1371269 - heap-use-after-free in mozilla::dom::CanvasRenderingContext2D::ParseColor

Reporter

Description

•

8 years ago

Attached file crash.html — Details

The following testcase crashes the latest ASAN build of Firefox ESR 52.2.0 (20170607010726) <script> function start() { o0=document; o20=document.createElement('marquee'); document.documentElement.addEventListener('DOMAttrModified',fun0); document.documentElement.appendChild(o20); fuzzPriv.callDrawWindow(0); } function fun0() { o37=window.top.open('data:text/html,<div>','popup21','width=1023'); o0.write(''); o37.open('data:text/html,<div>','popup23','height=24'); fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC(); } </script> <body onload="start()"></body> ASAN output: ================================================================= ==13508==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900087be90 at pc 0x7f3fe406a243 bp 0x7ffc323cd1b0 sp 0x7ffc323cd1a8 READ of size 8 at 0x61900087be90 thread T0 #0 0x7f3fe406a242 in operator bool /home/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:311:45 #1 0x7f3fe406a242 in mozilla::dom::CanvasRenderingContext2D::ParseColor(nsAString_internal const&, unsigned int*) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:1144 #2 0x7f3fe40a4b10 in mozilla::dom::CanvasRenderingContext2D::DrawWindow(nsGlobalWindow&, double, double, double, double, nsAString_internal const&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5387:8 #3 0x7f3fe343c042 in mozilla::dom::CanvasRenderingContext2DBinding::drawWindow(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:5186:3 #4 0x7f3fe3fadea0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13 #5 0x7f3fea32a2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15 #6 0x7f3fea32a2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447 #7 0x7f3fea30a6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12 #8 0x7f3fea30a6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922 #9 0x7f3fea2ef8ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12 #10 0x7f3fea32a94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15 #11 0x7f3fea32af92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10 #12 0x7f3fe9df9ec2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12 #13 0x7f3fe0ffb8af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18 #14 0x7f3fea32a2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15 #15 0x7f3fea32a2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447 #16 0x7f3fea30a6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12 #17 0x7f3fea30a6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922 #18 0x7f3fea2ef8ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12 #19 0x7f3fea32a94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15 #20 0x7f3fea32af92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10 #21 0x7f3fe9dfc12d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12 #22 0x7f3fe39aabff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37 #23 0x7f3fe43c746a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12 #24 0x7f3fe43c746a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214 #25 0x7f3fe439180d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16 #26 0x7f3fe4393237 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17 #27 0x7f3fe437df96 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5 #28 0x7f3fe4381628 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9 #29 0x7f3fe656b0ec in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1038:7 #30 0x7f3fe730ef4b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7635:5 #31 0x7f3fe730ad54 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7439:7 #32 0x7f3fe73123bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7336:13 #33 0x7f3fe1512290 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3 #34 0x7f3fe1511228 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5 #35 0x7f3fe150df88 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9 #36 0x7f3fe1510084 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5 #37 0x7f3fe1510c3c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14 #38 0x7f3fdfa671fa in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18 #39 0x7f3fe2503696 in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8640:7 #40 0x7f3fe2502f6e in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8568:9 #41 0x7f3fe24d822b in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5055:3 #42 0x7f3fe259d032 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12 #43 0x7f3fe259d032 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781 #44 0x7f3fe259d032 in mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810 #45 0x7f3fdf8878bb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7 #46 0x7f3fdf9099fc in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10 #47 0x7f3fe06c140f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21 #48 0x7f3fe0632fc8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3 #49 0x7f3fe0632fc8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225 #50 0x7f3fe0632fc8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205 #51 0x7f3fe5c5c19f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3 #52 0x7f3fe7cd6451 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19 #53 0x7f3fe7e6d757 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10 #54 0x7f3fe7e6eecd in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8 #55 0x7f3fe7e6fd8c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16 #56 0x4df91a in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10 #57 0x4df91a in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415 #58 0x7f3ffab3182f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291 #59 0x41ba88 in _start (/home/nils/fuzzer3/esr/firefox/firefox+0x41ba88) 0x61900087be90 is located 16 bytes inside of 1120-byte region [0x61900087be80,0x61900087c2e0) freed by thread T0 here: #0 0x4b21db in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3 #1 0x7f3fdf750354 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2665:9 #2 0x7f3fdf74ff46 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2840:3 #3 0x7f3fdf75701e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3826:3 #4 0x7f3fdf7564dc in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3651:9 #5 0x7f3fdf75a556 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4144:3 #6 0x7f3fe25ecb19 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1440:3 #7 0x7f3fe211a55d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1340:3 #8 0x7f3fdf8afec6 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23 #9 0x7f3fe10d2fbe in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2058:12 #10 0x7f3fe10d2fbe in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1377 #11 0x7f3fe10d2fbe in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1344 #12 0x7f3fe10da648 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:999:12 #13 0x7f3fea32a2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15 #14 0x7f3fea32a2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447 #15 0x7f3fea30a6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12 #16 0x7f3fea30a6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922 #17 0x7f3fea2ef8ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12 #18 0x7f3fea32a94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15 #19 0x7f3fea32af92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10 #20 0x7f3fe9df9ec2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12 #21 0x7f3fe0ffb8af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18 #22 0x7f3fea32a2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15 #23 0x7f3fea32a2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447 #24 0x7f3fea30a6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12 #25 0x7f3fea30a6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922 #26 0x7f3fea2ef8ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12 #27 0x7f3fea32a94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15 #28 0x7f3fea32af92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10 #29 0x7f3fe9dfc12d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12 #30 0x7f3fe39adffc in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8 #31 0x7f3fe43917c2 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12 #32 0x7f3fe43917c2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1130 #33 0x7f3fe4393237 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17 #34 0x7f3fe437e259 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:401:9 #35 0x7f3fe4381628 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9 #36 0x7f3fe4383527 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:780:12 previously allocated by thread T0 here: #0 0x4b24fb in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3 #1 0x4e0ded in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17 #2 0x7f3fe40b32d8 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12 #3 0x7f3fe40b32d8 in mozilla::dom::CanvasRenderingContextHelper::CreateContextHelper(mozilla::dom::CanvasContextType, mozilla::layers::LayersBackend) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:142 #4 0x7f3fe4558682 in mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:407:5 #5 0x7f3fe4558b24 in non-virtual thunk to mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:403:20 #6 0x7f3fe40b398c in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:186:15 #7 0x7f3fe455f914 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:950:10 #8 0x7f3fe3c08537 in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:237:43 #9 0x7f3fe3fadea0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13 #10 0x7f3fea32a2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15 #11 0x7f3fea32a2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447 #12 0x7f3fea30a6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12 #13 0x7f3fea30a6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922 #14 0x7f3fea2ef8ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12 #15 0x7f3fea32a94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15 #16 0x7f3fea32af92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10 #17 0x7f3fe9df9ec2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12 #18 0x7f3fe0ffb8af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18 #19 0x7f3fea32a2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15 #20 0x7f3fea32a2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447 #21 0x7f3fea30a6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12 #22 0x7f3fea30a6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922 #23 0x7f3fea2ef8ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12 #24 0x7f3fea32a94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15 #25 0x7f3fea32af92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10 #26 0x7f3fe9dfc12d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12 #27 0x7f3fe39aabff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37 #28 0x7f3fe43c746a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12 #29 0x7f3fe43c746a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214 #30 0x7f3fe439180d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16 #31 0x7f3fe4393237 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17 #32 0x7f3fe437df96 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5 #33 0x7f3fe4381628 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9 #34 0x7f3fe656b0ec in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1038:7 #35 0x7f3fe730ef4b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7635:5 SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:311:45 in operator bool Shadow bytes around the buggy address: 0x0c3280107780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3280107790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32801077a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32801077b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c32801077c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c32801077d0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32801077e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c32801077f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3280107800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3280107810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c3280107820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13508==ABORTING

Nils

Reporter

Comment 1

•

8 years ago

Attached file ASAN stacks — Details

Andrew McCreight [:mccr8]

Updated

•

8 years ago

Group: core-security → gfx-core-security

Tyson Smith [:tsmith]

Comment 2

•

8 years ago

This test requires popups to be allowed and the fuzzPriv extension to reproduce.

Component: DOM → Graphics

Keywords: crash, sec-high, testcase

Version: 52 Branch → Trunk

Tyson Smith [:tsmith]

Comment 3

•

8 years ago

fuzzPriv.callDrawWindow() calls CanvasRenderingContext2D.drawWindow() which can not be called by web content directly. Is there a way to indirectly trigger this call? This will affect the sec rating.

Ryan VanderMeulen [:RyanVM]

Comment 4

•

8 years ago

Markus, can you answer comment 3?

Flags: needinfo?(mstange)

Markus Stange [:mstange]

Comment 5

•

8 years ago

I'm not aware of any way to trigger this call under the controlled circumstances that are necessary here. DrawWindow is used by automatic tab snapshots and when the user uses the Firefox screenshots feature, but the timing of those calls is not controllable by the web page.

Flags: needinfo?(mstange)

Markus Stange [:mstange]

Comment 6

•

8 years ago

This bug was filed on ESR 52. It's likely that the underlying issue was fixed in bug 1355168.

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Flags: sec-bounty?

Ryan VanderMeulen [:RyanVM]

Comment 7

•

8 years ago

(In reply to Markus Stange [:mstange] from comment #6) > This bug was filed on ESR 52. It's likely that the underlying issue was > fixed in bug 1355168. Ritu, it sounds like the decision in bug 1355168 needs reconsidering (in general, I think we shouldn't be passing up any chances to make our Canvas2D code more bulletproof due to the ongoing security issues being hit). How would you like to proceed?

Flags: needinfo?(rkothari)

Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)

Comment 8

•

8 years ago

I just A+'d the fix in bug 1355168 for uplift to ESR52 assuming it's fixing a security issue. (In reply to Ryan VanderMeulen [:RyanVM] from comment #7) > (In reply to Markus Stange [:mstange] from comment #6) > > This bug was filed on ESR 52. It's likely that the underlying issue was > > fixed in bug 1355168. > > Ritu, it sounds like the decision in bug 1355168 needs reconsidering (in > general, I think we shouldn't be passing up any chances to make our Canvas2D > code more bulletproof due to the ongoing security issues being hit). How > would you like to proceed? Thanks for the ping. I just A+'d the fix in bug 1355168 for uplift to ESR52 assuming it's fixing a security issue.

Flags: needinfo?(rkothari)

Ryan VanderMeulen [:RyanVM]

Comment 9

•

8 years ago

I just uplifted bug 1355168 to ESR52. Nils, can you see if current tip reproduces still?

Flags: needinfo?(nils)

Nils

Reporter

Comment 10

•

8 years ago

Ryan, I just tested on the latest treeherder ESR ASAN build (BuildID=20170711234922) and it reproduces. Will that have the patch already?

Flags: needinfo?(nils) → needinfo?(ryanvm)

Ryan VanderMeulen [:RyanVM]

Comment 11

•

8 years ago

Yes, that build would have :( Markus, it appears this may require some more investigation still.

Flags: needinfo?(ryanvm) → needinfo?(mstange)

Daniel Veditz [:dveditz]

Updated

•

7 years ago

status-thunderbird_esr52: --- → affected

Al Billings [:abillings - ex-MoCo]

Comment 12

•

7 years ago

Can you see if this reproduces in a trunk ASAN build?

status-thunderbird_esr52: affected → ---

Flags: needinfo?(jkratzer)

Daniel Veditz [:dveditz]

Updated

•

7 years ago

status-firefox56: --- → ?

status-firefox57: --- → ?

status-firefox-esr52: --- → affected

Jason Kratzer [:jkratzer]

Comment 13

•

7 years ago

(In reply to Al Billings [:abillings] from comment #12) > Can you see if this reproduces in a trunk ASAN build? I was unable to reproduce this using mozilla-central rev 20170815-b95b1638db48.

Flags: needinfo?(jkratzer)

Frederik Braun [:freddy]

Comment 14

•

7 years ago

Jason, can you help us identify the commit that fixed this? If so, I think we can make a better decision if this needs uplifting to beta or ESR.

Flags: needinfo?(jkratzer)

Jason Kratzer [:jkratzer]

Comment 15

•

7 years ago

(In reply to Frederik Braun [:freddyb] from comment #14) > Jason, can you help us identify the commit that fixed this? > If so, I think we can make a better decision if this needs uplifting to beta > or ESR. Bisection identifies the first good revision as: changeset: 356094:0a86729d653e date: Mon Jul 10 18:06:29 2017 -0400 summary: Bug 1371259 - Rejigger DOM object unwrapping to take mutable handles to the JS value/object in a bunch of cases.

Flags: needinfo?(jkratzer)

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Keywords: csectype-uaf

Markus Stange [:mstange]

Updated

•

7 years ago

Depends on: CVE-2017-7801

Flags: needinfo?(mstange)

Frederik Braun [:freddy]

Comment 16

•

7 years ago

Seems like it was fixed by bug 1371259 and uplifted to ESR. Can we close this one?

Flags: needinfo?(dveditz)

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Status: NEW → RESOLVED

Closed: 7 years ago

Flags: needinfo?(dveditz)

Resolution: --- → DUPLICATE

Al Billings [:abillings - ex-MoCo]

Updated

•

7 years ago

Flags: sec-bounty? → sec-bounty-

Ryan VanderMeulen [:RyanVM]

Updated

•

5 years ago

status-firefox56: ? → fixed

status-firefox57: ? → ---

status-firefox-esr52: affected → fixed

Daniel Veditz [:dveditz]

Updated

•

4 years ago

Group: gfx-core-security

David Lawrence [:dkl]

Updated

•

8 months ago

Keywords: reporter-external

crash.html 8 years ago Nils 492 bytes, text/html		Details
ASAN stacks 8 years ago Nils 23.66 KB, text/plain		Details