Closed Bug 1425779 Opened 7 years ago Closed 7 years ago

AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:495:32 in Hdr near [@ nsIFrame::RemoveDisplayItem]

Categories

(Core :: Layout, defect)

59 Branch
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1425271
Tracking Status
firefox59 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 6d82e132348f. ==27612==ERROR: AddressSanitizer: use-after-poison on address 0x62500041ab18 at pc 0x7f3cdd8e4795 bp 0x7fff80046970 sp 0x7fff80046968 READ of size 8 at 0x62500041ab18 thread T0 (file:// Content) #0 0x7f3cdd8e4794 in Hdr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:495:32 #1 0x7f3cdd8e4794 in Elements /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1006 #2 0x7f3cdd8e4794 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1155 #3 0x7f3cdd8e4794 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:413 #4 0x7f3cdd8e4794 in Get<AutoTArray<nsDisplayItem *, 4> > /builds/worker/workspace/build/src/layout/base/FrameProperties.h:235 #5 0x7f3cdd8e4794 in GetProperty<AutoTArray<nsDisplayItem *, 4> > /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3565 #6 0x7f3cdd8e4794 in nsIFrame::RemoveDisplayItem(nsDisplayItem*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:938 #7 0x7f3cde06970c in ~nsDisplayItem /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:1921:15 #8 0x7f3cde06970c in nsDisplayWrapList::~nsDisplayWrapList() /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:6232 #9 0x7f3cddb833ab in Destroy /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:1929:11 #10 0x7f3cddb833ab in nsDisplayWrapList::Destroy(nsDisplayListBuilder*) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:4659 #11 0x7f3cddff8d86 in nsDisplayList::DeleteAll(nsDisplayListBuilder*) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2713:11 #12 0x7f3cddb83359 in nsDisplayWrapList::Destroy(nsDisplayListBuilder*) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:4658:11 #13 0x7f3cddfe94b2 in nsDisplayListBuilder::~nsDisplayListBuilder() /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:1303:8 #14 0x7f3cdd7880f8 in ~RetainedDisplayListBuilder /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.h:22:3 #15 0x7f3cdd7880f8 in DeleteValue<RetainedDisplayListBuilder> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:542 #16 0x7f3cdd7880f8 in void mozilla::FramePropertyDescriptor<RetainedDisplayListBuilder>::Destruct<&(void DeleteValue<RetainedDisplayListBuilder>(RetainedDisplayListBuilder*))>(void*) /builds/worker/workspace/build/src/layout/base/FrameProperties.h:102 #17 0x7f3cdd65d996 in DestroyValueFor /builds/worker/workspace/build/src/layout/base/FrameProperties.h:376:9 #18 0x7f3cdd65d996 in mozilla::FrameProperties::DeleteAll(nsIFrame const*) /builds/worker/workspace/build/src/layout/base/FrameProperties.h:295 #19 0x7f3cdd881cd9 in DeleteAllProperties /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3607:17 #20 0x7f3cdd881cd9 in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:845 #21 0x7f3cdd833bb8 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:296:22 #22 0x7f3cdd6cb6ae in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:687:5 #23 0x7f3cdd6cb6ae in nsFrameManager::Destroy() /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:118 #24 0x7f3cdd5e3919 in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1344:22 #25 0x7f3cdd6fc7ad in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4673:15 #26 0x7f3cdd6ec036 in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1781:5 #27 0x7f3cdd6fe83e in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2118:17 #28 0x7f3cdd7a59b7 in nsPresContext::EnsureVisible() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:2241:31 #29 0x7f3cdd6057d3 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3888:54 #30 0x7f3cdd5ee9c2 in UnsuppressPainting /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3931:5 #31 0x7f3cdd5ee9c2 in mozilla::PresShell::sPaintSuppressionCallback(nsITimer*, void*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1867 #32 0x7f3cd59d4d33 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:701:7 #33 0x7f3cd59a4879 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11 #34 0x7f3cd598db04 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25 #35 0x7f3cd59b43ee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14 #36 0x7f3cd59cfd50 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10 #37 0x7f3cd685a60a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #38 0x7f3cd67adfa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #39 0x7f3cd67adfa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #40 0x7f3cd67adfa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #41 0x7f3cdcde73da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27 #42 0x7f3ce151e7cb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22 #43 0x7f3cd67adfa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #44 0x7f3cd67adfa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #45 0x7f3cd67adfa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #46 0x7f3ce151e1bd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34 #47 0x4f2dfc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30 #48 0x4f2dfc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280 #49 0x7f3cf4acf82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 #50 0x42243c in _start (/home/forb1dden/builds/mc-asan/firefox+0x42243c) 0x62500041ab18 is located 2584 bytes inside of 8192-byte region [0x62500041a100,0x62500041c100) allocated by thread T0 (file:// Content) here: #0 0x4c31d3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x7f3cd5964810 in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15 #2 0x7f3cd5964810 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228 #3 0x7f3cd5964810 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75 #4 0x7f3cd5964810 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80 #5 0x7f3cdd8196df in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12 #6 0x7f3cdd8196df in AllocateFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:205 #7 0x7f3cdd8196df in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34 #8 0x7f3cdd8196df in NS_NewViewportFrame(nsIPresShell*, nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31 #9 0x7f3cdd69a7fb in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2819:5 #10 0x7f3cdd5eabe5 in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1737:36 #11 0x7f3cd8b6904c in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1289:26 #12 0x7f3cd7b09af5 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:672:18 #13 0x7f3cd7b0499d in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1219:17 #14 0x7f3cd7b01f66 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29 #15 0x7f3cd7b0e23b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20 #16 0x7f3cd598db04 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25 #17 0x7f3cd59b43ee in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14 #18 0x7f3cd59cfd50 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10 #19 0x7f3cd685a60a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #20 0x7f3cd67adfa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #21 0x7f3cd67adfa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #22 0x7f3cd67adfa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #23 0x7f3cdcde73da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27 #24 0x7f3ce151e7cb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22 #25 0x7f3cd67adfa9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #26 0x7f3cd67adfa9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #27 0x7f3cd67adfa9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #28 0x7f3ce151e1bd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34 #29 0x4f2dfc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30 #30 0x4f2dfc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280 #31 0x7f3cf4acf82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291 SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:495:32 in Hdr Shadow bytes around the buggy address: 0x0c4a8007b510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a8007b520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a8007b530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a8007b540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a8007b550: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 =>0x0c4a8007b560: f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 0x0c4a8007b570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a8007b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a8007b590: 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 0x0c4a8007b5a0: 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c4a8007b5b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==27612==ABORTING
Flags: in-testsuite?
Attached file prefs.js
Matt: are nsDisplayItems using "frame poisoning"? Or just re-using the same poisoned-arena mechanism? Or is this really an array of nsIFrame objects that are truly covered by frame poisoning?
Group: core-security → layout-core-security
Flags: needinfo?(matt.woodrow)
Keywords: csectype-uaf
Flags: needinfo?(matt.woodrow)
nsDisplayItems are allocated into an nsPresArena, so use the arena poisoning there (same as nsIFrame). This bug is because we're keeping the temporary items list around too long, it should be fixed by bug 1425271.
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Keywords: testcase
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: