Closed Bug 1416450 Opened 7 years ago Closed 7 years ago

DOM - Use After Free in HasFlag()

Categories

(Core :: DOM: Core & HTML, defect)

58 Branch
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 + verified
firefox59 + verified

People

(Reporter: loobenyang, Assigned: smaug)

References

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(3 files, 1 obsolete file)

Attached file UAF_HasFlag_PoC.html
Reproduction test case: UAF_HasFlag_PoC.html

Steps to reproduce:
    1. Open UAF_HasFlag_PoC.html in Firefox.
    2. Firefox crashes by using freed memory in HasFlag().

Firefox version: 58.0a1 (2017-11-10) (64-bit)
OS: Ubuntu 16.04 LTS

Stack trace:

=================================================================
==12169==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000087358 at pc 0x7febb2d6e7ef bp 0x7ffdfb1b7e70 sp 0x7ffdfb1b7e68
READ of size 4 at 0x60e000087358 thread T0 (file:// Content)
    #0 0x7febb2d6e7ee in HasFlag /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:264:15
    #1 0x7febb2d6e7ee in HasProperties /builds/worker/workspace/build/src/dom/base/nsINode.h:902
    #2 0x7febb2d6e7ee in nsINode::GetProperty(unsigned short, nsAtom*, nsresult*) const /builds/worker/workspace/build/src/dom/base/nsINode.cpp:164
    #3 0x7febb2a97d1d in GetProperty /builds/worker/workspace/build/src/dom/base/nsINode.h:768:12
    #4 0x7febb2a97d1d in mozilla::dom::Element::UnregisterIntersectionObserver(mozilla::dom::DOMIntersectionObserver*) /builds/worker/workspace/build/src/dom/base/Element.cpp:4340
    #5 0x7febb286f75e in mozilla::dom::DOMIntersectionObserver::Disconnect() /builds/worker/workspace/build/src/dom/base/DOMIntersectionObserver.cpp:221:13
    #6 0x7febb286f4e9 in mozilla::dom::DOMIntersectionObserver::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/base/DOMIntersectionObserver.cpp:47:8
    #7 0x7febafd5a170 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3401:26
    #8 0x7febafd5cf6a in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3769:24
    #9 0x7febafd6112b in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4330:21
    #10 0x7febb2d9861c in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1561:3
    #11 0x7febb2d9900f in ICCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1620:3
    #12 0x7febafe7b99d in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #13 0x7febafe7b99d in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:62
    #14 0x7febafe7c59d in mozilla::TimedOut(nsITimer*, void*) /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:84:13
    #15 0x7febafeda676 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:701:7
    #16 0x7febafeac346 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #17 0x7febafe95ce1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #18 0x7febafebb284 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #19 0x7febafed58c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #20 0x7febb0c8b9b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #21 0x7febb0bebd3b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #22 0x7febb0bebd3b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #23 0x7febb0bebd3b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #24 0x7febb67775ef in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #25 0x7febbaa94187 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #26 0x7febb0bebd3b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #27 0x7febb0bebd3b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #28 0x7febb0bebd3b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #29 0x7febbaa93b3a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #30 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #31 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #32 0x7febcdadf82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #33 0x41dbc8 in _start (/home/thecoder/FirefoxBuilds/firefox/firefox+0x41dbc8)

0x60e000087358 is located 24 bytes inside of 152-byte region [0x60e000087340,0x60e0000873d8)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7febafd562a7 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7febafd60ad4 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7febafd60ad4 in nsCycleCollector_doDeferredDeletion() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4293
    #4 0x7febb169a143 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:124:34
    #5 0x7febafedc9cf in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:339:22
    #6 0x7febafebb284 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #7 0x7febafed58c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7febb0c8b9c1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #9 0x7febb0bebd3b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #10 0x7febb0bebd3b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #11 0x7febb0bebd3b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #12 0x7febb67775ef in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #13 0x7febbaa94187 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #14 0x7febb0bebd3b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7febb0bebd3b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7febb0bebd3b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7febbaa93b3a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #18 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #19 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #20 0x7febcdadf82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7febb5049f43 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7febb5049f43 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLSharedElement.cpp:23
    #4 0x7febb1cacbff in nsHtml5TreeOperation::CreateHTMLElement(nsAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsNodeInfoManager*, nsHtml5DocumentBuilder*, nsGenericHTMLElement* (*)(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser)) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:460:20
    #5 0x7febb1cbaf21 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:872:17
    #6 0x7febb1cb7976 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29
    #7 0x7febb1cc2d3b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #8 0x7febafe95ce1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #9 0x7febafebb284 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #10 0x7febafed58c8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #11 0x7febb0c8b9c1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #12 0x7febb0bebd3b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7febb0bebd3b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7febb0bebd3b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7febb67775ef in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #16 0x7febbaa94187 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #17 0x7febb0bebd3b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7febb0bebd3b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7febb0bebd3b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7febbaa93b3a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #21 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #22 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #23 0x7febcdadf82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:264:15 in HasFlag
Shadow bytes around the buggy address:
  0x0c1c80008e10: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c80008e20: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1c80008e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c80008e40: 00 00 00 00 fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1c80008e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c1c80008e60: fa fa fa fa fa fa fa fa fd fd fd[fd]fd fd fd fd
  0x0c1c80008e70: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1c80008e80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c80008e90: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c1c80008ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c80008eb0: 00 00 00 00 fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12169==ABORTING
Group: core-security → dom-core-security
Running on non-ASAN builds, I can't get opt builds to crash with this testcase. However, debug builds will eventually crash after a null deref assertion. That bisects to this push:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?changeset=f70abea8b810

Jet, can you help find an owner? I'm going to say that <58 are unaffected under the assumption that IntersectionObserver is indeed important for whatever's going on here, but feel free to change the flags if it turns out the underlying issue goes back further.
Has Regression Range: --- → yes
Flags: needinfo?(bugs)
Olli: can you help shed some light on this one? It appears that a deleted Element wasn't removed from the IntersectionObserver::mObservationTargets list and a subsequent cycle collection pass tries to access it. The test replaces the Element that the IntersectionObserver is observing while a MutationObserver wraps that element in a selection range. Can you help identify a better way to purge the IntersectionObserver's targets list to avoid this? Thx!
Flags: needinfo?(bugs) → needinfo?(bugs)
Flags: needinfo?(bugs)
Hmm, yeah, someone is not calling DOMIntersectionObserver::UnlinkElement or DOMIntersectionObserver::Unobserve when one should.
Looking.
I wonder if this is a regression from bug 1316277
Attached patch wip (obsolete) — Splinter Review
wip, but I'm seeing a leak. Not sure the patch causes that or whether it is something else.
Flags: needinfo?(bugs)
Assignee: nobody → bugs
This seems to be a regression from bug 1316277, and the leak is probably from my patch.
This should bring back the old behavior. Ensure that whenever the property is deleted, we call UnlinkElement. Note the last param to SetProperty
Attachment #8929177 - Attachment is obsolete: true
Attachment #8929232 - Flags: review?(mrbkap)
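A minimal C++ model of the lifetime problem described in the comments above and of the fix (deleting the observer property triggers an unlink of the element). This is an added illustration, not Gecko's code: `Property`, `Observe`, `AdoptIntoOtherDocument`, `CountDanglingTargets` and `RunScenario` are simplified stand-ins for the nsINode property API with its destructor callback and for DOMIntersectionObserver.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Added illustration, not Gecko code: an observer records raw pointers to the
// elements it observes (like mObservationTargets), and each element stores the
// observer as a node "property". If that property is deleted (here: when the
// element is adopted into another document) without telling the observer, the
// observer keeps a dangling pointer and later dereferences it in Disconnect().

struct Observer;
struct Element;

// A property slot with an optional destructor callback, standing in for the
// destructor argument of SetProperty mentioned in the comment above.
struct Property {
    Observer* observer = nullptr;
    std::function<void(Observer*, Element*)> dtor;  // empty => no callback
};

// Bookkeeping for the demonstration only: which Element objects are alive, so
// a stale pointer can be detected without touching freed memory.
static std::set<const Element*> gLiveElements;

struct Element {
    std::unique_ptr<Property> prop;
    Element() { gLiveElements.insert(this); }
    ~Element() { DeleteProperty(); gLiveElements.erase(this); }

    // Deleting a property runs its destructor callback first, if one is set.
    void DeleteProperty() {
        if (prop && prop->dtor) prop->dtor(prop->observer, this);
        prop.reset();
    }
};

// Adoption into another document discards node properties; this is the step
// that silently dropped the observer back-reference in this bug.
static void AdoptIntoOtherDocument(Element& e) { e.DeleteProperty(); }

struct Observer {
    std::vector<Element*> targets;  // raw, non-owning, like mObservationTargets

    void Observe(Element& e, bool unlinkOnPropertyDeletion) {
        targets.push_back(&e);
        auto p = std::make_unique<Property>();
        p->observer = this;
        if (unlinkOnPropertyDeletion) {
            // The fix: whenever the property goes away, unlink the element.
            p->dtor = [](Observer* o, Element* el) { o->UnlinkElement(el); };
        }
        e.prop = std::move(p);
    }

    void UnlinkElement(Element* e) {
        targets.erase(std::remove(targets.begin(), targets.end(), e),
                      targets.end());
    }

    // The real Disconnect() calls UnregisterIntersectionObserver on every
    // target; here we only count targets that no longer exist, i.e. the
    // pointers the real code would read after free.
    std::size_t CountDanglingTargets() const {
        std::size_t n = 0;
        for (const Element* e : targets)
            if (gLiveElements.count(e) == 0) ++n;
        return n;
    }
};

// Runs the sequence from the bug: observe, adopt (property deleted), free the
// element, then let the observer walk its targets. Returns the number of
// dangling target pointers: 1 without the fix, 0 with it.
std::size_t RunScenario(bool withFix) {
    Observer obs;
    {
        auto el = std::make_unique<Element>();
        obs.Observe(*el, withFix);
        AdoptIntoOtherDocument(*el);
    }  // element freed here (deferred deletion by the cycle collector in the real bug)
    return obs.CountDanglingTargets();
}
```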
Comment on attachment 8929232 [details] [diff] [review]
intersection_crash.diff

Review of attachment 8929232 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/base/nsNodeUtils.cpp
@@ +308,1 @@
>  

Nit: Remove this blank line.
Attachment #8929232 - Flags: review?(mrbkap) → review+
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Comment could be
-m "Bug 1416450, ensure IntersectionObservers are deleted when adopting elements, r=mrbkap"


Which older supported branches are affected by this flaw?
FF58

If not all supported branches, which bug introduced the flaw?
As far as I see, Bug 1316277 

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
The patch applies to beta


How likely is this patch to cause regressions; how much testing does it need?
Should be rather safe
Attachment #8929494 - Flags: sec-approval?
Attachment #8929494 - Flags: approval-mozilla-beta?
sec-approval+ for trunk and I'll approve the beta patch as well.
Attachment #8929494 - Flags: sec-approval?
Attachment #8929494 - Flags: sec-approval+
Attachment #8929494 - Flags: approval-mozilla-beta?
Attachment #8929494 - Flags: approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/ef82504a2782
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Blocks: 1316277
Flags: sec-bounty? → sec-bounty+
Group: dom-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Reproduced the initial crash using an old Nightly asan build (2017-11-11) on Ubuntu 16.04 64-bit.

==5435==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000054b98 at pc 0x7f8c82b6047f bp 0x7ffef8d9d310 sp 0x7ffef8d9d308
READ of size 4 at 0x60d000054b98 thread T0 (file:// Content)
    #0 0x7f8c82b6047e in HasFlag /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:264:15
    #1 0x7f8c82b6047e in HasProperties /builds/worker/workspace/build/src/dom/base/nsINode.h:902
    #2 0x7f8c82b6047e in nsINode::GetProperty(unsigned short, nsAtom*, nsresult*) const /builds/worker/workspace/build/src/dom/base/nsINode.cpp:164
    #3 0x7f8c828899ad in GetProperty /builds/worker/workspace/build/src/dom/base/nsINode.h:768:12
    #4 0x7f8c828899ad in mozilla::dom::Element::UnregisterIntersectionObserver(mozilla::dom::DOMIntersectionObserver*) /builds/worker/workspace/build/src/dom/base/Element.cpp:4340
    #5 0x7f8c826613ee in mozilla::dom::DOMIntersectionObserver::Disconnect() /builds/worker/workspace/build/src/dom/base/DOMIntersectionObserver.cpp:221:13
    #6 0x7f8c82661179 in mozilla::dom::DOMIntersectionObserver::cycleCollection::Unlink(void*) /builds/worker/workspace/build/src/dom/base/DOMIntersectionObserver.cpp:47:8
    #7 0x7f8c7fb4bdc0 in nsCycleCollector::CollectWhite() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3401:26
    #8 0x7f8c7fb4ebba in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3769:24
    #9 0x7f8c7fb52d7b in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4330:21
    #10 0x7f8c82b8a2e6 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1561:3
    #11 0x7f8c82b8ac9f in ICCRunnerFired(mozilla::TimeStamp) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1620:3
    #12 0x7f8c7fc6d5ed in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #13 0x7f8c7fc6d5ed in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:62
    #14 0x7f8c7fcaced4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #15 0x7f8c7fcc7518 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #16 0x7f8c80a7d271 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #17 0x7f8c809dd5eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f8c809dd5eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f8c809dd5eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f8c8656877f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #21 0x7f8c8a8882b7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #22 0x7f8c809dd5eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f8c809dd5eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f8c809dd5eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f8c8a887c6a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #26 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #27 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #28 0x7f8c9da5382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x41dbc8 in _start (/home/bogdan.maris/Documents/Asasasan/firefox/firefox+0x41dbc8)

0x60d000054b98 is located 24 bytes inside of 136-byte region [0x60d000054b80,0x60d000054c08)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f8c7fb47ef7 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f8c7fb52724 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f8c7fb52724 in nsCycleCollector_doDeferredDeletion() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4293
    #4 0x7f8c8148b9f3 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:124:34
    #5 0x7f8c7fcce61f in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:339:22
    #6 0x7f8c7fcaced4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #7 0x7f8c7fcc7518 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7f8c80a7d271 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #9 0x7f8c809dd5eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #10 0x7f8c809dd5eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #11 0x7f8c809dd5eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #12 0x7f8c8656877f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #13 0x7f8c8a8882b7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #14 0x7f8c809dd5eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7f8c809dd5eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7f8c809dd5eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7f8c8a887c6a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #18 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #19 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #20 0x7f8c9da5382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f8c84e3ab03 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f8c84e3ab03 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLSharedElement.cpp:23
    #4 0x7f8c81a9e4af in nsHtml5TreeOperation::CreateHTMLElement(nsAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsNodeInfoManager*, nsHtml5DocumentBuilder*, nsGenericHTMLElement* (*)(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser)) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:460:20
    #5 0x7f8c81aac7d1 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:872:17
    #6 0x7f8c81aa9226 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29
    #7 0x7f8c81ab495b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #8 0x7f8c7fc87931 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #9 0x7f8c7fcaced4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #10 0x7f8c7fcc7518 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #11 0x7f8c80a7d271 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #12 0x7f8c809dd5eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7f8c809dd5eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7f8c809dd5eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7f8c8656877f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #16 0x7f8c8a8882b7 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #17 0x7f8c809dd5eb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f8c809dd5eb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f8c809dd5eb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f8c8a887c6a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #21 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #22 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #23 0x7f8c9da5382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsWrapperCache.h:264:15 in HasFlag
Shadow bytes around the buggy address:
  0x0c1a80002920: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80002930: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1a80002940: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1a80002950: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1a80002960: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
=>0x0c1a80002970: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80002980: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1a80002990: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1a800029a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a800029b0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c1a800029c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5435==ABORTING

I verified that the crash no longer reproduces using the latest Nightly 59.0a1 and latest 58.0 asan builds on Ubuntu 16.04 64-bit, and the regular latest Nightly 59.0a1 and 58.0 RC builds on macOS 10.13.2 and Windows 10 64-bit.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release