Closed
Bug 1359547
(CVE-2017-7752)
Opened 8 years ago
Closed 8 years ago
heap-use-after-free in mozilla::IMEContentObserver::HandleQueryContentEvent
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
People
(Reporter: nils, Assigned: masayuki, NeedInfo)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])
Attachments
(1 file)
|
3.40 KB,
patch
|
smaug
:
review+
gchang
:
approval-mozilla-beta+
gchang
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
The following testcase crashes the latest ASAN build of Firefox ESR 52.1.0 (20170417135202). It requires the fuzzPriv extension.
<script>
function start() {
o2=document;
o38=document.createElement('input');
o56=document.createElement('form');
o38.innerHTML='<keygen name=style>';
o392=document.createElement('iframe');
o2.designMode='on';
o56.appendChild(o38);
o392.style.position='fixed';
o443=document.createElement('frameset');
o444=document.createElement('audio');
o445=document.createElement('track');
o444.appendChild(o445);
o2.write('<div>');
o444.controls^=1;
o2.documentElement.appendChild(o444);
o443.onerror=fun1;
document.documentElement.appendChild(o392);
document.documentElement.style.transform='scale(1)';
fuzzPriv.trustedKeyEvent(document.documentElement,'press',false,false,true,false,37,0);
}
var c = 0;
function fun1() {
if(c++>1)return;
a=new FormData(o56);
fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
setTimeout("location.reload();",400);
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==25393==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000032330 at pc 0x7f2fe84e5e22 bp 0x7fff07127cf0 sp 0x7fff07127ce8
READ of size 8 at 0x612000032330 thread T0
#0 0x7f2fe84e5e21 in operator bool /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:763:45
#1 0x7f2fe84e5e21 in IsInitializedWithPlugin /home/worker/workspace/build/src/dom/events/IMEContentObserver.h:136
#2 0x7f2fe84e5e21 in mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /home/worker/workspace/build/src/dom/events/IMEContentObserver.cpp:777
#3 0x7f2fe842e160 in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /home/worker/workspace/build/src/dom/events/EventStateManager.cpp:900:5
#4 0x7f2fe842bade in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventStateManager.cpp:610:5
#5 0x7f2fea6caae9 in PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:8254:10
#6 0x7f2fea6c6964 in PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:7980:12
#7 0x7f2fea6c36e1 in PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:7468:16
#8 0x7f2fe9c8c66f in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /home/worker/workspace/build/src/view/nsViewManager.cpp:815:7
#9 0x7f2fe9c849c0 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /home/worker/workspace/build/src/view/nsView.cpp:1117:5
#10 0x7f2fe9d40088 in nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:582:17
#11 0x7f2fe9d6b078 in nsWindow::ExecuteNativeKeyBinding(nsIWidget::NativeKeyBindingsType, mozilla::WidgetKeyboardEvent const&, void (*)(mozilla::Command, void*), void*) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:6487:9
#12 0x7f2fe9e79093 in mozilla::EditorEventListener::KeyPress(nsIDOMKeyEvent*) /home/worker/workspace/build/src/editor/libeditor/EditorEventListener.cpp:636:18
#13 0x7f2fe9e76b2f in mozilla::EditorEventListener::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/editor/libeditor/EditorEventListener.cpp:407:14
#14 0x7f2fe84cf99d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#15 0x7f2fe84d13c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#16 0x7f2fe84bc7b9 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:401:9
#17 0x7f2fe84bcb6b in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:429:5
#18 0x7f2fe84bfb88 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#19 0x7f2fe84c1a87 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:780:12
#20 0x7f2fe676cf01 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1309:5
#21 0x7f2fe84dc2c0 in mozilla::dom::EventTarget::DispatchEvent(JSContext*, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/events/EventTarget.cpp:73:9
#22 0x7f2fe7bee79b in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:988:15
#23 0x7f2fe7beb75c in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1164:13
#24 0x7f2fee331f55 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#25 0x7f2fee331f55 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#26 0x7f2fee31235f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#27 0x7f2fee31235f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#28 0x7f2fee2f751d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#29 0x7f2fee3325bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#30 0x7f2fee332c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#31 0x7f2fede02e42 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
#32 0x7f2fe51f9c1f in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#33 0x7f2fee331f55 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#34 0x7f2fee331f55 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#35 0x7f2fee31235f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#36 0x7f2fee31235f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#37 0x7f2fee2f751d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#38 0x7f2fee3325bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#39 0x7f2fee332c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#40 0x7f2fede050ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#41 0x7f2fe7b0d7ff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#42 0x7f2fe850398a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#43 0x7f2fe850398a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#44 0x7f2fe84cf99d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#45 0x7f2fe84d13c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#46 0x7f2fe84bc4f6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#47 0x7f2fe84bfb88 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#48 0x7f2fea5f5a8c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1023:7
#49 0x7f2feb38399b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7630:5
#50 0x7f2feb37f7a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7434:7
#51 0x7f2feb386e0f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7331:13
#52 0x7f2fe56eb510 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#53 0x7f2fe56ea4a8 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#54 0x7f2fe56e7208 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#55 0x7f2fe56e9304 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#56 0x7f2fe56e9ebc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#57 0x7f2fe3c9a2ca in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
#58 0x7f2fe66a5a86 in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8640:7
#59 0x7f2fe66a5456 in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8568:9
#60 0x7f2fe667b904 in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5055:3
#61 0x7f2fe6739f72 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12
#62 0x7f2fe6739f72 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781
#63 0x7f2fe6739f72 in mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810
#64 0x7f2fe3ac63bb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#65 0x7f2fe3b4578c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#66 0x7f2fe48c112f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#67 0x7f2fe48337a8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#68 0x7f2fe48337a8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#69 0x7f2fe48337a8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#70 0x7f2fe9d0553f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#71 0x7f2febcf8f21 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#72 0x7f2febe815ce in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
#73 0x7f2febe82add in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
#74 0x7f2febe8399c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
#75 0x4df8ca in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
#76 0x4df8ca in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
#77 0x7f2ffead982f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#78 0x41ba38 in _start (/home/nils/fuzzer3/esr/firefox/firefox+0x41ba38)
0x612000032330 is located 112 bytes inside of 264-byte region [0x6120000322c0,0x6120000323c8)
freed by thread T0 here:
#0 0x4b218b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7f2fe399b564 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2665:9
#2 0x7f2fe399acf5 in ~RemoveSkippableVisitor /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2776:3
#3 0x7f2fe399acf5 in nsPurpleBuffer::RemoveSkippable(nsCycleCollector*, bool, bool, void (*)()) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2817
#4 0x7f2fe399b8d3 in nsCycleCollector::ForgetSkippable(bool, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2864:3
#5 0x7f2fe39a4849 in nsCycleCollector_forgetSkippable(bool, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4097:3
#6 0x7f2fe678eea8 in FireForgetSkippable(unsigned int, bool) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1240:3
#7 0x7f2fe679180d in CCTimerFired(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1813:7
#8 0x7f2fe6794749 in nsJSContext::NotifyDidPaint() /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:2605:5
#9 0x7f2fea3b6ae4 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2050:5
#10 0x7f2fea3c0e11 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:295:7
#11 0x7f2fea3c08b8 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
#12 0x7f2fea3c33ce in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByValue<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12
#13 0x7f2fea3c33ce in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781
#14 0x7f2fea3c33ce in mozilla::detail::RunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810
#15 0x7f2fe3ac63bb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#16 0x7f2fe3b4578c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#17 0x7f2feb4d0c6d in nsXULWindow::ShowModal() /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:408:12
#18 0x7f2feb3f3008 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/embedding/components/windowwatcher/nsWindowWatcher.cpp:1323:7
#19 0x7f2feb3ee8ee in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/embedding/components/windowwatcher/nsWindowWatcher.cpp:353:10
#20 0x7f2feb8fdb6e in nsNSSDialogHelper::openDialog(mozIDOMWindowProxy*, char const*, nsISupports*, bool) /home/worker/workspace/build/src/security/manager/pki/nsNSSDialogHelper.cpp:47:8
#21 0x7f2feb9019e3 in DisplayGeneratingKeypairInfo /home/worker/workspace/build/src/security/manager/pki/nsNSSDialogs.cpp:365:8
#22 0x7f2feb9019e3 in non-virtual thunk to nsNSSDialogs::DisplayGeneratingKeypairInfo(nsIInterfaceRequestor*, nsIKeygenThread*) /home/worker/workspace/build/src/security/manager/pki/nsNSSDialogs.cpp:358
#23 0x7f2feb85f5f5 in nsKeygenFormProcessor::GetPublicKey(nsAString_internal const&, nsAString_internal const&, nsString const&, nsAString_internal&, nsAString_internal const&) /home/worker/workspace/build/src/security/manager/ssl/nsKeygenHandler.cpp:606:18
#24 0x7f2feb860acb in nsKeygenFormProcessor::ProcessValue(nsIDOMHTMLElement*, nsAString_internal const&, nsAString_internal&) /home/worker/workspace/build/src/security/manager/ssl/nsKeygenHandler.cpp:755:12
#25 0x7f2fe87e91f2 in mozilla::dom::HTMLSelectElement::SubmitNamesValues(mozilla::dom::HTMLFormSubmission*) /home/worker/workspace/build/src/dom/html/HTMLSelectElement.cpp:1704:11
#26 0x7f2fe87e96cc in non-virtual thunk to mozilla::dom::HTMLSelectElement::SubmitNamesValues(mozilla::dom::HTMLFormSubmission*) /home/worker/workspace/build/src/dom/html/HTMLSelectElement.cpp:1659:20
#27 0x7f2fe86c191c in mozilla::dom::HTMLFormElement::WalkFormElements(mozilla::dom::HTMLFormSubmission*) /home/worker/workspace/build/src/dom/html/HTMLFormElement.cpp:1059:5
#28 0x7f2fe64c09a1 in mozilla::dom::FormData::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Optional<mozilla::dom::NonNull<mozilla::dom::HTMLFormElement> > const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/FormData.cpp:393:11
#29 0x7f2fe7cb488b in mozilla::dom::FormDataBinding::_constructor(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FormDataBinding.cpp:1033:54
#30 0x7f2fee332efc in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#31 0x7f2fee332efc in CallJSNativeConstructor /home/worker/workspace/build/src/js/src/jscntxtinlines.h:272
#32 0x7f2fee332efc in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562
#33 0x7f2fee3122c8 in ConstructFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:588:12
#34 0x7f2fee3122c8 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2914
#35 0x7f2fee2f751d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#36 0x7f2fee3325bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
previously allocated by thread T0 here:
#0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0d9d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f2fe84f9a98 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f2fe84f9a98 in mozilla::IMEStateManager::CreateIMEContentObserver(nsIEditor*) /home/worker/workspace/build/src/dom/events/IMEStateManager.cpp:1599
#4 0x7f2fe84fc822 in mozilla::IMEStateManager::UpdateIMEState(mozilla::widget::IMEState const&, nsIContent*, nsIEditor*) /home/worker/workspace/build/src/dom/events/IMEStateManager.cpp:836:5
#5 0x7f2fe9e3bcd9 in mozilla::EditorBase::PostCreate() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:331:5
#6 0x7f2fea0258ba in nsEditingSession::SetupEditorOnWindow(mozIDOMWindowProxy*) /home/worker/workspace/build/src/editor/composer/nsEditingSession.cpp:481:10
#7 0x7f2fea022176 in nsEditingSession::MakeWindowEditable(mozIDOMWindowProxy*, char const*, bool, bool, bool) /home/worker/workspace/build/src/editor/composer/nsEditingSession.cpp:173:10
#8 0x7f2fe88a05b3 in nsHTMLDocument::EditingStateChanged() /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2763:12
#9 0x7f2fe88b452c in SetDesignMode /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2867:10
#10 0x7f2fe88b452c in nsHTMLDocument::SetDesignMode(nsAString_internal const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2850
#11 0x7f2fe7d7eb5a in mozilla::dom::HTMLDocumentBinding::set_designMode(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:757:3
#12 0x7f2fe81072e3 in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2847:8
#13 0x7f2fee331f55 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#14 0x7f2fee331f55 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#15 0x7f2fee333c98 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#16 0x7f2fee333c98 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650
#17 0x7f2fee3990cf in SetExistingProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2434:10
#18 0x7f2fee3990cf in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2469
#19 0x7f2fee04b628 in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1540:12
#20 0x7f2fee04b628 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:182
#21 0x7f2fe8111345 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /home/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:258:10
#22 0x7f2fee07cb01 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:333:12
#23 0x7f2fedf5c79a in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/jsobj.cpp:1022:12
#24 0x7f2fee30b03f in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1539:16
#25 0x7f2fee30b03f in SetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:259
#26 0x7f2fee30b03f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2715
#27 0x7f2fee2f751d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#28 0x7f2fee3325bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#29 0x7f2fee332c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#30 0x7f2fede050ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#31 0x7f2fe7b0d7ff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#32 0x7f2fe850398a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#33 0x7f2fe850398a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#34 0x7f2fe84cf99d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#35 0x7f2fe84d13c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#36 0x7f2fe84bc4f6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#37 0x7f2fe84bfb88 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#38 0x7f2fea5f5a8c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1023:7
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:763:45 in operator bool
Shadow bytes around the buggy address:
0x0c247fffe410: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c247fffe420: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fffe430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fffe440: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c247fffe450: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffe460: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c247fffe470: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c247fffe480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c247fffe490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c247fffe4a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c247fffe4b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25393==ABORTING
|
||
Updated•8 years ago
|
Group: core-security → dom-core-security
|
||
Comment 1•8 years ago
|
||
Masayuki, is this something you could take a look at?
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox54:
--- → ?
tracking-firefox55:
--- → ?
tracking-firefox-esr52:
--- → ?
Flags: needinfo?(masayuki)
|
||
Comment 2•8 years ago
|
||
guessing sec-moderate because I think you'd have to convince a user to make those keystrokes for you to trigger this bug
Keywords: sec-moderate
|
||
Comment 3•8 years ago
|
||
I don't think we need to track this sec-moderate bug, but we could still take a patch in 54 if you come up with a fix.
|
Assignee | |
Comment 4•8 years ago
|
||
Hmm, I have no idea what causes this in IMEStateManager.
In ESR52, the crashed line (IMEStateManager.cpp:1599) is here:
https://dxr.mozilla.org/mozilla-esr52/rev/efda314ebf303ea64badfaf20d0a0de7db89d00d/dom/events/IMEStateManager.cpp#1599
> 1599 sActiveIMEContentObserver = new IMEContentObserver();
sActiveIMEContentObserver is always nullptr here (should have already returned from this method if it's not nullptr). And I don't know why creating new instance of IMEContentObserver class causes "heap-use-after-free".
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 5•8 years ago
|
||
Oops, I skipped here:
> #0 0x7f2fe84e5e21 in operator bool /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:763:45
> #1 0x7f2fe84e5e21 in IsInitializedWithPlugin /home/worker/workspace/build/src/dom/events/IMEContentObserver.h:136
> #2 0x7f2fe84e5e21 in mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /home/worker/workspace/build/src/dom/events/IMEContentObserver.cpp:777
> #3 0x7f2fe842e160 in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /home/worker/workspace/build/src/dom/events/EventStateManager.cpp:900:5
Okay, makes sense. I'll take this if I cannot understand the reason.
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → masayuki
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 6•8 years ago
|
||
Simple mistake. ESM should grab IMEContenObserver with the local variable.
# This patch is available even on ESR52.
Smaug, could you review this? It's very simple.
# Another caller is here https://searchfox.org/mozilla-central/rev/068e6f292503df13515a52321fc3844e237bf6a9/dom/events/TextComposition.cpp#463 but this grabs IMEContentObserver instance with local RefPtr.
Flags: needinfo?(bugs)
|
||
Updated•8 years ago
|
Flags: needinfo?(bugs)
Attachment #8862798 -
Flags: review+
|
|
Assignee | |
Comment 7•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7b5de7bd5c745446259f5102ddbedb59b299356
Bug 1359547 EventStateManager should grab IMEContentObserver with local variable before calling HandleQueryContentEvent() r=smaug
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
|
||
Comment 9•8 years ago
|
||
Is this something that can ride the 55 train or should we consider it for Beta/ESR52 backport?
