Closed Bug 1425423 Opened 7 years ago Closed 7 years ago

DOM - Memory corruption in nsTArray_Impl<mozilla::FrameProperties::PropertyValue,nsTArrayInfallibleAllocator>::IndexOf

Categories

(Core :: Web Painting, defect)

59 Branch
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1425271
Tracking Status
firefox59 --- affected

People

(Reporter: loobenyang, Unassigned)

References

Details

(Keywords: csectype-framepoisoning, sec-low)

Crash Data

Attachments

(1 file)

Attached file IndexOf_PoC.html
Reproduction test case: IndexOf_PoC.html

Steps to reproduce:
1. Open IndexOf_PoC.html in Firefox browser.
2. Firefox crashes in nsTArray_Impl<mozilla::FrameProperties::PropertyValue,nsTArrayInfallibleAllocator>::IndexOf by accessing arbitrary memory.

(18d0.3e2c): Access violation - code c0000005 (!!! second chance !!!)
eax=00ebee4c ebx=1205e080 ecx=1205e0b8 edx=f0de7fff esi=12e7dc10 edi=12e7dc10
eip=64b903e5 esp=00ebee24 ebp=00ebee28 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010287
xul!nsTArray_Impl<mozilla::FrameProperties::PropertyValue,nsTArrayInfallibleAllocator>::IndexOf<mozilla::FramePropertyDescriptorUntyped const *,mozilla::FrameProperties::PropertyComparator>+0x6:
64b903e5 8b32 mov esi,dword ptr [edx] ds:002b:f0de7fff=????????

Firefox version: 59.0a1 (2017-12-14) (32-bit)
OS: Windows 10

Stack trace:
00 xul!nsTArray_Impl<mozilla::FrameProperties::PropertyValue,nsTArrayInfallibleAllocator>::IndexOf<mozilla::FramePropertyDescriptorUntyped const *,mozilla::FrameProperties::PropertyComparator>(struct mozilla::FramePropertyDescriptorUntyped ** aItem = 0x00ebee4c)+0x6 [z:\build\build\src\obj-firefox\dist\include\nstarray.h @ 1156]
01 xul!mozilla::FrameProperties::GetInternal+0x11 [z:\build\build\src\obj-firefox\dist\include\frameproperties.h @ 413]
02 xul!mozilla::FrameProperties::Get+0x11 [z:\build\build\src\layout\base\frameproperties.h @ 235]
03 xul!nsIFrame::GetProperty+0x11 [z:\build\build\src\layout\generic\nsiframe.h @ 3574]
04 xul!nsIFrame::RemoveDisplayItem+0x16 [z:\build\build\src\layout\generic\nsframe.cpp @ 938]
05 xul!nsDisplayItem::~nsDisplayItem(void)+0x30 [z:\build\build\src\layout\painting\nsdisplaylist.h @ 1921]
06 xul!nsDisplayWrapList::{dtor}+0x32 [z:\build\build\src\layout\painting\nsdisplaylist.cpp @ 6230]
07 xul!nsDisplayWrapList::`scalar deleting destructor'(void)+0x35
08 xul!nsDisplayItem::Destroy+0x11 [z:\build\build\src\layout\painting\nsdisplaylist.h @ 1929]
09 xul!nsDisplayWrapList::Destroy(class nsDisplayListBuilder * aBuilder = 0x11dc0000)+0x3f [z:\build\build\src\layout\painting\nsdisplaylist.h @ 4659]
0a xul!nsDisplayList::DeleteAll+0x1e [z:\build\build\src\layout\painting\nsdisplaylist.cpp @ 2711]
0b xul!nsDisplayWrapList::Destroy(class nsDisplayListBuilder * aBuilder = 0x11dc0000)+0x2c [z:\build\build\src\layout\painting\nsdisplaylist.h @ 4658]
0c xul!nsDisplayListBuilder::~nsDisplayListBuilder+0x721397 [z:\build\build\src\layout\painting\nsdisplaylist.cpp @ 1302]
0d xul!RetainedDisplayListBuilder::{dtor}+0x1e [z:\build\build\src\layout\painting\retaineddisplaylistbuilder.h @ 22]
0e xul!DeleteValue+0x25 [z:\build\build\src\layout\generic\nsiframe.h @ 550]
0f xul!mozilla::FramePropertyDescriptor<RetainedDisplayListBuilder>::Destruct<&DeleteValue<RetainedDisplayListBuilder> >(void * aPropertyValue = 0x00000000)+0x29 [z:\build\build\src\layout\base\frameproperties.h @ 102]
10 xul!mozilla::FrameProperties::PropertyValue::DestroyValueFor(class nsIFrame * aFrame = 0x1209a010)+0x10 [z:\build\build\src\layout\base\frameproperties.h @ 378]
11 xul!mozilla::FrameProperties::DeleteAll+0x40 [z:\build\build\src\layout\base\frameproperties.h @ 295]
12 xul!nsIFrame::DeleteAllProperties+0x40 [z:\build\build\src\layout\generic\nsiframe.h @ 3616]
13 xul!nsFrame::DestroyFrom(class nsIFrame * aDestructRoot = 0x1209a010, struct mozilla::layout::PostFrameDestroyData * aPostDestroyData = 0x00ebef50)+0x338 [z:\build\build\src\layout\generic\nsframe.cpp @ 845]
Attachment #8937007 - Attachment mime type: text/plain → text/html
The testcase crashes Nightly with bp-6977555d-f8df-4a7a-a4e1-71f400171215, possibly the same as regression bug 1425271?

edx=f0de7fff is a frame-poisoned address, as is rax in my opt crash linked above.

:miko -- this seems to be yours whether it's the same as bug 1425271 or just related. Let me know if it's not.
Blocks: 1352499
Group: core-security → layout-core-security
Crash Signature: [@ nsIFrame::RemoveDisplayItem ]
Component: DOM → Layout
Flags: needinfo?(mikokm)
See Also: → 1425271
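Added illustration (not Firefox code and not part of this bug's attachments) of why a register holding f0de7fff marks this as a frame-poisoning crash: a destroyed, arena-allocated object stays mapped but is overwritten with the poison word, so the stale property pointer reads back as the poison and faults on dereference instead of reading live memory. The poison value, the Frame layout and every function name here are stand-ins chosen for the example; Firefox derives its real poison from mozPoisonValue().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed stand-in poison: the 32-bit value 0xf0de7fff seen in edx in the
 * report. Real Firefox derives its poison from mozPoisonValue(). */
#define POISON_WORD 0xf0de7fffu
/* Triage check from comment 1: does a faulting address look poisoned? */
int is_poison_address(uintptr_t addr) {
    return (uint32_t)addr == POISON_WORD;
}
/* Arena-style destroy: memory stays mapped, but every word of the dead
 * object is overwritten with the poison, so a stale pointer reads back as
 * POISON_WORD and faults on dereference instead of reading live data. */
static void poison_object(void *obj, size_t size) {
    uintptr_t word = POISON_WORD;
    unsigned char *p = obj;
    for (size_t i = 0; i + sizeof word <= size; i += sizeof word)
        memcpy(p + i, &word, sizeof word);
}
struct Frame { struct Frame *props; int flags; }; /* hypothetical layout */
/* Same shape as the reported crash: the frame is destroyed, then a later
 * RemoveDisplayItem-style path reads its property pointer. The stale value
 * is returned as an integer so the caller classifies it, never derefs it. */
uintptr_t stale_property_pointer_after_destroy(void) {
    struct Frame *frame = malloc(sizeof *frame);
    struct Frame *props = malloc(sizeof *props);
    frame->props = props; frame->flags = 1;
    poison_object(frame, sizeof *frame);        /* frame "destroyed" */
    uintptr_t stale = (uintptr_t)frame->props;  /* use after destroy */
    free(frame); free(props);
    return stale;
}
/* Scan a WinDbg register line ("eax=... edx=f0de7fff ...") and copy the name
 * of the first register holding a poison value into name_out; 1 if found. */
int first_poisoned_register(const char *dump, char *name_out, size_t n) {
    for (const char *p = dump; *p; ) {
        char name[8]; unsigned long val; int used = 0;
        if (sscanf(p, " %7[a-z0-9]=%lx%n", name, &val, &used) == 2 && used) {
            if (is_poison_address((uintptr_t)val)) { snprintf(name_out, n, "%s", name); return 1; }
            p += used;
        } else p++;
    }
    return 0;
}
```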
(In reply to Daniel Veditz [:dveditz] from comment #1)
> The testcase crashes Nightly with bp-6977555d-f8df-4a7a-a4e1-71f400171215,
> possibly the same as regression bug 1425271?
>
> edx=f0de7fff is a frame-poisoned address, as is rax in my opt crash linked
> above
>
> :miko -- this seems to be yours whether it's the same as bug 1425271 or just
> related. Let me know if it's not.

Thank you for the report. This is indeed a duplicate bug. I have already identified the problem and this should not be too difficult to fix - I should have the fix ready in a couple of hours.
Flags: needinfo?(mikokm)
I'm assuming this crash was fixed by bug 1425271. Miko, can you land the attached testcase as a crashtest please?
Status: NEW → RESOLVED
Closed: 7 years ago
Component: Layout → Layout: Web Painting
Flags: needinfo?(mikokm)
Flags: in-testsuite?
Resolution: --- → DUPLICATE
(In reply to Mats Palmgren (:mats) from comment #3)
> I'm assuming this crash was fixed by bug 1425271.
>
> Miko, can you land the attached testcase as a crashtest please?

I looked into this and I think that this testcase is a bit too unreliable and slow for this. This should not be too big of a problem, as bug 1425271 already included a crashtest.
Flags: needinfo?(mikokm)
Flags: in-testsuite? → in-testsuite-
Group: layout-core-security