Closed Bug 1348222 Opened 8 years ago Closed 8 years ago

heap-use-after-free in [@ mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run()]

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

(Reporter: tsmith, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(3 files)

log.txt
13.92 KB, text/plain
Details
test_case.html
503 bytes, text/html
Details
fix
1.49 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Attached file log.txt
Found in mozilla-inbound 20170316-38ecd019eceb Required fuzzpriv fuzzing plugin. ==4587==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000125b58 at pc 0x7f2c88f6dbf0 bp 0x7ffc92baf300 sp 0x7ffc92baf2f8 READ of size 8 at 0x60d000125b58 thread T0 #0 0x7f2c88f6dbef in assign_assuming_AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:62:17 #1 0x7f2c88f6dbef in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:166 #2 0x7f2c88f6dbef in Forget /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1195 #3 0x7f2c88f6dbef in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6166 #4 0x7f2c824d182c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14 #5 0x7f2c824ce158 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10 #6 0x7f2c832770b1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21 ... see log.txt
The test is taking longer than expected to reduce. I will upload it asap.
This looks like a dupe of bug 1343795, which already has a fix waiting to land on 2017-03-21.
Depends on: CVE-2017-5441
Attached file test_case.html
FWIW, I could only repro this in mozilla-inbound.
Component: DOM → Selection
(In reply to Tyson Smith [:tsmith] from comment #4) > FWIW, I could only repro this in mozilla-inbound. Interesting, I saw something similar: I couldn't reproduce the crash at first in my local mozilla-central ASAN build; I updated the tree and then it crashed. After applying the fix in bug 1343795 it still crashed! On the very line added by that patch: #0 0x00000000004c7a20 in __asan::ReportGenericError #1 0x00000000004c84d8 in __asan_report_load8 #2 0x00007fe99e361d3d in nsCycleCollectingAutoRefCnt::incr (this=0x60c0002a9bb0,... #3 nsCycleCollectingAutoRefCnt::incr (this=0x60c0002a9bb0... #4 mozilla::dom::Selection::AddRef #5 0x00007fe99e37ace9 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run nsSelection.cpp:6165 (rr) fr 5 #5 0x00007fe99e37ace9 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run 6165 RefPtr<Selection> kungFuDeathGrip = mSelection; The ScrollSelectionIntoViewEvent (a.k.a 'this') looks alive and so does this->mSelection. Hmm, I wonder what happened on trunk recently? (I'm now at rev 348125:b7ba1d282775, I don't know what my previous rev was but the update command said: "added 2073 changesets with 13715 changes to 8610 files")
Actually, this->mSelection isn't alive, it just wasn't poisoned like I expected. So, this looks like a regression from bug 1347820 at first glance... "ev.forget()" here: http://searchfox.org/mozilla-central/rev/006005beff40d377cfd2f69d3400633c5ff09127/layout/generic/nsSelection.cpp#6193,6200 makes 'ev' null, so we assign null to mScrollEvent, which means ~Selection can't revoke it: http://searchfox.org/mozilla-central/rev/006005beff40d377cfd2f69d3400633c5ff09127/layout/generic/nsSelection.cpp#3519
Assignee: nobody → mats
Rev 9339469b766a does not crash, rev c9689473edba does crash. So this is a regression from bug 1347820.
Blocks: 1347820
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
No longer depends on: CVE-2017-5441
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → All
Attached patch fixSplinter Review
Attachment #8848600 - Flags: review?(bugs)
Attachment #8848600 - Flags: review?(bugs) → review+
This shows a possible error prone case when labeling runnables. Using .forget() and then afterwards thinking the runnable is still there.
Jeremy, it might be a good idea to audit your other labeling changes that have similar code, in case there are any uses of 'ev' after the ev.forget(). Just want to make sure we don't miss anything...
Flags: needinfo?(jeremychen)
Since this is a recent trunk-only regression, I'll go ahead and land it without explicit approval...
Blocks: 1348115
(In reply to Mats Palmgren (:mats) from comment #10) > Jeremy, it might be a good idea to audit your other labeling changes that > have similar code, in case there are any uses of 'ev' after the ev.forget(). > Just want to make sure we don't miss anything... Okay, I'll double check my other labeling work. Thank you for the quick fix.
Flags: needinfo?(jeremychen)
This was merged to m-c 2017-03-18 15:25: https://hg.mozilla.org/mozilla-central/rev/df0f179a8a9c
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: dom-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: