Closed
Bug 1326084
Opened 8 years ago
Closed 7 years ago
IPC - Use After Free in a11y::DocAccessibleParent::RemoveChildDoc()
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
VERIFIED
FIXED
mozilla54
People
(Reporter: loobenyang, Assigned: handyman)
References
Details
(Keywords: csectype-uaf, sec-high, topcrash-win, Whiteboard: [post-critsmash-triage] aes+)
Crash Data
Attachments
(4 files, 4 obsolete files)
665 bytes,
text/plain
|
Details | |
1.38 KB,
patch
|
bugzilla
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
2.30 KB,
patch
|
Details | Diff | Splinter Review | |
3.30 KB,
patch
|
yzen
:
review+
RyanVM
:
feedback+
|
Details | Diff | Splinter Review |
Reproduction test case: <html><body></body><script> var iframe = document.body.appendChild(document.createElement("iframe")); var element1 = document.createElement("content"); var element2 = document.createElement("OPTION"); var element3 = document.createElement("wbr"); var range = document.createRange(); range.setStart(element2, 0); setTimeout(function(){var select = window.getSelection();}, 50); var player0 = document.documentElement.animate([{"position": "relative","offset":"0"},], {duration:34,iterations: 69,delay: 50}); player0.onfinish = function(){range.insertNode(element1);range.setStartBefore(element3); }; setTimeout(function(){location.reload(true)},200);</script></html> Steps to reproduce: 1. Open the test case UAF_RemoveChildDoc_Repro.html in Firefox browser. 2. Firefox crashes at corrupted memory in a11y::DocAccessibleParent::RemoveChildDoc(): (14e8.374c): Access violation - code c0000005 (!!! second chance !!!) eax=1fa0a648 ebx=00000008 ecx=17a0f000 edx=179f61c4 esi=1fa0a630 edi=7f7198ec eip=5987e676 esp=00afe268 ebp=00afe274 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 xul!nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *>::Equals+0x12 [inlined in xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+0x29]: 5987e676 3901 cmp dword ptr [ecx],eax ds:002b:17a0f000=???????? Firefox version: 53.0a1 (2016-12-28) (32-bit) OS: Windows 10 Stack trace: 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+29 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nstarray.h @ 1276] 5987e676 3901 cmp dword ptr [ecx],eax EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 5987e676 (xul!nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *>::Equals+0x00000012) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 17a0f000 Attempt to read from address 17a0f000 CONTEXT: 00000000 -- (.cxr 0x0;r) eax=1fa0a648 ebx=00000008 ecx=17a0f000 edx=179f61c4 esi=1fa0a630 edi=7f7198ec eip=5987e676 esp=00afe268 ebp=00afe274 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 xul!nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *>::Equals+0x12 [inlined in xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+0x29]: 5987e676 3901 cmp dword ptr [ecx],eax ds:002b:17a0f000=???????? FAULTING_THREAD: 0000374c DEFAULT_BUCKET_ID: INVALID_POINTER_READ PROCESS_NAME: firefox.exe OVERLAPPED_MODULE: Address regions for 'softokn3' and 'kbdus.dll' overlap ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 17a0f000 READ_ADDRESS: 17a0f000 FOLLOWUP_IP: xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+29 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nstarray.h @ 1276] 5987e676 3901 cmp dword ptr [ecx],eax NTGLOBALFLAG: 2000000 APPLICATION_VERIFIER_FLAGS: 0 APP: firefox.exe ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ LAST_CONTROL_TRANSFER: from 5987f635 to 5987e676 STACK_TEXT: 00afe274 5987f635 00000000 17a76740 17a76740 xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+0x29 00afe29c 5987ea0e 1fa0a630 00000000 17a76740 xul!mozilla::a11y::DocAccessibleParent::RemoveChildDoc+0x22 00afe2d8 5987e9a0 1fbe6c28 17a76740 1fbe6c28 xul!mozilla::a11y::DocAccessibleParent::Destroy+0xa6 00afe310 5987f39a 1fbe6c28 17a76740 17a76740 xul!mozilla::a11y::DocAccessibleParent::Destroy+0x38 00afe324 58cc5a7c 00afe33e 1fbe6c28 1ba0a800 xul!mozilla::a11y::DocAccessibleParent::RecvShutdown+0xd 00afe384 58c9c12a 1fbe6c28 1fbe6c28 1ba0a8a8 xul!mozilla::a11y::PDocAccessibleParent::OnMessageReceived+0x57 00aff0c0 582b8e5f 1fbe6c28 1ba0a8a8 200cff10 xul!mozilla::dom::PContentParent::OnMessageReceived+0x4b 00aff0dc 582b8f91 00be6c28 1fbe6c28 1ba0a8a8 xul!mozilla::ipc::MessageChannel::DispatchAsyncMessage+0x4c 00aff144 582b9296 1fbe6c28 1fbe6c00 200cff10 xul!mozilla::ipc::MessageChannel::DispatchMessageW+0xc2 00aff15c 582b9231 1fbe6c00 0850b160 08511524 xul!mozilla::ipc::MessageChannel::RunMessage+0x53 00aff174 5818391c 1fbe6c00 085221a0 08522190 xul!mozilla::ipc::MessageChannel::MessageTask::Run+0x38 00aff1e4 58182119 0850b160 00000000 00aff217 xul!nsThread::ProcessNextEvent+0x14d 00aff218 58281d48 0855f0c0 37a307f6 08511520 xul!mozilla::ipc::MessagePump::Run+0x70 00aff250 58281d17 0850b160 00000001 08511500 xul!MessageLoop::RunHandler+0x20 00aff270 584c2c61 14ad95c0 00000000 00aff290 xul!MessageLoop::Run+0x19 00aff280 584c29f0 08511520 14ad95c0 00aff2a4 xul!nsBaseAppShell::Run+0x34 00aff290 584c29a5 08511520 00aff61d 18215de0 xul!nsAppShell::Run+0x26 00aff2a4 584cb85c 14ad95c0 62d92c50 00aff520 xul!nsAppStartup::Run+0x22 00aff498 586501bc 085100b0 00aff65c 00c130c0 xul!XREMain::XRE_mainRun+0x65c 00aff4c4 5864f6d9 00000000 00000000 00aff65c xul!XREMain::XRE_main+0x157 00aff62c 00bf17fc 00000001 08501050 00aff65c xul!XRE_main+0x39 00aff8c4 00bf3385 004eff18 085111c0 00000001 firefox!do_main+0x7cc 00affc7c 00bf5e07 00000001 ffe03f50 0830cf18 firefox!wmain+0x405 00affcc4 74228694 00910000 74228670 1e55464b firefox!__scrt_common_main_seh+0xf9 00affcd8 778004ba 00910000 1df5b00d 00000000 KERNEL32!BaseThreadInitThunk+0x24 00affd20 7780048a ffffffff 77822f86 00000000 ntdll!__RtlUserThreadStart+0x2f 00affd30 00000000 00bf5e7d 00910000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: .cxr 0x0 ; kb FAULTING_SOURCE_LINE: c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nstarray.h FAULTING_SOURCE_FILE: c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nstarray.h FAULTING_SOURCE_LINE_NUMBER: 1276 FAULTING_SOURCE_CODE: No source found for 'c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nstarray.h' SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+29 FOLLOWUP_NAME: MachineOwner MODULE_NAME: xul IMAGE_NAME: xul.dll DEBUG_FLR_IMAGE_TIMESTAMP: 5863c2af FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_xul.dll!nsTArray_Impl_mozilla::a11y::ProxyAccessible_*,nsTArrayInfallibleAllocator_::IndexOf_mozilla::a11y::DocAccessibleParent_*,nsDefaultComparator_mozilla::a11y::ProxyAccessible_*,mozilla::a11y::DocAccessibleParent_*___ BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_xul!nsTArray_Impl_mozilla::a11y::ProxyAccessible_*,nsTArrayInfallibleAllocator_::IndexOf_mozilla::a11y::DocAccessibleParent_*,nsDefaultComparator_mozilla::a11y::ProxyAccessible_*,mozilla::a11y::DocAccessibleParent_*___+2 ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_xul.dll!nstarray_impl_mozilla::a11y::proxyaccessible_*,nstarrayinfallibleallocator_::indexof_mozilla::a11y::docaccessibleparent_*,nsdefaultcomparator_mozilla::a11y::proxyaccessible_*,mozilla::a11y::docaccessibleparent_*___ FAILURE_ID_HASH: {6ee3eec6-b59d-bfd8-7523-dec28070ab0a} Followup: MachineOwner --------- Sometimes it crashes at e5e5e5e5. Variables shows that the aChildDoc->mParent pointed to a freed object: (5a0.3570): Unknown exception - code c000041d (!!! second chance !!!) eax=0093d1f8 ebx=00000008 ecx=187ca884 edx=e5e5e5e5 esi=187ca880 edi=239eba50 eip=5f12e655 esp=0093d1c8 ebp=0093d1d4 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 xul!nsTArray_Impl<mozilla::a11y::ProxyAccessible *,nsTArrayInfallibleAllocator>::IndexOf<mozilla::a11y::DocAccessibleParent *,nsDefaultComparator<mozilla::a11y::ProxyAccessible *,mozilla::a11y::DocAccessibleParent *> >+0x8: 5f12e655 8b3a mov edi,dword ptr [edx] ds:002b:e5e5e5e5=???????? aChildDoc 0x239eba50 class mozilla::a11y::DocAccessibleParent * mozilla::a11y::ProxyAccessible class mozilla::a11y::ProxyAccessible mozilla::a11y::ProxyAccessibleBase<mozilla::a11y::ProxyAccessible> class mozilla::a11y::ProxyAccessibleBase<mozilla::a11y::ProxyAccessible> mParent 0x187ca880 class mozilla::a11y::ProxyAccessible * mozilla::a11y::ProxyAccessibleBase<mozilla::a11y::ProxyAccessible> class mozilla::a11y::ProxyAccessibleBase<mozilla::a11y::ProxyAccessible> mParent 0xe5e5e5e5 class mozilla::a11y::ProxyAccessible * mChildren class nsTArray<mozilla::a11y::ProxyAccessible *> mDoc 0xe5e5e5e5 class mozilla::a11y::DocAccessibleParent * mWrapper 0xe5e5e5e5 mID 0xe5e5e5e5`e5e5e5e5 mRole 0n98952677 (No matching enumerant) mOuterDoc true mIsDoc false mHasValue true mIsHyperLink false mIsHyperText false mCOMProxy class RefPtr<IAccessible> mChildren class nsTArray<mozilla::a11y::ProxyAccessible *> mDoc 0x239eba50 class mozilla::a11y::DocAccessibleParent * mWrapper 0 mID 0 mRole DOCUMENT (0n15) mOuterDoc false mIsDoc true mHasValue false mIsHyperLink false mIsHyperText false mCOMProxy class RefPtr<IAccessible> mozilla::a11y::PDocAccessibleParent class mozilla::a11y::PDocAccessibleParent mChildDocs class nsTArray<mozilla::a11y::DocAccessibleParent *> mParentDoc 0x255e7a90 class mozilla::a11y::DocAccessibleParent * mAccessibles class nsTHashtable<mozilla::a11y::DocAccessibleParent::ProxyEntry> mTopLevel false mShutdown true this 0x255e7a90 class mozilla::a11y::DocAccessibleParent * mozilla::a11y::ProxyAccessible class mozilla::a11y::ProxyAccessible mozilla::a11y::PDocAccessibleParent class mozilla::a11y::PDocAccessibleParent mChildDocs class nsTArray<mozilla::a11y::DocAccessibleParent *> mParentDoc 0x00000000 class mozilla::a11y::DocAccessibleParent * mAccessibles class nsTHashtable<mozilla::a11y::DocAccessibleParent::ProxyEntry> mTopLevel true mShutdown true
Updated•8 years ago
|
Group: core-security → dom-core-security
Component: IPC → Disability Access APIs
Keywords: csectype-uaf,
sec-high
Comment 1•8 years ago
|
||
The test case involves animation, so I'm not sure if that or a11y IPC stuff is to blame here.
Comment 2•8 years ago
|
||
We've been having problems with how a11y+e10s handles iframes, so that's the real repro here. I'll try this repro locally and see if it works for me.
Reporter | ||
Comment 3•8 years ago
|
||
Updated•8 years ago
|
Flags: sec-bounty?
Comment 4•7 years ago
|
||
The attached repro works pretty quickly with a debug build on my machine. I think what I'm seeing here is that hide events are being dispatched in the parent in an unexpected order with respect to shutdown messages. We still need to be able to work backwards do determine how we got into this state.
Updated•7 years ago
|
Whiteboard: aes+
Comment 5•7 years ago
|
||
Trevor is back agreed to take a look at this. (Note public bug is likely: bug 1324863)
Assignee: nobody → tbsaunde+mozbugs
Reporter | ||
Comment 6•7 years ago
|
||
Anyone working on it?(In reply to Aaron Klotz [:aklotz] from comment #4) > The attached repro works pretty quickly with a debug build on my machine. > > I think what I'm seeing here is that hide events are being dispatched in the > parent in an unexpected order with respect to shutdown messages. > > We still need to be able to work backwards do determine how we got into this > state. Thanks for confirming it. Are you or someone else working on it?
Comment 7•7 years ago
|
||
Trevor is currently assigned to this.
Reporter | ||
Comment 8•7 years ago
|
||
Hi Trevor, are you able to reproduce it? If you need more information, please let me know.
Flags: needinfo?(tbsaunde+mozbugs)
Comment 9•7 years ago
|
||
I've never been able to reproduce this on linux, I guess I can try on windows, but I suspect debugging there will be much harder. Can you only reproduce on windows?
Flags: needinfo?(tbsaunde+mozbugs)
Reporter | ||
Comment 10•7 years ago
|
||
(In reply to Trevor Saunders (:tbsaunde) from comment #9) > I've never been able to reproduce this on linux, I guess I can try on > windows, but I suspect debugging there will be much harder. Can you only > reproduce on windows? Yes I only reproduce it on Windows, I don't have a Linux machine.
Reporter | ||
Comment 11•7 years ago
|
||
(In reply to Trevor Saunders (:tbsaunde) from comment #9) > I've never been able to reproduce this on linux, I guess I can try on > windows, but I suspect debugging there will be much harder. Can you only > reproduce on windows? If it's not convenient for you to debug it in Windows. Do you need it to be re-assigned to someone else?
Flags: needinfo?(tbsaunde+mozbugs)
Assignee | ||
Comment 12•7 years ago
|
||
Hey Trevor, I think I've got a bead on this so I guess I'll take it. Its not hard to see whats going on in the patch but there are a few other issues to cover: --- This patch seems to stop the crashes for me. I'm starting the Narrarator screen reader built into Windows (on Win10) to turn on Accessibility in Firefox. I don't have a touch device yet but I assume its the same failure. That's the only step I added to the STR. --- The loop fix in the patch is obvious. The code in DocAccessibleParent::RemoveChildDoc [1] seems pretty clear -- it is trying to free aChildDoc from its parent. Note, however, that the Parent [2] and the ParentDoc [3] are not the same thing, at least in the case of this crash. It seems from the rest of RemoveChildDoc that this was supposed to be the ParentDoc (which is what mParentDoc refers to), but I don't know this code enough to say for sure. --- So, initially, the code crashed almost immediately after turning on a11y due to the RemoveChildDoc bug. With the patch, the crashes seemed to stop but, after turning a11y on/off a few times and watching it for a while, then leaving the browser to write this comment, then returning to the browser (with the narrarator off), I got this ASSERT [4]: xul.dll!mozilla::a11y::ProxyDestroyed(mozilla::a11y::ProxyAccessible * aProxy=0x12f30958) Line 84 C++ xul.dll!mozilla::a11y::DocAccessibleParent::Destroy() Line 469 C++ > xul.dll!mozilla::a11y::DocAccessibleParent::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason aWhy=AbnormalShutdown) Line 93 C++ xul.dll!mozilla::a11y::PDocAccessibleParent::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason why=AbnormalShutdown) Line 610 C++ xul.dll!mozilla::dom::PBrowserParent::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason why=AbnormalShutdown) Line 5030 C++ xul.dll!mozilla::dom::PContentParent::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason why=AbnormalShutdown) Line 8620 C++ xul.dll!mozilla::dom::PContentParent::OnChannelError() Line 8584 C++ xul.dll!mozilla::dom::ContentParent::OnChannelError() Line 1315 C++ xul.dll!mozilla::ipc::MessageChannel::NotifyMaybeChannelError() Line 2217 C++ xul.dll!mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() Line 2246 C++ xul.dll!mozilla::detail::RunnableMethodArguments<>::applyImpl<mozilla::ipc::MessageChannel,void (__thiscall mozilla::ipc::MessageChannel::*)(void)>(mozilla::ipc::MessageChannel * o=0x123c90b8, void(mozilla::ipc::MessageChannel::*)() m=0x01def5f2, mozilla::Tuple<> & args={...}, mozilla::IndexSequence<> __formal={...}) Line 826 C++ xul.dll!mozilla::detail::RunnableMethodArguments<>::apply<mozilla::ipc::MessageChannel,void (__thiscall mozilla::ipc::MessageChannel::*)(void)>(mozilla::ipc::MessageChannel * o=0x123c90b8, void(mozilla::ipc::MessageChannel::*)() m=0x01def5f2) Line 831 C++ xul.dll!mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel * const,void (__thiscall mozilla::ipc::MessageChannel::*)(void),0,1>::Run() Line 862 C++ xul.dll!nsThread::ProcessNextEvent(bool aMayWait=false, bool * aResult=0x00e5f015) Line 1240 C++ xul.dll!NS_ProcessNextEvent(nsIThread * aThread=0x01c62280, bool aMayWait=false) Line 390 C++ xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate=0x01c621b0) Line 96 C++ xul.dll!MessageLoop::RunInternal() Line 239 C++ xul.dll!MessageLoop::RunHandler() Line 232 C++ xul.dll!MessageLoop::Run() Line 212 C++ xul.dll!nsBaseAppShell::Run() Line 158 C++ xul.dll!nsAppShell::Run() Line 262 C++ xul.dll!nsAppStartup::Run() Line 283 C++ xul.dll!XREMain::XRE_mainRun() Line 4461 C++ xul.dll!XREMain::XRE_main(int argc=3, char * * argv=0x01c01030, const mozilla::BootstrapConfig & aConfig={...}) Line 4638 C++ xul.dll!XRE_main(int argc=3, char * * argv=0x01c01030, const mozilla::BootstrapConfig & aConfig={...