Closed Bug 1413981 Opened 3 years ago Closed 2 years ago

heap-use-after-free in [@ mozilla::dom::ImageTracker::SetLockingState]

Categories: Core :: DOM: Core & HTML, defect, P1, critical
58 Branch, defect

Tracking: RESOLVED DUPLICATE of bug 1414762
Tracking Status:
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 + fixed

People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 6 files

I'm not sure if this is DOM or ImageLib; I'll start with DOM.

==12337==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00073a440 at pc 0x7fcda52bae77 bp 0x7ffef3cbae50 sp 0x7ffef3cbae48
READ of size 8 at 0x60c00073a440 thread T0
    #0 0x7fcda52bae76 in mozilla::dom::ImageTracker::SetLockingState(bool) /src/dom/base/ImageTracker.cpp:116:14
    #1 0x7fcda95d9452 in mozilla::PresShell::UpdateImageLockingState() /src/layout/base/PresShell.cpp:10598:44
    #2 0x7fcda95dd5e1 in mozilla::PresShell::SetIsActive(bool) /src/layout/base/PresShell.cpp:10576:17
    #3 0x7fcdac67780e in nsDocShell::SetIsActive(bool) /src/docshell/base/nsDocShell.cpp:6345:13
    #4 0x7fcda26ad4c1 in NS_InvokeByIndex /src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #5 0x7fcda3eb36e0 in Invoke /src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #6 0x7fcda3eb36e0 in Call /src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #7 0x7fcda3eb36e0 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #8 0x7fcda3ebac54 in SetAttribute /src/js/xpconnect/src/xpcprivate.h:1682:17
    #9 0x7fcda3ebac54 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:957
    #10 0x7fcdade1b535 in js::jit::CallNativeSetter(JSContext*, JS::Handle<JSFunction*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>) /src/js/src/jit/VMFunctions.cpp:1544:12
    #11 0x3587b5687860  (<unknown module>)

0x60c00073a440 is located 0 bytes inside of 128-byte region [0x60c00073a440,0x60c00073a4c0)
freed by thread T0 here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7fcda4efcec5 in imgRequestProxy::Release() /src/image/imgRequestProxy.cpp:96:1
    #2 0x7fcda51aec07 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:41:11
    #3 0x7fcda51aec07 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #4 0x7fcda51aec07 in assign_assuming_AddRef /src/obj-firefox/dist/include/mozilla/RefPtr.h:66
    #5 0x7fcda51aec07 in operator= /src/obj-firefox/dist/include/mozilla/RefPtr.h:168
    #6 0x7fcda51aec07 in nsImageLoadingContent::ClearPendingRequest(nsresult, mozilla::Maybe<mozilla::OnNonvisible> const&) /src/dom/base/nsImageLoadingContent.cpp:1510
    #7 0x7fcda51b6adb in PreparePendingRequest /src/dom/base/nsImageLoadingContent.cpp:1401:3
    #8 0x7fcda51b6adb in nsImageLoadingContent::PrepareNextRequest(nsImageLoadingContent::ImageLoadType) /src/dom/base/nsImageLoadingContent.cpp:1344
    #9 0x7fcda51b7a20 in nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, bool, nsIDocument*, unsigned int, nsIPrincipal*) /src/dom/base/nsImageLoadingContent.cpp:995:34
    #10 0x7fcda51b912b in nsImageLoadingContent::LoadImage(nsTSubstring<char16_t> const&, bool, bool, nsImageLoadingContent::ImageLoadType, nsIPrincipal*) /src/dom/base/nsImageLoadingContent.cpp:889:10
    #11 0x7fcda7648e88 in mozilla::dom::HTMLImageElement::LoadSelectedImage(bool, bool, bool) /src/dom/html/HTMLImageElement.cpp:1012:12
    #12 0x7fcda7648528 in mozilla::dom::HTMLImageElement::MaybeLoadImage(bool) /src/dom/html/HTMLImageElement.cpp:682:3
    #13 0x7fcda76a86a7 in applyImpl<mozilla::dom::HTMLImageElement, void (mozilla::dom::HTMLImageElement::*)(bool), StoreCopyPassByConstLRef<bool> , 0> /src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #14 0x7fcda76a86a7 in apply<mozilla::dom::HTMLImageElement, void (mozilla::dom::HTMLImageElement::*)(bool)> /src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #15 0x7fcda76a86a7 in mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLImageElement*, void (mozilla::dom::HTMLImageElement::*)(bool), true, (mozilla::RunnableKind)0, bool>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #16 0x7fcda508d220 in nsContentUtils::RemoveScriptBlocker() /src/dom/base/nsContentUtils.cpp:5735:15
    #17 0x7fcda547a819 in nsDocument::EndUpdate(unsigned int) /src/dom/base/nsDocument.cpp:5419:3
    #18 0x7fcda77f321c in nsHTMLDocument::EndUpdate(unsigned int) /src/dom/html/nsHTMLDocument.cpp:2522:15
    #19 0x7fcda5575415 in ~mozAutoDocUpdate /src/dom/base/mozAutoDocUpdate.h:40:18
    #20 0x7fcda5575415 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2540
    #21 0x7fcda5ca5b06 in InsertBefore /src/dom/base/nsINode.h:1838:12
    #22 0x7fcda5ca5b06 in AppendChild /src/dom/base/nsINode.h:1842
    #23 0x7fcda5ca5b06 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:885
    #24 0x7fcda6ffc670 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
    #25 0x7fcdad627470 in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #26 0x7fcdad627470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:472
    #27 0x7fcdad6122b9 in CallFromStack /src/js/src/vm/Interpreter.cpp:527:12
    #28 0x7fcdad6122b9 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3066
    #29 0x7fcdad5fa18a in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:422:12
    #30 0x7fcdad62756f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:494:15
    #31 0x7fcdad628462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:540:10
    #32 0x7fcdae06e3fb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3019:12
    #33 0x7fcda6a1ab27 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #34 0x7fcda73df28c in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #35 0x7fcda73df28c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1115
    #36 0x7fcda73e1492 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /src/dom/events/EventListenerManager.cpp:1293:20
    #37 0x7fcda73c0b71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:462:16
    #38 0x7fcda73c4042 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:826:9
    #39 0x7fcda739323a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp:895:12
    #40 0x7fcda556e501 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /src/dom/base/nsINode.cpp:1356:5
    #41 0x7fcda5080ada in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) /src/dom/base/nsContentUtils.cpp:4607:18
    #42 0x7fcda508089b in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) /src/dom/base/nsContentUtils.cpp:4575:10

previously allocated by thread T0 here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7fcda4ed9ebb in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7fcda4ed9ebb in imgLoader::CreateNewProxyForRequest(imgRequest*, nsILoadGroup*, nsIDocument*, imgINotificationObserver*, unsigned int, imgRequestProxy**) /src/image/imgLoader.cpp:1122
    #4 0x7fcda4ee73e3 in imgLoader::LoadImage(nsIURI*, nsIURI*, nsIURI*, mozilla::net::ReferrerPolicy, nsIPrincipal*, unsigned long, nsILoadGroup*, imgINotificationObserver*, nsINode*, nsIDocument*, unsigned int, nsISupports*, unsigned int, nsTSubstring<char16_t> const&, bool, imgRequestProxy**) /src/image/imgLoader.cpp:2393:10
    #5 0x7fcda507b5d9 in nsContentUtils::LoadImage(nsIURI*, nsINode*, nsIDocument*, nsIPrincipal*, unsigned long, nsIURI*, mozilla::net::ReferrerPolicy, imgINotificationObserver*, int, nsTSubstring<char16_t> const&, imgRequestProxy**, unsigned int, bool) /src/dom/base/nsContentUtils.cpp:3841:21
    #6 0x7fcda51b7c6a in nsImageLoadingContent::LoadImage(nsIURI*, bool, bool, nsImageLoadingContent::ImageLoadType, bool, nsIDocument*, unsigned int, nsIPrincipal*) /src/dom/base/nsImageLoadingContent.cpp:1012:17
    #7 0x7fcda51b912b in nsImageLoadingContent::LoadImage(nsTSubstring<char16_t> const&, bool, bool, nsImageLoadingContent::ImageLoadType, nsIPrincipal*) /src/dom/base/nsImageLoadingContent.cpp:889:10
    #8 0x7fcda7648e88 in mozilla::dom::HTMLImageElement::LoadSelectedImage(bool, bool, bool) /src/dom/html/HTMLImageElement.cpp:1012:12
    #9 0x7fcda7648528 in mozilla::dom::HTMLImageElement::MaybeLoadImage(bool) /src/dom/html/HTMLImageElement.cpp:682:3
    #10 0x7fcda76a86a7 in applyImpl<mozilla::dom::HTMLImageElement, void (mozilla::dom::HTMLImageElement::*)(bool), StoreCopyPassByConstLRef<bool> , 0> /src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #11 0x7fcda76a86a7 in apply<mozilla::dom::HTMLImageElement, void (mozilla::dom::HTMLImageElement::*)(bool)> /src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #12 0x7fcda76a86a7 in mozilla::detail::RunnableMethodImpl<mozilla::dom::HTMLImageElement*, void (mozilla::dom::HTMLImageElement::*)(bool), true, (mozilla::RunnableKind)0, bool>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #13 0x7fcda508d220 in nsContentUtils::RemoveScriptBlocker() /src/dom/base/nsContentUtils.cpp:5735:15
    #14 0x7fcda547a819 in nsDocument::EndUpdate(unsigned int) /src/dom/base/nsDocument.cpp:5419:3
    #15 0x7fcda77f321c in nsHTMLDocument::EndUpdate(unsigned int) /src/dom/html/nsHTMLDocument.cpp:2522:15
    #16 0x7fcda5575415 in ~mozAutoDocUpdate /src/dom/base/mozAutoDocUpdate.h:40:18
    #17 0x7fcda5575415 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:2540
    #18 0x7fcda5ca5b06 in InsertBefore /src/dom/base/nsINode.h:1838:12
    #19 0x7fcda5ca5b06 in AppendChild /src/dom/base/nsINode.h:1842
    #20 0x7fcda5ca5b06 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/NodeBinding.cpp:885
    #21 0x7fcda6ffc670 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3040:13
    #22 0x7fcdad627470 in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #23 0x7fcdad627470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:472
    #24 0x7fcdad628462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:540:10
    #25 0x7fcdae3143ee in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/js/src/proxy/Wrapper.cpp:176:12
    #26 0x7fcdae2c9e65 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #27 0x7fcdae2f4073 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /src/js/src/proxy/Proxy.cpp:511:21
    #28 0x7fcdae2f6757 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /src/js/src/proxy/Proxy.cpp:770:12
    #29 0x7fcdad6277ef in CallJSNative /src/js/src/jscntxtinlines.h:291:15
    #30 0x7fcdad6277ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:454
    #31 0x7fcdad6122b9 in CallFromStack /src/js/src/vm/Interpreter.cpp:527:12
    #32 0x7fcdad6122b9 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3066
    #33 0x7fcdad5fa18a in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:422:12
    #34 0x7fcdad62756f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:494:15
    #35 0x7fcdad628462 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:540:10
    #36 0x7fcdae06e3fb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:3019:12
    #37 0x7fcda6a1ab27 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #38 0x7fcda73df28c in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #39 0x7fcda73df28c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1115
Keywords: sec-high
Attached file test_case.html
Attached file fuzz.js
Attached file launcher.html
Attached file prefs.js
Timothy, is this something you could look at? Or is it more docshell-y? Thanks.
Flags: needinfo?(tnikkel)
STR:
1) grab all the attached files and put them in the same location
2) launch the browser using the attached prefs.js file (not required, but it allows window.close() to work properly)
3) open launcher.html; the browser usually crashes after about three attempts
Attached file alt_log.txt
I am also seeing this UAF [@ mozilla::dom::ImageTracker::RequestDiscardAll] from the same test case.
Crash Signature: [@ mozilla::dom::ImageTracker::SetLockingState]
Looks like we mess up in image tracking. Probably image-related code. I'm looking into it.
INFO: Last good revision: 19d68ad55452ab72ff9662e3ac778f5aaac751a5
INFO: First bad revision: f24a18bffbc70de57437b69fcd9e36734d252199
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=19d68ad55452ab72ff9662e3ac778f5aaac751a5&tochange=f24a18bffbc70de57437b69fcd9e36734d252199
Blocks: 1404422
Has Regression Range: --- → yes
The CancelAndForgetObserver call in nsImageLoadingContent::ClearPendingRequest here

http://searchfox.org/mozilla-central/rev/af86a58b157fbed26b0e86fcd81f1b421e80e60a/dom/base/nsImageLoadingContent.cpp#1509

ends up triggering the load event of the document (presumably the onload-blocking things that were removed by the regressing bug changed this), and that flushes layout, constructs frames, constructs the frame for the same nsImageLoadingContent object, and that triggers calling TrackImage before we clear mPendingRequest.
Attached file stack.txt
Here's the stack showing the problem.
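The ordering hazard described in the comment above, as an added model that is not Gecko code: hypothetical Request, ImageContent and ImageTracker stand in for imgRequestProxy, nsImageLoadingContent and ImageTracker, and the cancel callback plays the role of the load event that re-enters TrackImage. The tracker reports entries that point at a freed request instead of dereferencing them, which is the read ASan flagged on this page.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <vector>
// Hypothetical model, not Gecko code. Registry of requests still allocated, so the
// tracker can report a dangling entry without dereferencing freed memory.
static std::set<const void*> g_live;
struct Request {                                  // stands in for imgRequestProxy
    std::function<void()> onCancel;               // models the document load event
    Request() { g_live.insert(this); }
    ~Request() { g_live.erase(this); }
    void cancelAndForgetObserver() { if (onCancel) onCancel(); }
};

struct ImageTracker {                             // non-owning, pointer-keyed like the real one
    std::vector<Request*> tracked;
    void track(Request* r) { tracked.push_back(r); }
    // Models SetLockingState() walking every tracked request: returns how many entries
    // now point at freed memory (the read ASan reported) instead of touching them.
    int countDangling() const {
        int n = 0;
        for (Request* r : tracked) if (!g_live.count(r)) ++n;
        return n;
    }
};

struct ImageContent {                             // stands in for nsImageLoadingContent
    std::shared_ptr<Request> pending;             // mPendingRequest
    ImageTracker* tracker;
    // Models TrackImage() being called from frame construction during a layout flush.
    void trackImage() { if (pending) tracker->track(pending.get()); }
    // Order as in the regressing code: cancel first, clear the member afterwards.
    void clearPendingBuggy() {
        pending->cancelAndForgetObserver();       // re-enters trackImage() while pending is still set
        pending = nullptr;                        // last reference: request freed, tracker still points at it
    }
    // Safe order: detach the member before anything that can run script or flush layout.
    void clearPendingFixed() {
        std::shared_ptr<Request> req = std::move(pending);   // pending is now null
        req->cancelAndForgetObserver();           // re-entrant trackImage() finds nothing to track
    }                                             // req released here, tracked by nobody
};
// One scenario: the cancel callback re-enters trackImage(), as the load event did in the bug.
int danglingAfterClear(bool fixed) {
    ImageTracker tracker;
    ImageContent content{std::make_shared<Request>(), &tracker};
    content.pending->onCancel = [&content] { content.trackImage(); };
    if (fixed) content.clearPendingFixed(); else content.clearPendingBuggy();
    return tracker.countDangling();               // 1 for the buggy order, 0 for the fixed one
}
```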
new sec-high in 58, tracking
tnikkel, it sounds like the fix will be the same as in bug 1414762?
Priority: -- → P1
Yes.
Flags: needinfo?(tnikkel)
Tyson: can you retest now that bug 1414762 is fixed? (it's not clear to me if comment 13 means it's a dupe, or if we need the "same fix" in a new spot.)
Depends on: 1414762
Flags: needinfo?(twsmith)
I can no longer reproduce this issue with the latest m-c ASan nightly build. I assume this can be closed?
Flags: needinfo?(twsmith) → needinfo?(tnikkel)
Yes.
Flags: needinfo?(tnikkel)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1414762
Group: dom-core-security
Component: DOM → DOM: Core & HTML