Bug 1317409 (CVE-2016-9899)

UAF involving mutation events, contenteditable iframes and adding and immediately removing audio elements

RESOLVED FIXED in Firefox 50

Status

Product: Core
Component: DOM
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 4 months ago
Modified: a month ago

People

(Reporter: echo, Assigned: smaug)

Tracking

Version: 49 Branch
Target Milestone: mozilla53
Keywords: csectype-uaf, sec-critical
Points: ---

Firefox Tracking Flags

(firefox50+ fixed, firefox51+ fixed, firefox52+ fixed, firefox53+ fixed, firefox-esr45 50+ fixed)

Details

(Whiteboard: [adv-main50.1+][adv-esr45.6+], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

4 months ago
Created attachment 8810488 [details]
09043C65.5F5B4F30.log-ff-uaf-49.0.2.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923

Steps to reproduce:

1. Run Firefox
2. Attach debugger to plugin-container.exe
3. Open repro (remotely, e.g. http://localhost/09043C65.5F5B4F30.log-ff-uaf-49.0.2.html)


Actual results:

Firefox Crash (ESI = 0xe5e5e5e5)


Expected results:

Nothing
(Reporter)

Comment 1

4 months ago
Crash dump https://crash-stats.mozilla.com/report/index/76a26070-fa1f-4431-a387-7c0bc2161114

Comment 2

4 months ago
Olli or Nathan, this seems like it's in your corner of things?
Group: firefox-core-security → core-security
Crash Signature: [@ nsCOMPtr_base::assign_from_qi | nsCOMPtr<T>::nsCOMPtr<T> | NotifyActivityChanged ]
Component: Untriaged → DOM
Flags: needinfo?(nfroyd)
Flags: needinfo?(bugs)
Product: Firefox → Core
Summary: use after free → UAF involving mutation events, contenteditable iframes and adding and immediately removing audio elements
This looks like a DOM issue.
Flags: needinfo?(nfroyd)
Kamil, could you reproduce this in an ASan build and attach the ASan report please? Thanks.
Flags: needinfo?(kjozwiak)
Keywords: csectype-uaf, sec-critical
Crash report in comment 0 is from Firefox 49, so I'm going to assume everything later is also affected. ESR45 might also be affected.
status-firefox50: --- → affected
status-firefox51: --- → affected
status-firefox52: --- → affected
status-firefox53: --- → affected
status-firefox-esr45: --- → ?
(Assignee)

Comment 6

4 months ago
Some issue with media element handling, based on the testcase and stack.
Trying to reproduce...
(Assignee)

Comment 7

4 months ago
I see.
Assignee: nobody → bugs
Flags: needinfo?(bugs)
(Assignee)

Comment 8

4 months ago
er, not yet sure. But I'll take a new look tomorrow.
Assignee: bugs → nobody
I reproduced the crash using the STR and PoC from comment#0 using the following ASan build:
* fx53.0a1, buildId: 20161114201329, changeset: 71fd23fa0803

==96689==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000171680 at pc 0x7f6f9ebe6267 bp 0x7ffed4b7e3f0 sp 0x7ffed4b7e3e8
READ of size 8 at 0x61a000171680 thread T0 (Web Content)
    #0 0x7f6f9ebe6266 in operator() /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsCOMPtr.cpp:14:23
    #1 0x7f6f9ebe6266 in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsCOMPtr.cpp:51
    #2 0x7f6fa1d7c75f in nsCOMPtr /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/nsCOMPtr.h:519:5
    #3 0x7f6fa1d7c75f in NotifyActivityChanged(nsISupports*, void*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:4366
    #4 0x7f6fa1dadaa2 in EnumerateActivityObservers /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:9680:5
    #5 0x7f6fa1dadaa2 in nsDocument::UpdateVisibilityState() /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:11847
    #6 0x7f6fa1dae491 in nsDocument::OnPageHide(bool, mozilla::dom::EventTarget*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:8808:3
    #7 0x7f6fa5f2dc50 in nsDocumentViewer::PageHide(bool) /home/kjozwiak/mozcode/m-c-asan/layout/base/nsDocumentViewer.cpp:1316:14
    #8 0x7f6fa6d6b80d in nsDocShell::FirePageHideNotification(bool) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:1684:20
    #9 0x7f6fa6d6c143 in non-virtual thunk to nsDocShell::FirePageHideNotification(bool) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:1672:13
    #10 0x7f6fa6d6bba9 in nsDocShell::FirePageHideNotification(bool) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:1700:18
    #11 0x7f6fa6d425ba in nsDocShell::CreateContentViewer(nsACString_internal const&, nsIRequest*, nsIStreamListener**) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDocShell.cpp:9073:3
    #12 0x7f6fa6d40358 in nsDSURIContentListener::DoContent(nsACString_internal const&, bool, nsIRequest*, nsIStreamListener**, bool*) /home/kjozwiak/mozcode/m-c-asan/docshell/base/nsDSURIContentListener.cpp:128:21
    #13 0x7f6fa0d8f8b6 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /home/kjozwiak/mozcode/m-c-asan/uriloader/base/nsURILoader.cpp:736:28
    #14 0x7f6fa0d8ca62 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /home/kjozwiak/mozcode/m-c-asan/uriloader/base/nsURILoader.cpp:414:30
    #15 0x7f6fa0d8b3d2 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /home/kjozwiak/mozcode/m-c-asan/uriloader/base/nsURILoader.cpp:277:8
    #16 0x7f6f9f6b8ea7 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:543:28
    #17 0x7f6f9f6c34b7 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsCString const&) /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:474:3
    #18 0x7f6f9f706f5b in mozilla::net::StartRequestEvent::Run() /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:339:13
    #19 0x7f6f9f5f4ea5 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/mozilla/net/ChannelEventQueue.h:133:10
    #20 0x7f6f9f6c293f in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsCString const&) /home/kjozwiak/mozcode/m-c-asan/netwerk/protocol/http/HttpChannelChild.cpp:389:12
    #21 0x7f6f9fe099f6 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/ipc/ipdl/PHttpChannelChild.cpp:640:20
    #22 0x7f6fa0555883 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/ipc/ipdl/PContentChild.cpp:5852:28
    #23 0x7f6f9fb8f009 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1743:25
    #24 0x7f6f9fb8bb2e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1681:17
    #25 0x7f6f9fb8dde1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1572:5
    #26 0x7f6f9fb8e414 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessageChannel.cpp:1597:15
    #27 0x7f6f9eb7ca65 in nsThread::ProcessNextEvent(bool, bool*) /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/nsThread.cpp:1216:14
    #28 0x7f6f9ec0862a in NS_ProcessNextEvent(nsIThread*, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsThreadUtils.cpp:361:10
    #29 0x7f6f9fb95ccd in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessagePump.cpp:124:5
    #30 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #31 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #32 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #33 0x7f6fa562623f in nsBaseAppShell::Run() /home/kjozwiak/mozcode/m-c-asan/widget/nsBaseAppShell.cpp:156:27
    #34 0x7f6fa795e089 in XRE_RunAppShell /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:869:22
    #35 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #36 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #37 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #38 0x7f6fa795d5fc in XRE_InitChildProcess /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #39 0x50d78e in content_process_main /home/kjozwiak/mozcode/m-c-asan/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #40 0x50d78e in main /home/kjozwiak/mozcode/m-c-asan/browser/app/nsBrowserApp.cpp:392
    #41 0x7f6fb9f1e82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291
    #42 0x41d9d8 in _start (/home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/bin/firefox+0x41d9d8)

0x61a000171680 is located 0 bytes inside of 1328-byte region [0x61a000171680,0x61a000171bb0)
freed by thread T0 (Web Content) here:
    #0 0x4d32e0 in __interceptor_cfree.localalias.0 /home/kjozwiak/mozcode/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:54
    #1 0x7f6f9ea59925 in SnowWhiteKiller::~SnowWhiteKiller() /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:2665:25
    #2 0x7f6f9ea48b3d in nsCycleCollector::FreeSnowWhite(bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:2840:3
    #3 0x7f6f9ea4e39b in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:3826:3
    #4 0x7f6f9ea4dc22 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:3651:9
    #5 0x7f6f9ea50ee0 in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/base/nsCycleCollector.cpp:4160:21
    #6 0x7f6fa1e9b3d0 in nsJSContext::RunCycleCollectorSlice() /home/kjozwiak/mozcode/m-c-asan/dom/base/nsJSEnvironment.cpp:1476:3
    #7 0x7f6fa1e9d835 in CCTimerFired(nsITimer*, void*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsJSEnvironment.cpp:1807:7
    #8 0x7f6f9eb9eeba in nsTimerImpl::Fire() /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/nsTimerImpl.cpp:477:7
    #9 0x7f6f9eb6e972 in nsTimerEvent::Run() /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/TimerThread.cpp:289:11
    #10 0x7f6f9eb7ca65 in nsThread::ProcessNextEvent(bool, bool*) /home/kjozwiak/mozcode/m-c-asan/xpcom/threads/nsThread.cpp:1216:14
    #11 0x7f6f9ec0862a in NS_ProcessNextEvent(nsIThread*, bool) /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsThreadUtils.cpp:361:10
    #12 0x7f6f9fb95cd8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/kjozwiak/mozcode/m-c-asan/ipc/glue/MessagePump.cpp:96:21
    #13 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #14 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #15 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #16 0x7f6fa562623f in nsBaseAppShell::Run() /home/kjozwiak/mozcode/m-c-asan/widget/nsBaseAppShell.cpp:156:27
    #17 0x7f6fa795e089 in XRE_RunAppShell /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:869:22
    #18 0x7f6f9fa8dafc in RunInternal /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:232:10
    #19 0x7f6f9fa8dafc in RunHandler /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:225
    #20 0x7f6f9fa8dafc in MessageLoop::Run() /home/kjozwiak/mozcode/m-c-asan/ipc/chromium/src/base/message_loop.cc:205
    #21 0x7f6fa795d5fc in XRE_InitChildProcess /home/kjozwiak/mozcode/m-c-asan/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #22 0x50d78e in content_process_main /home/kjozwiak/mozcode/m-c-asan/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #23 0x50d78e in main /home/kjozwiak/mozcode/m-c-asan/browser/app/nsBrowserApp.cpp:392
    #24 0x7f6fb9f1e82f in __libc_start_main /build/glibc-Qz8a69/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (Web Content) here:
    #0 0x4d3498 in __interceptor_malloc /home/kjozwiak/mozcode/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x50e99d in moz_xmalloc /home/kjozwiak/mozcode/m-c-asan/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f6fa3efc8f6 in operator new /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f6fa3efc8f6 in NS_NewHTMLAudioElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/kjozwiak/mozcode/m-c-asan/dom/html/HTMLAudioElement.cpp:23
    #4 0x7f6fa4118389 in CreateHTMLElement /home/kjozwiak/mozcode/m-c-asan/dom/html/nsHTMLContentSink.cpp:289:41
    #5 0x7f6fa4118389 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/kjozwiak/mozcode/m-c-asan/dom/html/nsHTMLContentSink.cpp:270
    #6 0x7f6fa1ecc1c1 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsNameSpaceManager.cpp:177:12
    #7 0x7f6fa1da7eac in nsDocument::CreateElem(nsAString_internal const&, nsIAtom*, int, nsAString_internal const*) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:8143:17
    #8 0x7f6fa1d8b31a in nsDocument::CreateElement(nsAString_internal const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /home/kjozwiak/mozcode/m-c-asan/dom/base/nsDocument.cpp:5409:26
    #9 0x7f6fa3342fc6 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dom/bindings/DocumentBinding.cpp:1010:59
    #10 0x7f6fa3911502 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/kjozwiak/mozcode/m-c-asan/dom/bindings/BindingUtils.cpp:2879:13
    #11 0x7f6f92945d59  (<unknown module>)
    #12 0x621000d93797  (<unknown module>)
    #13 0x7f6f9278e887  (<unknown module>)
    #14 0x7f6faa95e967 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /home/kjozwiak/mozcode/m-c-asan/js/src/jit/BaselineJIT.cpp:153:9
    #15 0x7f6faa95e15d in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /home/kjozwiak/mozcode/m-c-asan/js/src/jit/BaselineJIT.cpp:193:28
    #16 0x7f6faa0c17ba in js::RunScript(JSContext*, js::RunState&) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:395:41
    #17 0x7f6faa0f7cdb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:477:15
    #18 0x7f6faa0f8742 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:523:10
    #19 0x7f6fa9e5e531 in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/Wrapper.cpp:165:12
    #20 0x7f6fa9e11de5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/CrossCompartmentWrapper.cpp:333:23
    #21 0x7f6fa9e3dc0d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/Proxy.cpp:400:21
    #22 0x7f6fa9e40694 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/kjozwiak/mozcode/m-c-asan/js/src/proxy/Proxy.cpp:689:12
    #23 0x7f6faa0f7e4b in CallJSNative /home/kjozwiak/mozcode/m-c-asan/js/src/jscntxtinlines.h:239:15
    #24 0x7f6faa0f7e4b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:447
    #25 0x7f6faa0f8742 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/kjozwiak/mozcode/m-c-asan/js/src/vm/Interpreter.cpp:523:10
    #26 0x7f6fa9be0f2d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/kjozwiak/mozcode/m-c-asan/js/src/jsapi.cpp:2828:12
    #27 0x7f6fa330043c in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dom/bindings/EventListenerBinding.cpp:47:8
    #28 0x7f6fa3d3540f in HandleEvent<mozilla::dom::EventTarget *> /home/kjozwiak/mozcode/m-c-asan/objdir-ff-asan/dist/include/mozilla/dom/EventListenerBinding.h:64:12
    #29 0x7f6fa3d3540f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventListenerManager.cpp:1131
    #30 0x7f6fa3d36df7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventListenerManager.cpp:1287:17
    #31 0x7f6fa3d224f3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventDispatcher.cpp:401:14
    #32 0x7f6fa3d24ff0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventDispatcher.cpp:711:9
    #33 0x7f6fa3d26efc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/kjozwiak/mozcode/m-c-asan/dom/events/EventDispatcher.cpp:780:12

SUMMARY: AddressSanitizer: heap-use-after-free /home/kjozwiak/mozcode/m-c-asan/xpcom/glue/nsCOMPtr.cpp:14:23 in operator()
==96689==ABORTING
Flags: needinfo?(kjozwiak)
Group: core-security → dom-core-security
Priority: -- → P1
Status: UNCONFIRMED → NEW
Ever confirmed: true
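
An added example, not part of the bug report or of Mozilla's tooling: a small Python triage helper that parses an ASan heap-use-after-free report like the one in the comment above and returns, for the access, free and allocation stacks, the first frame that is not allocator or smart-pointer glue. The `NOISE` prefix list and all function names are assumptions made for this example; `SAMPLE` is abridged from the trace above.

```python
import re

# Abridged from the ASan report in this bug (most frames dropped and the
# build-directory prefix removed from paths) so the example runs offline.
SAMPLE = """\
==96689==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000171680 at pc 0x7f6f9ebe6267 bp 0x7ffed4b7e3f0 sp 0x7ffed4b7e3e8
READ of size 8 at 0x61a000171680 thread T0 (Web Content)
    #0 0x7f6f9ebe6266 in operator() xpcom/glue/nsCOMPtr.cpp:14:23
    #1 0x7f6f9ebe6266 in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) xpcom/glue/nsCOMPtr.cpp:51
    #2 0x7f6fa1d7c75f in nsCOMPtr dist/include/nsCOMPtr.h:519:5
    #3 0x7f6fa1d7c75f in NotifyActivityChanged(nsISupports*, void*) dom/base/nsDocument.cpp:4366

0x61a000171680 is located 0 bytes inside of 1328-byte region [0x61a000171680,0x61a000171bb0)
freed by thread T0 (Web Content) here:
    #0 0x4d32e0 in __interceptor_cfree.localalias.0 asan_malloc_linux.cc:54
    #1 0x7f6f9ea59925 in SnowWhiteKiller::~SnowWhiteKiller() xpcom/base/nsCycleCollector.cpp:2665:25
    #2 0x7f6f9ea48b3d in nsCycleCollector::FreeSnowWhite(bool) xpcom/base/nsCycleCollector.cpp:2840:3

previously allocated by thread T0 (Web Content) here:
    #0 0x4d3498 in __interceptor_malloc asan_malloc_linux.cc:64
    #1 0x50e99d in moz_xmalloc memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f6fa3efc8f6 in operator new dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f6fa3efc8f6 in NS_NewHTMLAudioElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) dom/html/HTMLAudioElement.cpp:23
"""

FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
REGION = re.compile(r"located (\d+) bytes (inside of|to the \w+ of) (\d+)-byte region")
# Assumption: prefixes treated as glue rather than the code at fault.
NOISE = ("__interceptor_", "moz_xmalloc", "operator", "nsCOMPtr")

def short_name(func):
    """Drop the argument list, keeping names such as 'operator()' intact."""
    return func if func.startswith("operator") else func.split("(", 1)[0]

def parse_asan(report):
    """Split a report into header fields and its use/free/alloc stacks."""
    out = {"stacks": {"use": [], "free": [], "alloc": []}}
    section = None
    for line in report.splitlines():
        if m := HEADER.search(line):
            out["bug_type"], out["address"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            out["access"], out["size"] = m.group(1), int(m.group(2))
            section = "use"
        elif m := REGION.search(line):
            out["offset"], out["region_size"] = int(m.group(1)), int(m.group(3))
        elif line.startswith("freed by thread"):
            section = "free"
        elif line.startswith("previously allocated by thread"):
            section = "alloc"
        elif line.startswith("SUMMARY:"):
            section = None
        elif section and (m := FRAME.match(line)):
            # Frames without symbols, e.g. "(<unknown module>)", do not match.
            out["stacks"][section].append((short_name(m.group(2)), m.group(3)))
    return out

def first_project_frame(stack):
    """First frame that is not allocator, interceptor or smart-pointer glue."""
    for func, where in stack:
        if not func.startswith(NOISE):
            return func, where
    return None  # stack missing or truncated

def triage(report):
    parsed = parse_asan(report)
    return {
        "bug_type": parsed.get("bug_type"),
        "access": f'{parsed.get("access")} of size {parsed.get("size")}',
        "object": f'offset {parsed.get("offset")} in {parsed.get("region_size")}-byte region',
        **{k: first_project_frame(v) for k, v in parsed["stacks"].items()},
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:9} {value}")
```

On this report the three frames are NotifyActivityChanged (reader), SnowWhiteKiller::~SnowWhiteKiller in the cycle collector (free) and NS_NewHTMLAudioElement (allocation), which is the audio element named in the bug summary.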
(Assignee)

Updated

4 months ago
Assignee: nobody → bugs
(Assignee)

Comment 10

4 months ago
Created attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

This was interesting to debug. Suddenly OwnerDoc() started to return something very unexpected...
Attachment #8811032 - Flags: review?(peterv)
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Review of attachment 8811032 [details] [diff] [review]:
-----------------------------------------------------------------

Sigh, thanks for debugging this. I wonder if we also need to RecompileScriptEventListeners.
Attachment #8811032 - Flags: review?(peterv) → review+
(Assignee)

Comment 12

4 months ago
I was wondering that and thought it really shouldn't matter. Things start to go rather wrong in this kind of case anyhow.
(Assignee)

Comment 13

4 months ago
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'd say not very easily, but sure, the patch does pinpoint what kind of code to look at.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be
"Bug 1317409, handle failing node adoption properly, r=peterv"

Which older supported branches are affected by this flaw?
all

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Patch seems to apply to branches too


How likely is this patch to cause regressions; how much testing does it need?
very unlikely, since it requires JS to be in 'too much recursion' state
Attachment #8811032 - Flags: sec-approval?
Attachment #8811032 - Flags: approval-mozilla-esr45?
Attachment #8811032 - Flags: approval-mozilla-beta?
Attachment #8811032 - Flags: approval-mozilla-aurora?
status-firefox50: affected → wontfix
status-firefox-esr45: ? → affected
tracking-firefox53: --- → +
tracking-firefox-esr45: --- → 51+
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

sec-approval+
Attachment #8811032 - Flags: sec-approval? → sec-approval+
(Assignee)

Comment 15

4 months ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/dfde779ec34212bdf72eebe927390785a4091dd0
https://hg.mozilla.org/mozilla-central/rev/dfde779ec342
Status: NEW → RESOLVED
Last Resolved: 4 months ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Fix a sec-critical. Beta51+ and Aurora52+. Should be in 51 beta 2.
Attachment #8811032 - Flags: approval-mozilla-beta?
Attachment #8811032 - Flags: approval-mozilla-beta+
Attachment #8811032 - Flags: approval-mozilla-aurora?
Attachment #8811032 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/3929c921fc44
https://hg.mozilla.org/releases/mozilla-beta/rev/983feaba1af4
status-firefox51: affected → fixed
status-firefox52: affected → fixed
https://hg.mozilla.org/releases/mozilla-esr45/rev/3a38c92ab431
status-firefox-esr45: affected → fixed

Updated

4 months ago
Attachment #8811032 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Group: dom-core-security → core-security-release
Temporarily reverted from esr45 for reasons. No action needed on your part, this'll be relanded at the appropriate time.

https://hg.mozilla.org/releases/mozilla-esr45/rev/848e7d67e753
status-firefox-esr45: fixed → affected
status-firefox50: wontfix → affected
tracking-firefox50: --- → ?
tracking-firefox51: --- → ?
tracking-firefox52: --- → ?
tracking-firefox-esr45: 51+ → ?
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Low-risk sec-crit with a simple patch. Also, this was already landed on ESR45 for the 45.6 release, so I think that makes this more important to ship with 50.1 as well.
Attachment #8811032 - Flags: approval-mozilla-release?
https://hg.mozilla.org/releases/mozilla-esr45/rev/7391f60fb790
status-firefox-esr45: affected → fixed
Track 51- as it was fixed.
tracking-firefox51: ? → -
tracking-firefox51: - → ?
Track 51+ as sec-critical.
tracking-firefox51: ? → +
(Reporter)

Comment 25

4 months ago
Created attachment 8816736 [details]
Reduced testcase seems to be more controllable

Updated

4 months ago
tracking-firefox50: ? → +
tracking-firefox52: ? → +
tracking-firefox-esr45: ? → 51+

Comment 26

4 months ago
Comment on attachment 8811032 [details] [diff] [review]
adopt_recursion.diff

Sec-crit, meets the triage bar for inclusion in 50.1.0
Attachment #8811032 - Flags: approval-mozilla-release? → approval-mozilla-release+
https://hg.mozilla.org/releases/mozilla-release/rev/c3a677de3a52
status-firefox50: affected → fixed
Can't write an advisory for this as it will 0day ESR45 users since 45.6 doesn't ship until 2017. ESR45 affected security bugs shouldn't have landed in 50.1.
Flags: needinfo?(abillings)
Ok. There is a 45.6 release going out with 50.1. This should have an advisory for both.
Flags: needinfo?(abillings)
Whiteboard: [adv-main50.1+][adv-esr45.6+]
Alias: CVE-2016-9899
tracking-firefox-esr45: 51+ → 50+
Group: core-security-release