Flags: needinfo?(masayuki)
|
|
Assignee | |
Comment 10•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #9)
> Is this something that can ride the 55 train or should we consider it for
> Beta/ESR52 backport?
yes, the patch is really not risky and can be applied to even ESR52. Should I request approval Beta/ESR52 or request to block the releases?
Flags: needinfo?(masayuki) → needinfo?(ryanvm)
|
|
Assignee | |
Comment 12•8 years ago
|
||
Comment on attachment 8862798 [details] [diff] [review]
EventStateManager should grab IMEContentObserver with local variable before calling HandleQueryContentEvent()
Approval Request Comment
[Feature/Bug causing the regression]: Regression of bug 1200980 (fixed in 43).
[Is this code covered by automated tests?]: No.
[Has the fix been verified in Nightly?]: No.
[Needs manual test from QE? If yes, steps to reproduce]: Yes.
0. Install the fuzzPriv extension.
1. Load the testcase in comment 0 with ASAN build.
[List of other uplifts needed for the feature/fix]: No.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just adding kung-fu-death-grip of IMEContentObserver when calling its method which may cause flushing layout.
[String changes made/needed]: No.
[Approval Request Comment]
Fix Landed on Version: 55.
Risk to taking this patch (and alternatives if risky): Not risky, see above.
String or UUID changes made by this patch: No.
Attachment #8862798 -
Flags: approval-mozilla-esr52?
Attachment #8862798 -
Flags: approval-mozilla-beta?
|
|
||
Updated•8 years ago
|
Group: dom-core-security → core-security-release
|
||
Comment 13•8 years ago
|
||
Comment on attachment 8862798 [details] [diff] [review]
EventStateManager should grab IMEContentObserver with local variable before calling HandleQueryContentEvent()
Fix a security issue. Beta54+ & ESR52+. Should be in 54 beta 5.
Attachment #8862798 -
Flags: approval-mozilla-esr52?
Attachment #8862798 -
Flags: approval-mozilla-esr52+
Attachment #8862798 -
Flags: approval-mozilla-beta?
Attachment #8862798 -
Flags: approval-mozilla-beta+
|
|
||
Comment 14•8 years ago
|
||
| uplift | ||
|
|
||
Comment 15•8 years ago
|
||
|
||
Comment 16•8 years ago
|
||
Flagging this for manual testing, instructions in Comment 12.
Flags: qe-verify+
|
|
||
Updated•8 years ago
|
Flags: sec-bounty?
|
||
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
Keywords: csectype-uaf
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
|
|
||
Updated•8 years ago
|
Alias: CVE-2017-7752
|
||
Comment 17•8 years ago
|
||
I was not able to reproduce this issue with or without fuzzPriv extension on Ubuntu 16.04 x64 LTS using a few affected asan builds:
- 52.1.0 esr (20170417145422)
- 51.0a1 Nightly (20160810065516)
Since I could not reproduce this crash (I've used the test case from comment 0), I cannot confirm if this crash is fixed or not.
Nils, could you please verify this on the latest asan build 54.0 [1], 55.0a1 [2] and esr 52.2.0 [3]?
Thanks!
[1] https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-release.pushdate.2017.06.09.20170609100830.firefox/gecko.v2.mozilla-release.pushdate.2017.06.09.20170609100830.firefox.linux64-asan-opt
[2] https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-central.pushdate.2017.06.09.20170609013809.firefox/gecko.v2.mozilla-central.pushdate.2017.06.09.20170609013809.firefox
[3] https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-esr52.pushdate.2017.06.08.20170608175922.firefox/gecko.v2.mozilla-esr52.pushdate.2017.06.08.20170608175922.firefox
Flags: needinfo?(nils)
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
|
||
Comment 18•6 years ago
|
||
Hi, I retested this issue on Ubuntu 18.04 lts using the latest "Asan Fuzzin" builds with Fuzzin - enabled in about:Config on :67.0a1 (2019-03-15); 66.0; 67.0b2; 60.6.0esr.
I was unable to reproduce this issue at all, I will mark this issue Verified as Fixed.
Status: RESOLVED → VERIFIED
status-firefox65:
--- → verified
status-firefox66:
--- → verified
status-firefox67:
--- → verified
Flags: qe-verify+
|
|
||
Updated•6 years ago
|
status-firefox-esr60:
--- → verified
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•