Closed Bug 1417405 (CVE-2018-5100) Opened 2 years ago Closed 2 years ago

heap-use-after-free in nsIDocument::IsPotentiallyScrollable

Categories

(Core :: DOM: Core & HTML, defect, P1)

55 Branch
defect

Tracking


VERIFIED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 + verified
firefox59 + verified

People

(Reporter: nils, Assigned: bzbarsky)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main58+][post-critsmash-triage])

Attachments

(3 files)

The following testcase crashes the latest ASAN build of Firefox nightly (SourceStamp=f0c0fb9182d695081edf170d8e3bcb8164f2c96a). The testcase requires the fuzzPriv extension.

crash.html:
<script>
function start() {
	// The iframe's about:blank document (o259) gets its <body> from
	// NS_NewHTMLBodyElement (see the allocation stack in the ASAN output).
	o37=document.createElement('iframe');
	document.documentElement.appendChild(o37);
	o259=o37.contentDocument;
	o290=document.createElement('marquee');
	document.documentElement.appendChild(o290);
	document.documentElement.addEventListener('DOMAttrModified',fun0);
	// scrollingElement -> IsPotentiallyScrollable(body) -> flush, during
	// which the DOMAttrModified listener (fun0) runs script.
	o259.scrollingElement;
}
function fun0() {
	// document.write() replaces the iframe document's body; the GC/CC calls
	// free the old body while IsPotentiallyScrollable still holds it by raw pointer.
	o259.write('<div>');
	fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==25937==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000438fc at pc 0x7f903decfd56 bp 0x7ffddcf68840 sp 0x7ffddcf68838
READ of size 4 at 0x60d0000438fc thread T0 (file:// Content)
    #0 0x7f903decfd55 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1614:12
    #1 0x7f903decfd55 in IsInUncomposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:545
    #2 0x7f903decfd55 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:959
    #3 0x7f903decfd55 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1267
    #4 0x7f903decfd55 in nsIDocument::IsPotentiallyScrollable(mozilla::dom::HTMLBodyElement*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:11007
    #5 0x7f903ded00e6 in nsIDocument::GetScrollingElement() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:11038:18
    #6 0x7f903f4ac198 in mozilla::dom::DocumentBinding::get_scrollingElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:4096:59
    #7 0x7f903fa1bbe6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2909:13
    #8 0x7f9045e5f2b0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #9 0x7f9045e5f2b0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #10 0x7f9045e61285 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #11 0x7f9045e61285 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541
    #12 0x7f9045e61285 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:656
    #13 0x7f9046de3b8c in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2118:16
    #14 0x7f9046de3b8c in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2171
    #15 0x7f9046de3b8c in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2374
    #16 0x7f9046de3b8c in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410
    #17 0x7f904689f71c in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1616:12
    #18 0x7f904689f71c in JS_ForwardGetPropertyTo(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2719
    #19 0x7f903fa13e1f in mozilla::dom::GetPropertyOnPrototype(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, bool*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2096:10
    #20 0x7f903f6dd6f6 in mozilla::dom::HTMLDocumentBinding::DOMProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:2189:8
    #21 0x7f9046b24370 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:352:21
    #22 0x7f9046b24370 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:362
    #23 0x7f9046b4896b in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1615:16
    #24 0x7f9046b4896b in js::ForwardingProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:154
    #25 0x7f9046afbc88 in js::CrossCompartmentWrapper::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:226:23
    #26 0x7f9046b24370 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:352:21
    #27 0x7f9046b24370 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:362
    #28 0x7f9045e6a8cb in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1615:16
    #29 0x7f9045e6a8cb in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:805
    #30 0x7f9045e6a8cb in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4407
    #31 0x7f9045e4cfe4 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:219:12
    #32 0x7f9045e4cfe4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2817
    #33 0x7f9045e3287a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #34 0x7f9045e5f3af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #35 0x7f9045e602a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #36 0x7f90468a511b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
    #37 0x7f903f439b45 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #38 0x7f903fe440ed in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #39 0x7f903fe440ed in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #40 0x7f903fe0c176 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118:51
    #41 0x7f903fe0e342 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #42 0x7f903fdeda61 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #43 0x7f903fdf0f32 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #44 0x7f90421018ae in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #45 0x7f904519ffc1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7779:21
    #46 0x7f904519bfe4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7577:7
    #47 0x7f90451a386f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7474:13
    #48 0x7f903cce2783 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #49 0x7f903cce18ec in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #50 0x7f903ccde978 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
    #51 0x7f903cce0892 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
    #52 0x7f903cce14ec in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
    #53 0x7f903b264be0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #54 0x7f903dec066d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9379:18
    #55 0x7f903dec0231 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9301:9
    #56 0x7f903de99e79 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5666:3
    #57 0x7f903df3b542 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #58 0x7f903df3b542 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #59 0x7f903df3b542 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #60 0x7f903b0974f1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #61 0x7f903b0bce86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #62 0x7f903b0d7618 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #63 0x7f903be87e41 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #64 0x7f903bde848b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #65 0x7f903bde848b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #66 0x7f903bde848b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #67 0x7f904187da0f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #68 0x7f9045bb4e47 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #69 0x7f903bde848b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #70 0x7f903bde848b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #71 0x7f903bde848b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #72 0x7f9045bb47fa in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #73 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #74 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #75 0x7f905886b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #76 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)

0x60d0000438fc is located 28 bytes inside of 136-byte region [0x60d0000438e0,0x60d000043968)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f903af57067 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f903af5e70b in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f903af5e70b in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925
    #4 0x7f903af5dc23 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
    #5 0x7f903af61a70 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
    #6 0x7f903dfa574d in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1505:3
    #7 0x7f903daf2feb in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1437:3
    #8 0x7f903b0e77e1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #9 0x7f903c8cee40 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7f903c8cee40 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7f903c8cee40 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7f903c8d5bcf in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #13 0x7f9045e5f2b0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #14 0x7f9045e5f2b0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #15 0x7f9045e4a7ec in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #16 0x7f9045e4a7ec in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #17 0x7f9045e3287a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #18 0x7f9045e5f3af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #19 0x7f9045e602a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #20 0x7f90468a3293 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
    #21 0x7f903c7ee35b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7f9045e5f2b0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #23 0x7f9045e5f2b0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #24 0x7f9045e4a7ec in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #25 0x7f9045e4a7ec in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #26 0x7f9045e3287a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #27 0x7f9045e5f3af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #28 0x7f9045e602a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #29 0x7f90468a511b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3032:12
    #30 0x7f903f43cb17 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
    #31 0x7f903fe0c13c in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #32 0x7f903fe0c13c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1115
    #33 0x7f903fe0e342 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1293:20
    #34 0x7f903fdedd2a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:486:14
    #35 0x7f903fdf0f32 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #36 0x7f903fdc01ba in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:895:12
    #37 0x7f903df8b7c1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1356:5

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f90400125a3 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f90400125a3 in NS_NewHTMLBodyElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLBodyElement.cpp:24
    #4 0x7f9042a4711f in nsContentDLF::CreateBlankDocument(nsILoadGroup*, nsIPrincipal*, nsDocShell*) /builds/worker/workspace/build/src/layout/build/nsContentDLF.cpp:308:5
    #5 0x7f90451a6d2e in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8252:16
    #6 0x7f904514645f in nsDocShell::EnsureContentViewer() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:8128:17
    #7 0x7f904517ada7 in GetDocument /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4647:3
    #8 0x7f904517ada7 in non-virtual thunk to nsDocShell::GetDocument() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4645
    #9 0x7f903dbcff33 in MaybeCreateDoc /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:4115:48
    #10 0x7f903dbcff33 in GetDoc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:213
    #11 0x7f903dbcff33 in EnsureInnerWindow /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:978
    #12 0x7f903dbcff33 in WrapObject /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.h:302
    #13 0x7f903dbcff33 in non-virtual thunk to nsGlobalWindow::WrapObject(JSContext*, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.h:300
    #14 0x7f903c82f459 in XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>, xpcObjectHelper&, nsID const*, bool, nsresult*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCConvert.cpp:758:23
    #15 0x7f903c82e08f in XPCConvert::NativeData2JS(JS::MutableHandle<JS::Value>, void const*, nsXPTType const&, nsID const*, nsresult*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCConvert.cpp:345:16
    #16 0x7f903c8cfba9 in GatherAndConvertResults /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1532:18
    #17 0x7f903c8cfba9 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1326
    #18 0x7f903c8cfba9 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #19 0x7f903c8d6385 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1679:17
    #20 0x7f903c8d6385 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
    #21 0x7f9045e5f2b0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #22 0x7f9045e5f2b0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #23 0x7f9045e61285 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #24 0x7f9045e61285 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541
    #25 0x7f9045e61285 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:656
    #26 0x7f9046de3b8c in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2118:16
    #27 0x7f9046de3b8c in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2171
    #28 0x7f9046de3b8c in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2374
    #29 0x7f9046de3b8c in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2410
    #30 0x7f9045e6a8e8 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1616:12
    #31 0x7f9045e6a8e8 in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:805
    #32 0x7f9045e6a8e8 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4407
    #33 0x7f9045e4cfe4 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:219:12
    #34 0x7f9045e4cfe4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2817
    #35 0x7f9045e3287a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #36 0x7f9045e5f3af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #37 0x7f9045e602a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #38 0x7f90468a3293 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
    #39 0x7f903c8b5703 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1317:23
    #40 0x7f903b0e8eca in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #41 0x7f903b0e7ea6 in SharedStub (/fuzzer3/firefox/libxul.so+0x21dcea6)
    #42 0x7f90459bd819 in nsBrowserStatusFilter::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:211:27
    #43 0x7f903cce2783 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #44 0x7f903cce12e0 in nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1284:14
    #45 0x7f903ccdfd55 in doStartURLLoad /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:799:3
    #46 0x7f903ccdfd55 in nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:483
    #47 0x7f903cce000c in non-virtual thunk to nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:394:14
    #48 0x7f903b263c05 in mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:510:28

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsINode.h:1614:12 in GetBoolFlag
Shadow bytes around the buggy address:
==25937==ABORTING
Attached file ASAN output
Group: core-security → dom-core-security
Summary: heap-use-after-free iun nsIDocument::IsPotentiallyScrollable → heap-use-after-free in nsIDocument::IsPotentiallyScrollable
Bisects back to:
Start: c2ff59dd31bce41bc9108939e86618017943b88d (20170526012945)
End: 0874cf4bb194d381a3afaa51276b6cee22f82211 (20170526013027)
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c2ff59dd31bce41bc9108939e86618017943b88d&tochange=0874cf4bb194d381a3afaa51276b6cee22f82211
Bug 1364360 presumably.
Blocks: 1364360
Has Regression Range: --- → yes
Flags: needinfo?(bzbarsky)
Version: 59 Branch → 55 Branch
IsPotentiallyScrollable can run script via the FlushPendingNotifications.  In this case that kills the arg to the function, and then things go south.

I really need to work on getting more of bug 1415230 fixed so this will stop being a problem.
Assignee: nobody → bzbarsky
Flags: needinfo?(bzbarsky)
What I don't know is how to create a testcase for this that doesn't use fuzzPriv.  :(
Comment on attachment 8929323 [details] [diff] [review]
Make sure to hold a strong ref on the stack to arguments passed to IsPotentiallyScrollable

[Security approval request comment]
How easily could an exploit be constructed based on the patch?  Not very easily.  You'd have to figure out how to cause a flush to run script and also make sure the right nodes die, etc.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?  Not really.

Which older supported branches are affected by this flaw?  Anything after 55.

If not all supported branches, which bug introduced the flaw?  Bug 1364360.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?  This should be a trivial backport; I expect the patch just applies directly.

How likely is this patch to cause regressions; how much testing does it need?  This is a very very safe patch.
Attachment #8929323 - Flags: sec-approval?
Attachment #8929323 - Flags: review?(nika) → review+
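A model of the failure described above (a flush inside IsPotentiallyScrollable runs script that frees the raw-pointer argument) beside the fix the patch title names (a strong ref held on the stack), as an added example that is not Gecko code: BodyElement, Document, RefPtr and the registry of live ids are simplified stand-ins for HTMLBodyElement, nsIDocument and Gecko's RefPtr.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <set>

// Registry of live object ids, so the demo can detect a dangling pointer
// without dereferencing freed memory (which would be undefined behaviour).
static std::set<std::size_t> gLiveIds;
static std::size_t gNextId = 1;

// Minimal intrusive refcounting, standing in for nsISupports + RefPtr.
// BodyElement is a hypothetical stand-in for HTMLBodyElement.
struct BodyElement {
  BodyElement() : mId(gNextId++), mRefCnt(0) { gLiveIds.insert(mId); }
  ~BodyElement() { gLiveIds.erase(mId); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  bool HasPrimaryFrame() const { return true; }  // what the real check reads
  std::size_t mId;
  std::size_t mRefCnt;
};

template <typename T>
class RefPtr {
 public:
  RefPtr() : mPtr(nullptr) {}
  RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* aPtr) {
    if (aPtr) aPtr->AddRef();  // AddRef the new object before releasing the old
    T* old = mPtr;
    mPtr = aPtr;
    if (old) old->Release();
    return *this;
  }
  RefPtr& operator=(const RefPtr& aOther) { return *this = aOther.mPtr; }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

struct Document {
  RefPtr<BodyElement> mBody;
  std::function<void()> mPendingScript;  // listener that runs during the flush

  void FlushPendingNotifications() {
    if (mPendingScript) {
      std::function<void()> script;
      script.swap(mPendingScript);
      script();
    }
  }

  // Vulnerable shape: aBody is a raw pointer and the flush may run script
  // that drops the document's reference, freeing *aBody mid-call.
  bool IsPotentiallyScrollableUnsafe(BodyElement* aBody, bool* aDangling) {
    std::size_t id = aBody->mId;  // still alive at this point
    FlushPendingNotifications();
    *aDangling = gLiveIds.count(id) == 0;
    if (*aDangling) return false;  // the real code would read freed memory here
    return aBody->HasPrimaryFrame();
  }

  // Fixed shape: a strong reference on the stack keeps aBody alive across
  // the flush, whatever the script does to the document's own reference.
  bool IsPotentiallyScrollableFixed(BodyElement* aBody, bool* aDangling) {
    RefPtr<BodyElement> kungFuDeathGrip(aBody);
    std::size_t id = aBody->mId;
    FlushPendingNotifications();
    *aDangling = gLiveIds.count(id) == 0;  // always false: refcount stays >= 1
    return kungFuDeathGrip->HasPrimaryFrame();
  }
};

// Models the testcase: document.write() in the listener replaces the body,
// so the old body's last owner (the document) lets go of it.
static void InstallBodyReplacingScript(Document& aDoc) {
  aDoc.mPendingScript = [&aDoc] { aDoc.mBody = new BodyElement(); };
}

bool UnsafeCallDangles() {
  Document doc;
  doc.mBody = new BodyElement();
  InstallBodyReplacingScript(doc);
  bool dangling = false;
  doc.IsPotentiallyScrollableUnsafe(doc.mBody.get(), &dangling);
  return dangling;  // true: the argument was freed during the call
}

bool FixedCallDangles() {
  Document doc;
  doc.mBody = new BodyElement();
  InstallBodyReplacingScript(doc);
  bool dangling = true;
  doc.IsPotentiallyScrollableFixed(doc.mBody.get(), &dangling);
  return dangling;  // false: the death grip kept it alive
}

int main() {
  std::printf("unsafe call freed its argument: %s\n", UnsafeCallDangles() ? "yes" : "no");
  std::printf("fixed call freed its argument:  %s\n", FixedCallDangles() ? "yes" : "no");
  return 0;
}
```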
Tracking for 58/59 to make sure we follow up for uplift.
sec-approval+ for 11/28 checkin (two weeks into the cycle). If you fought me for it, I might cave and let it go in sooner but I worry about someone figuring something clever out.

We'll want a beta patch as well.
Whiteboard: [checkin on 11/28]
Attachment #8929323 - Flags: sec-approval? → sec-approval+
Comment on attachment 8929323 [details] [diff] [review]
Make sure to hold a strong ref on the stack to arguments passed to IsPotentiallyScrollable

This patch applies cleanly to beta.

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1364360
[User impact if declined]: Possible security bugs.
[Is this code covered by automated tests?]: No.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: Yes, see comment 0. Will need ASAN build with fuzzPriv extension.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No
[Why is the change risky/not risky?]: Just holds a strong ref while calling a function.
[String changes made/needed]: None.
Attachment #8929323 - Flags: approval-mozilla-beta?
Priority: -- → P1
https://hg.mozilla.org/integration/mozilla-inbound/rev/a92a2a4fa4fbb5b69281c80ced79dcb63b66c8b8

Grafts cleanly to Beta as-is.
Flags: in-testsuite?
Whiteboard: [checkin on 11/28]
https://hg.mozilla.org/mozilla-central/rev/a92a2a4fa4fb
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment on attachment 8929323 [details] [diff] [review]
Make sure to hold a strong ref on the stack to arguments passed to IsPotentiallyScrollable

Fix a sec-high. Beta58+.
Attachment #8929323 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: dom-core-security → core-security-release
Whiteboard: [adv-main58+]
Alias: CVE-2018-5100
Flags: qe-verify+
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
Flags: sec-bounty?
Reproduced the tab crash on 59.0a1 Nightly using a linux-64 asan build.
Verified as fixed on latest 59.0a1 Nightly 2018-01-21 under Linux 14.04 64-bit and Win 10 64-bit.

I couldn't verify using Firefox 58.0RC or 58 beta 16 since the FuzzPriv extension could not be installed on these versions (the preferences to support this add-on can't be used here). Please let me know if there is a workaround available for this situation.
Status: RESOLVED → VERIFIED
Managed to verify on Firefox 58.0 20180122143917 linux x64 asan build (provided by RyanWM - thanks!) under Ubuntu 14.04 64-bit.
Flags: qe-verify+
Flags: sec-bounty? → sec-bounty+
Group: core-security-release