x7f6faa95e967 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /home/kjozwiak/mozcode/m-c-asan/js/src/jit/BaselineJIT.cpp:153:9
    #15 0x7f6faa95e15d in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /home/kjozwiak/mozcode/m-c-asan/js/src/jit/BaselineJIT.cpp:193:28
    #16 0x7f6faa0c17ba in js::RunScript(JSContext*, js::RunState&) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:395:41
    #17 0x7f6faa0f7cdb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:477:15
    #18 0x7f6faa0f8742 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:523:10
    #19 0x7f6fa9e5e531 in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/Wrapper.cpp:165:12
    #20 0x7f6fa9e11de5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/CrossCompartmentWrapper.cpp:333:23
    #21 0x7f6fa9e3dc0d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/Proxy.cpp:400:21
    #22 0x7f6fa9e40694 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/Proxy.cpp:689:12
    #23 0x7f6faa0f7e4b in CallJSNative /home/kjozwiak/mozcode/m-c-asan/js/src/jscntxtinlines.h:239:15
    #24 0x7f6faa0f7e4b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:447
    #25 0x7f6faa0f8742 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:523:10
    #26 0x7f6fa9be0f2d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/kjozwiak/mozcode/m-c-asan/js/src/jsapi.cpp:2828:12
    #27 0x7f6fa330043c in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dom/bindings/EventListenerBinding.cpp:47:8
    #28 0x7f6fa3d3540f in HandleEvent<mozilla::dom::EventTarget *> /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/mozilla/dom/EventListenerBinding.h:64:12
    #29 0x7f6fa3d3540f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventListenerManager.cpp:1131
    #30 0x7f6fa3d36df7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventListenerManager.cpp:1287:17
    #31 0x7f6fa3d224f3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventDispatcher.cpp:401:14
    #32 0x7f6fa3d24ff0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventDispatcher.cpp:711:9
    #33 0x7f6fa3d26efc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventDispatcher.cpp:780:12

SUMMARY: AddressSanitizer: heap-use-after-free /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsCOMPtr.cpp:14:23 in operator()
==96689==ABORTING
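As an added triage aid (not part of this bug or of Mozilla's tooling): a small parser for the three stacks an ASan heap-use-after-free report like the one above carries (the faulting access, the free, and the original allocation), reducing each to its first in-tree frame. The embedded report is a constructed, shortened copy of the one in this comment with abbreviated source paths.

```python
import re
from dataclasses import dataclass, field

# Constructed, shortened ASan report with abbreviated paths (not the verbatim one above).
SAMPLE = """\
==96689==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000171680 at pc 0x7f6f9ebe6267 bp 0x7ffed4b7e3f0 sp 0x7ffed4b7e3e8
READ of size 8 at 0x61a000171680 thread T0 (Web Content)
    #0 0x7f6f9ebe6266 in operator() /src/xpcom/glue/nsCOMPtr.cpp:14:23
    #1 0x7f6f9ebe6266 in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) /src/xpcom/glue/nsCOMPtr.cpp:51
    #2 0x7f6fa1d7c75f in nsCOMPtr /src/dist/include/nsCOMPtr.h:519:5
    #3 0x7f6fa1d7c75f in NotifyActivityChanged(nsISupports*, void*) /src/dom/base/nsDocument.cpp:4366
    #4 0x7f6fa1dadaa2 in EnumerateActivityObservers /src/dom/base/nsDocument.cpp:9680:5

0x61a000171680 is located 0 bytes inside of 1328-byte region [0x61a000171680,0x61a000171bb0)
freed by thread T0 (Web Content) here:
    #0 0x4d32e0 in __interceptor_cfree.localalias.0 /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:54
    #1 0x7f6f9ea59925 in SnowWhiteKiller::~SnowWhiteKiller() /src/xpcom/base/nsCycleCollector.cpp:2665:25
    #2 0x7f6f9ea48b3d in nsCycleCollector::FreeSnowWhite(bool) /src/xpcom/base/nsCycleCollector.cpp:2840:3

previously allocated by thread T0 (Web Content) here:
    #0 0x4d3498 in __interceptor_malloc /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x50e99d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f6fa3efc8f6 in operator new /src/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f6fa3efc8f6 in NS_NewHTMLAudioElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /src/dom/html/HTMLAudioElement.cpp:23
    #11 0x7f6f92945d59  (<unknown module>)
"""

# Frame line: "#N 0xADDR in FUNC PATH:LINE[:COL]"; frames without symbols are skipped.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*?)\s+(\S+?):(\d+)(?::\d+)?\s*$")
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")

# Path fragments of allocator, ASan-runtime and smart-pointer glue frames, which
# sit on top of every stack and are not where the bug lives.
RUNTIME_PATHS = ("/asan/", "mozalloc", "nsCOMPtr")


@dataclass
class Report:
    kind: str = ""
    access: str = ""
    size: int = 0
    region_size: int = 0
    stacks: dict = field(default_factory=dict)  # "use" | "free" | "alloc" -> [(func, path, line)]


def parse_asan(text):
    """Split an ASan report into its header fields and its three stacks."""
    rep, section = Report(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.kind, section = m.group(1), "use"
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            rep.region_size = int(m.group(2))
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif (m := FRAME_RE.match(line)) and section:
            rep.stacks.setdefault(section, []).append((m.group(2), m.group(3), int(m.group(4))))
    return rep


def first_in_tree_frame(frames):
    """First frame outside allocator/runtime/glue code: the place a reviewer opens first."""
    for func, path, line in frames:
        if not any(tag in path for tag in RUNTIME_PATHS):
            return func, path, line
    return None


def summarize(text):
    """One entry per stack: what touched the freed object, who freed it, who allocated it."""
    rep = parse_asan(text)
    out = {"kind": rep.kind, "access": f"{rep.access} of {rep.size} bytes",
           "region_size": rep.region_size}
    for name in ("use", "free", "alloc"):
        frame = first_in_tree_frame(rep.stacks.get(name, []))
        out[name] = f"{frame[0]} ({frame[1]}:{frame[2]})" if frame else "?"
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>12}: {value}")
```

On the report above this yields the triage reading of the bug: a 1328-byte object allocated in NS_NewHTMLAudioElement, freed by the cycle collector's SnowWhiteKiller, then read through an nsCOMPtr in NotifyActivityChanged.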
Comment 10 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-15 13:45:57 PST
Created attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

This was interesting to debug. Suddenly OwnerDoc() started to return something very unexpected...
Comment 11 Peter Van der Beken [:peterv] 2016-11-15 17:29:24 PST
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Review of attachment 8811032 [details] [diff] [review]:
-----------------------------------------------------------------

Sigh, thanks for debugging this. I wonder if we also need to RecompileScriptEventListeners.
Comment 12 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-16 01:55:26 PST
I was wondering that and thought it really shouldn't matter. Things start to go rather wrong in this kind of case anyhow.
Comment 13 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-16 01:58:26 PST
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'd say not very easily, but sure, the patch does pinpoint what kind of code to look at.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be
"Bug 1317409, handle failing node adoption properly, r=peterv"

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch seems to apply to branches too
How likely is this patch to cause regressions; how much testing does it need?
very unlikely, since it requires JS to be in 'too much recursion' state
Comment 14 Al Billings [:abillings] 2016-11-16 15:10:34 PST
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

sec-approval+
Comment 15 Olli Pettay [:smaug] (pto-ish for couple of days) 2016-11-17 10:49:18 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/dfde779ec34212bdf72eebe927390785a4091dd0
Comment 16 Carsten Book [:Tomcat] 2016-11-18 08:01:48 PST
https://hg.mozilla.org/mozilla-central/rev/dfde779ec342
Comment 17 Gerry Chang [:gchang] 2016-11-18 19:22:50 PST
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Fix a sec-critical. Beta51+ and Aurora52+. Should be in 51 beta 2.
Comment 19 Ryan VanderMeulen [:RyanVM] 2016-11-20 11:14:59 PST
https://hg.mozilla.org/releases/mozilla-esr45/rev/3a38c92ab431
Comment 20 Ryan VanderMeulen [:RyanVM] 2016-11-29 18:05:47 PST
Temporarily reverted from esr45 for reasons. No action needed on your part, this'll be relanded at the appropriate time.

https://hg.mozilla.org/releases/mozilla-esr45/rev/848e7d67e753
Comment 21 Ryan VanderMeulen [:RyanVM] 2016-11-30 06:04:35 PST
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Low-risk sec-crit with a simple patch. Also, this was already landed on ESR45 for the 45.6 release, so I think that makes this more important to ship with 50.1 as well.
Comment 22 Ryan VanderMeulen [:RyanVM] 2016-11-30 15:52:13 PST
https://hg.mozilla.org/releases/mozilla-esr45/rev/7391f60fb790
Comment 23 Gerry Chang [:gchang] 2016-11-30 19:06:03 PST
Track 51- as it was fixed.
Comment 24 Gerry Chang [:gchang] 2016-12-01 16:25:33 PST
Track 51+ as sec-critical.
Comment 25 echo 2016-12-03 20:33:48 PST
Created attachment 8816736 [details]
Reduced testcase seems to be more controllable
Comment 26 Ritu Kothari (:ritu) 2016-12-05 10:10:43 PST
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Sec-crit, meets the triage bar for inclusion in 50.1.0
Comment 27 Ryan VanderMeulen [:RyanVM] 2016-12-05 15:15:45 PST
https://hg.mozilla.org/releases/mozilla-release/rev/c3a677de3a52
Comment 28 Al Billings [:abillings] 2016-12-07 12:01:49 PST
Can't write an advisory for this as it will 0day ESR45 users since 45.6 doesn't ship until 2017. ESR45-affected security bugs shouldn't have landed in 50.1.
Comment 29 Al Billings [:abillings] 2016-12-07 12:37:18 PST
Ok. There is a 45.6 release going out with 50.1. This should have an advisory for both.