Closed
Bug 1338277
Opened 7 years ago
Closed 7 years ago
NULL deref [@ txExpandedNameMap_base::removeItem]
Categories
(Core :: XSLT, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: peterv)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [adv-main55-][post-critsmash-triage])
Crash Data
Attachments
(3 files)
Marking as s-s for now. There have been some UAFs found in XSLT recently and we just got a fuzzer up and running. ==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f14bde55996 bp 0x7fff2b029dc0 sp 0x7fff2b029d90 T0) #0 0x7f14bde55995 in Hdr /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:642:32 #1 0x7f14bde55995 in Elements /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1150 #2 0x7f14bde55995 in IndexOf<txExpandedName, txMapItemComparator> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1273 #3 0x7f14bde55995 in txExpandedNameMap_base::removeItem(txExpandedName const&) /home/worker/workspace/build/src/dom/xslt/base/txExpandedNameMap.cpp:97 #4 0x7f14bdec1859 in remove /home/worker/workspace/build/src/dom/xslt/base/txExpandedNameMap.h:126:20 #5 0x7f14bdec1859 in removeVariable /home/worker/workspace/build/src/dom/xslt/xslt/txVariableMap.h:74 #6 0x7f14bdec1859 in removeVariable /home/worker/workspace/build/src/dom/xslt/xslt/txExecutionState.cpp:518 #7 0x7f14bdec1859 in txRemoveVariable::execute(txExecutionState&) /home/worker/workspace/build/src/dom/xslt/xslt/txInstructions.cpp:737 #8 0x7f14bdf1c23d in txXSLTProcessor::execute(txExecutionState&) /home/worker/workspace/build/src/dom/xslt/xslt/txXSLTProcessor.cpp:49:14 #9 0x7f14bdee5108 in txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument**, bool) /home/worker/workspace/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:676:14 #10 0x7f14bdeeb2ab in TransformToDocument /home/worker/workspace/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:645:12 ... see log.txt
Reporter | ||
Comment 1•7 years ago
|
||
Comment 2•7 years ago
|
||
The obvious null check here isn't enough, since other scarier looking crashes happen with that. peterv and pike might remember some of this code.
Comment 4•7 years ago
|
||
Also Jonas. I have to admit, I don't even recall what all those xslt stylesheet things are supposed to do in theory, let alone the code that implements them.
Comment 5•7 years ago
|
||
Regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9a8f2342fb3116d23989087e026448d38a3768c5&tochange=fc706d376f0658e560a59c3dd520437b18e8c4a4 I see Bindings-related stuff on the stack, so maybe bug 1039986?
status-firefox51:
--- → affected
status-firefox52:
--- → affected
status-firefox53:
--- → affected
status-firefox-esr45:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox51:
--- → ?
tracking-firefox52:
--- → ?
tracking-firefox53:
--- → ?
tracking-firefox54:
--- → ?
tracking-firefox-esr45:
--- → ?
tracking-firefox-esr52:
--- → ?
Version: Trunk → 44 Branch
Comment 6•7 years ago
|
||
Here's a stack from a current nightly: https://crash-stats.mozilla.com/report/index/8c54dcfb-faa6-43b1-9556-c4f622170210
Crash Signature: [@ nsTArray_Impl<T>::IndexOf<T> | txExpandedNameMap_base::removeItem ]
Comment 7•7 years ago
|
||
Bindings stuff on the stack just means "yeah, we got called from JS".... This is a crash in the guts of the XSLT stuff, not really bindings related per se. Looking in that range, we have changes to XSLT code from bug 1191645. But I don't think we're doing any actual URL-fetch stylesheet loading that would have been affected by that. It also looks like on current Mac I can't run those year-old nightlies at all. They crash on startup. :(
Comment 8•7 years ago
|
||
Local bisection says this was caused by bug 932517. https://hg.mozilla.org/integration/mozilla-inbound/rev/3bb8446a6d8d
Blocks: 932517
Comment 9•7 years ago
|
||
Not caused. Testcase just uses "let" in a non-strict no-version script, so ends up throwing errors before that changeset. Change the "let" to "var" in the testcase and I expect you will reproduce with earlier builds....
No longer blocks: 932517
Comment 10•7 years ago
|
||
Well, that was a fun night of slow builds down the drain. New regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c3c4c902e9cd&tochange=31879b88cc82
Version: 44 Branch → 6 Branch
Assignee | ||
Comment 11•7 years ago
|
||
This is probably related to the issue I mentioned in bug 1336832 comment 7, we need to propagate errors from matching instead of blindly continuing executing. In this case we try to call txExecutionState::removeVariable even though we skipped txExecutionState::bindVariable due to a matching error.
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Comment 13•7 years ago
|
||
Looks like a wontfix for 52 as well now.
Assignee | ||
Comment 14•7 years ago
|
||
This is a spot fix we should take on branches, the underlying issue would be fixed by the trunk patch in bug 1336828.
Attachment #8840869 -
Flags: review?(erahm)
Comment 15•7 years ago
|
||
Comment on attachment 8840869 [details] [diff] [review] Branch patch v1 Review of attachment 8840869 [details] [diff] [review]: ----------------------------------------------------------------- r=me
Attachment #8840869 -
Flags: review?(erahm) → review+
Assignee | ||
Comment 16•7 years ago
|
||
Comment on attachment 8840869 [details] [diff] [review] Branch patch v1 [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily I think. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The testcase does. Which older supported branches are affected by this flaw? All. If not all supported branches, which bug introduced the flaw? All branches are affected. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should just apply to branches. How likely is this patch to cause regressions; how much testing does it need? Shouldn't cause regressions, it just adds a null-check before dereferencing a pointer. Note that this is a lower-risk patch intended for branches. I have a different, much bigger change for trunk (in bug 1336828). Please let me know if it's ok to not land the branch patch on trunk, otherwise we could land this on trunk too, and then backout and land the riskier change from bug 1336828 only on trunk.
Attachment #8840869 -
Flags: sec-approval?
Comment 17•7 years ago
|
||
Comment on attachment 8840869 [details] [diff] [review] Branch patch v1 Sec-approval is only necessary for sec-high and sec-critical rated issues that affect more than trunk. Since this is not high or critical, I'm clearing. You can just check in.
Attachment #8840869 -
Flags: sec-approval?
Assignee | ||
Comment 18•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/421407ec02c07437ced56c950b03c74e6faea56b Bug 1338277 - Deal better with failed matching for variables, r=erahm.
This was backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/b5d6fe8ac8fef915a078629fcf5984c666b31d82 for failing the crashtest it added.
Flags: needinfo?(peterv)
Assignee | ||
Comment 20•7 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ddbfa3adcfaded3f220333bdf632edde5c42872a Bug 1338277 - Deal better with failed matching for variables, r=erahm.
Comment 21•7 years ago
|
||
backed out for failing on own crashtest in https://hg.mozilla.org/integration/mozilla-inbound/rev/227e9f482196f7068f0e17f83f4436ab8770233c
Assignee | ||
Comment 22•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=60a7eb26b5ca
Assignee | ||
Comment 23•7 years ago
|
||
I think we should just fix this with the patch from bug 1349717. After annotating the asserts the testcase still leaks too with just this patch.
Flags: needinfo?(peterv)
Comment 24•7 years ago
|
||
Per comment 23.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
tracking-firefox-esr45:
? → ---
tracking-firefox-esr52:
? → ---
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated•7 years ago
|
Group: dom-core-security → core-security-release
Updated•7 years ago
|
Whiteboard: [adv-main55-]
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main55-] → [adv-main55-][post-critsmash-triage]
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•