Closed
Bug 1348115
Opened 7 years ago
Closed 7 years ago
heap-use-after-free in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run
Categories
(Core :: DOM: Selection, defect)
Core
DOM: Selection
Tracking
()
RESOLVED
FIXED
mozilla55
| Tracking | Status | |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: nils, Assigned: MatsPalmgren_bugz)
References
Details
(4 keywords, Whiteboard: [fixed by bug 1348222])
The latest ASAN build of Firefox (BuildID=20170316145716) crashes when loading the following testcase:
<html>
<head>
<script>
function start() {
o1=window.document.documentElement;
o22=document.createElementNS('http://www.w3.org/1999/xhtml','input');
window.fuzzPriv.CC();
window.top.document.documentElement.appendChild(o22);
o22.focus();
o22.setSelectionRange(6,131075,'unknown');
o1.remove();
window.fuzzPriv.CC();
}
</script>
</head>
<body onload="start()"></body>
</html>
ASAN output:
=================================================================
==8875==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00007fa78 at pc 0x7fa392aecf30 bp 0x7ffe807eb6c0 sp 0x7ffe807eb6b8
READ of size 8 at 0x60d00007fa78 thread T0 (Web Content)
#0 0x7fa392aecf2f in assign_assuming_AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:62:17
#1 0x7fa392aecf2f in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:166
#2 0x7fa392aecf2f in Forget /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1195
#3 0x7fa392aecf2f in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6166
#4 0x7fa38c02cd41 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:259:32
#5 0x7fa38c06062c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
#6 0x7fa38c05cf58 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#7 0x7fa38ce054a1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#8 0x7fa38cd66000 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#9 0x7fa38cd66000 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#10 0x7fa38cd66000 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#11 0x7fa391fcb53f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#12 0x7fa39560d7b7 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:854:22
#13 0x7fa38cd66000 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#14 0x7fa38cd66000 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#15 0x7fa38cd66000 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#16 0x7fa39560d1d6 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:686:34
#17 0x4eb4b3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
#18 0x4eb4b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
#19 0x7fa3a752782f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
#20 0x41ce08 in _start (/home/nils/fuzzer3/firefox/firefox+0x41ce08)
0x60d00007fa78 is located 104 bytes inside of 136-byte region [0x60d00007fa10,0x60d00007fa98)
freed by thread T0 (Web Content) here:
#0 0x4bb33b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7fa38bf08427 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:25
#2 0x7fa38bf08027 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
#3 0x7fa38d833eee in AsyncFreeSnowWhite::Run() /home/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:146:34
#4 0x7fa38c06062c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
#5 0x7fa38c05cf58 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
#6 0x7fa38ce054a1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#7 0x7fa38cd66000 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#8 0x7fa38cd66000 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#9 0x7fa38cd66000 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#10 0x7fa391fcb53f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#11 0x7fa39560d7b7 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:854:22
#12 0x7fa38cd66000 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#13 0x7fa38cd66000 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#14 0x7fa38cd66000 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#15 0x7fa39560d1d6 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:686:34
#16 0x4eb4b3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
#17 0x4eb4b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
#18 0x7fa3a752782f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
previously allocated by thread T0 (Web Content) here:
#0 0x4bb68c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ec64d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fa392abc819 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fa392abc819 in nsFrameSelection::nsFrameSelection() /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:539
#4 0x7fa390ac5447 in nsTextEditorState::BindToFrame(nsTextControlFrame*) /home/worker/workspace/build/src/dom/html/nsTextEditorState.cpp:1183:43
#5 0x7fa392bd735f in nsTextControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:337:26
#6 0x7fa392757ba2 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4232:26
#7 0x7fa39274b97a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10988:3
#8 0x7fa392760ac1 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4087:9
#9 0x7fa39276b5bf in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6229:3
#10 0x7fa39277a0d5 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10769:5
#11 0x7fa39277a0d5 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7616
#12 0x7fa392773fc7 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*, TreeMatchContext&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7209:5
#13 0x7fa39277b0a1 in nsCSSFrameConstructor::CreateNeededFrames() /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7245:5
#14 0x7fa39268d4d2 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:464:38
#15 0x7fa3926d7333 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
#16 0x7fa3926d7333 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4184
#17 0x7fa38ea13fe1 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:599:5
#18 0x7fa38ea13fe1 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7991
#19 0x7fa38ea597cb in nsFocusManager::CheckIfFocusable(nsIContent*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1552:8
#20 0x7fa38ea56172 in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1182:41
#21 0x7fa38ea59214 in nsFocusManager::SetFocus(nsIDOMElement*, unsigned int) /home/worker/workspace/build/src/dom/base/nsFocusManager.cpp:486:3
#22 0x7fa38e7f77f0 in mozilla::dom::Element::Focus(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Element.cpp:311:18
#23 0x7fa39092529e in mozilla::dom::HTMLInputElement::Focus(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3632:27
#24 0x7fa38ffc6e5b in mozilla::dom::HTMLElementBinding::focus(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:462:9
#25 0x7fa3902b501e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
#26 0x7fa395a59341 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
#27 0x7fa395a59341 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
#28 0x7fa395a41db7 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
#29 0x7fa395a41db7 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2954
#30 0x7fa395a285ae in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
#31 0x7fa395a594c6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
#32 0x7fa395a59cd2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
#33 0x7fa3963cceab in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
#34 0x7fa38fd59c95 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#35 0x7fa3906bbb6b in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#36 0x7fa3906bbb6b in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:62:17 in assign_assuming_AddRef
Shadow bytes around the buggy address:
0x0c1a80007ef0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1a80007f00: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
0x0c1a80007f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1a80007f20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1a80007f30: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c1a80007f40: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c1a80007f50: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1a80007f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c1a80007f70: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
0x0c1a80007f80: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x0c1a80007f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8875==ABORTING
|
||
Updated•7 years ago
|
Flags: sec-bounty?
|
||
Comment 1•7 years ago
|
||
Masayuki-san, is this something you could look at?
Flags: needinfo?(masayuki)
|
||
Comment 2•7 years ago
|
||
Hmm, if nobody is available, I could, later, though...
Flags: needinfo?(masayuki)
|
Assignee | |
Comment 3•7 years ago
|
||
This looks like a dupe of bug 1343795, which already has a fix waiting to land on 2017-03-21.
|
|
Assignee | |
Updated•7 years ago
|
Depends on: CVE-2017-5441
|
|
Assignee | |
Comment 4•7 years ago
|
||
I was mistaken - this is actually a very recent trunk regression from bug 1347820. I've fixed it in bug 1348222 and landed the patch on mozilla-inbound. This bug was reported first though, so deserves the credit for finding it.
Blocks: 1347820
Severity: normal → critical
Flags: in-testsuite?
OS: Unspecified → All
Hardware: Unspecified → All
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
|
|
Assignee | |
Comment 5•7 years ago
|
||
The fix in bug 1348222 was merged to m-c 2017-03-18 15:25: https://hg.mozilla.org/mozilla-central/rev/df0f179a8a9c
Assignee: nobody → mats
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1348222]
Target Milestone: --- → mozilla55
|
|
||
Updated•7 years ago
|
status-firefox52:
--- → unaffected
status-firefox53:
--- → unaffected
status-firefox54:
--- → unaffected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → unaffected
|
|
||
Updated•7 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•7 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•