}) Line 4729 C++ xul.dll!mozilla::BootstrapImpl::XRE_main(int argc=3, char * * argv=0x01c01030, const mozilla::BootstrapConfig & aConfig={...}) Line 45 C++ firefox.exe!do_main(int argc=3, char * * argv=0x01c01030, char * * envp=0x015f30e8) Line 235 C++ firefox.exe!NS_internal_main(int argc=3, char * * argv=0x01c01030, char * * envp=0x015f30e8) Line 305 C++ firefox.exe!wmain(int argc=3, wchar_t * * argv=0x015eb518) Line 115 C++ firefox.exe!__scrt_common_main_seh() Line 253 C++ kernel32.dll!@BaseThreadInitThunk@12() Unknown ntdll.dll!__RtlUserThreadStart() Unknown ntdll.dll!__RtlUserThreadStart@8() Unknown It doesn't look like it would crash a release but I couldnt continue past the ASSERT in the debug build to test that. The signature is clearly different than this bug so I'm assuming this is a separate issue. OTOH, it may be due to the mParent vs mParentDoc issue. Its worth pointing out that the call stack indicates some exceptional behavior. But I only have a cursory understanding of this code at this point. --- I'm also getting spammed by this message while the page runs with a11y on [5]: [Parent 1000] ###!!! ASSERTION: why weren't the child docs destroyed already?: 'mChildDocs.IsEmpty()', file c:/mozilla-src/mozilla-unified/accessible/ipc/DocAccessibleParent.cpp, line 450 [Parent 1000] ###!!! ASSERTION: Why do we still have a child doc?: '!mOuterDoc', file c:/mozilla-src/mozilla-unified/accessible/ipc/ProxyAccessibleBase.cpp, line 28 It seems to print it about a half-dozen times on each page reload. However, the only place other than the location in [5] that would destroy the child doc is the Unbind method [6]. I don't know why it hasn't been called. Again, this seems to be a different bug. Previously, it just crashed before it had a chance to spam. --- [1] https://dxr.mozilla.org/mozilla-central/rev/8ff550409e1d1f8b54f6f7f115545dbef857be0b/accessible/ipc/DocAccessibleParent.h#112 [2] https://dxr.mozilla.org/mozilla-central/rev/8ff550409e1d1f8b54f6f7f115545dbef857be0b/accessible/ipc/ProxyAccessibleBase.h#93 [3] https://dxr.mozilla.org/mozilla-central/rev/8ff550409e1d1f8b54f6f7f115545dbef857be0b/accessible/ipc/DocAccessibleParent.h#99 [4] https://dxr.mozilla.org/mozilla-central/rev/8ff550409e1d1f8b54f6f7f115545dbef857be0b/accessible/windows/msaa/Platform.cpp#84 [5] https://dxr.mozilla.org/mozilla-central/rev/8ff550409e1d1f8b54f6f7f115545dbef857be0b/accessible/ipc/DocAccessibleParent.cpp#449 [6] https://dxr.mozilla.org/mozilla-central/rev/8ff550409e1d1f8b54f6f7f115545dbef857be0b/accessible/ipc/DocAccessibleParent.h#77
Assignee: tbsaunde+mozbugs → davidp99
Attachment #8830045 -
Flags: review?(tbsaunde+mozbugs)
Comment 13•7 years ago
|
||
(In reply to David Parks (dparks) [:handyman] from comment #12) > Created attachment 8830045 [details] [diff] [review] > Fix a11y document teardown issues > > Hey Trevor, I think I've got a bead on this so I guess I'll take it. Its > not hard to see whats going on in the patch but there are a few other issues > to cover: > > --- > > This patch seems to stop the crashes for me. I'm starting the Narrarator > screen reader built into Windows (on Win10) to > turn on Accessibility in Firefox. I don't have a touch device yet but I > assume its the same failure. That's the only > step I added to the STR. I would expect so, I was seeing similar crashes with nvda, with this test case. > The loop fix in the patch is obvious. I'm not actually convinced it is, though I admit relying on unsigned underflow being defined is sneaky. > The code in DocAccessibleParent::RemoveChildDoc [1] seems pretty clear -- it > is trying to free aChildDoc from its parent. > Note, however, that the Parent [2] and the ParentDoc [3] are not the same > thing, at least in the case of this crash. I believe they should always be different, I believe we have asserts that check this. > It seems from the rest of RemoveChildDoc that this was supposed to be the > ParentDoc (which is what mParentDoc refers to), > but I don't know this code enough to say for sure. no, it actually was trying to remove the document from the parent, not the parent document. > --- > > So, initially, the code crashed almost immediately after turning on a11y due > to the RemoveChildDoc bug. With the patch, > the crashes seemed to stop but, after turning a11y on/off a few times and > watching it for a while, then leaving the browser to write this > comment, then returning to the browser (with the narrarator off), I got this so, given the above I'm not really sure why this patch fixes the crashes. > ASSERT [4]: > > xul.dll!mozilla::a11y::ProxyDestroyed(mozilla::a11y::ProxyAccessible * > aProxy=0x12f30958) Line 84 C++ > xul.dll!mozilla::a11y::DocAccessibleParent::Destroy() Line 469 C++ > > xul.dll!mozilla::a11y::DocAccessibleParent::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason aWhy=AbnormalShutdown) Line 93 C++ this does seem different, I'm not totally sure if that assert is valid, but for the moment seems safer to leave it in. > It doesn't look like it would crash a release but I couldnt continue past > the ASSERT in the debug build to test that. The signature is > clearly different than this bug so I'm assuming this is a separate issue. > OTOH, it may be due to the mParent vs mParentDoc issue. > Its worth pointing out that the call stack indicates some exceptional > behavior. But I only have a cursory understanding of this code > at this point. the only thing I find odd in a quick look is that the shutdown reason for the actor is abnormal shutdown. > > I'm also getting spammed by this message while the page runs with a11y on > [5]: > > [Parent 1000] ###!!! ASSERTION: why weren't the child docs destroyed > already?: 'mChildDocs.IsEmpty()', file > c:/mozilla-src/mozilla-unified/accessible/ipc/DocAccessibleParent.cpp, line > 450 I haven't seen that one, but I'm not really sure its valid, though it would be nice if it was. > [Parent 1000] ###!!! ASSERTION: Why do we still have a child doc?: > '!mOuterDoc', file > c:/mozilla-src/mozilla-unified/accessible/ipc/ProxyAccessibleBase.cpp, line > 28 yeah, that's known, I believe things work fine after that happens, but it would be nice to see if we can fix it some day.
Flags: needinfo?(tbsaunde+mozbugs)
Assignee | ||
Comment 15•7 years ago
|
||
OK, it was worth a shot. I'm returning the bug to you.
Assignee: davidp99 → tbsaunde+mozbugs
Comment 16•7 years ago
|
||
Copy info from bug duped to this. Affects 52, so this should be a high priority.
Crash Signature: https://crash-stats.mozilla.com/signature/?signature=nsTArray_Impl%3CT%3E%3A%3AIndexOf%3CT%3E%20%7C%20mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc
https://crash- stats.mozilla.com/signature/?signature=mozilla%3A%3Aa11y%3A%3ADocAccessibl…
status-firefox52:
--- → affected
Keywords: topcrash-win
Updated•7 years ago
|
Crash Signature: https://crash-stats.mozilla.com/signature/?signature=nsTArray_Impl%3CT%3E%3A%3AIndexOf%3CT%3E%20%7C%20mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc
https://crash- stats.mozilla.com/signature/?signature=mozilla%3A%3Aa11y%3A%3ADocAccessibl… → [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc]
[@nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::DocAccessibleParent::RemoveChildDoc]
Updated•7 years ago
|
status-firefox54:
--- → affected
Updated•7 years ago
|
Crash Signature: [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc]
[@nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::DocAccessibleParent::RemoveChildDoc] → [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc]
[@nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::DocAccessibleParent::RemoveChildDoc]
[@ mozilla::a11y::ProxyAccessibleBase<T>::ClearChildDoc]
[@ nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::ProxyA…
Comment 18•7 years ago
|
||
(In reply to David Parks (dparks) [:handyman] from comment #12) > [Parent 1000] ###!!! ASSERTION: why weren't the child docs destroyed > already?: 'mChildDocs.IsEmpty()', file > c:/mozilla-src/mozilla-unified/accessible/ipc/DocAccessibleParent.cpp, line > 450 > [Parent 1000] ###!!! ASSERTION: Why do we still have a child doc?: > '!mOuterDoc', file > c:/mozilla-src/mozilla-unified/accessible/ipc/ProxyAccessibleBase.cpp, line > 28 Aaron, Trevor do we know why this happens?
Flags: needinfo?(tbsaunde+mozbugs)
Flags: needinfo?(aklotz)
Comment 19•7 years ago
|
||
In the last 7 days, these signatures have combined for over 3,353 crashes on nightly.
Comment 20•7 years ago
|
||
Since it can be called in strange orderings wrt SetChildDoc() it seems reasonable to believe we can get an ordering where the proxy has a document as a child but is not marked as having document children. I'm not completely sure, but I think this fixes the test case locally.
Attachment #8832315 -
Flags: review?(aklotz)
Updated•7 years ago
|
Attachment #8832315 -
Flags: review?(aklotz) → review+
https://hg.mozilla.org/mozilla-central/rev/c2aee4595f1a
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•7 years ago
|
Group: dom-core-security → core-security-release
Comment 22•7 years ago
|
||
This high-severity security bug was checked in without sec-approval https://wiki.mozilla.org/Security/Bug_Approval_Process Please retroactively request approval and answer the questions that are added to the comment so we can evaluate what other branches will need this fix and how much risk is associated with that.
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → affected
Flags: needinfo?(dbolter)
Comment 23•7 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #22) > This high-severity security bug was checked in without sec-approval > https://wiki.mozilla.org/Security/Bug_Approval_Process shit sorry. Though in my defense I don't know if this actually fixes it, and if it does I don't think the patch leaks much information. I certainly have no idea how to trigger it.
Flags: needinfo?(tbsaunde+mozbugs)
Comment 24•7 years ago
|
||
Comment on attachment 8832315 [details] [diff] [review] ClearChildDoc() should leave the proxy marked as being an outerdoc [Security approval request comment] How easily could an exploit be constructed based on the patch? supposing that the patch does actually fix the bug which is unclear I don't think the patch tells you much about how to trigger it. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? no Which older supported branches are affected by this flaw? 52 and 53 If not all supported branches, which bug introduced the flaw? unclear but this is only an issue when a11y is in use with e10s enabled which is 52 and later. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? should be pretty easy. How likely is this patch to cause regressions; how much testing does it need? we need some testing on nightly to see if it does infact fix the issue. I don't think it can regress much, but I wouldn't backport it if it doesn't fix the problem.
Attachment #8832315 -
Flags: sec-approval?
Comment 25•7 years ago
|
||
We're currently targeting FF 54 for e10s a11y support so this configuration (and bug) should be disabled in <= 53. I do see crashes in recent 53 builds though -- Jimm is this expected?
Flags: needinfo?(dbolter) → needinfo?(jmathies)
Updated•7 years ago
|
Comment 26•7 years ago
|
||
78% of those crashes have "addons should have disabled e10s" set to true. They must be force-enabled, so I'd say it's expected.
Flags: needinfo?(jmathies)
Updated•7 years ago
|
Flags: needinfo?(aklotz)
Comment 27•7 years ago
|
||
Thanks, updating flags accordingly.
Updated•7 years ago
|
Attachment #8832315 -
Flags: sec-approval? → sec-approval+
Comment 29•7 years ago
|
||
backout out because of start up crashes
Updated•7 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 30•7 years ago
|
||
For the last few days I seem to hit this nearly once an hour on my Surface Book Pro using Microsoft Japanese IME with e10s turned on.
Comment 31•7 years ago
|
||
Some crash comments: "closed a tab" "every time if I close a Facebook tab, Nightly make a crash" "basically every time i use ctrl+w" "crash when closing a tab" "closed google docs tab"
Comment 32•7 years ago
|
||
updated version of last patch
Attachment #8835060 -
Flags: review?(yzenevich)
Comment 33•7 years ago
|
||
Trevor, note that the latest patch still seems to produce the startup crash
Attachment #8835714 -
Flags: review?(tbsaunde+mozbugs)
Comment 34•7 years ago
|
||
(In reply to Yura Zenevich [:yzen] from comment #33) > Created attachment 8835714 [details] [diff] [review] > 1337370 patch with test > > Trevor, note that the latest patch still seems to produce the startup crash also fyi: the test passes as is on trunk
Comment 35•7 years ago
|
||
Comment on attachment 8835714 [details] [diff] [review] 1337370 patch with test I'm not going to pretend I understand this, but its a test so if it works fine.
Attachment #8835714 -
Flags: review?(tbsaunde+mozbugs) → review+
Comment 36•7 years ago
|
||
Things changed: * instead of wait of executeSoon, after content a11y doc is loaded, waiting for 3000 as I found that sometimes executeSoon is not enough to see the crash. * RyanVM: as per our conversation, updated the browser.ini to reflect what's going to happen in bug 1336712
Attachment #8835714 -
Attachment is obsolete: true
Attachment #8835999 -
Flags: review+
Attachment #8835999 -
Flags: feedback?(ryanvm)
Comment 37•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/11b11c798427 landed and has this bug number in it - is this the right patch for this bug or maybe a wrong bug number
Flags: needinfo?(tbsaunde+mozbugs)
Updated•7 years ago
|
Attachment #8835999 -
Flags: feedback?(ryanvm) → feedback+
Comment 38•7 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #37) > https://hg.mozilla.org/mozilla-central/rev/11b11c798427 landed and has this > bug number in it - is this the right patch for this bug or maybe a wrong bug > number its the right bug.
Flags: needinfo?(tbsaunde+mozbugs)
Comment 39•7 years ago
|
||
Comment on attachment 8835060 [details] [diff] [review] rework ProxyAccessible handling of outer docs I thought this was reviewed, but whatever I'll just carry forward review from the first patch.
Attachment #8835060 -
Flags: review?(yzenevich)
Comment 40•7 years ago
|
||
Are there any specific requirements regarding landing, or pushing to try the test for this patch?
Flags: needinfo?(abillings)
Comment 41•7 years ago
|
||
Isn't this checked in now, per comment 28? We don't land tests for security bugs until after the release with the fix for the issue has gone public.
Flags: needinfo?(abillings)
Comment 42•7 years ago
|
||
(In reply to Al Billings [:abillings] from comment #41) > Isn't this checked in now, per comment 28? I relanded what bounced the first time, but I don't think we know for certain if that fixes the issue yet. I haven't done anything with the test.
Comment 43•7 years ago
|
||
The signature this was originally filed against appears fixed, others were not. I'll close this out and make sure we have bugs filed on the other signatures.
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
Comment 45•7 years ago
|
||
The signature "nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::DocAccessibleParent::RemoveChildDoc" just reappeared on nightly 54 with buildid 20170216030210: there are 12 crashes.
Comment 46•7 years ago
|
||
I'm not aware of any landings on the 15th that might have brought this back. Maybe it's just infrequent? David, any idea? https://crash-stats.mozilla.com/search/?signature=%3DnsTArray_Impl%3CT%3E%3A%3AIndexOf%3CT%3E%20%7C%20mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc&product=Firefox&version=54.0a1&date=%3E%3D2017-02-01T13%3A36%3A00.000Z&date=%3C2017-02-17T13%3A36%3A00.000Z&_sort=-date&_facets=signature&_facets=build_id&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-build_id
Flags: needinfo?(dbolter)
Comment 47•7 years ago
|
||
Trevor would have best answers here. I do recall him saying he's not sure his fix would fix all STR cases.
Flags: needinfo?(dbolter) → needinfo?(tbsaunde+mozbugs)
Comment 48•7 years ago
|
||
I'm not able to crash (on windows touchscreen) via the test case. (I saved it as html and loaded locally)
Comment 49•7 years ago
|
||
Comment on attachment 8830045 [details] [diff] [review] Fix a11y document teardown issues Removing old review request per Trevor.
Attachment #8830045 -
Attachment is obsolete: true
Attachment #8830045 -
Flags: review?(tbsaunde+mozbugs)
Updated•7 years ago
|
Assignee: tbsaunde+mozbugs → davidp99
Flags: needinfo?(tbsaunde+mozbugs)
Comment 50•7 years ago
|
||
David Parks is working on a public bug 1332690 we hope will fix this.
Comment 51•7 years ago
|
||
firefox53 is marked as disabled but the [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc ] signature is the #6 top brower crash on 53.0b6 accounting for 1% of all crashes.
Comment 52•7 years ago
|
||
dbolter - can you make sure we get that other fix into 53, or actually disable? bug 1332690 is marked as 53-disabled as well, but clearly that's not the case.
Flags: needinfo?(dbolter)
Flags: needinfo?(davidp99)
Updated•7 years ago
|
Comment 53•7 years ago
|
||
Suspected fixes are bug 1332690 and bug 1340579 - I've requested authors to request uplifts.
Flags: needinfo?(dbolter)
Assignee | ||
Comment 54•7 years ago
|
||
This one is pretty straight-forward. When we 'swap' child docs in the tree (instead of the 'usual' creating them), we were properly updating mChildren, mParent and mParentDoc but not mChildDocs.
Flags: needinfo?(davidp99)
Attachment #8853166 -
Flags: review?(tbsaunde+mozbugs)
Assignee | ||
Comment 55•7 years ago
|
||
Re-instituting NI to self to remember uplift
Flags: needinfo?(davidp99)
Comment 56•7 years ago
|
||
(In reply to David Parks (dparks) [:handyman] from comment #54) > Created attachment 8853166 [details] [diff] [review] > Maintain mChildDocs when swapping child docs > > This one is pretty straight-forward. When we 'swap' child docs in the tree > (instead of the 'usual' creating them), we were properly updating mChildren, > mParent and mParentDoc but not mChildDocs. yeah... that seems reasonable, and I really should have seen it :( On the subject of the patch I think the best thing to do is call outerDoc->ChildAt(0)->AsDoc()->Unbind() which should also fix this issue and allow us to remove the stuff in ProxyAccessiblebase::SetChildDoc() dealing with replacing one document with another. That is what happens in this case either way is we start with a new doc N and an existing bound doc B, and end with B being out of the tree and N bound where B used to be. The simplest way to implement that is unbind both B and N, and then bind N where it belongs. On the other hand maybe we should take the patch more or less as is for branches? it might be slightly less risk? but maybe that doesn't realy matter.
Comment 57•7 years ago
|
||
Comment on attachment 8853166 [details] [diff] [review] Maintain mChildDocs when swapping child docs dparks your going to post an updated patch right?
Attachment #8853166 -
Flags: review?(tbsaunde+mozbugs)
Assignee | ||
Comment 58•7 years ago
|
||
Includes notes from comment 56.
Attachment #8853166 -
Attachment is obsolete: true
Flags: needinfo?(davidp99)
Attachment #8856596 -
Flags: review?(tbsaunde+mozbugs)
Assignee | ||
Comment 59•7 years ago
|
||
Tests: https://treeherder.mozilla.org/#/jobs?repo=try&revision=da1d51ac7b1d52b37d09c07f60f88b6c1b322d63&selectedJob=89778925
Updated•7 years ago
|
Attachment #8856596 -
Flags: review?(tbsaunde+mozbugs) → review+
Assignee | ||
Comment 60•7 years ago
|
||
Comment on attachment 8856596 [details] [diff] [review] Maintain mChildDocs when swapping child docs [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? 55 and 54 are affected. Requires e10s + a11y. If not all supported branches, which bug introduced the flaw? Unknown but a11y is disabled when e10s is on in prior releases. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Any backporting should be very simple. How likely is this patch to cause regressions; how much testing does it need? Regressions are unlikely. At worst they would manifest simply as a crash in a different spot.
Attachment #8856596 -
Flags: sec-approval?
Comment 61•7 years ago
|
||
(In reply to David Parks (dparks) [:handyman] from comment #60) > Which older supported branches are affected by this flaw? > 55 and 54 are affected. Requires e10s + a11y. What about comment 51? That makes it sound like 53 is affected too. Or is it two bugs with the same signature?
Flags: needinfo?(davidp99)
Comment 62•7 years ago
|
||
it seems the [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc ] crashes on 53.0b have significantly declined starting with beta 9 at least: https://crash-stats.mozilla.com/signature/?release_channel=beta&signature=mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc&date=%3E%3D2017-03-11T22%3A13%3A00.000Z#graphs
Assignee | ||
Comment 63•7 years ago
|
||
The top crash signature in this bug picks up crashes we are handling as a different bug: https://crash-stats.mozilla.com/signature/?signature=mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc is bug 1339168. The difference is the second entry in the call stack -- the nsTArray (or ClearChildDoc) crash is handled by this bug and DocAccessibleParent::Destroy is the other. More to the point, I believe 53 is supposed to have a11y disabled when e10s is on so it would be irrelevant. But I'm not sure because, while _most_ of the crashes show AddonsShouldHaveBlockedE10S to be true, there is one that doesnt... https://crash-stats.mozilla.com/report/index/f41d1acd-2c79-4ae8-8183-3f6022170408#tab-metadata So I'm not sure what's up with 53. If a11y+e10s is turned on there then maybe 53 needs this too. NI to jimm for clarification.
Flags: needinfo?(davidp99) → needinfo?(jmathies)
Comment 64•7 years ago
|
||
(In reply to David Parks (dparks) [:handyman] from comment #60) > Comment on attachment 8856596 [details] [diff] [review] > Maintain mChildDocs when swapping child docs > > [Security approval request comment] > How easily could an exploit be constructed based on the patch? > Not easily. Is that actually true? Once you know that what's happening is BindChildDoc() is leaving mChildDocs containing pointers to objects that can die you just need to create a page where you start out with a document as a child of an iframe and then move it to be the child of something else before getting rid of it. Then later get rid of the iframe and from there its a pretty standard vtable ptr overwriting exploit. > Do comments in the patch, the check-in comment, or tests included in the > patch paint a bulls-eye on the security problem? > No. above? > Which older supported branches are affected by this flaw? > 55 and 54 are affected. Requires e10s + a11y. we may not be seeing it, but I'm pretty sure 53 is effected. > If not all supported branches, which bug introduced the flaw? > Unknown but a11y is disabled when e10s is on in prior releases. pretty sure its always been there. I think we have e10s on in linux and maybe mac? those are effected we just haven't seen it there for some reason.
Comment 65•7 years ago
|
||
(In reply to David Parks (dparks) [:handyman] from comment #63) > The top crash signature in this bug picks up crashes we are handling as a > different bug: > > https://crash-stats.mozilla.com/signature/ > ?signature=mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc > > is bug 1339168. The difference is the second entry in the call stack -- the > nsTArray (or ClearChildDoc) crash is handled by this bug and > DocAccessibleParent::Destroy is the other. > > More to the point, I believe 53 is supposed to have a11y disabled when e10s > is on so it would be irrelevant. But I'm not sure because, while _most_ of > the crashes show AddonsShouldHaveBlockedE10S to be true, there is one that > doesnt... > > https://crash-stats.mozilla.com/report/index/f41d1acd-2c79-4ae8-8183- > 3f6022170408#tab-metadata > > So I'm not sure what's up with 53. If a11y+e10s is turned on there then > maybe 53 needs this too. NI to jimm for clarification. Hey David, which signature set are you targeting with this fix, the ClearChildDoc signatures or the RemoveChildDoc/Destroy signatures?
Flags: needinfo?(davidp99)
Comment 66•7 years ago
|
||
Daniel, my socorro access is current hosed so I can't see sec info in crash reports. I'm having a hard time understanding which crashes that fall under the list of four signatures tracked here represent the use after free security issue this bug is tracking. We have this bug and we have bug 1339168 which tracks one of the signatures tracked here - [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc ] I'm wondering if that bug is a pure dupe of this sec bug and should be duped over (or ignored).
Flags: needinfo?(dveditz)
Comment 67•7 years ago
|
||
History Original stack reported here: ------------------------------------------------------------- xul!mozilla::a11y::DocAccessibleParent::RemoveChildDoc+0x22 xul!mozilla::a11y::DocAccessibleParent::Destroy+0xa6 xul!mozilla::a11y::DocAccessibleParent::Destroy+0x38 xul!mozilla::a11y::DocAccessibleParent::RecvShutdown+0xd xul!mozilla::a11y::PDocAccessibleParent::OnMessageReceived+0x57 xul!mozilla::dom::PContentParent::OnMessageReceived+0x4b Landings in sec bug 1326084 (this bug) ------------------------------------------------------------- 2017-02-01 c2aee4595f1a (in Fx54) 2017-02-02 a100bc4eab44 2017-02-03 backout of a100bc4eab44 due to startup crashes 2017-02-10 11b11c798427 (in Fx54) -- 2017-03-30 new patch from dparks posted, hasn't landed yet, needs sec approval Landings in other bugs that may impact this: -------------------------------------------------------------- 2017-03-01 5c809b2f8930 (bug 1340579) (in Fx54) 2017-03-29 3c911506e8c7 (bug 1332690) (in Fx55, Fx54, Fx53) uplifts: 2017-04-02 47ae4627fe0d (Fx 54), 00212876d4c4, ee66bb1f3ff0 (Fx 53)
Comment 68•7 years ago
|
||
Signature summary across builds: Fx52 release, Fx 52esr, Fx53 betas, Fx54 Nightly: [@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc ] Fx52 release, Fx53 betas, Fx54 Nightly: [@ nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::DocAccessibleParent::RemoveChildDoc ] Fx54 Nightly: [@ mozilla::a11y::ProxyAccessibleBase<T>::ClearChildDoc ] No signatures: [@ nsTArray_Impl<T>::IndexOf<T> | mozilla::a11y::ProxyAccessibleBase<T>::ClearChildDoc ]
Assignee | ||
Comment 69•7 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #65) > Hey David, which signature set are you targeting with this fix, the > ClearChildDoc signatures or the RemoveChildDoc/Destroy signatures? Its the ClearChildDoc signatures. Note that the ones with IndexOf<T> are also this bug -- looking at source, I suspect the IndexOf call is inlined from ClearChildDoc. So only the first signature ([@ mozilla::a11y::DocAccessibleParent::RemoveChildDoc ]) included any signatures that were not dealt with in this bug.
Flags: needinfo?(davidp99)
Updated•7 years ago
|
Flags: needinfo?(jmathies)
Comment 70•7 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #66) > Daniel, my socorro access is current hosed so I can't see sec info in crash reports. > I'm having a hard time understanding which crashes that fall under the list of four > signatures tracked here represent the use after free security issue this bug is tracking. You don't need extended socorro access to see the signs of use-after-free. Won't spot _all_ UAF, and certainly not a successfully exploited one, but the ones flagged by crash-stats mining have been done from the public information. The easiest to spot is to show the "address" column in crash reports: https://crash-stats.mozilla.com/signature/?signature=mozilla%3A%3Aa11y%3A%3ADocAccessibleParent%3A%3ARemoveChildDoc&date=%3E%3D2017-03-31T01%3A38%3A24.000Z&date=%3C2017-04-14T01%3A38%3A24.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_sort=-date&page=1 An address of 0xffffffffe5e5e5xx is a reliable indicator since we use 0xe5 as a freed memory marker. Sometimes the crashing address will be something else but if you look at the "raw dump" tab of a crash you'll see 0xe5e5e5e5 values in the registers. That's a clue but you have to look at individual crashes to see that. I don't think you can search on it. If Firefox crashes on a random valid-looking memory address (like bp-624a521e-3371-4095-ad94-49b012170401) that's some kind of memory corruption. Might be a use-after-free where the memory got re-used before we stumbled over the poisoned value, could be some other kind of memory corruption like a buffer overflow. Hard to say whether it's related or not. > We have this bug and we have bug 1339168 which tracks one of the signatures tracked here - > I'm wondering if that bug is a pure dupe of this sec bug and should be duped > over (or ignored). And also originally bug 1324863 was duped here. We've checked in some stuff here and seem to have reduced the number of crashes. Even if bug 1339168 is part of the same set of issues it's probably better to continue on over there since this bug is getting long and confusing.
Flags: needinfo?(dveditz)
Comment 71•7 years ago
|
||
dparks, lets post your 'Maintain mChildDocs when swapping child docs' w/trevors r+ patch over to bug 1339168 and land it. We'll keep this bug open so we can dig into these signatures looking for the telltale signs of a sec issue per Daniel's comments.
Flags: needinfo?(davidp99)
Updated•7 years ago
|
Attachment #8856596 -
Flags: sec-approval?
Assignee | ||
Comment 72•7 years ago
|
||
Comment on attachment 8856596 [details] [diff] [review] Maintain mChildDocs when swapping child docs Obsoleting this patch because we are landing it on bug 1339168.
Attachment #8856596 -
Attachment is obsolete: true
Flags: needinfo?(davidp99)
Comment 73•7 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/0f60f50ae0f4
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
status-firefox55:
--- → fixed
Resolution: --- → FIXED
Updated•7 years ago
|
Comment hidden (offtopic) |
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty+
Comment hidden (offtopic) |
Comment 76•7 years ago
|
||
Per bug 1339168 comment 13.
Updated•7 years ago
|
Flags: qe-verify+
Whiteboard: aes+ → [post-critsmash-triage] aes+
Comment 77•7 years ago
|
||
I have reproduced this issue using Firefox debug build (32 bit) from 2017.01.03, on Win 10 x32, I'm starting the Narrarator screen reader built into Windows, Firefox crashed, but the crash report was not generated, I just saw that the tab title was flickering,loading non-stop. I can confirm this issue is fixed, I verified using Firefox 55.0 debug build, on Windows 10 x32, seems that Firefox crashes stoped, and the tab title no longer flickering.
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•