Bug 1429227 (Closed)
Opened 6 years ago
Closed 6 years ago

AddressSanitizer: use-after-poison SetFrameIsModified nsIFrame.h:4129:69

Categories: Core :: Layout, defect
Status: RESOLVED FIXED
Target Milestone: mozilla59

Version | Tracking | Status
---|---|---
thunderbird_esr52 | --- | unaffected
firefox-esr52 | --- | unaffected
firefox58 | --- | fixed
firefox59 | --- | fixed
firefox60 | --- | fixed

People: Reporter: rs, Assigned: MatsPalmgren_bugz
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [fixed by bug 1427221]
Attachments (1 file): 3.90 KB, application/java-archive
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3298.3 Safari/537.36

Steps to reproduce:

Open index.html attached as sample.zip with Nightly 59.0a1 (2018-01-06) (64-bit) ASan build.

Actual results:

```text
==12020==ERROR: AddressSanitizer: use-after-poison on address 0x625001de7b0e at pc 0x7f0127998a50 bp 0x7ffdadf84b90 sp 0x7ffdadf84b88
READ of size 2 at 0x625001de7b0e thread T0 (Web Content)
    #0 0x7f0127998a4f in SetFrameIsModified /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4129:69
    #1 0x7f0127998a4f in nsIFrame::MarkNeedsDisplayItemRebuild() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1036
    #2 0x7f012793730f in nsFrame::DidSetStyleContext(nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1174:9
    #3 0x7f012792f915 in nsFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:730:3
    #4 0x7f0127b3ff51 in nsSplittableFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsSplittableFrame.cpp:23:12
    #5 0x7f01278cbee1 in nsContainerFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:59:22
    #6 0x7f012775c8d7 in InitAndRestoreFrame /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5130:14
    #7 0x7f012775c8d7 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12130
    #8 0x7f0127757bdc in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3996:7
    #9 0x7f0127763547 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6359:3
    #10 0x7f0127740305 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10788:5
    #11 0x7f012776cf6c in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8235:3
    #12 0x7f012776451d in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9834:9
    #13 0x7f012768103d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1514:25
    #14 0x7f01276fdff3 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1164:9
    #15 0x7f01276b881e in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1240:3
    #16 0x7f01276b881e in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #17 0x7f01276b881e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4215
    #18 0x7f012761c655 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:584:5
    #19 0x7f012761c655 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1891
    #20 0x7f012762b96f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
    #21 0x7f012762b96f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
    #22 0x7f012762b536 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #23 0x7f012762ddae in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
    #24 0x7f012762ddae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
    #25 0x7f012762d9ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #26 0x7f0127f1ad3f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #27 0x7f0120fdc630 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #28 0x7f0120e888b8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
    #29 0x7f0120a94b0e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
    #30 0x7f0120a91b87 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
    #31 0x7f0120a9328c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
    #32 0x7f0120a938e8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
    #33 0x7f011fbeee0d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #34 0x7f011fc0a8c0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #35 0x7f0120a9cc2a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #36 0x7f01209f3bb9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7f01209f3bb9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7f01209f3bb9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #39 0x7f0126e9d4fa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #40 0x7f012b5c943b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #41 0x7f01209f3bb9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7f01209f3bb9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7f01209f3bb9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7f012b5c8e2d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #45 0x4ee965 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #46 0x4ee965 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #47 0x7f013e6d8009 in __libc_start_main (/lib64/libc.so.6+0x21009)
    #48 0x41dfe8 in _start (/home/rs/browsers/firefox/firefox+0x41dfe8)

0x625001de7b0e is located 2574 bytes inside of 8192-byte region [0x625001de7100,0x625001de9100)
allocated by thread T0 (Web Content) here:
    #0 0x4bed83 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f011fb9f590 in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f011fb9f590 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7f011fb9f590 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f011fb9f590 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f0127adc333 in AllocateByObjectID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:52:12
    #6 0x7f0127adc333 in AllocateByObjectID /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:226
    #7 0x7f0127adc333 in operator new /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:160
    #8 0x7f0127adc333 in NS_NewLineBox(nsIPresShell*, nsIFrame*, bool) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:83
    #9 0x7f012791c4e0 in NewLineBox /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.h:442:12
    #10 0x7f012791c4e0 in nsBlockFrame::AddFrames(nsFrameList&, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:5426
    #11 0x7f012792e462 in nsBlockFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7034:5
    #12 0x7f0127f8bec0 in nsMathMLmathBlockFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.h:418:19
    #13 0x7f012775b32a in nsCSSFrameConstructor::FlushAccumulatedBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFrameItems&, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5305:15
    #14 0x7f01277598db in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4205:9
    #15 0x7f0127763547 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6359:3
    #16 0x7f012775cba7 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10788:5
    #17 0x7f012775cba7 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12148
    #18 0x7f0127757bdc in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3996:7
    #19 0x7f0127763547 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6359:3
    #20 0x7f012775cba7 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10788:5
    #21 0x7f012775cba7 in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12148
    #22 0x7f0127757bdc in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3996:7
    #23 0x7f0127763547 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6359:3
    #24 0x7f0127741a46 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10788:5
    #25 0x7f0127741a46 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11106
    #26 0x7f0127759375 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4180:9
    #27 0x7f0127763547 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6359:3
    #28 0x7f0127740305 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10788:5
    #29 0x7f01277717c9 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7698:3
    #30 0x7f0127680d4c in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1405:27
    #31 0x7f01276fdff3 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1164:9
    #32 0x7f01276b881e in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1240:3
    #33 0x7f01276b881e in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #34 0x7f01276b881e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4215
    #35 0x7f012761c655 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:584:5
    #36 0x7f012761c655 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1891
    #37 0x7f012762b96f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
    #38 0x7f012762b96f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
    #39 0x7f012762b536 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #40 0x7f012762ddae in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
    #41 0x7f012762ddae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
    #42 0x7f012762d9ae in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #43 0x7f0127f1ad3f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #44 0x7f0120fdc630 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4129:69 in SetFrameIsModified
Shadow bytes around the buggy address:
  0x0c4a803b4f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803b4f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803b4f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
  0x0c4a803b4f40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803b4f50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a803b4f60: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803b4f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803b4f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803b4f90: f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803b4fa0: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803b4fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12020==ABORTING
```
Updated • 6 years ago
Attachment #8941211 - Attachment mime type: application/zip → application/java-archive
Comment 1 • 6 years ago
Looks like this would hit our "frame poisoning" mitigation and not actually be exploitable (nsIFrames are treated specially and when freed are overwritten with a poison value that points at an explicitly unmapped memory region).
Group: firefox-core-security → core-security
Component: Untriaged → Layout
Keywords: csectype-framepoisoning, sec-other
Product: Firefox → Core
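To make the mitigation in comment 1 concrete, here is an added example (not Mozilla's code) of a toy frame arena that overwrites freed frames with a pointer-sized poison value and never hands the memory back to malloc, so a stale pointer reads the poison rather than attacker-controlled data. POISON_VALUE, the Frame layout and all function names are assumptions for illustration.

```c
/* Added example, not Mozilla's code: toy frame arena that poisons freed frames. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Written over every word of a freed frame. In a real build this is an address
 * in a region that is reserved but never mapped, so following it faults. Constructed. */
#define POISON_VALUE ((uintptr_t)0x7ffffffff000ULL)
#define FRAME_WORDS 4
#define ARENA_SLOTS 8

typedef struct {
    uintptr_t words[FRAME_WORDS]; /* stand-ins for vtable, parent, next, flags */
} Frame;

typedef struct {
    Frame slots[ARENA_SLOTS];
    int in_use[ARENA_SLOTS];
} FrameArena;

static void arena_init(FrameArena *a) { memset(a, 0, sizeof *a); }

static Frame *arena_alloc(FrameArena *a) {
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!a->in_use[i]) {
            a->in_use[i] = 1;
            memset(&a->slots[i], 0, sizeof(Frame));
            return &a->slots[i];
        }
    }
    return NULL;
}

/* Free = overwrite with poison, then mark the slot reusable. The arena never
 * returns memory to malloc, so no unrelated allocation can land in the slot. */
static void arena_free(FrameArena *a, Frame *f) {
    for (size_t i = 0; i < FRAME_WORDS; i++) f->words[i] = POISON_VALUE;
    a->in_use[f - a->slots] = 0;
}

/* Triage helper: all words carrying the pattern means the frame was freed. */
static int frame_is_poisoned(const Frame *f) {
    for (size_t i = 0; i < FRAME_WORDS; i++)
        if (f->words[i] != POISON_VALUE) return 0;
    return 1;
}

/* Models the report's sequence: allocate, free, read through the stale pointer.
 * Returns what the stale read sees (POISON_VALUE), or 0 if a live frame was
 * wrongly flagged or the freed one was not. */
static uintptr_t stale_read_after_free(void) {
    FrameArena arena;
    arena_init(&arena);
    Frame *f = arena_alloc(&arena);
    if (f == NULL || frame_is_poisoned(f)) return 0;
    f->words[1] = (uintptr_t)f;   /* pretend parent pointer while the frame is live */
    arena_free(&arena, f);
    return frame_is_poisoned(f) ? f->words[1] : 0;
}
```

In an ASan build the arena would additionally mark the freed bytes inaccessible, which is why the report's shadow bytes show f7 (Poisoned by user) rather than fd (Freed heap region).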
Reporter
Comment 2 • 6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Looks like this would hit our "frame poisoning" mitigation and not actually
> be exploitable (nsIFrames are treated specially and when freed are
> overwritten with a poison value that points at an explicitly unmapped memory
> region).

Right, I was aware of that. I already reported one in the past, but in the same way I think it is better to report it so that it is registered here in case in the future (which I doubt) someone bypasses the mitigation. This bug does not require more than that; you can close it, but do not leave it public. Thank you!
Updated • 6 years ago

Assignee
Comment 3 • 6 years ago
This was fixed by bug 1427221. (Backing out that fix locally makes the test crash my ASAN Linux build.)
Assignee: nobody → mats
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox58: --- → fixed
status-firefox59: --- → fixed
status-firefox60: --- → fixed
status-firefox-esr52: --- → unaffected
Flags: in-testsuite-
OS: Unspecified → All
Hardware: Unspecified → All
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1427221]
Updated • 6 years ago
Target Milestone: --- → mozilla59

Updated • 6 years ago
Group: layout-core-security → core-security-release

Updated • 6 years ago
Group: core-security-release

Updated • 4 years ago
Blocks: asan-maintenance