Closed Bug 1355039 (CVE-2017-7749) Opened 3 years ago Closed 3 years ago

heap-use-after-free in mozilla::net::PredictorLearn

Categories: Core :: DOM: Navigation, defect

Tracking: VERIFIED FIXED, target milestone mozilla55
Tracking Status:
firefox-esr45 --- wontfix
firefox52 --- wontfix
firefox-esr52 54+ verified
firefox53 --- wontfix
firefox54 + verified
firefox55 + verified

People: Reporter: nils, Assigned: smaug

Details: Keywords: csectype-uaf, sec-high, testcase; Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+]

Attachments: 1 file, 2 obsolete files

The following testcase crashes the latest ASAN build of Firefox (BuildID=20170408204920). It may need a few reloads and requires the fuzzPriv extension.

<script>
function start () {
  o3=document;
  o31=document.createElement('audio');
  o32=document.createElement('track');
  o31.appendChild(o32);
  o3.write('<html>');
  o31.controls^=1;
  o3.documentElement.appendChild(o31);
  o38=document.createElement('iframe');
  o41=document.createElement('iframe');
  document.documentElement.appendChild(o41);
  document.documentElement.appendChild(o38);
  o3.write("!DOCTYPE<li id='id12'>");
  o3.location.hash='id12';
  o38.contentWindow.location.reload();
  o76=frames[1].document;
  o38.src="data:text/html,<div>2";
  o87=frames[1];
  o97=document.createElement('iframe');
  document.documentElement.appendChild(o97);
  o38.src="data:text/html,<div>3";
  setTimeout(fun1,4);
  o76.write('<iframe>');
  o38.src="data:text/html,<div>";
  o2219=o87.frames[0].document;
  o2219.write('<html>');
}
function fun1() {
  o2454=o2219.createElement('audio');
  o2455=document.createElement('track');
  o2454.appendChild(o2455);
  o2219.close();
  o2219.write('<html>');
  o2454.controls^=1;
  o2219.documentElement.appendChild(o2454);
  o2219.defaultView.onerror=fun2;
  o38.contentWindow.location.reload();
  setTimeout("location.reload()",100);
}
function fun2() {
  try{o76.location.hash='x';}catch(e){}
  window.fuzzPriv.CC();window.fuzzPriv.GC();window.fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==23074==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000c9df0 at pc 0x7f02927069ce bp 0x7fffecb44f90 sp 0x7fffecb44f88
READ of size 8 at 0x60d0000c9df0 thread T0 (Web Content)
    #0 0x7f02927069cd in IsNullOrHttp /home/worker/workspace/build/src/netwerk/base/Predictor.cpp:191:8
    #1 0x7f02927069cd in mozilla::net::PredictorLearn(nsIURI*, nsIURI*, unsigned int, mozilla::OriginAttributes const&) /home/worker/workspace/build/src/netwerk/base/Predictor.cpp:2248
    #2 0x7f029b10340b in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsAString const&, char const*, nsAString const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString const&, nsIDocShell*, nsIURI*, bool, nsIDocShell**, nsIRequest**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10780:3
    #3 0x7f029b1371ab in nsDocShell::Reload(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5502:10
    #4 0x7f0294d6148f in mozilla::dom::Location::Reload(bool) /home/worker/workspace/build/src/dom/base/Location.cpp:814:18
    #5 0x7f029551493b in Reload /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Location.h:74:14
    #6 0x7f029551493b in mozilla::dom::LocationBinding::reload(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Location*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:873
    #7 0x7f029689344e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #8 0x7f029c0ccc63 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #9 0x7f029c0ccc63 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
    #10 0x7f029c0cd612 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519:10
    #11 0x7f029cce08ee in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #12 0x7f029cc97f94 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #13 0x7f029ccc1153 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #14 0x7f029ccc3ab7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #15 0x7f029c0ccfb3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #16 0x7f029c0ccfb3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:437
    #17 0x7f029c0b568f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:506:12
    #18 0x7f029c0b568f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997
    #19 0x7f029c09bb28 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395:12
    #20 0x7f029c0ccde8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473:15
    #21 0x7f029c0cd612 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519:10
    #22 0x7f029ca4c17b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2885:12
    #23 0x7f029644416e in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #24 0x7f0294c1f3d6 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:72:12
    #25 0x7f0294c1f3d6 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13105
    #26 0x7f0294dd1326 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/TimeoutManager.cpp:607:42
    #27 0x7f0294dcc7cd in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:65:49
    #28 0x7f02925f188f in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:498:7
    #29 0x7f02925c0aab in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:284:11
    #30 0x7f02925d34c2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:200:22
    #31 0x7f02925d2dcf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:15
    #32 0x7f02925b0dd1 in mozilla::ValidatingDispatcher::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/Dispatcher.cpp:259:32
    #33 0x7f02925e3b90 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #34 0x7f02925e05d8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #35 0x7f029339de01 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #36 0x7f02932fffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #37 0x7f02932fffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #38 0x7f02932fffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #39 0x7f02986125ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #40 0x7f029bc16a17 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #41 0x7f02932fffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #42 0x7f02932fffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #43 0x7f02932fffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #44 0x7f029bc1640f in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:699:34
    #45 0x4eb5c3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #46 0x4eb5c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #47 0x7f02adc8082f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #48 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)

0x60d0000c9df0 is located 0 bytes inside of 136-byte region [0x60d0000c9df0,0x60d0000c9e78)
freed by thread T0 (Web Content) here:
    #0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f02927e102b in mozilla::net::nsSimpleURI::Release() /home/worker/workspace/build/src/netwerk/base/nsSimpleURI.cpp:49:1
    #2 0x7f029b14fdac in Release /home/worker/workspace/build/src/dom/base/nsDOMNavigationTiming.h:31:3
    #3 0x7f029b14fdac in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40
    #4 0x7f029b14fdac in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:395
    #5 0x7f029b14fdac in assign_assuming_AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:65
    #6 0x7f029b14fdac in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:166
    #7 0x7f029b14fdac in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7645
    #8 0x7f029b14c218 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7465:7
    #9 0x7f029b15336f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7362:13
    #10 0x7f0293ecfb59 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1276:3
    #11 0x7f0293eceb0c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:860:14
    #12 0x7f0293ecb958 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:749:9
    #13 0x7f0293ecd822 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
    #14 0x7f0293ece54c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:487:14
    #15 0x7f0292792602 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #16 0x7f029278eab3 in mozilla::net::nsLoadGroup::Cancel(nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:265:15
    #17 0x7f0293ecaf8f in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:245:22
    #18 0x7f029b0dd0c9 in Stop /home/worker/workspace/build/src/docshell/base/nsDocShell.h:190:25
    #19 0x7f029b0dd0c9 in nsDocShell::Stop(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5566
    #20 0x7f029b102c24 in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsAString const&, char const*, nsAString const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString const&, nsIDocShell*, nsIURI*, bool, nsIDocShell**, nsIRequest**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10700:12
    #21 0x7f029b1371ab in nsDocShell::Reload(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5502:10
    #22 0x7f0294d6148f in mozilla::dom::Location::Reload(bool) /home/worker/workspace/build/src/dom/base/Location.cpp:814:18
    #23 0x7f029551493b in Reload /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Location.h:74:14
    #24 0x7f029551493b in mozilla::dom::LocationBinding::reload(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Location*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/LocationBinding.cpp:873
    #25 0x7f029689344e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #26 0x7f029c0ccc63 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #27 0x7f029c0ccc63 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
    #28 0x7f029c0cd612 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519:10
    #29 0x7f029cce08ee in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #30 0x7f029cc97f94 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #31 0x7f029ccc1153 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #32 0x7f029ccc3ab7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #33 0x7f029c0ccfb3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #34 0x7f029c0ccfb3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:437
    #35 0x7f029c0b568f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:506:12
    #36 0x7f029c0b568f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997
    #37 0x7f029c09bb28 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:395:12
    #38 0x7f029c0ccde8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473:15
    #39 0x7f029c0cd612 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519:10

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f02927e8f04 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f02927e8f04 in mozilla::net::nsSimpleURI::StartClone(mozilla::net::nsSimpleURI::RefHandlingEnum, nsACString const&) /home/worker/workspace/build/src/netwerk/base/nsSimpleURI.cpp:594
    #4 0x7f02927e9574 in mozilla::net::nsSimpleURI::CloneInternal(mozilla::net::nsSimpleURI::RefHandlingEnum, nsACString const&, nsIURI**) /home/worker/workspace/build/src/netwerk/base/nsSimpleURI.cpp:635:31
    #5 0x7f0292777571 in NS_EnsureSafeToReturn(nsIURI*, nsIURI**) /home/worker/workspace/build/src/netwerk/base/nsNetUtil.cpp:1777:24
    #6 0x7f02927779cf in ToImmutableURI /home/worker/workspace/build/src/netwerk/base/nsIOService.cpp:1569:19
    #7 0x7f02927779cf in non-virtual thunk to mozilla::net::nsIOService::ToImmutableURI(nsIURI*, nsIURI**) /home/worker/workspace/build/src/netwerk/base/nsIOService.cpp:1562
    #8 0x7f02927ae23d in NS_TryToMakeImmutable(nsIURI*, nsresult*) /home/worker/workspace/build/src/netwerk/base/nsNetUtil.cpp:1805:20
    #9 0x7f029b10b1e8 in nsDocShell::SetCurrentURI(nsIURI*, nsIRequest*, bool, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:1985:17
    #10 0x7f029b14bd71 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7422:9
    #11 0x7f029b15336f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7362:13
    #12 0x7f0293ecfb59 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1276:3
    #13 0x7f0293ece2ef in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1239:14
    #14 0x7f0293eccc94 in doStartURLLoad /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:797:3
    #15 0x7f0293eccc94 in nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:481
    #16 0x7f0293eccf8c in non-virtual thunk to nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:392:14
    #17 0x7f02927914da in mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:510:28
    #18 0x7f0297096bdd in nsHTMLDocument::CreateAndAddWyciwygChannel() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2416:21
    #19 0x7f02970950f8 in nsHTMLDocument::Open(JSContext*, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1778:3
    #20 0x7f0297092661 in nsHTMLDocument::Open(nsAString const&, nsAString const&, nsAString const&, JSContext*, unsigned char, nsISupports**) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1435:14
    #21 0x7f02970985d7 in nsHTMLDocument::WriteCommon(JSContext*, nsAString const&, bool) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1940:10
    #22 0x7f0297097a49 in nsHTMLDocument::WriteCommon(JSContext*, mozilla::dom::Sequence<nsString> const&, bool, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:1875:10
    #23 0x7f02965d4925 in mozilla::dom::HTMLDocumentBinding::write(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:654:9
    #24 0x7f029689344e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #25 0x7f029c0ccc63 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #26 0x7f029c0ccc63 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
    #27 0x7f029c0cd612 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:519:10
    #28 0x7f029cce08ee in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #29 0x7f029cc97f94 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #30 0x7f029ccc1153 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:21
    #31 0x7f029ccc3ab7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #32 0x7f029c0ccfb3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #33 0x7f029c0ccfb3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:437
    #34 0x7f029c0b568f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:506:12
    #35 0x7f029c0b568f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2997

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/netwerk/base/Predictor.cpp:191:8 in IsNullOrHttp
Shadow bytes around the buggy address:
  0x0c1a80011360: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1a80011370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a80011380: 00 00 fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1a80011390: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c1a800113a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a800113b0: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa[fd]fd
  0x0c1a800113c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1a800113d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a800113e0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c1a800113f0: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80011400: fd fd fd fa fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23074==ABORTING
Group: core-security → network-core-security
Nicholas, do you have cycles to look at this?
Flags: needinfo?(hurley)
The only thing on the heap in that call stack is a URI. The predictor doesn't own the URIs it's inspecting, it just gets them as arguments. I suspect the bug is higher up, somewhere in docshell (which is what passes the URIs into the predictor). Someone who knows docshell better than I should be the one to look at this.
Component: Networking → Document Navigation
Flags: needinfo?(hurley)
Group: network-core-security → dom-core-security
Ehsan, related to your work in bug 1316683?
Flags: needinfo?(ehsan)
Based on code inspection, this is a bug in nsDocShell::Reload.
Assignee: nobody → bugs
Attached patch minimal fix (obsolete) — Splinter Review
(vague commit message)

-m "Bug 1355039, ensure the right url is used for reloading, r=bz"
Attachment #8857426 - Flags: review?(bzbarsky)
Hmm, I wonder if I should do the same with the referrer URI. I think I should.
Other callers look right.
Attachment #8857426 - Attachment is obsolete: true
Attachment #8857426 - Flags: review?(bzbarsky)
Attachment #8857428 - Flags: review?(bzbarsky)
Flags: needinfo?(ehsan)
Comment on attachment 8857428 [details] [diff] [review]
be consistent how InternalLoad is called

I think this could use a code comment about how InternalLoad can modify our members or something.

r=me
Attachment #8857428 - Flags: review?(bzbarsky) → review+
Not sure where to put that to be effective.
This is of course following normal COM rules.
Comment on attachment 8857428 [details] [diff] [review]
be consistent how InternalLoad is called

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'd say not very easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
"Bug 1355039, ensure the right url is used for reloading, r=bz" is vague, but the patch does hint what is happening

Which older supported branches are affected by this flaw?
All

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Seems to apply cleanly to beta for example

How likely is this patch to cause regressions; how much testing does it need?
Should be safe.
Attachment #8857428 - Flags: sec-approval?
Attachment #8857428 - Flags: approval-mozilla-beta?
Attachment #8857428 - Flags: approval-mozilla-aurora?
> Not sure where to put that to be effective.

At the place where we put the uris in stack vars, so someone doesn't come along and "optimize" that out.
Oh, I think that is pretty clear if one explicitly assigns to a local variable.
We have that kind of code everywhere, especially after we changed some kungfuDeathGrips to some other names.
But I can add a comment
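An added illustration of the pattern discussed in the comments above (example code written for this page, not Firefox's code or the landed patch): a raw pointer obtained from a member strong reference is passed into a call that re-assigns that member, so the pointee is released mid-call and the caller's pointer dangles; taking a local strong reference before the call (the "kungFuDeathGrip" shape) keeps it alive. The Uri, RefPtr and DocShell classes and the liveness registry are reduced stand-ins for nsSimpleURI, mozilla::RefPtr/nsCOMPtr and nsDocShell, invented for this example; the registry plays the role ASan played in the report, flagging a dangling pointer without dereferencing freed memory.

```cpp
// Added example (not Firefox code): reduced model of the bug in this report.
// Stop() inside InternalLoad() re-assigns the member that owned the URI the
// caller handed in as a raw pointer, which drops the last reference.
#include <cstdio>
#include <set>
#include <string>
#include <utility>

// Hypothetical liveness registry standing in for ASan: every Uri registers on
// construction and unregisters on destruction, so a dangling pointer can be
// recognised by address without touching freed memory.
static std::set<const void*>& liveUris() {
    static std::set<const void*> s;
    return s;
}
static bool isLive(const void* p) { return liveUris().count(p) != 0; }

// Minimal intrusive-refcounted URI, playing the role of nsSimpleURI.
class Uri {
public:
    explicit Uri(std::string spec) : mSpec(std::move(spec)) { liveUris().insert(this); }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    const std::string& Spec() const { return mSpec; }
private:
    ~Uri() { liveUris().erase(this); }
    std::string mSpec;
    int mRefCnt = 0;
};

// Minimal strong-reference holder in the spirit of RefPtr/nsCOMPtr.
template <class T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
    ~RefPtr() { if (mPtr) mPtr->Release(); }
    RefPtr& operator=(T* p) {
        if (p) p->AddRef();
        T* old = mPtr;
        mPtr = p;
        if (old) old->Release();   // the previous pointee may be freed here
        return *this;
    }
    RefPtr& operator=(const RefPtr& o) { return *this = o.mPtr; }
    T* get() const { return mPtr; }
private:
    T* mPtr = nullptr;
};

// Reduced docshell: Reload() feeds its own member into InternalLoad(), which
// stops the in-flight load before using its argument. In the real code the
// member was re-assigned from EndPageLoad() while Stop() ran.
class DocShell {
public:
    explicit DocShell(const char* spec) : mCurrentURI(new Uri(spec)) {}

    // Buggy shape: a raw pointer to a member crosses a call that can mutate it.
    bool ReloadBuggy() { return InternalLoad(mCurrentURI.get()); }

    // Fixed shape: copy into a local strong reference first, then pass that.
    bool ReloadFixed() {
        RefPtr<Uri> currentURI = mCurrentURI;   // keeps the object alive
        return InternalLoad(currentURI.get());
    }

private:
    // Returns true if the URI argument is still alive at the point where it
    // would be read (where PredictorLearn read it in the ASan report).
    bool InternalLoad(Uri* uri) {
        Stop();
        return isLive(uri);   // a real build would read uri->Spec() here
    }

    // Stand-in for nsDocShell::Stop() -> ... -> EndPageLoad() re-assigning
    // mCurrentURI, which releases the previous Uri.
    void Stop() { mCurrentURI = new Uri("about:blank"); }

    RefPtr<Uri> mCurrentURI;
};

int main() {
    DocShell buggy("http://example.test/");
    DocShell fixed("http://example.test/");
    std::printf("buggy Reload: URI %s after Stop()\n",
                buggy.ReloadBuggy() ? "alive" : "freed (use-after-free)");
    std::printf("fixed Reload: URI %s after Stop()\n",
                fixed.ReloadFixed() ? "alive" : "freed");
    return 0;
}
```

The buggy path reports the URI as freed because the only reference was the member that Stop() overwrote; the fixed path holds a second reference on the stack for the duration of the call, which is exactly why the review asked for a comment at the place the URIs are copied into locals so nobody later "optimizes" the copy away.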
Attached patch +commentSplinter Review
I'd like to not fix this for 53 if we can wait till 54 - we don't have time to uplift this to 53 without missing the release date next week.
Sec-approval+ for checkin on May 3, which is two weeks into the next cycle. We're releasing 53 in the next few days.

We'll want branch patches nominated as well so we can ship this on both ESR branches and 54 and 55.
Attachment #8857428 - Flags: sec-approval? → sec-approval+
Comment on attachment 8857428 [details] [diff] [review]
be consistent how InternalLoad is called

54 was merged to Beta today, so clearing the Aurora request in light of the new Dawn world.
Attachment #8857428 - Flags: approval-mozilla-aurora? → approval-mozilla-esr52?
We're due to ship our final planned release off the esr45 branch this week, so we won't be fixing this bug on that branch unless it turns into a chemspill situation between now and June's official EOL.
Makes sense to track this for 54/55.
Keywords: testcase
Flags: sec-bounty?
Attachment #8857428 - Attachment is obsolete: true
Attachment #8857428 - Flags: approval-mozilla-esr52?
Attachment #8857428 - Flags: approval-mozilla-beta?
Comment on attachment 8857710 [details] [diff] [review]
+comment

See comment 10. I've confirmed that this grafts cleanly to Beta and ESR52.
Attachment #8857710 - Flags: approval-mozilla-esr52?
Attachment #8857710 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/33e3bd0474b9
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Group: dom-core-security → core-security-release
Comment on attachment 8857710 [details] [diff] [review]
+comment

Fix a sec-high. Beta54+ & ESR52+. Should be in 54 beta 6.
Attachment #8857710 - Flags: approval-mozilla-esr52?
Attachment #8857710 - Flags: approval-mozilla-esr52+
Attachment #8857710 - Flags: approval-mozilla-beta?
Attachment #8857710 - Flags: approval-mozilla-beta+
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7749
I've reproduced this crash on 51.0a1 with an ASan build under Ubuntu 16.04 x64 LTS. The crash no longer reproduces on 54.0 (20170605204906) and ESR 52.2.0 (20170607123825).

It seems that the fuzzPriv extension is not compatible with 55.0a1, so I cannot verify it on the latest Nightly.
Olli, do you have any idea whether there is another way I could verify this on 55.0a1, or whether I could get a fuzzPriv extension which is compatible with this build version?

Thanks!
I don't know.
I think mccr8 was adding some testing methods so that fuzzPriv wouldn't be needed. Maybe he knows
Flags: needinfo?(bugs) → needinfo?(continuation)
Ciprian, did you set the "xpinstall.signatures.required" preference to false?  You probably need to do that to install that extension on recent builds...
(In reply to Boris Zbarsky [:bz] (if a patch has no decent message, automatic r-) from comment #27)
> Ciprian, did you set the "xpinstall.signatures.required" preference to
> false?  You probably need to do that to install that extension on recent
> builds...

Yes, but it didn't make any difference.
Is extensions.allow-non-mpc-extensions needed due to bug 1356462?
Flags: needinfo?(ciprian.georgiu)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #29)
> Is extensions.allow-non-mpc-extensions needed due to bug 1356462?

It appears to be needed, since once I set the extensions.allow-non-mpc-extensions to true, the fuzzPriv extension can be installed.

I've verified again on latest Nightly 55.0a1, and I can confirm that this crash is fixed.
Flags: needinfo?(ciprian.georgiu)
Status: RESOLVED → VERIFIED
(In reply to Olli Pettay [:smaug] from comment #26)
> I think mccr8 was adding some testing methods so that fuzzPriv wouldn't be
> needed. Maybe he knows

This will require special fuzzing builds, so it won't be directly usable for QA verification of builds we're shipping, unfortunately.
Flags: needinfo?(continuation)
Group: core-security-release