Closed Bug 1410473 Opened 8 years ago Closed 8 years ago

AddressSanitizer: heap-use-after-free READ of size 8 in reset include/mozilla/UniquePtr.h:340:19

Categories

(Core :: DOM: Events, defect)

58 Branch
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: rs, Assigned: stone)

Details

(Keywords: csectype-uaf)

Attachments

(1 file)

Attached file crash.html
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.9 Safari/537.36

Steps to reproduce:

Mouse over will crash Firefox, tested on 58.0a1 nightly asan build.

<body>
<input id='tname' type="text" onblur=alert("blur")></input>
<BR>
<input id='bTest' type="button" value="Test" onclick=alert("click") onmouseover=alert("mouseover")></input>
</body>

Actual results:

=================================================================
==5848==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000d7110 at pc 0x7f57ab5027bf bp 0x7fffdccae570 sp 0x7fffdccae568
READ of size 8 at 0x6040000d7110 thread T0 (file:// Content)
    #0 0x7f57ab5027be in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:340:19
    #1 0x7f57ab5027be in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:313
    #2 0x7f57ab5027be in Reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CoalescedInputData.h:34
    #3 0x7f57ab5027be in mozilla::dom::TabChild::MaybeDispatchCoalescedMouseMoveEvents() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1611
    #4 0x7f57ab50217d in mozilla::dom::CoalescedMouseMoveFlusher::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/ipc/CoalescedMouseData.cpp:58:14
    #5 0x7f57ac3c8d92 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1887:12
    #6 0x7f57ac3d756b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #7 0x7f57ac3d756b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #8 0x7f57ac3d7266 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #9 0x7f57ac3d97bb in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #10 0x7f57ac3d97bb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #11 0x7f57ac3d93c6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:584:9
    #12 0x7f57acc12302 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:67:16
    #13 0x7f57a67bc9a1 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #14 0x7f57a641b37e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1755:28
    #15 0x7f57a6364869 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #16 0x7f57a636187f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #17 0x7f57a6362fb4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #18 0x7f57a6363608 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #19 0x7f57a557d3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #20 0x7f57a5597898 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:512:10
    #21 0x7f57a636c4c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #22 0x7f57a62cb99b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f57a62cb99b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f57a62cb99b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f57abcde01f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #26 0x7f57b007de97 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #27 0x7f57a62cb99b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7f57a62cb99b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7f57a62cb99b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7f57b007d84a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #31 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #32 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #33 0x7f57c3074509 in __libc_start_main (/lib64/libc.so.6+0x20509)
    #34 0x41dbc8 in _start (/home/rs/browsers/firefox_old/firefox+0x41dbc8)

0x6040000d7110 is located 0 bytes inside of 40-byte region [0x6040000d7110,0x6040000d7138)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f57a5464e8f in RawRemove /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:669:3
    #2 0x7f57a5464e8f in PLDHashTable::RemoveEntry(PLDHashEntryHdr*) /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:651
    #3 0x7f57ab567a8a in RemoveEntry /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:222:12
    #4 0x7f57ab567a8a in Remove /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseHashtable.h:194
    #5 0x7f57ab567a8a in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1685
    #6 0x7f57a692e9ca in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3511:20
    #7 0x7f57a6a8689d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:4868:28
    #8 0x7f57a6364869 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #9 0x7f57a636187f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #10 0x7f57a6362fb4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #11 0x7f57a6363608 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #12 0x7f57a5557f81 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #13 0x7f57a557d3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #14 0x7f57a5597898 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:512:10
    #15 0x7f57a558290b in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:431:36)> /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.h:323:25
    #16 0x7f57a558290b in nsThreadManager::SpinEventLoopUntil(nsINestedEventLoopCondition*) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:431
    #17 0x7f57a55a7a91 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #18 0x7f57a6d90db0 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #19 0x7f57a6d90db0 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #20 0x7f57a6d90db0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #21 0x7f57a6d97b3f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #22 0x7f57b032b0c4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #23 0x7f57b032b0c4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #24 0x7f57b031572c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #25 0x7f57b031572c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3067
    #26 0x7f57b02fc32a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #27 0x7f57b032b1c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #28 0x7f57b031572c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #29 0x7f57b031572c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3067
    #30 0x7f57b02fc32a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #31 0x7f57b032b1c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #32 0x7f57b032c0b2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #33 0x7f57b0d72d33 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2962:12
    #34 0x7f57a6d77673 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1317:23
    #35 0x7f57a55a917a in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #36 0x7f57a55a8156 in SharedStub (/home/rs/browsers/firefox_old/libxul.so+0x221d156)
    #37 0x7f57a8015e74 in nsGlobalWindow::AlertOrConfirm(bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:7685:24
    #38 0x7f57a9619773 in mozilla::dom::WindowBinding::alert(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2391:13

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f57ab56796e in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f57ab56796e in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1683
    #4 0x7f57a692e9ca in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3511:20
    #5 0x7f57a6a8689d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:4868:28
    #6 0x7f57a6364869 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #7 0x7f57a636187f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #8 0x7f57a6362fb4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #9 0x7f57a6363608 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #10 0x7f57a5557f81 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #11 0x7f57a557d3d6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #12 0x7f57a5597898 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:512:10
    #13 0x7f57a636c4c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #14 0x7f57a62cb99b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7f57a62cb99b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7f57a62cb99b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7f57abcde01f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #18 0x7f57b007de97 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #19 0x7f57a62cb99b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #20 0x7f57a62cb99b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #21 0x7f57a62cb99b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #22 0x7f57b007d84a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #23 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #24 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #25 0x7f57c3074509 in __libc_start_main (/lib64/libc.so.6+0x20509)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:340:19 in reset
Shadow bytes around the buggy address:
  0x0c0880012dd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c0880012de0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880012df0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880012e00: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x0c0880012e10: fa fa 00 00 00 00 06 fa fa fa fd fd fd fd fd fa
=>0x0c0880012e20: fa fa[fd]fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880012e30: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880012e40: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880012e50: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880012e60: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c0880012e70: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5848==ABORTING
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Events
Keywords: csectype-uaf
Product: Firefox → Core
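The three ASan stacks above describe one hazard class: the coalesced-mouse entry is allocated and later removed from a hashtable inside TabChild::RecvRealMouseButtonEvent, which runs in a nested event loop spun by alert(), while the refresh-driver flusher (MaybeDispatchCoalescedMouseMoveEvents) still holds a pointer to the entry and calls Reset on it. The following is an added illustration, not TabChild's code: a simplified table of per-pointer coalesced data whose flush can be re-entered by a dispatch callback that removes or re-creates entries. CoalescedMouseTable, FlushUnsafe, FlushSafe and RunReentrantScenario are hypothetical names chosen here; the unsafe flush shows the dangling-pointer pattern and is never executed, the safe flush moves ownership out of the table before dispatching so a re-entrant Remove() has nothing left to free.

```cpp
// Added example (not Firefox code): a simplified model of a re-entrancy
// use-after-free in a flush over an owning table. Names are hypothetical.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <map>
#include <memory>
#include <vector>

struct CoalescedMouseData {
  int pointerId = 0;
  int moveCount = 0;   // number of mousemove events folded into this entry
  void Reset() { moveCount = 0; }
};

class CoalescedMouseTable {
 public:
  // Dispatches one entry. It may re-enter the table (insert or remove),
  // exactly as a nested event loop delivering further IPC events could.
  using DispatchFn = std::function<void(CoalescedMouseTable&, int pointerId, int moves)>;

  void Coalesce(int pointerId) {
    std::unique_ptr<CoalescedMouseData>& slot = mData[pointerId];
    if (!slot) {
      slot = std::make_unique<CoalescedMouseData>();
      slot->pointerId = pointerId;
    }
    slot->moveCount++;
  }

  // The "freed by" side of the trace: the entry is dropped from the table.
  void Remove(int pointerId) { mData.erase(pointerId); }

  std::size_t Size() const { return mData.size(); }

  // UNSAFE pattern (shown only, never called): `data` and the map iterator
  // both dangle if `dispatch` removes the entry re-entrantly, and the final
  // Reset() then writes into freed memory, which is what ASan reported above.
  void FlushUnsafe(const DispatchFn& dispatch) {
    for (auto& kv : mData) {
      CoalescedMouseData* data = kv.second.get();
      dispatch(*this, data->pointerId, data->moveCount);
      data->Reset();
    }
  }

  // SAFE pattern: iterate a snapshot of keys, re-look each one up, and take
  // ownership out of the table before dispatching. A re-entrant Remove() then
  // finds nothing to free, and the object dies only when this frame is done.
  // Returns the number of entries dispatched.
  int FlushSafe(const DispatchFn& dispatch) {
    std::vector<int> keys;
    for (const auto& kv : mData) keys.push_back(kv.first);

    int dispatched = 0;
    for (int id : keys) {
      auto it = mData.find(id);
      if (it == mData.end() || !it->second) continue;  // removed by an earlier dispatch
      std::unique_ptr<CoalescedMouseData> owned = std::move(it->second);
      mData.erase(it);
      dispatch(*this, owned->pointerId, owned->moveCount);
      owned->Reset();  // safe: this frame owns the object
      ++dispatched;
    }
    return dispatched;
  }

 private:
  // std::map (ordered) so the constructed scenario below is deterministic.
  std::map<int, std::unique_ptr<CoalescedMouseData>> mData;
};

struct FlushOutcome {
  int dispatched;
  std::size_t remaining;
};

// Constructed scenario: pointers 1 and 2 have coalesced moves. Dispatching
// pointer 1 re-enters the table, removes pointer 2 and re-creates pointer 1
// (as events arriving inside a nested event loop would). The flush must
// finish without touching freed memory: one entry dispatched, one fresh
// entry left in the table.
FlushOutcome RunReentrantScenario() {
  CoalescedMouseTable table;
  table.Coalesce(1);
  table.Coalesce(1);
  table.Coalesce(2);

  int dispatched = table.FlushSafe([](CoalescedMouseTable& t, int id, int) {
    if (id == 1) {
      t.Remove(2);    // re-entrant removal of another entry
      t.Coalesce(1);  // re-entrant re-creation of the entry being dispatched
    }
  });
  return FlushOutcome{dispatched, table.Size()};
}

int main() {
  FlushOutcome o = RunReentrantScenario();
  std::printf("dispatched=%d remaining=%zu\n", o.dispatched, o.remaining);
  return 0;
}
```

The design point is ownership, not the snapshot alone: copying keys protects the iterator, but only moving the unique_ptr out of the table before the callback guarantees that nothing the nested event loop does can free the object this frame is about to Reset. Building the same scenario with FlushUnsafe under AddressSanitizer reproduces the heap-use-after-free report shape seen in this bug.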
I think this has the same cause as bug 1407700. Verified with the nightly build (https://hg.mozilla.org/mozilla-central/rev/d1e995c8640a191cd127e87273ec96cb2fabffa9) and it works.
You mean, you don't see the crash on a build with bug 1407700? I'll close this as WFM then, thanks. Reporter, please reopen or needinfo me or something if you think we have not actually fixed this issue.
Assignee: nobody → sshih
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Depends on: 1407700
Resolution: --- → WORKSFORME
Group: dom-core-security