Closed Bug 1403117 Opened 7 years ago Closed 7 years ago

use-after-poison in nsLayoutUtils::GetFloatContainingBlock

Categories

(Core :: Layout, defect)

33 Branch
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1382213
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: hofusec, Assigned: MatsPalmgren_bugz)

References

Details

(4 keywords)

Attachments

(4 files)

Attached file testcase.html
The current nightly build of firefox crashs with the attached testcase. ASAN: ==4008==ERROR: AddressSanitizer: use-after-poison on address 0x625000e81fb0 at pc 0x7fffe02bfe16 bp 0x7ffffffeddc0 sp 0x7ffffffeddb8 READ of size 8 at 0x625000e81fb0 thread T0 #0 0x7fffe02bfe15 in nsLayoutUtils::GetFloatContainingBlock(nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:9308 (discriminator 2) #2 0x7fffe051cb99 in ReparentFloatsForInlineChild /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:312 (discriminator 1) #3 0x7fffe051cb99 in DrainSelfOverflowListInternal /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:505 (discriminator 1) #5 0x7fffe051c90c in nsInlineFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:197 #7 0x7fffe039b66d in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:661 ...
Attached file asanlog.txt
Group: core-security
Group: core-security → layout-core-security
Component: DOM → Layout
This appears to have an older regression range than the other bug, so I'm going to tentatively say no to that question for now. Note that the testcase needs modification to work around bug 1300895 on older builds. INFO: Last good revision: b6683e141c47c022598c0caac3ea8ba8c6236d42 (2016-04-07) INFO: First bad revision: d9b1a9829c8ee2862955043f28183efa07de3d2b (2016-04-08) INFO: Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b6683e141c47c022598c0caac3ea8ba8c6236d42&tochange=d9b1a9829c8ee2862955043f28183efa07de3d2b Bug 1259296 in that range does touch layout/base/nsLayoutUtils.cpp and layout/generic/nsGfxScrollFrame.cpp which appear on the stack, so maybe that's a start?
Status: UNCONFIRMED → NEW
Has Regression Range: --- → yes
Ever confirmed: true
Flags: needinfo?(botond)
Version: unspecified → 48 Branch
Keywords: crash
In DrainSelfOverflowListInternal, the overflow frames of "this" have a parent not "this", and that parent is poisoned, which is weird...
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3) > Bug 1259296 in that range does touch layout/base/nsLayoutUtils.cpp and > layout/generic/nsGfxScrollFrame.cpp which appear on the stack, so maybe > that's a start? I doubt it - those layout changes look like pretty harmless code removal. Given that the testcase uses insertAdjacentText(), and the regression range contains bug 811259, "implement Element.insertAdjacentText and Element.insertAdjacentElement", I think that's a more likely culprit.
Flags: needinfo?(botond)
(I tried to needinfo the assignee of bug 811259, but Bugzilla told me: "You asked Jocelyn Liu [:jocelyn] [:joliu] <yrliou@gmail.com> for needinfo on bug 1403117, but that bug has been restricted to users in certain groups, and the user you asked isn't in all the groups to which the bug has been restricted. Please choose someone else to ask, or make the bug accessible to users on its CC: list and add that user to the list." So ni?smaug, who reviewed the patches in the bug.)
Flags: needinfo?(bugs)
Ah yes, thank you. That's a lot saner :)
Flags: needinfo?(yrliou)
(In reply to Botond Ballo [:botond] from comment #6) > (I tried to needinfo the assignee of bug 811259, but Bugzilla told me: You just have to manually CC the person in order to needinfo them.
This is really unrelated to insertAdjacentText. The same crash can be reproduced with an equivalent code: > a.parentNode.insertBefore(document.createTextNode("aaaaaaa"), a.nextSibling);
Attached file updated testcase
This can be used to test earlier version.
In this range, only bug 1001994 seems very suspicious. The patch creates nsInlineFrame::DestroyFrom function, so it is likely to be the cause of this.
Flags: needinfo?(yrliou)
Flags: needinfo?(mats)
Flags: needinfo?(bugs)
See Also: → 1382213
Opt build crashes with a null deref on this testcase, so it's not protected by our "framepoisoning" mitigation (which would show a unique address range).
Blocks: 1001994
Version: 48 Branch → 33 Branch
Attached file stack + frame dump
We crash b/c nsLayoutUtils::GetFloatContainingBlock is trying to use a destroyed ancestor frame (red). The reason is that nsBlockFrame::DoRemoveFrame removes frame in order, so (red) is destroyed before (blue) which is the parent of (green). The problem is that due to "lazy reparenting", the (green) frame has not yet been reparented so its 'mParent' still points to (red) even though it's a child of (blue). So this is exactly the same underlying bug as in bug 1382213. Also, frame-poisoning should make it unexploitable on all platforms. (I don't know why it looked like a null-pointer crash to dveditz in comment 13, but I'm guessing the local variable 'ancestor' was optimized away and on some platforms that looks like a null pointer?)
Assignee: nobody → mats
Flags: needinfo?(mats)
No longer blocks: 1001994
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → DUPLICATE
Sorry, duped to the wrong bug.
Blocks: 1001994
(tracking this in bug 1382213)
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: